Changes between Version 3 and Version 4 of secure_boot

04/07/2021 11:51:11 PM (17 months ago)
Tim Harvey

added dm-crypt documentation


  • secure_boot

    v3 v4  
    13= Secure Boot
    24Secure Boot refers to hardware and software that does not allow an attacker to obtain sensitive data or boot altered firmware. This can be accomplished on modern embedded System on Chip devices by creating a Chain of Trust.
    2225== Secure U-Boot
    2326For a secure U-Boot you want to disable the ability to stop autoboot and get to a U-Boot console. Additionally you do not want to use env variables that can be used by an attacker to affect the boot sequence.
    7782== Securing the Kernel, FDT, ramdisk via FIT images
    7883The simplest way to secure the Kernel, the FDT, and the (optional) ramdisk image used to boot a Linux based OS is to use a U-Boot FIT image to contain signed versions of these.
    235240  * Make sure the address you are loading the FIT image to does not cause an overlap in memory with where the kernel load/entry point is. The bootm command will copy or uncompress the kernel to the load/entry point and copy the initramfs and the fdt to a location following that. You may need to alter loadaddr to somewhere in memory other than the default.
     244== Secure filesystem with dm_crypt
     245Linux dm-crypt is a transparent disk encryption sybsystem. It is part of the device mapper infrastructure and uses the kernel crypto API. Being implemented at the device mapper layer means it can be stacked on top of other devices or even other device mappers thus it can be used to encrypted whole disks, partitions, software RAID volumes, and logical volumes. Linux Unified Key Step (LUKS) is the format used on the device in place of a file system which provides a whole host of key options.
     247Kernel requirements for dm-crypt:
     248 - CONFIG_MD (RAID and LVM)
     249 - CONFIG_BLK_DEV_DM (device-mapper)
     250 - CONFIG_DM_CRYPT (dm-crypt)
     251 - CONFIG_CRYPTO_* options for various cipher/hash you want to use, for example:
     253  - CONFIG_ARM64_CRYPTO
     256  - CONFIG_CRYPTO_SHA512_ARM64_CE
     262Userspace requirements for dm-crypt:
     263 - cryptsetup (Buildroot BR2_PACKAGE_CRYPTSETUP)
     265For more info:
     266 -
     269 1. Create a key to use for encryption:
     271dd if=/dev/urandom of=$KEY_DIR/fs.key bs=1 count=4096
     273 1. Boot a Linux provisioning kernel+ramdisk such as the prebuilt images at (see wiki:buildroot)
     274 1. Create encrypted device using dm-crypt
     276# get key file, ie via network
     277ifconfig eth0
     278cd /tmp
     279wget http://server/fs.key
     280# format a LUKS device
     281echo "YES" | cryptsetup luksFormat /dev/mmcblk0p1 fs.key -
     283  * use 'cryptsetup benchmark' to show all cipher and hash algos available in your running kernel as well as their performance
     284  * use 'cryptsetup --help' to see options; options you may wish to change are --cipher (default aes-xts-plain64), --key-size (default is 256) --hash (default is sha256) and --use-urandom (default is --use-random)
     285 1. Open (unlock) the LUKS device
     287# open (unlock) LUKS device and map it to /dev/mapper/rootfs
     288cryptsetup luksOpen /dev/mmcblk0p1 rootfs --key-file=fs.key
     290 1. Create your filesystem:
     292wget http://server/rootfs.tar.xz
     293mkfs.ext4 -q -F -L rootfs /dev/mapper/rootfs
     294mount /dev/mapper/rootfs /mnt
     295tar -C /mnt -xf rootfs.tar.xz --keep-directory-symlink
     296umount /dev/mapper/rootfs
     298 1. Close (lock) LUKS device
     300cryptsetup luksClose rootfs
     302 1. Create a simple initramdisk responsible for unlocking dm-crypt via buildroot:
     304cat <<EOF >output/target/init
     307# Mount things needed by this script
     308mount -n -t devtmpfs devtmpfs /dev
     309mount -n -t proc proc /proc
     310mount -n -t sysfs sysfs /sys
     311mount -n -t tmpfs tmpfs /run
     317# Wait for device to exist
     318echo "Waiting for /dev/${root}..."
     319while [ ! -b "/dev/${root}" ]; do
     320        sleep 1
     321        echo -n .
     324#Open encrypted partition
     325mkdir -p /run/cryptsetup
     326echo "Opening /dev/$root..."
     327cryptsetup luksOpen "/dev/${root}" "${root}" --key-file=$key
     329#Mount the root device
     330echo "Mounting /dev/mapper/${root}..."
     331mkdir /newroot
     332mount "/dev/mapper/${root}" /newroot
     334#Switch to the new root and execute init
     335echo "Switching to new root..."
     336cd /newroot
     337exec switch_root . "${init}" "$@"
     339#This will only be run if the above line failed
     340echo "Failed to switch_root"
     342chmod +x output/target/init
     344 1. Create a FIT image (see above) containing your kernel fdt and initramfs and boot it with boom or built it as a kernel+ramdisk