From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Alexander Dahl <ada@thorsis.com>
Subject: Re: [ptxdist] [APPLIED] u-boot: Add option to load signed kernel FIT images
Date: Sat, 17 May 2025 00:02:53 +0200
Message-ID: <20250516220253.221647-1-m.olbrich@pengutronix.de>
In-Reply-To: <20250513140641.4075870-3-ada@thorsis.com>
Thanks, applied as a4c386b34b25fa0c838797a533fc716b46c80dc0.
Michael
[sent from post-receive hook]
On Sat, 17 May 2025 00:02:53 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> Requires U-Boot v2023.04 or later, certain options set in board config,
> and KERNEL_FIT_SIGNED enabled. Algorithm "sha256,rsa4096" is hardcoded
> to the same value as hardcoded in ptxd_make_image_fit_its() which is used
> by the kernel-fit package.
>
> With those premises met, U-Boot Verified Boot is possible. Tested with
> U-Boot v2024.04 on Microchip SAM9X60-Curiosity in custom layer on top of
> DistroKit-2024.06.0.
>
> Hit any key to stop autoboot: 0
> 8787737 bytes read in 391 ms (21.4 MiB/s)
> ## Loading kernel from FIT Image at 22000000 ...
> Using 'conf-microchip,sam9x60-curiosity' configuration
> Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
> Trying 'kernel' kernel subimage
> Description: kernel
> Type: Kernel Image (no loading done)
> Compression: uncompressed
> Data Start: 0x220000b4
> Data Size: 8757936 Bytes = 8.4 MiB
> Hash algo: sha256
> Hash value: 8c109fc75263329402c7ae63e3d47c18aabf67307ebc0023e88921227abc7cf3
> Verifying Hash Integrity ... sha256+ OK
> ## Loading fdt from FIT Image at 22000000 ...
> Using 'conf-microchip,sam9x60-curiosity' configuration
> Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
> Trying 'fdt-microchip,sam9x60-curiosity' fdt subimage
> Description: unavailable
> Type: Flat Device Tree
> Compression: uncompressed
> Data Start: 0x2285a45c
> Data Size: 27903 Bytes = 27.2 KiB
> Architecture: ARM
> Hash algo: sha256
> Hash value: db2e8047b404f92cc7ca4f7b918be1191aab3ce33d574f046c0f1da959d3cbb2
> Verifying Hash Integrity ... sha256+ OK
> Booting using the fdt blob at 0x2285a45c
> Working FDT set to 2285a45c
> XIP Kernel Image (no loading done) to 220000b4
> Loading Device Tree to 27b31000, end 27b3acfe ... OK
> Working FDT set to 27b31000
>
> Starting kernel ...
>
> [ 0.000000] Booting Linux on physical CPU 0x0
> [ 0.000000] Linux version 6.6.0-tt (ptxdist@ptxdist) (arm-v5te-linux-gnueabi-gcc (OSELAS.Toolchain-2023.07.1 13-20231118) 13.2.1 20231118, GNU ld (GNU Binutils) 2.40) #2 PREEMPT 2024-06-07T12:29:46+00:00
>
> Link: https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20250513140641.4075870-3-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/platforms/u-boot.in b/platforms/u-boot.in
> index 5ce7387e495d..d263135ca7e7 100644
> --- a/platforms/u-boot.in
> +++ b/platforms/u-boot.in
> @@ -7,6 +7,7 @@ config U_BOOT_DEPENDENCIES
> menuconfig U_BOOT
> select U_BOOT_DEPENDENCIES
> select BOOTLOADER
> + select CODE_SIGNING if U_BOOT_VERIFY_SIGNATURE
> select HOST_SYSTEM_PYTHON3
> select HOST_OPENSSL if U_BOOT_NEEDS_HOST_OPENSSL
> select HOST_GNUTLS if U_BOOT_NEEDS_HOST_GNUTLS
> @@ -18,11 +19,11 @@ if U_BOOT
>
> config U_BOOT_VERSION
> string
> - default "2019.01"
> + default "2023.04"
> prompt "U-Boot version"
> help
> - Enter the U-Boot version you want to build. Usually something like
> - "2019.01".
> + Enter the U-Boot version you want to build.
> + Usually something like "2019.01".
>
> config U_BOOT_MD5
> string
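Review bot: The help text of U_BOOT_VERSION still gives "2019.01" as the example after the default moves to "2023.04"; update the example so it matches the new default. The default bump is not mentioned in the commit message, and the visible lines show no change to U_BOOT_MD5 in the trailing context, so if that option carries a default checksum it would no longer match the default version. A sentence in the commit message, or a separate patch for the bump, would make this easier to follow.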
> @@ -193,6 +194,29 @@ config U_BOOT_BOOT_SCRIPT_ROOTFS_PATH
>
> endif
>
> +config U_BOOT_VERIFY_SIGNATURE
> + bool
> + prompt "Verify FIT image signature"
> + select U_BOOT_NEEDS_HOST_OPENSSL
> + imply KERNEL_FIT_SIGNED
> + help
> + For U-Boot Verified Boot [1] a public key has to be put into
> + the control dtb built with U-Boot.
> + The loaded image (most probably a Linux Kernel image) must be
> + signed with the matching private key.
> + Uses the PTXdist Code Signing Infrastructure.
> +
> + Note: You need U-Boot 2023.04 or later.
> +
> + Note: You must enable CONFIG_TOOLS_FIT_SIGNATURE in U-Boot
> + Kconfig for the necessary host mkimage features, and
> + enable CONFIG_FIT_SIGNATURE, CONFIG_RSA, and
> + CONFIG_ECDSA for runtime verification.
> + Ensure you have _disabled_ CONFIG_LEGACY_IMAGE_FORMAT to
> + not accidentally allow running unsigned images.
> +
> + [1] https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html
> +
> comment "target install"
>
> config U_BOOT_INSTALL_U_BOOT_BIN
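Review bot: The U_BOOT_VERIFY_SIGNATURE help text lists CONFIG_ECDSA as required for runtime verification, while the rule in rules/u-boot.make hardcodes -o "sha256,rsa4096"; either drop CONFIG_ECDSA from the list or say why it is needed. The preconditions named here (U-Boot 2023.04 or later, CONFIG_FIT_SIGNATURE and CONFIG_RSA enabled, CONFIG_LEGACY_IMAGE_FORMAT disabled) are only documented, so a board config that misses one still builds with this option on. Consider a check in the compile stage that reads the U-Boot .config and fails the build when one of them is not met, since the failure mode is a bootloader that accepts unsigned images.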
> diff --git a/rules/u-boot.make b/rules/u-boot.make
> index 204475b7843b..d3ea65cf2a53 100644
> --- a/rules/u-boot.make
> +++ b/rules/u-boot.make
> @@ -120,6 +120,19 @@ endif
> $(STATEDIR)/u-boot.compile:
> @$(call targetinfo)
> @$(call world/compile, U_BOOT)
> +ifdef PTXCONF_U_BOOT_VERIFY_SIGNATURE
> + @mv $(U_BOOT_BUILD_DIR)/u-boot.dtb $(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb
> + @$(CODE_SIGNING_ENV) $(U_BOOT_BUILD_DIR)/tools/mkimage \
> + -f auto-conf -d /dev/null -r \
> + -g image-kernel-fit -N pkcs11 -o "sha256,rsa4096" \
> + -k "$(shell cs_get_uri image-kernel-fit)" \
> + -K "$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb" \
> + $(U_BOOT_BUILD_DIR)/unused.itb
> +# # retrigger building dts/dt.dtb to use EXT_DTB, might stay as is otherwise
> + @rm $(U_BOOT_BUILD_DIR)/dts/dt.dtb
> + @$(call compile, U_BOOT, $(U_BOOT_MAKE_OPT) EXT_DTB=$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb)
> +endif
> +
> ifdef PTXCONF_U_BOOT_BOOT_SCRIPT
> @$(U_BOOT_BUILD_DIR)/tools/mkimage -T script -C none \
> -d $(U_BOOT_BOOT_SCRIPT_TXT) \
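Review bot: In the mkimage call, -k "$(shell cs_get_uri image-kernel-fit)" is expanded by make itself, not by the recipe shell, so cs_get_uri runs without the $(CODE_SIGNING_ENV) prefix that the mkimage call gets; if cs_get_uri needs those variables, pass them inside the $(shell ...) call as well. The plain rm of dts/dt.dtb fails the stage when the file is absent, so rm -f would be more robust. The "# # retrigger" comment has a doubled marker, and unused.itb is left behind in the build directory; removing it after the call makes clear it is only a by-product of writing the key into u-boot-pubkey.dtb.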