[OE-core] [RFC PATCH 0/4] U-Boot verified boot basic support

Yannick Gicquel yannick.gicquel at iot.bzh
Tue Apr 19 12:46:39 UTC 2016 

Hello,

Please find a patchset proposal for U-Boot verified boot basic support.
Before submitting those, I would like to ask people on this list some feedbacks
on the way it's currently implemented.

The verified boot support principle is to sign a kernel fitImage, thanks to an
SSL keypair, and to append a public key in u-boot device tree blob to enable
software integrity check at runtime.

The proposal depends on the U-Boot CONFIG_OF_SEPARATE which in effect splits
U-Boot binaries allowing the DTB file to be outside the main u-boot binaries.

Thus, regarding the current fitImage generation, the following is proposed:

 - extend the generated fit-images.its file from kernel-fitimage.bbclass in
   order to add a 'signature' tag to the configuration section, then add a call
   to uboot-mkimage to sign the fitImage and append the public key to DTB file.

 - add a task in u-boot.inc 'do_assemble_dtb' which concatenates the device
   tree blob with public key to u-boot binary, and organize the u-boot and
   virtual/kernel recipes' tasks this way:

   u-boot:do_deploy -> virtual/kernel:do_assemble_fitimage -> u-boot:do_assemble_dtb

To enable the verified boot, the following variables can be added in a 
configuration file:

   KERNEL_CLASSES ?= " kernel-fitimage "
   KERNEL_IMAGETYPE ?= "fitImage"
   UBOOT_SIGN_KEYDIR = "/signature/keys/directory"
   UBOOT_SIGN_KEYNAME = "dev"
   UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
   UBOOT_SIGN_ENABLE = "1"

Well, I don't know if these changes are the way to go, but at least I think
this limits the codes changes and it propagates the feature to BSP layers which
uses u-boot.inc. Anyway, I would be pleased to get feedback on this.

Best regards,
Yannick

Yannick Gicquel (4):
  u-boot: basic support of device tree blob reassembly
  u-boot: deploy u-boot nodtb and dtb files
  kernel: fitimage: support device tree compiler options
  kernel: fitimage: basic support for fitimage signature

 meta/classes/kernel-fitimage.bbclass    | 53 +++++++++++++++++++++++++++++++--
 meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++
 meta/recipes-bsp/u-boot/u-boot.inc      | 36 ++++++++++++++++++++++
 3 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc

-- 
1.9.1

More information about the Openembedded-core mailing list