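% ----------------------------
% Slides: U-Boot integrity checking (signed FIT images).
% One statement per line; the verbatim listings need their own line breaks to
% render as DTS/defconfig snippets.
% Frames are [fragile], so each \end{frame} stays alone on its line at column 0.
% ----------------------------
\subsection{U-Boot Integrity}
% ----------------------------

% Review note: the kernel command line and the optional interactive command
% line are inputs that the FIT signature shown later does not cover by itself.
% Presumably bootargs come from the U-Boot environment here -- confirm that
% environment and console cannot be changed by an unauthenticated user on
% production devices.
\begin{frame}[fragile]
  \frametitle{U-Boot Responsibilities}
  \begin{itemize}
    \item initialize CPU
    \item initialize Peripherals
    \item prepare Linux Kernel Parameter (cmdline)
    \item load Kernel/Devicetree/InitramFS Images (bootm/bootz)
    \item opt.: U-Boot Command Line interactions
  \end{itemize}
\end{frame}

% Review notes:
% - sha1 is listed for completeness only; the examples on the following slides
%   use sha256.
% - The keyring properties shown later (modulus, exponent, r-squared,
%   n0-inverse) are public-key values; the private signing key is not part of
%   the U-Boot image.
% - bootz takes a bare zImage, which has no signature container; that is
%   presumably why the slide lists it as disabled.
\begin{frame}[fragile]
  \frametitle{U-Boot Integrity check}
  \begin{itemize}
    \item Image Signature checks
    \item Basic Feature available since v2013.04
    \item Supported in U-Boot and SPL
    \item Algorithms
      \begin{itemize}
        \item sha1 (note: not recommended anymore)
        \item sha2
        \item RSA, key length 2048 and 4096 bit
      \end{itemize}
    \item Keyring
      \begin{itemize}
        \item pre-calculated Key
        \item used Algorithm
        \item built from external DTB
      \end{itemize}
    \item Protected commands
      \begin{itemize}
        \item bootm (FIT Images only)
        \item bootz disabled
      \end{itemize}
    \item Protected Data
      \begin{itemize}
        \item Kernel Image (Image or zImage)
        \item Devicetree
        \item InitramFS
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
% Review notes:
% - CONFIG_FIT_SIGNATURE turns on signature verification of FIT images;
%   CONFIG_OF_CONTROL gives U-Boot a control devicetree, which is where the
%   keyring below ends up.
% - NOTE(review): CONFIG_SECURE_BOOT looks platform-specific (SoC secure-boot
%   support on i.MX) and may be named differently in newer U-Boot releases --
%   confirm against the version in use.
% - required = "conf" makes a valid signature over the configuration
%   mandatory, so individually valid images cannot be recombined into a
%   configuration that was never signed.
% - NOTE(review): upstream U-Boot documents the key as a single node
%   /signature/key-<name> holding required, algo, rsa,* and key-name-hint; the
%   image-policy/keystore split here looks simplified -- confirm against the
%   DTB that is actually built.
% - The keyring is only as trustworthy as the U-Boot binary that embeds it;
%   U-Boot itself has to be authenticated by the preceding boot stage.
\begin{frame}[fragile]
  \frametitle{Configuration}
  \begin{columns}[onlytextwidth]
    \begin{column}{0.40\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{defconfig}
        \begin{scriptsize}
\begin{verbatim}
CONFIG_FIT=y
CONFIG_FIT_VERBOSE=y
CONFIG_FIT_SIGNATURE=y
CONFIG_SECURE_BOOT=y
CONFIG_OF_CONTROL=y
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
    \begin{column}{0.50\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Keyring DT}
        \begin{scriptsize}
\begin{verbatim}
/dts-v1/;
/ {
  model = "u-boot keystore";
  compatible = "linutronix,imx7d";
  signature {
    image-policy {
      required = "conf";
      algo = "sha256,rsa4096";
    };
    keystore {
      rsa,r-squared = < [...] >;
      rsa,modulus = < [...] >;
      rsa,exponent = < [...] >;
      rsa,n0-inverse = < [...] >;
      rsa,num-bits = < [...] >;
      key-name-hint = "mx7-secboot";
    };
  };
};
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
  \end{columns}
\end{frame}

% ----------------------------
% Review notes:
% - The hash@1 nodes on their own only detect corruption. Authenticity comes
%   from signature@1 in the configuration, which covers the configuration and
%   the hashes of the images named in sign-images.
% - The example carries no ramdisk. An InitramFS (listed as protected data on
%   the earlier slide) would need its own image node, a reference from conf@1
%   and coverage by the configuration signature.
% - NOTE(review): newer U-Boot releases reject '@' in the node names of signed
%   FIT images and expect names such as kernel-1, fdt-1, conf-1 and hash-1 --
%   confirm against the targeted version before reusing this .its layout.
\begin{frame}[fragile]
  \frametitle{FIT Image Generation}
  \begin{columns}[onlytextwidth]
    \begin{column}{0.45\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Images}
        \begin{scriptsize}
\begin{verbatim}
images {
  kernel@1 {
    description = "imx7d Kernel";
    data = /incbin/("zImage");
    type = "kernel";
    [...]
    hash@1 {
      algo = "sha256";
    };
  };
  fdt@1 {
    description = "phytec-zeta DTB";
    data = /incbin/("imx7d-zeta.dtb");
    type = "flat_dt";
    [...]
    hash@1 {
      algo = "sha256";
    };
  };
};
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
    \begin{column}{0.50\textwidth}
      \begin{beamerboxesrounded}[shadow=true]{Configurations}
        \begin{scriptsize}
\begin{verbatim}
configurations {
  default = "conf@1";
  conf@1 {
    description = "Linux imx7d phytec-zeta";
    kernel = "kernel@1";
    fdt = "fdt@1";
    signature@1 {
      algo = "sha256,rsa4096";
      key-name-hint = "mx7-secboot";
      sign-images = "fdt", "kernel";
    };
  };
};
\end{verbatim}
        \end{scriptsize}
      \end{beamerboxesrounded}
    \end{column}
  \end{columns}
\end{frame}

% ----------------------------
% The figure is expected to place FIT verification within the overall boot
% chain (image content is not visible from this source).
\begin{frame}[fragile]
  \frametitle{Verification in System-Context}
  \begin{figure}[h]
    \centering
    \includegraphics[width=8cm]{images/uboot-fit.png}
  \end{figure}
\end{frame}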