authorHolger Dengler <dengler@linutronix.de>2017-11-19 18:21:29 +0100
committerJohn Ogness <john.ogness@linutronix.de>2017-12-19 09:39:23 +0100
commit534d76fa634adc6c7c0b076b67025fd082a8a90c (patch)
treea88dbda188d2d185c730ff6640b955dd7629ae9f /security/secureboot/frm_secboot_u-boot.tex
parent029792b699380512e39920271af7ee8482a6c2bd (diff)
secureboot
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security/secureboot/frm_secboot_u-boot.tex')
-rw-r--r--security/secureboot/frm_secboot_u-boot.tex159
1 files changed, 159 insertions, 0 deletions
diff --git a/security/secureboot/frm_secboot_u-boot.tex b/security/secureboot/frm_secboot_u-boot.tex
new file mode 100644
index 0000000..18c0646
--- /dev/null
+++ b/security/secureboot/frm_secboot_u-boot.tex
@@ -0,0 +1,159 @@
+% ----------------------------
+\subsection{U-Boot Integrity}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{U-Boot Responsibilities}
+\begin{itemize}
+\item initialize CPU
+\item initialize Peripherals
+\item prepare Linux Kernel Parameter (cmdline)
+\item load Kernel/Devicetree/InitramFS Images (bootm/bootz)
+\item opt.: U-Boot Command Line interactions
+\end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+\frametitle{U-Boot Integrity check}
+\begin{itemize}
+\item Image Signature checks
+\item Basic Feature available since v2013.04
+\item Supported in U-Boot and SPL
+\item Algorithms
+ \begin{itemize}
+ \item sha1 (note: not recommended anymore)
+ \item sha2
+ \item RSA, keylength 2048 and 4096 bit
+ \end{itemize}
+\item Keyring
+ \begin{itemize}
+ \item pre-calculated Key
+ \item used Algorithm
+ \item build from external DTB
+ \end{itemize}
+\item Protected commands
+ \begin{itemize}
+ \item bootm (FIT Images only)
+ \item bootz disabled
+ \end{itemize}
+\item Protected Data
+ \begin{itemize}
+ \item Kernel Image (Image or zImage)
+ \item Devicetree
+ \item InitramFS
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Configuration}
+\begin{columns}[onlytextwidth]
+ \begin{column}{0.40\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{defconfig}
+ \begin{scriptsize}
+ \begin{verbatim}
+CONFIG_FIT=y
+CONFIG_FIT_VERBOSE=y
+CONFIG_FIT_SIGNATURE=y
+CONFIG_SECURE_BOOT=y
+CONFIG_OF_CONTROL=y
+ \end{verbatim}
+ \end{scriptsize}
+ \end{beamerboxesrounded}
+ \end{column}
+ \begin{column}{0.50\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Keyring DT}
+ \begin{scriptsize}
+ \begin{verbatim}
+/dts-v1/;
+/ {
+ model = "u-boot keystore";
+ compatible = "linutronix,imx7d";
+ signature {
+ image-policy {
+ required = "conf";
+ algo = "sha256,rsa4096";
+ };
+
+ keystore {
+ rsa,r-squared = < [...] >;
+ rsa,modulus = < [...] >;
+ rsa,exponent = < [...] >;
+ rsa,n0-inverse = < [...] >;
+ rsa,num-bits = < [...] >;
+ key-name-hint = "mx7-secboot";
+ };
+ };
+};
+ \end{verbatim}
+ \end{scriptsize}
+ \end{beamerboxesrounded}
+ \end{column}
+\end{columns}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{FIT Image Generation}
+\begin{columns}[onlytextwidth]
+\begin{column}{0.45\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Images}
+ \begin{scriptsize}
+ \begin{verbatim}
+images {
+ kernel@1 {
+ description = "imx7d Kernel";
+ data = /incbin/("zImage");
+ type = "kernel";
+ [...]
+ hash@1 {
+ algo = "sha256";
+ };
+ };
+ fdt@1 {
+ description = "phytec-zeta DTB";
+ data = /incbin/("imx7d-zeta.dtb");
+ type = "flat_dt";
+ [...]
+ hash@1 {
+ algo = "sha256";
+ };
+ };
+};
+ \end{verbatim}
+ \end{scriptsize}
+ \end{beamerboxesrounded}
+\end{column}
+\begin{column}{0.50\textwidth}
+ \begin{beamerboxesrounded}[shadow=true]{Configurations}
+ \begin{scriptsize}
+ \begin{verbatim}
+configurations {
+ default = "conf@1";
+ conf@1 {
+ description = "Linux imx7d phytec-zeta";
+ kernel = "kernel@1";
+ fdt = "fdt@1";
+ signature@1 {
+ algo = "sha256,rsa4096";
+ key-name-hint = "mx7-secboot";
+ sign-images = "fdt", "kernel";
+ };
+ };
+};
+ \end{verbatim}
+ \end{scriptsize}
+ \end{beamerboxesrounded}
+\end{column}
+\end{columns}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Verification in System-Context}
+\begin{figure}[h]
+\centering
+\includegraphics[width=8cm]{images/uboot-fit.png}
+\end{figure}
+\end{frame}
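Review bot: The "U-Boot Integrity check" frame lists InitramFS under "Protected Data", but the example on the "FIT Image Generation" frame defines no ramdisk image and its `sign-images = "fdt", "kernel";` leaves a ramdisk out of the signed configuration. As far as I know, mkimage covers only the images named in `sign-images` with the configuration signature, so an initramfs added to this example would have an unsigned hash node and would not be authenticated at boot. I would add a `ramdisk@1` image node with its own `hash@1` (sha256, as for the other two images), reference it from `conf@1` with `ramdisk = "ramdisk@1";`, and extend the list to `sign-images = "fdt", "kernel", "ramdisk";`. If the column has no room for that, drop InitramFS from the "Protected Data" list or mark it as "only when listed in sign-images", so the slide does not promise more than the example delivers.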