To: ptxdist@pengutronix.de
Date: Tue, 13 May 2025 16:06:41 +0200
Message-Id: <20250513140641.4075870-3-ada@thorsis.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250513140641.4075870-1-ada@thorsis.com>
References: <20250513140641.4075870-1-ada@thorsis.com>
Subject: [ptxdist] [PATCH v1 2/2] u-boot: Add option to load signed kernel FIT images
List-Id: PTXdist Development Mailing List
From: Alexander Dahl via ptxdist
Reply-To: ptxdist@pengutronix.de
Cc: Alexander Dahl

Requires U-Boot v2023.04 or later, certain options set in board config,
and KERNEL_FIT_SIGNED enabled.

Algorithm "sha256,rsa4096" is hardcoded to the same value as hardcoded
in ptxd_make_image_fit_its() which is used by the kernel-fit package.

With those premises met, U-Boot Verified Boot is possible.

Tested with U-Boot v2024.04 on Microchip SAM9X60-Curiosity in custom
layer on top of DistroKit-2024.06.0.

Hit any key to stop autoboot:  0
8787737 bytes read in 391 ms (21.4 MiB/s)
## Loading kernel from FIT Image at 22000000 ...
Using 'conf-microchip,sam9x60-curiosity' configuration
Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
Trying 'kernel' kernel subimage
Description:  kernel
Type:         Kernel Image (no loading done)
Compression:  uncompressed
Data Start:   0x220000b4
Data Size:    8757936 Bytes = 8.4 MiB
Hash algo:    sha256
Hash value:   8c109fc75263329402c7ae63e3d47c18aabf67307ebc0023e88921227abc7cf3
Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 22000000 ...
Using 'conf-microchip,sam9x60-curiosity' configuration
Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
Trying 'fdt-microchip,sam9x60-curiosity' fdt subimage
Description:  unavailable
Type:         Flat Device Tree
Compression:  uncompressed
Data Start:   0x2285a45c
Data Size:    27903 Bytes = 27.2 KiB
Architecture: ARM
Hash algo:    sha256
Hash value:   db2e8047b404f92cc7ca4f7b918be1191aab3ce33d574f046c0f1da959d3cbb2
Verifying Hash Integrity ... sha256+ OK
Booting using the fdt blob at 0x2285a45c
Working FDT set to 2285a45c
XIP Kernel Image (no loading done) to 220000b4
Loading Device Tree to 27b31000, end 27b3acfe ... OK
Working FDT set to 27b31000

Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0 [ 0.000000] Linux version 6.6.0-tt (ptxdist@ptxdist) (arm-v5te-linux-gnueabi-gcc (OSELAS.Toolchain-2023.07.1 13-20231118) 13.2.1 20231118, GNU ld (GNU Binutils) 2.40) #2 PREEMPT 2024-06-07T12:29:46+00:00 Link: https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html Signed-off-by: Alexander Dahl --- platforms/u-boot.in | 30 +++++++++++++++++++++++++++--- rules/u-boot.make | 13 +++++++++++++ 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/platforms/u-boot.in b/platforms/u-boot.in index 5ce7387e4..d263135ca 100644 --- a/platforms/u-boot.in +++ b/platforms/u-boot.in @@ -7,6 +7,7 @@ config U_BOOT_DEPENDENCIES menuconfig U_BOOT select U_BOOT_DEPENDENCIES select BOOTLOADER + select CODE_SIGNING if U_BOOT_VERIFY_SIGNATURE select HOST_SYSTEM_PYTHON3 select HOST_OPENSSL if U_BOOT_NEEDS_HOST_OPENSSL select HOST_GNUTLS if U_BOOT_NEEDS_HOST_GNUTLS @@ -18,11 +19,11 @@ if U_BOOT config U_BOOT_VERSION string - default "2019.01" + default "2023.04" prompt "U-Boot version" help - Enter the U-Boot version you want to build. Usually something like - "2019.01". + Enter the U-Boot version you want to build. + Usually something like "2019.01". config U_BOOT_MD5 string 
@@ -193,6 +194,29 @@ config U_BOOT_BOOT_SCRIPT_ROOTFS_PATH endif +config U_BOOT_VERIFY_SIGNATURE + bool + prompt "Verify FIT image signature" + select U_BOOT_NEEDS_HOST_OPENSSL + imply KERNEL_FIT_SIGNED + help + For U-Boot Verified Boot [1] a public key has to be put into + the control dtb built with U-Boot. + The loaded image (most probably a Linux Kernel image) must be + signed with the matching private key. + Uses the PTXdist Code Signing Infrastructure. + + Note: You need U-Boot 2023.04 or later. + + Note: You must enable CONFIG_TOOLS_FIT_SIGNATURE in U-Boot + Kconfig for the necessary host mkimage features, and + enable CONFIG_FIT_SIGNATURE, CONFIG_RSA, and + CONFIG_ECDSA for runtime verification. + Ensure you have _disabled_ CONFIG_LEGACY_IMAGE_FORMAT to + not accidentally allow running unsigned images. + + [1] https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html + comment "target install" config U_BOOT_INSTALL_U_BOOT_BIN diff --git a/rules/u-boot.make b/rules/u-boot.make index 204475b78..d3ea65cf2 100644 --- a/rules/u-boot.make +++ b/rules/u-boot.make @@ -120,6 +120,19 @@ endif $(STATEDIR)/u-boot.compile: @$(call targetinfo) @$(call world/compile, U_BOOT) +ifdef PTXCONF_U_BOOT_VERIFY_SIGNATURE + @mv $(U_BOOT_BUILD_DIR)/u-boot.dtb $(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb + @$(CODE_SIGNING_ENV) $(U_BOOT_BUILD_DIR)/tools/mkimage \ + -f auto-conf -d /dev/null -r \ + -g image-kernel-fit -N pkcs11 -o "sha256,rsa4096" \ + -k "$(shell cs_get_uri image-kernel-fit)" \ + -K "$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb" \ + $(U_BOOT_BUILD_DIR)/unused.itb +# # retrigger building dts/dt.dtb to use EXT_DTB, might stay as is otherwise + @rm $(U_BOOT_BUILD_DIR)/dts/dt.dtb + @$(call compile, U_BOOT, $(U_BOOT_MAKE_OPT) EXT_DTB=$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb) +endif + ifdef PTXCONF_U_BOOT_BOOT_SCRIPT @$(U_BOOT_BUILD_DIR)/tools/mkimage -T script -C none \ -d $(U_BOOT_BOOT_SCRIPT_TXT) \ -- 2.39.5
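Review bot: (platforms/u-boot.in, hunk @@ -7,6 +7,7 @@) keeping the new option's dependencies in one place would read better: `select CODE_SIGNING if U_BOOT_VERIFY_SIGNATURE` is added to `menuconfig U_BOOT`, while the `config U_BOOT_VERIFY_SIGNATURE` block later in the same file already carries `select U_BOOT_NEEDS_HOST_OPENSSL`; a plain `select CODE_SIGNING` next to that line expresses the same dependency without the conditional. The conditional form does follow the existing `select HOST_OPENSSL if U_BOOT_NEEDS_HOST_OPENSSL` pattern, so this is a style preference, not a defect.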
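Review bot: (platforms/u-boot.in, hunk @@ -18,11 +19,11 @@) the help text still gives "2019.01" as the example version while the same hunk bumps the default to "2023.04"; update the example to "2023.04" (or drop it) so prompt and default agree. Changing the default U-Boot version is also independent of signature verification, and the commit message only states the v2023.04 requirement, not that the default moves; splitting the bump into its own patch would make it easier to review and to bisect.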
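Review bot: (platforms/u-boot.in, hunk @@ -193,6 +194,29 @@) the help for U_BOOT_VERIFY_SIGNATURE tells the user to enable CONFIG_ECDSA, but the accompanying make rule pairs this option with a fixed "sha256,rsa4096" key, so only the RSA runtime path is exercised; either say that RSA is what this option needs (CONFIG_FIT_SIGNATURE and CONFIG_RSA) or leave ECDSA out so the text does not suggest other algorithms work here. The help should also name the fixed key role `image-kernel-fit` and the algorithm, since both must match what the kernel-fit package signs with, and mention that mkimage is invoked with `-N pkcs11`, so the host OpenSSL must provide the pkcs11 engine in addition to CONFIG_TOOLS_FIT_SIGNATURE. Finally, `imply KERNEL_FIT_SIGNED` is a soft default the user can switch off; with CONFIG_LEGACY_IMAGE_FORMAT disabled as the help recommends, an unsigned kernel-fit image will then refuse to boot, which is the intended fail-closed behaviour, and one sentence saying so would spare a user a debugging session.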
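Review bot: (rules/u-boot.make, hunk @@ -120,6 +120,19 @@) the algorithm "sha256,rsa4096" and key role `image-kernel-fit` are duplicated from ptxd_make_image_fit_its(), as the commit message notes; a mismatch fails closed (the public key in the control dtb would not match the signature), but moving both into a shared variable or helper used by u-boot.make and the kernel-fit package would stop them drifting apart silently. Please also check that `$(shell cs_get_uri image-kernel-fit)` is meant to run outside the signing environment: `$(shell ...)` is executed by make itself, not by the recipe's shell, so whatever `$(CODE_SIGNING_ENV)` sets up for mkimage does not apply to it, whereas `"$$(cs_get_uri image-kernel-fit)"` inside the recipe would. Two smaller points: `@mv $(U_BOOT_BUILD_DIR)/u-boot.dtb ...` presupposes that the board config produces a control dtb, so a board without one fails with an unhelpful mv error rather than a clear message, and `unused.itb` is left behind in the build directory; the comment line also reads `# # retrigger ...` with a doubled hash.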