path: root/security/secureboot/frm_secboot_u-boot.tex
% ----------------------------
\subsection{U-Boot Integrity}

% ----------------------------
% Frame: the jobs U-Boot performs between reset and the hand-over to Linux.
% Every listed step touches something that later decides what runs on the
% board (kernel command line, loaded images, interactive console), which is
% why the following frames deal with verifying what U-Boot loads.
% NOTE(review): this frame contains no verbatim material, so [fragile] is
% not strictly needed; it is kept for consistency with the other frames.
\begin{frame}[fragile]
  \frametitle{U-Boot Responsibilities}
  \begin{itemize}
    \item initialize CPU
    \item initialize Peripherals
    \item prepare Linux Kernel Parameter (cmdline)
    \item load Kernel/Devicetree/InitramFS Images (bootm/bootz)
    \item opt.: U-Boot Command Line interactions
  \end{itemize}
\end{frame}

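% Frame: summary of U-Boot's FIT signature verification.
% - Algorithms: a digest (sha1/sha2) combined with an RSA signature; the
%   slide itself flags sha1 as no longer recommended.
% - Keyring: the verification key data handed to U-Boot through a device
%   tree; the "Configuration" frame shows its properties
%   (rsa,modulus, rsa,exponent and the pre-calculated rsa,r-squared /
%   rsa,n0-inverse values).
% - Protected commands: only bootm with FIT images goes through the
%   signature check, which is presumably why bootz (plain zImage, no
%   signature container) is listed as disabled.
% TODO(review): confirm the "since v2013.04" release number against the
% upstream U-Boot history before presenting.
\begin{frame}[fragile]
\frametitle{U-Boot Integrity check}
\begin{itemize}
  \item Image Signature checks
  \item Basic Feature available since v2013.04
  \item Supported in U-Boot and SPL
  \item Algorithms
    \begin{itemize}
      \item sha1 (note: not recommended anymore)
      \item sha2
      \item RSA, key length 2048 and 4096 bit
    \end{itemize}
  \item Keyring
    \begin{itemize}
      \item pre-calculated Key
      \item used Algorithm
      \item built from external DTB
    \end{itemize}
  \item Protected commands
    \begin{itemize}
      \item bootm (FIT Images only)
      \item bootz disabled
    \end{itemize}
  \item Protected Data
    \begin{itemize}
      \item Kernel Image (Image or zImage)
      \item Devicetree
      \item InitramFS
    \end{itemize}
\end{itemize}
\end{frame}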

% ----------------------------
% Frame: U-Boot build switches (left box) and the key device tree
% ("keyring", right box) used for FIT signature verification.
%
% Left box (defconfig):
%   CONFIG_FIT / CONFIG_FIT_SIGNATURE  FIT image support and signature
%                                      checking of FIT images.
%   CONFIG_OF_CONTROL                  U-Boot is configured through a
%                                      device tree; presumably this is
%                                      where the keyring is picked up.
%   CONFIG_FIT_VERBOSE                 presumably diagnostics only.
%   NOTE(review): CONFIG_SECURE_BOOT looks like the SoC-specific secure
%   boot switch (the keyring targets an imx7d) -- confirm its meaning and
%   name for the U-Boot tree actually used.
%
% Right box (keyring DT):
%   Only public-key values are shown (modulus, exponent and the
%   pre-calculated r-squared / n0-inverse helpers); no private key belongs
%   in this file. required = "conf" asks for signed configurations, and
%   algo / key-name-hint match the signature node on the
%   "FIT Image Generation" frame.
%   This key data is the trust anchor for every later check, so U-Boot and
%   the device tree carrying it have to be authenticated by the preceding
%   boot stage; otherwise the key could simply be swapped.
%   NOTE(review): upstream U-Boot documents these properties (including
%   required and algo) under a single key-<name-hint> node inside
%   /signature; the image-policy / keystore split shown here looks like a
%   simplification -- compare with the DTB that mkimage -K writes.
%   The "< [...] >" values are elisions, not literal syntax.
%
% The verbatim bodies are whitespace-sensitive and are left untouched.
\begin{frame}[fragile]
\frametitle{Configuration}
\begin{columns}[onlytextwidth]
 \begin{column}{0.40\textwidth}
 \begin{beamerboxesrounded}[shadow=true]{defconfig}
 \begin{scriptsize}
 \begin{verbatim}
CONFIG_FIT=y
CONFIG_FIT_VERBOSE=y
CONFIG_FIT_SIGNATURE=y
CONFIG_SECURE_BOOT=y
CONFIG_OF_CONTROL=y
 \end{verbatim}
 \end{scriptsize}
 \end{beamerboxesrounded}
 \end{column}
 \begin{column}{0.50\textwidth}
 \begin{beamerboxesrounded}[shadow=true]{Keyring DT}
 \begin{scriptsize}
 \begin{verbatim}
/dts-v1/;
/ {
    model = "u-boot keystore";
    compatible = "linutronix,imx7d";
    signature {
        image-policy {
            required = "conf";
            algo = "sha256,rsa4096";
        };

        keystore {
            rsa,r-squared  = < [...] >;
            rsa,modulus    = < [...] >;
            rsa,exponent   = < [...] >;
            rsa,n0-inverse = < [...] >;
            rsa,num-bits   = < [...] >;
            key-name-hint  = "mx7-secboot";
        };
    };
};
 \end{verbatim}
 \end{scriptsize}
 \end{beamerboxesrounded}
 \end{column}
\end{columns}
\end{frame}

% ----------------------------
% Frame: image tree source (.its) fragments for the signed FIT image.
%
% Left box (images): the kernel (zImage) and device-tree payloads, each
% with a sha256 hash node. A hash node carries no key; on its own it only
% detects accidental corruption, not deliberate replacement.
%
% Right box (configurations): conf@1 ties kernel@1 and fdt@1 together and
% holds the signature node. Its algo ("sha256,rsa4096") and key-name-hint
% ("mx7-secboot") match the keyring on the "Configuration" frame, and
% sign-images names the images covered by the signature. Signing the
% configuration rather than each image alone binds this kernel to this
% device tree, so individually valid images cannot be recombined.
%
% NOTE(review): the "U-Boot Integrity check" frame lists InitramFS as
% protected data, but no ramdisk image is defined or referenced here. If a
% ramdisk is shipped, it needs its own image node, a ramdisk entry in the
% configuration and coverage by the signature -- confirm how the mkimage
% version in use treats sign-images.
% NOTE(review): newer U-Boot releases refuse node names containing '@' when
% FIT signature checking is enabled; upstream examples use names such as
% kernel-1, hash-1, conf-1 and signature-1. Check the example against the
% U-Boot release targeted by the training.
% The "[...]" lines are elisions (further image properties), not syntax.
%
% The verbatim bodies are whitespace-sensitive and are left untouched.
\begin{frame}[fragile]
\frametitle{FIT Image Generation}
\begin{columns}[onlytextwidth]
\begin{column}{0.45\textwidth}
 \begin{beamerboxesrounded}[shadow=true]{Images}
 \begin{scriptsize}
 \begin{verbatim}
images {
  kernel@1 {
    description = "imx7d Kernel";
    data = /incbin/("zImage");
    type = "kernel";
    [...]
    hash@1 {
      algo = "sha256";
    };
  };
  fdt@1 {
    description = "phytec-zeta DTB";
    data = /incbin/("imx7d-zeta.dtb");
    type = "flat_dt";
    [...]
    hash@1 {
      algo = "sha256";
    };
  };
};
 \end{verbatim}
 \end{scriptsize}
 \end{beamerboxesrounded}
\end{column}
\begin{column}{0.50\textwidth}
 \begin{beamerboxesrounded}[shadow=true]{Configurations}
 \begin{scriptsize}
 \begin{verbatim}
configurations {
  default = "conf@1";
  conf@1 {
    description = "Linux imx7d phytec-zeta";
    kernel = "kernel@1";
    fdt = "fdt@1";
    signature@1 {
      algo = "sha256,rsa4096";
      key-name-hint = "mx7-secboot";
      sign-images = "fdt", "kernel";
    };
  };
};
 \end{verbatim}
 \end{scriptsize}
 \end{beamerboxesrounded}
\end{column}
\end{columns}
\end{frame}

% ----------------------------
% Frame: a single centred diagram, images/uboot-fit.png.
% NOTE(review): the picture itself is not visible from this source;
% judging by the frame title it places the FIT verification step in the
% overall boot flow -- confirm that it also shows who verifies U-Boot and
% its key data.
% NOTE(review): the width is a fixed 8cm; a width relative to \textwidth
% would follow changes of the slide geometry.
\begin{frame}[fragile]
  \frametitle{Verification in System-Context}
  \begin{figure}[h]
    \centering
    \includegraphics[width=8cm]{images/uboot-fit.png}
  \end{figure}
\end{frame}