* [ptxdist] [PATCH v1 0/2] u-boot: Add verified boot support
From: Alexander Dahl via ptxdist @ 2025-05-13 14:06 UTC
To: ptxdist; +Cc: Alexander Dahl

Hello everyone,

the concept widely known as Secure Boot is called "Verified Boot" in
U-Boot and it does the same as you would expect: load a signed kernel
image (configuration), verify the signature, abort if verification
fails.  (Other steps of the verification chain are not covered by this
series.)

Some foundational work like support for U-Boot loading FIT images was
merged last year already.  I had the remaining parts lying around
working, but some necessary patches were not in mainline U-Boot back
then.  With u-boot-tools 2024.10 or later it's finally possible to
upstream this.  See commit messages for details.

Let me know if Kconfig help is sufficient or if the documentation should
be extended.

Greets
Alex

Alexander Dahl (2):
  u-boot-tools: Version bump 2020.07 -> 2025.04
  u-boot: Add option to load signed kernel FIT images

 platforms/u-boot.in                | 30 +++++++++++++++++++++++++++---
 rules/host-u-boot-tools.in         |  1 +
 rules/u-boot-tools.make            |  6 +++---
 rules/u-boot.make                  | 13 +++++++++++++
 scripts/lib/ptxd_make_fit_image.sh |  7 -------
 5 files changed, 44 insertions(+), 13 deletions(-)

-- 
2.39.5

* [ptxdist] [PATCH v1 1/2] u-boot-tools: Version bump 2020.07 -> 2025.04
From: Alexander Dahl via ptxdist @ 2025-05-13 14:06 UTC
To: ptxdist; +Cc: Alexander Dahl

Apart from bugfixes this is mostly interesting for mkimage's ability to do
image signing.  Option -o for specifying the signing algorithm was added
with v2022.04.  Signing 'auto' FITs was added with v2022.10, support for
signed configurations in 'auto' FIT was added in v2023.04, proper pkcs11
uri support was added with v2024.01 and fixed with v2024.04, and finally
ability to auto sign scripts in fit images came with v2024.10.

Note, without the fix to ptxd_make_fit_image we would get a lot of
warnings like this:

    WARNING: Legacy URI specified. Please add 'pkcs11:'.
    WARNING: Legacy URI specified. Please add 'pkcs11:'.
    WARNING: Legacy URI specified. Please add 'pkcs11:'.

Noteworthy changes:

- v2021.10-rc1-59-g62b27a561c2 ("mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine")
- v2021.10-730-g6b7b9ff14da ("configs: add mkeficapsule to tools-only_defconfig")
- v2022.01-705-g5902a397d02 ("mkimage: Allow to specify the signature algorithm on the command line")
- v2022.01-818-g2d2384bbaff ("tools: mkimage: Show where signatures/keys are written")
- v2022.04-rc1-326-g9af16cc8f1a ("tools: build mkeficapsule with tools-only_defconfig")
- v2022.04-rc3-43-g5017f9b595d ("mkimage: error handling for FIT image")
- v2022.07-rc1-294-gdeb2638aa09 ("mkimage: Document misc options")
- v2022.07-rc4-74-g87b0af9317c ("mkimage: Support signing 'auto' FITs")
- v2023.01-892-gb93a65209c4 ("mkimage: fit: Support signed configurations in 'auto' FITs")
- v2024.01-rc5-560-gece85cc0202 ("rsa: use pkcs11 uri as defined in rfc7512")
- v2024.01-806-g03e598263e3 ("tools: fix build without LIBCRYPTO support")
- v2024.01-958-g11ad2bbfa2d ("lib: rsa: Fix PKCS11 URI if one is not given in `keydir`")
- v2024.01-959-gf055d6e8f0d ("lib: rsa: Allow legacy URI specification without "pkcs11:"")
- v2024.07-677-g6074f6e8578 ("mkimage: Allow 'auto-conf' signing of scripts")

(zlib license
text had one duplicate empty line remove with 2024.10.) Signed-off-by: Alexander Dahl <ada@thorsis.com> --- rules/host-u-boot-tools.in | 1 + rules/u-boot-tools.make | 6 +++--- scripts/lib/ptxd_make_fit_image.sh | 7 ------- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/rules/host-u-boot-tools.in b/rules/host-u-boot-tools.in index 55fc9f56e..0cf37ed66 100644 --- a/rules/host-u-boot-tools.in +++ b/rules/host-u-boot-tools.in @@ -2,5 +2,6 @@ config HOST_U_BOOT_TOOLS tristate + select HOST_GNUTLS select HOST_OPENSSL default y if ALLYES diff --git a/rules/u-boot-tools.make b/rules/u-boot-tools.make index 597ea5e30..f71219d88 100644 --- a/rules/u-boot-tools.make +++ b/rules/u-boot-tools.make @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_U_BOOT_TOOLS) += u-boot-tools # # Paths and names # -U_BOOT_TOOLS_VERSION := 2020.07 -U_BOOT_TOOLS_MD5 := 86e51eeccd15e658ad1df943a0edf622 +U_BOOT_TOOLS_VERSION := 2025.04 +U_BOOT_TOOLS_MD5 := da2cd684d4aa6195015fecd3efb1d0f0 U_BOOT_TOOLS := u-boot-$(U_BOOT_TOOLS_VERSION) U_BOOT_TOOLS_SUFFIX := tar.bz2 U_BOOT_TOOLS_URL := https://ftp.denx.de/pub/u-boot/$(U_BOOT_TOOLS).$(U_BOOT_TOOLS_SUFFIX) @@ -25,7 +25,7 @@ U_BOOT_TOOLS_PKGDIR := $(PKGDIR)/u-boot-tools-$(U_BOOT_TOOLS_VERSION) U_BOOT_TOOLS_LICENSE := GPL-2.0-or-later AND Zlib U_BOOT_TOOLS_LICENSE_FILES := \ file://Licenses/gpl-2.0.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://include/u-boot/zlib.h;startline=15;endline=43;md5=7c27ae0384929249664da410d539a1dc + file://include/u-boot/zlib.h;startline=15;endline=42;md5=0ce30a522a630f7e637ea6d74422b320 # ---------------------------------------------------------------------------- # Prepare diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh index 4b99e6fbf..ad9e5bdd3 100644 --- a/scripts/lib/ptxd_make_fit_image.sh +++ b/scripts/lib/ptxd_make_fit_image.sh 
@@ -126,13 +126,6 @@ ptxd_make_image_fit() { if [ -n "${image_sign_role}" ]; then pkcs11_uri=$(cs_get_uri "${image_sign_role}") - - # - # It would have been too simple for mkimage to just take a - # PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot - # then adds again. - # - pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://") sign_args=( -k "${pkcs11_uri}" ) fi -- 2.39.5 ^ permalink raw reply [flat|nested] 5+ messages in thread
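Review bot: The new `select HOST_GNUTLS` in rules/host-u-boot-tools.in is not explained in the commit message, which only talks about mkimage signing features. Please add a sentence naming the tool or build option in 2025.04 that needs GnuTLS on the host, so a later bump can tell whether the dependency is still required.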
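Review bot: In the first rules/u-boot-tools.make hunk, the tarball that provides the signing tool is still pinned only by U_BOOT_TOOLS_MD5. MD5 catches a corrupted download but is not collision resistant, so for a package that ends up handling signing keys it would be worth recording a stronger digest of the 2025.04 tarball as well, if the rule format has a field for one.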
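Review bot: With the `sed "s/pkcs11://"` strip removed from ptxd_make_image_fit(), the script silently depends on a mkimage that accepts a full `pkcs11:` URI, which by the commit message means v2024.01 with the fix from v2024.04. Nothing in scripts/lib/ptxd_make_fit_image.sh states or checks that, and an older mkimage would get the prefix added a second time, as the removed comment describes. A short comment next to `sign_args=( -k "${pkcs11_uri}" )` giving the minimum mkimage version would keep that knowledge in the code.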
* Re: [ptxdist] [APPLIED] u-boot-tools: Version bump 2020.07 -> 2025.04
From: Michael Olbrich @ 2025-05-16 22:02 UTC
To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as 0ed30d1e9f2d7270830cd207a1e05c09273997d6.

Michael

[sent from post-receive hook]

On Sat, 17 May 2025 00:02:53 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> Apart from bugfixes this is mostly interesting for mkimage's ability to do
> image signing.  Option -o for specifying the signing algorithm was added
> with v2022.04.  Signing 'auto' FITs was added with v2022.10, support for
> signed configurations in 'auto' FIT was added in v2023.04, proper pkcs11
> uri support was added with v2024.01 and fixed with v2024.04, and finally
> ability to auto sign scripts in fit images came with v2024.10.
>
> Note, without the fix to ptxd_make_fit_image we would get a lot of
> warnings like this:
>
>     WARNING: Legacy URI specified. Please add 'pkcs11:'.
>     WARNING: Legacy URI specified. Please add 'pkcs11:'.
>     WARNING: Legacy URI specified. Please add 'pkcs11:'.
>
> Noteworthy changes:
>
> - v2021.10-rc1-59-g62b27a561c2 ("mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine")
> - v2021.10-730-g6b7b9ff14da ("configs: add mkeficapsule to tools-only_defconfig")
> - v2022.01-705-g5902a397d02 ("mkimage: Allow to specify the signature algorithm on the command line")
> - v2022.01-818-g2d2384bbaff ("tools: mkimage: Show where signatures/keys are written")
> - v2022.04-rc1-326-g9af16cc8f1a ("tools: build mkeficapsule with tools-only_defconfig")
> - v2022.04-rc3-43-g5017f9b595d ("mkimage: error handling for FIT image")
> - v2022.07-rc1-294-gdeb2638aa09 ("mkimage: Document misc options")
> - v2022.07-rc4-74-g87b0af9317c ("mkimage: Support signing 'auto' FITs")
> - v2023.01-892-gb93a65209c4 ("mkimage: fit: Support signed configurations in 'auto' FITs")
> - v2024.01-rc5-560-gece85cc0202 ("rsa: use pkcs11 uri as defined in rfc7512")
> - v2024.01-806-g03e598263e3 ("tools: fix build without LIBCRYPTO support")
> - v2024.01-958-g11ad2bbfa2d ("lib: rsa: Fix PKCS11
URI if one is not given in `keydir`) > - v2024.01-959-gf055d6e8f0d ("lib: rsa: Allow legacy URI specification without "pkcs11:"") > - v2024.07-677-g6074f6e8578 ("mkimage: Allow 'auto-conf' signing of scripts") > > (zlib license text had one duplicate empty line remove with 2024.10.) > > Signed-off-by: Alexander Dahl <ada@thorsis.com> > Message-Id: <20250513140641.4075870-2-ada@thorsis.com> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > > diff --git a/rules/host-u-boot-tools.in b/rules/host-u-boot-tools.in > index 55fc9f56e987..0cf37ed6614a 100644 > --- a/rules/host-u-boot-tools.in > +++ b/rules/host-u-boot-tools.in > @@ -2,5 +2,6 @@ > > config HOST_U_BOOT_TOOLS > tristate > + select HOST_GNUTLS > select HOST_OPENSSL > default y if ALLYES > diff --git a/rules/u-boot-tools.make b/rules/u-boot-tools.make > index 597ea5e30075..f71219d884b7 100644 > --- a/rules/u-boot-tools.make > +++ b/rules/u-boot-tools.make > @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_U_BOOT_TOOLS) += u-boot-tools > # > # Paths and names > # > -U_BOOT_TOOLS_VERSION := 2020.07 > -U_BOOT_TOOLS_MD5 := 86e51eeccd15e658ad1df943a0edf622 > +U_BOOT_TOOLS_VERSION := 2025.04 > +U_BOOT_TOOLS_MD5 := da2cd684d4aa6195015fecd3efb1d0f0 > U_BOOT_TOOLS := u-boot-$(U_BOOT_TOOLS_VERSION) > U_BOOT_TOOLS_SUFFIX := tar.bz2 > U_BOOT_TOOLS_URL := https://ftp.denx.de/pub/u-boot/$(U_BOOT_TOOLS).$(U_BOOT_TOOLS_SUFFIX) > @@ -25,7 +25,7 @@ U_BOOT_TOOLS_PKGDIR := $(PKGDIR)/u-boot-tools-$(U_BOOT_TOOLS_VERSION) > U_BOOT_TOOLS_LICENSE := GPL-2.0-or-later AND Zlib > U_BOOT_TOOLS_LICENSE_FILES := \ > file://Licenses/gpl-2.0.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ > - file://include/u-boot/zlib.h;startline=15;endline=43;md5=7c27ae0384929249664da410d539a1dc > + file://include/u-boot/zlib.h;startline=15;endline=42;md5=0ce30a522a630f7e637ea6d74422b320 > > # ---------------------------------------------------------------------------- > # Prepare 
> diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh > index 4b99e6fbfec3..ad9e5bdd380a 100644 > --- a/scripts/lib/ptxd_make_fit_image.sh > +++ b/scripts/lib/ptxd_make_fit_image.sh > @@ -126,13 +126,6 @@ ptxd_make_image_fit() { > > if [ -n "${image_sign_role}" ]; then > pkcs11_uri=$(cs_get_uri "${image_sign_role}") > - > - # > - # It would have been too simple for mkimage to just take a > - # PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot > - # then adds again. > - # > - pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://") > sign_args=( -k "${pkcs11_uri}" ) > fi > ^ permalink raw reply [flat|nested] 5+ messages in thread
* [ptxdist] [PATCH v1 2/2] u-boot: Add option to load signed kernel FIT images
From: Alexander Dahl via ptxdist @ 2025-05-13 14:06 UTC
To: ptxdist; +Cc: Alexander Dahl

Requires U-Boot v2023.04 or later, certain options set in board config,
and KERNEL_FIT_SIGNED enabled.  Algorithm "sha256,rsa4096" is hardcoded
to the same value as hardcoded in ptxd_make_image_fit_its() which is used
by the kernel-fit package.

With those premises met, U-Boot Verified Boot is possible.  Tested with
U-Boot v2024.04 on Microchip SAM9X60-Curiosity in custom layer on top of
DistroKit-2024.06.0.

    Hit any key to stop autoboot: 0
    8787737 bytes read in 391 ms (21.4 MiB/s)
    ## Loading kernel from FIT Image at 22000000 ...
       Using 'conf-microchip,sam9x60-curiosity' configuration
       Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
       Trying 'kernel' kernel subimage
         Description: kernel
         Type: Kernel Image (no loading done)
         Compression: uncompressed
         Data Start: 0x220000b4
         Data Size: 8757936 Bytes = 8.4 MiB
         Hash algo: sha256
         Hash value: 8c109fc75263329402c7ae63e3d47c18aabf67307ebc0023e88921227abc7cf3
       Verifying Hash Integrity ... sha256+ OK
    ## Loading fdt from FIT Image at 22000000 ...
       Using 'conf-microchip,sam9x60-curiosity' configuration
       Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
       Trying 'fdt-microchip,sam9x60-curiosity' fdt subimage
         Description: unavailable
         Type: Flat Device Tree
         Compression: uncompressed
         Data Start: 0x2285a45c
         Data Size: 27903 Bytes = 27.2 KiB
         Architecture: ARM
         Hash algo: sha256
         Hash value: db2e8047b404f92cc7ca4f7b918be1191aab3ce33d574f046c0f1da959d3cbb2
       Verifying Hash Integrity ... sha256+ OK
       Booting using the fdt blob at 0x2285a45c
    Working FDT set to 2285a45c
       XIP Kernel Image (no loading done) to 220000b4
       Loading Device Tree to 27b31000, end 27b3acfe ... OK
    Working FDT set to 27b31000

    Starting kernel ...

[ 0.000000] Booting Linux on physical CPU 0x0 [ 0.000000] Linux version 6.6.0-tt (ptxdist@ptxdist) (arm-v5te-linux-gnueabi-gcc (OSELAS.Toolchain-2023.07.1 13-20231118) 13.2.1 20231118, GNU ld (GNU Binutils) 2.40) #2 PREEMPT 2024-06-07T12:29:46+00:00 Link: https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html Signed-off-by: Alexander Dahl <ada@thorsis.com> --- platforms/u-boot.in | 30 +++++++++++++++++++++++++++--- rules/u-boot.make | 13 +++++++++++++ 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/platforms/u-boot.in b/platforms/u-boot.in index 5ce7387e4..d263135ca 100644 --- a/platforms/u-boot.in +++ b/platforms/u-boot.in @@ -7,6 +7,7 @@ config U_BOOT_DEPENDENCIES menuconfig U_BOOT select U_BOOT_DEPENDENCIES select BOOTLOADER + select CODE_SIGNING if U_BOOT_VERIFY_SIGNATURE select HOST_SYSTEM_PYTHON3 select HOST_OPENSSL if U_BOOT_NEEDS_HOST_OPENSSL select HOST_GNUTLS if U_BOOT_NEEDS_HOST_GNUTLS @@ -18,11 +19,11 @@ if U_BOOT config U_BOOT_VERSION string - default "2019.01" + default "2023.04" prompt "U-Boot version" help - Enter the U-Boot version you want to build. Usually something like - "2019.01". + Enter the U-Boot version you want to build. + Usually something like "2019.01". config U_BOOT_MD5 string 
@@ -193,6 +194,29 @@ config U_BOOT_BOOT_SCRIPT_ROOTFS_PATH endif +config U_BOOT_VERIFY_SIGNATURE + bool + prompt "Verify FIT image signature" + select U_BOOT_NEEDS_HOST_OPENSSL + imply KERNEL_FIT_SIGNED + help + For U-Boot Verified Boot [1] a public key has to be put into + the control dtb built with U-Boot. + The loaded image (most probably a Linux Kernel image) must be + signed with the matching private key. + Uses the PTXdist Code Signing Infrastructure. + + Note: You need U-Boot 2023.04 or later. + + Note: You must enable CONFIG_TOOLS_FIT_SIGNATURE in U-Boot + Kconfig for the necessary host mkimage features, and + enable CONFIG_FIT_SIGNATURE, CONFIG_RSA, and + CONFIG_ECDSA for runtime verification. + Ensure you have _disabled_ CONFIG_LEGACY_IMAGE_FORMAT to + not accidentally allow running unsigned images. + + [1] https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html + comment "target install" config U_BOOT_INSTALL_U_BOOT_BIN diff --git a/rules/u-boot.make b/rules/u-boot.make index 204475b78..d3ea65cf2 100644 --- a/rules/u-boot.make +++ b/rules/u-boot.make @@ -120,6 +120,19 @@ endif $(STATEDIR)/u-boot.compile: @$(call targetinfo) @$(call world/compile, U_BOOT) +ifdef PTXCONF_U_BOOT_VERIFY_SIGNATURE + @mv $(U_BOOT_BUILD_DIR)/u-boot.dtb $(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb + @$(CODE_SIGNING_ENV) $(U_BOOT_BUILD_DIR)/tools/mkimage \ + -f auto-conf -d /dev/null -r \ + -g image-kernel-fit -N pkcs11 -o "sha256,rsa4096" \ + -k "$(shell cs_get_uri image-kernel-fit)" \ + -K "$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb" \ + $(U_BOOT_BUILD_DIR)/unused.itb +# # retrigger building dts/dt.dtb to use EXT_DTB, might stay as is otherwise + @rm $(U_BOOT_BUILD_DIR)/dts/dt.dtb + @$(call compile, U_BOOT, $(U_BOOT_MAKE_OPT) EXT_DTB=$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb) +endif + ifdef PTXCONF_U_BOOT_BOOT_SCRIPT @$(U_BOOT_BUILD_DIR)/tools/mkimage -T script -C none \ -d $(U_BOOT_BOOT_SCRIPT_TXT) \ -- 2.39.5 ^ permalink raw reply [flat|nested] 5+ messages in thread
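Review bot: The U_BOOT_VERSION hunk in platforms/u-boot.in moves the default to "2023.04" while the reflowed help text still reads `Usually something like "2019.01".`, and the U_BOOT_MD5 entry directly below is not touched. Please update the example version in the help text and confirm that the MD5 default still matches the new version default.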
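Review bot: The help text of U_BOOT_VERIFY_SIGNATURE lists CONFIG_ECDSA as required for runtime verification, but the commit message and the mkimage call both fix the algorithm to "sha256,rsa4096", so only RSA is exercised; either drop CONFIG_ECDSA from the list or say why it is needed. The requirements on CONFIG_FIT_SIGNATURE, CONFIG_RSA and a disabled CONFIG_LEGACY_IMAGE_FORMAT are also documentation only: a build-time check of the U-Boot .config that fails when they are not set as described would keep a board from shipping with this option enabled and a bootloader that still accepts unsigned images.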
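Review bot: In the rules/u-boot.make hunk, `-k "$(shell cs_get_uri image-kernel-fit)"` is expanded by make before the recipe line runs, so cs_get_uri executes in make's own environment and not under the `$(CODE_SIGNING_ENV)` that prefixes mkimage; please make sure the lookup sees the same environment or add a comment on why it does not need it. The URI is also passed unmodified to the mkimage built from the selected U-Boot tree, while patch 1/2 says full `pkcs11:` URIs only work properly from v2024.01/v2024.04, so the stated minimum of 2023.04 (tested with v2024.04) should be rechecked. Minor: the plain `mv` and `rm` make the stage fail when it is re-run after those files are already gone, the generated unused.itb is left behind in the build directory, and the role name and algorithm are now hardcoded here as well as in ptxd_make_image_fit_its().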
* Re: [ptxdist] [APPLIED] u-boot: Add option to load signed kernel FIT images
From: Michael Olbrich @ 2025-05-16 22:02 UTC
To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as a4c386b34b25fa0c838797a533fc716b46c80dc0.

Michael

[sent from post-receive hook]

On Sat, 17 May 2025 00:02:53 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> Requires U-Boot v2023.04 or later, certain options set in board config,
> and KERNEL_FIT_SIGNED enabled.  Algorithm "sha256,rsa4096" is hardcoded
> to the same value as hardcoded in ptxd_make_image_fit_its() which is used
> by the kernel-fit package.
>
> With those premises met, U-Boot Verified Boot is possible.  Tested with
> U-Boot v2024.04 on Microchip SAM9X60-Curiosity in custom layer on top of
> DistroKit-2024.06.0.
>
>     Hit any key to stop autoboot: 0
>     8787737 bytes read in 391 ms (21.4 MiB/s)
>     ## Loading kernel from FIT Image at 22000000 ...
>        Using 'conf-microchip,sam9x60-curiosity' configuration
>        Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
>        Trying 'kernel' kernel subimage
>          Description: kernel
>          Type: Kernel Image (no loading done)
>          Compression: uncompressed
>          Data Start: 0x220000b4
>          Data Size: 8757936 Bytes = 8.4 MiB
>          Hash algo: sha256
>          Hash value: 8c109fc75263329402c7ae63e3d47c18aabf67307ebc0023e88921227abc7cf3
>        Verifying Hash Integrity ... sha256+ OK
>     ## Loading fdt from FIT Image at 22000000 ...
>        Using 'conf-microchip,sam9x60-curiosity' configuration
>        Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
>        Trying 'fdt-microchip,sam9x60-curiosity' fdt subimage
>          Description: unavailable
>          Type: Flat Device Tree
>          Compression: uncompressed
>          Data Start: 0x2285a45c
>          Data Size: 27903 Bytes = 27.2 KiB
>          Architecture: ARM
>          Hash algo: sha256
>          Hash value: db2e8047b404f92cc7ca4f7b918be1191aab3ce33d574f046c0f1da959d3cbb2
>        Verifying Hash Integrity ... sha256+ OK
>        Booting using the fdt blob at 0x2285a45c
>     Working FDT set to 2285a45c
>        XIP Kernel Image (no loading done) to 220000b4
>        Loading Device Tree to 27b31000, end 27b3acfe ...
OK > Working FDT set to 27b31000 > > Starting kernel ... > > [ 0.000000] Booting Linux on physical CPU 0x0 > [ 0.000000] Linux version 6.6.0-tt (ptxdist@ptxdist) (arm-v5te-linux-gnueabi-gcc (OSELAS.Toolchain-2023.07.1 13-20231118) 13.2.1 20231118, GNU ld (GNU Binutils) 2.40) #2 PREEMPT 2024-06-07T12:29:46+00:00 > > Link: https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html > Signed-off-by: Alexander Dahl <ada@thorsis.com> > Message-Id: <20250513140641.4075870-3-ada@thorsis.com> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > > diff --git a/platforms/u-boot.in b/platforms/u-boot.in > index 5ce7387e495d..d263135ca7e7 100644 > --- a/platforms/u-boot.in > +++ b/platforms/u-boot.in > @@ -7,6 +7,7 @@ config U_BOOT_DEPENDENCIES > menuconfig U_BOOT > select U_BOOT_DEPENDENCIES > select BOOTLOADER > + select CODE_SIGNING if U_BOOT_VERIFY_SIGNATURE > select HOST_SYSTEM_PYTHON3 > select HOST_OPENSSL if U_BOOT_NEEDS_HOST_OPENSSL > select HOST_GNUTLS if U_BOOT_NEEDS_HOST_GNUTLS > @@ -18,11 +19,11 @@ if U_BOOT > > config U_BOOT_VERSION > string > - default "2019.01" > + default "2023.04" > prompt "U-Boot version" > help > - Enter the U-Boot version you want to build. Usually something like > - "2019.01". > + Enter the U-Boot version you want to build. > + Usually something like "2019.01". > > config U_BOOT_MD5 > string 
> @@ -193,6 +194,29 @@ config U_BOOT_BOOT_SCRIPT_ROOTFS_PATH > > endif > > +config U_BOOT_VERIFY_SIGNATURE > + bool > + prompt "Verify FIT image signature" > + select U_BOOT_NEEDS_HOST_OPENSSL > + imply KERNEL_FIT_SIGNED > + help > + For U-Boot Verified Boot [1] a public key has to be put into > + the control dtb built with U-Boot. > + The loaded image (most probably a Linux Kernel image) must be > + signed with the matching private key. > + Uses the PTXdist Code Signing Infrastructure. > + > + Note: You need U-Boot 2023.04 or later. > + > + Note: You must enable CONFIG_TOOLS_FIT_SIGNATURE in U-Boot > + Kconfig for the necessary host mkimage features, and > + enable CONFIG_FIT_SIGNATURE, CONFIG_RSA, and > + CONFIG_ECDSA for runtime verification. > + Ensure you have _disabled_ CONFIG_LEGACY_IMAGE_FORMAT to > + not accidentally allow running unsigned images. > + > + [1] https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html > + > comment "target install" > > config U_BOOT_INSTALL_U_BOOT_BIN > diff --git a/rules/u-boot.make b/rules/u-boot.make > index 204475b7843b..d3ea65cf2a53 100644 > --- a/rules/u-boot.make > +++ b/rules/u-boot.make 
> @@ -120,6 +120,19 @@ endif > $(STATEDIR)/u-boot.compile: > @$(call targetinfo) > @$(call world/compile, U_BOOT) > +ifdef PTXCONF_U_BOOT_VERIFY_SIGNATURE > + @mv $(U_BOOT_BUILD_DIR)/u-boot.dtb $(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb > + @$(CODE_SIGNING_ENV) $(U_BOOT_BUILD_DIR)/tools/mkimage \ > + -f auto-conf -d /dev/null -r \ > + -g image-kernel-fit -N pkcs11 -o "sha256,rsa4096" \ > + -k "$(shell cs_get_uri image-kernel-fit)" \ > + -K "$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb" \ > + $(U_BOOT_BUILD_DIR)/unused.itb > +# # retrigger building dts/dt.dtb to use EXT_DTB, might stay as is otherwise > + @rm $(U_BOOT_BUILD_DIR)/dts/dt.dtb > + @$(call compile, U_BOOT, $(U_BOOT_MAKE_OPT) EXT_DTB=$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb) > +endif > + > ifdef PTXCONF_U_BOOT_BOOT_SCRIPT > @$(U_BOOT_BUILD_DIR)/tools/mkimage -T script -C none \ > -d $(U_BOOT_BOOT_SCRIPT_TXT) \ ^ permalink raw reply [flat|nested] 5+ messages in thread
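The boot log in the commit message carries the line that matters for Verified Boot: the configuration check reports `sha256,rsa4096:image-kernel-fit+ OK`, while the per-image checks report only a hash (`sha256+ OK`). The following is an added example, not part of the patch series or of PTXdist: a check that a bring-up or CI test could run over a captured console log to confirm each FIT load was authenticated with the expected key. The function name `check_verified_boot` is hypothetical, the sample logs are constructed and abridged, and the shape of the hash-only line is an assumption.

```python
import re

LOAD_RE = re.compile(r"^## Loading (\S+) from FIT Image")
VERIFY_RE = re.compile(r"Verifying Hash Integrity \.\.\.\s*(.*)$")
# "<hash>,<crypto>:<key name>" followed by "+" (verified) or "-" (failed).
SIG_RE = re.compile(r"(?P<algo>\w+,\w+):(?P<key>[\w.-]+?)(?P<mark>[+-])(?=\s|$)")

# Constructed sample, abridged from the shape of the log in the commit message.
SIGNED_LOG = """\
## Loading kernel from FIT Image at 22000000 ...
   Using 'conf-microchip,sam9x60-curiosity' configuration
   Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
   Trying 'kernel' kernel subimage
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 22000000 ...
   Using 'conf-microchip,sam9x60-curiosity' configuration
   Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
   Trying 'fdt-microchip,sam9x60-curiosity' fdt subimage
   Verifying Hash Integrity ... sha256+ OK
Starting kernel ...
"""

# Constructed sample: same boot, but the configuration carries no signature
# (assumed line shape), so only the per-image hashes are checked.
HASH_ONLY_LOG = SIGNED_LOG.replace("sha256,rsa4096:image-kernel-fit+ OK", "OK")


def check_verified_boot(log, key="image-kernel-fit", algo="sha256,rsa4096"):
    """Return a list of problems; an empty list means every FIT load was
    preceded by a configuration signature check with the expected key."""
    problems = []
    component = None   # component named in the current "## Loading" stanza
    pending = False    # True until the stanza's configuration check is seen
    loads = 0
    for line in log.splitlines():
        if "from Legacy Image" in line:
            problems.append("legacy image format used, which carries no signature")
        m = LOAD_RE.match(line)
        if m:
            if pending:
                problems.append(f"{component}: no configuration check logged")
            component, pending, loads = m.group(1), True, loads + 1
            continue
        m = VERIFY_RE.search(line)
        if m and pending:
            # The first check after "## Loading" covers the configuration;
            # later ones are per-image hashes such as "sha256+ OK".
            pending = False
            result = m.group(1).strip()
            sigs = {(s["algo"], s["key"], s["mark"]) for s in SIG_RE.finditer(result)}
            if (algo, key, "+") not in sigs or not result.endswith("OK"):
                problems.append(f"{component}: configuration not verified by {algo}:{key}")
    if pending:
        problems.append(f"{component}: no configuration check logged")
    if loads == 0:
        problems.append("no FIT image load found in log")
    return problems


if __name__ == "__main__":
    for name, log in (("signed", SIGNED_LOG), ("hash-only", HASH_ONLY_LOG)):
        print(name, check_verified_boot(log) or "verified")
```

A hash-only result is the case to catch: the image is intact but nothing ties it to the signing key, which is what a board with signature verification left out of its U-Boot configuration would log.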