@ -126,10 +126,26 @@ After the configuration options have been set up, rebuild the u-boot binary agai
\subsection{Linux kernel}
\subsection{Linux kernel}
{\tt CONFIG\_KEXEC}
Make sure that the following options are enabled:
\begin{itemize}[noitemsep]
\item{\tt CONFIG\_BLK\_DEV\_INITRD}
\item{\tt CONFIG\_RD\_GZIP}
\item{\tt CONFIG\_RD\_BZIP2}
\item{\tt CONFIG\_RD\_LZMA}
\item{\tt CONFIG\_RD\_XZ}
\item{\tt CONFIG\_RD\_LZO}
\item{\tt CONFIG\_RD\_LZ4}
\item{\tt CONFIG\_KEXEC}
\end{itemize}
As the ROTS image will be read-only once it has been flashed to the SPI NOR flash, it is encouraged to build a minimal kernel images to reduce the amount of possible bugs and vulnerabilities.
More specifically, it is recommended to build a kernel without any support for networking, graphics and audio.
\subsection{initramfs}
\subsection{initramfs}
For the initramfs, we will need static binaries of \emph{busybox}, \emph{kexec-tools}, \emph{cpio} and \emph{gzip}.
\section{Flashing ROTS}
\section{Flashing ROTS}
\subsection{Using an External Programmer}
\subsection{Using an External Programmer}
@ -211,7 +227,7 @@ flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
8388608
16777216
\end{minted}
\end{minted}
Further, Google's fork of flashrom allows us to tag regions on the SPI NOR flash chip with a custom name.
Further, Google's fork of flashrom allows us to tag regions on the SPI NOR flash chip with a custom name.
@ -238,28 +254,36 @@ Now that the images have been written to their respective regions, we can look a
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
Valid write protection ranges:
Valid write protection ranges:
start: 0x000000, length: 0x000000
start: 0x000000, length: 0x000000
start: 0x7e0000, length: 0x020000
start: 0xfc0000, length: 0x040000
start: 0x7c0000, length: 0x040000
start: 0xf80000, length: 0x080000
start: 0x7a0000, length: 0x080000
start: 0xf00000, length: 0x100000
start: 0x700000, length: 0x100000
start: 0xe00000, length: 0x200000
start: 0x600000, length: 0x200000
start: 0xc00000, length: 0x400000
start: 0x400000, length: 0x400000
start: 0x800000, length: 0x800000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x040000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x080000
start: 0x000000, length: 0x100000
start: 0x000000, length: 0x200000
start: 0x000000, length: 0x400000
start: 0x000000, length: 0x400000
start: 0x000000, length: 0x600000
start: 0x000000, length: 0x700000
start: 0x000000, length: 0x780000
start: 0x000000, length: 0x7c0000
start: 0x000000, length: 0x7e0000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x1000000
start: 0xfff000, length: 0x001000
start: 0xffe000, length: 0x002000
start: 0xffc000, length: 0x004000
start: 0xff8000, length: 0x008000
start: 0xff8000, length: 0x008000
start: 0x000000, length: 0x001000
start: 0x000000, length: 0x002000
start: 0x000000, length: 0x004000
start: 0x000000, length: 0x008000
start: 0x000000, length: 0x008000
\end{minted}
\end{minted}
Since we don't want our images to be tampered with, we want to enable write-protection for the full range.
Since we don't want our images to be tampered with, we want to enable write-protection for the full range.
We can configure the write-protected range as follows:
We can configure the write-protected range as follows: