Compare commits

...

2 Commits

  1. 56
      user-doc/user-doc.tex

@ -126,10 +126,26 @@ After the configuration options have been set up, rebuild the u-boot binary agai
\subsection{Linux kernel} \subsection{Linux kernel}
{\tt CONFIG\_KEXEC} Make sure that the following options are enabled:
\begin{itemize}[noitemsep]
\item {\tt CONFIG\_BLK\_DEV\_INITRD}
\item {\tt CONFIG\_RD\_GZIP}
\item {\tt CONFIG\_RD\_BZIP2}
\item {\tt CONFIG\_RD\_LZMA}
\item {\tt CONFIG\_RD\_XZ}
\item {\tt CONFIG\_RD\_LZO}
\item {\tt CONFIG\_RD\_LZ4}
\item {\tt CONFIG\_KEXEC}
\end{itemize}
As the ROTS image will be read-only once it has been flashed to the SPI NOR flash, it is encouraged to build a minimal kernel images to reduce the amount of possible bugs and vulnerabilities.
More specifically, it is recommended to build a kernel without any support for networking, graphics and audio.
\subsection{initramfs} \subsection{initramfs}
For the initramfs, we will need static binaries of \emph{busybox}, \emph{kexec-tools}, \emph{cpio} and \emph{gzip}.
\section{Flashing ROTS} \section{Flashing ROTS}
\subsection{Using an External Programmer} \subsection{Using an External Programmer}
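Review bot: The new itemize list enables six initramfs decompressors (CONFIG\_RD\_GZIP through CONFIG\_RD\_LZ4), which works against the minimal-kernel advice added directly below it. The initramfs subsection only calls for gzip, so listing CONFIG\_BLK\_DEV\_INITRD, CONFIG\_RD\_GZIP and CONFIG\_KEXEC as required, with the other decompressors marked optional, would keep the two paragraphs consistent. In the added prose, "a minimal kernel images" should read "a minimal kernel image", and "amount of possible bugs" reads better as "number of possible bugs".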
@ -211,7 +227,7 @@ flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86
vendor="Macronix" name="MX25L6406E" vendor="Macronix" name="MX25L6406E"
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --get-size ./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --get-size
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
8388608 16777216
\end{minted} \end{minted}
Further, Google's fork of flashrom allows us to tag regions on the SPI NOR flash chip with a custom name. Further, Google's fork of flashrom allows us to tag regions on the SPI NOR flash chip with a custom name.
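Review bot: The --get-size output changes from 8388608 to 16777216, but the unchanged probe line above it still reports vendor="Macronix" name="MX25L6406E", which is a 64 Mbit (8 MiB) part, so the listing now contradicts itself. Please update the chip identification line to the part that was actually probed, so that both outputs in this listing come from the same chip and readers can match the size against their own hardware.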
@ -238,28 +254,36 @@ Now that the images have been written to their respective regions, we can look a
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
Valid write protection ranges: Valid write protection ranges:
start: 0x000000, length: 0x000000 start: 0x000000, length: 0x000000
start: 0x7e0000, length: 0x020000 start: 0xfc0000, length: 0x040000
start: 0x7c0000, length: 0x040000 start: 0xf80000, length: 0x080000
start: 0x7a0000, length: 0x080000 start: 0xf00000, length: 0x100000
start: 0x700000, length: 0x100000 start: 0xe00000, length: 0x200000
start: 0x600000, length: 0x200000 start: 0xc00000, length: 0x400000
start: 0x400000, length: 0x400000 start: 0x800000, length: 0x800000
start: 0x000000, length: 0x800000 start: 0x000000, length: 0x040000
start: 0x000000, length: 0x800000 start: 0x000000, length: 0x080000
start: 0x000000, length: 0x100000
start: 0x000000, length: 0x200000
start: 0x000000, length: 0x400000 start: 0x000000, length: 0x400000
start: 0x000000, length: 0x600000
start: 0x000000, length: 0x700000
start: 0x000000, length: 0x780000
start: 0x000000, length: 0x7c0000
start: 0x000000, length: 0x7e0000
start: 0x000000, length: 0x800000 start: 0x000000, length: 0x800000
start: 0x000000, length: 0x1000000
start: 0xfff000, length: 0x001000
start: 0xffe000, length: 0x002000
start: 0xffc000, length: 0x004000
start: 0xff8000, length: 0x008000
start: 0xff8000, length: 0x008000
start: 0x000000, length: 0x001000
start: 0x000000, length: 0x002000
start: 0x000000, length: 0x004000
start: 0x000000, length: 0x008000
start: 0x000000, length: 0x008000
\end{minted} \end{minted}
Since we don't want our images to be tampered with, we want to enable write-protection for the full range. Since we don't want our images to be tampered with, we want to enable write-protection for the full range.
We can configure the write-protected range as follows: We can configure the write-protected range as follows:
\begin{minted}[breaklines]{text} \begin{minted}[breaklines]{text}
./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --wp-range 0x000000 0x800000 ./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --wp-range 0x000000 0x1000000
\end{minted} \end{minted}
After setting the range, we are still able to modify the contents of the entire SPI NOR flash chip. After setting the range, we are still able to modify the contents of the entire SPI NOR flash chip.
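Review bot: The --wp-range length is now hard-coded as 0x1000000, which is only correct for a 16 MiB chip; a reader with the 8 MiB part from the previous revision who copies this command would request a range that does not appear in their own list of valid ranges. Consider adding a sentence next to the command stating that the length must equal the value reported by --get-size and must appear in the list of valid write protection ranges shown above, so the "full range" claim holds for whichever chip is fitted.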
