Context Navigation

Changes between Version 19 and Version 20 of venice/secure_boot

Timestamp:: 04/01/2024 07:59:27 PM (5 weeks ago)
Author:: Samuel Lee
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

venice/secure_boot

-              v19
+              v20
   b. Unpack the CST :
 {{{#!bash
 tar xvf cst-3.3.2.tgz
 cd cst-3.3.2/keys
+tar xvf cst-3.4.0.tgz
+cd cst-3.4.0/keys
 }}}
   c. Create a text file named "serial", which contains 8 digits. OpenSSL uses the contents of this file for the 'certificate serial numbers'.
 …
  - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt
  - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
+== HABv4 encrypted boot architecture
+The IMX HABv4 also provides an extra optional security operation by using cryptography (AES-CCM) to obscure the boot image so it can not be seen or used by unauthorized users.
+Encrypted boot adds an extra layer of security to the boot sequence using cryptographic techniques to obscure the bootloader data (which can be extended to the entire firmware image)so that it can not be seen or used by unauthorized users. This mechanism protects and conceals the bootloader code residing in flash.
+The Data Encryption Key (DEK) is an AES key used to encrypt the boot image (via the Code Signing Tool) and decrypt the boot image (using the DEK blob appended to the image). The DEK blob is used as a security layer to wrap and store the DEK off-chip which is unique to the chip that generated the blob.
+Generation of the DEK blob that gets appended to your image must be done on the IMX via the U-Boot dek_blob command which is enabled with CONFIG_CMD_DEKBLOB=y.
+References:
+ - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt
+ - https://elixir.bootlin.com/u-boot/v2021.07/source/doc/imx/habv4/guides/encrypted_boot.txt
+ - NXP AN12056 - Encrypted Boot on HABv4 and CAAM Enabled devices
 …
 The init script we will use can be created like this:
+* '''''You need to set SERVERIP variable to your tftp IP address'''''
 {{{#!bash
 cat <<\EOF> init
 …
 # Some basic vars
+DEV=/dev/mmcblk2 # storage device to be used for the encrypted file system
+DEVICE=mmcblk2 # storage device to be used for the encrypted file system
+DEV=/dev/$DEVICE
 P1_OFFSETMB=64
 PART=p1
 …
 NIC=eth0
 INIT=/sbin/init # init of final OS
+SERVERIP=<YOUR_SERVER_IP> # serverip for tftp server
+# Boot firmware support
+BOOT_FIRMWARE=http://$SERVERIP/tftpboot/venice/flash.bin
+FIT_IMAGE=http://$SERVERIP/tftpboot/venice/fit.itb
+# TPM support
+KEY_HANDLE=0x81234567 #TPM2 Owner Persistent Handle Range: 0x81000000 - 0x81800000
 # Mount things needed by this script
 …
 mount -n -t tmpfs tmpfs /run
+# Check if "tpm" is present in bootargs
+for arg in $(cat /proc/cmdline); do
+        [ "$arg" == "tpm" ] && {
+                insmod /virt-dma.ko
+                insmod /imx-sdma.ko
+                insmod /spi-imx.ko
+                insmod /tpm_tis_spi.ko
+                [ -c /dev/tpm0 ] && {
+                        TPM=/dev/tpm0
+                        echo "Using TPM: $TPM"
+                }
+        }
+done
 error() {
         printf "\n\nErro: $@"
         while [ 1 ]; do sleep 1; done
+        printf "\n\nErro: $@"
+        while [ 1 ]; do sleep 1; done
+}
 user_data() {
         echo "Applying user changes..."
         # in any board specific changes to rootfs
         case "$(cat /proc/device-tree/board)" in
                 GW74*)
                         mkdir -p /mnt/etc/udev/rules.d
                         echo 'SUBSYSTEM=="net", ACTION=="add", DEVPATH=="/devices/platform/soc@0/30800000.bus/30bf0000.ethernet/net/eth*", NAME="en0"' > /mnt/etc/udev/rules.d/70-persistent-net.rules
                         echo 'SUBSYSTEM=="net", ACTION=="add", DEVPATH=="/devices/platform/soc@0/30800000.bus/30be0000.ethernet/net/eth*", NAME="en1"' >> /mnt/etc/udev/rules.d/70-persistent-net.rules
                         sed -i 's/eth0/en0/' /mnt/etc/network/interfaces
                         ;;
         esac
+        echo "Applying user changes..."
+        # in any board specific changes to rootfs
+        case "$(cat /proc/device-tree/board)" in
+                GW74*)
+                        mkdir -p /mnt/etc/udev/rules.d
+                        echo 'SUBSYSTEM=="net", ACTION=="add", DEVPATH=="/devices/platform/soc@0/30800000.bus/30bf0000.ethernet/net/eth*", NAME="en0"' > /mnt/etc/udev/rules.d/70-persistent-net.rules
+                        echo 'SUBSYSTEM=="net", ACTION=="add", DEVPATH=="/devices/platform/soc@0/30800000.bus/30be0000.ethernet/net/eth*", NAME="en1"' >> /mnt/etc/udev/rules.d/70-persistent-net.rules
+                        sed -i 's/eth0/en0/' /mnt/etc/network/interfaces
+                        ;;
+        esac
+}
 …
 #  - gateworks ubuntu tarbarll and linux kernel tarball
 ROOTFS_TARS="\
         https://dev.gateworks.com/ubuntu/jammy/jammy-venice.tar.xz \
         https://dev.gateworks.com/venice/kernel/linux-venice-6.6.8.tar.xz \
+        https://dev.gateworks.com/ubuntu/jammy/jammy-venice.tar.xz \
+        https://dev.gateworks.com/venice/kernel/linux-venice-6.6.8.tar.xz \
+"
 rootfs1() {
         # Create an ext4 file system on the opened LUKS device
         echo "Creating filesystem..."
         mkfs.ext4 -q -F -L rootfs /dev/mapper/$NAME || error "mkfs.ext4 failed"
         # Mount the LUKS device to /mnt
         mount /dev/mapper/$NAME /mnt || error "mount failed"
         for url in $ROOTFS_TARS; do
                 echo "Downloading $url..."
                 wget -q --show-progress --no-check-certificate -O data $url || error "wget failed"
                 echo "Extracting..."
                 pv data | tar -C /mnt -mxJ --keep-directory-symlink || error "tar extract failed"
         done
         user_data
         # Unmount the LUKS device
         echo "Unmounting LUKS device..."
         umount /dev/mapper/$NAME || error "umount failed"
+        # Create an ext4 file system on the opened LUKS device
+        echo "Creating filesystem..."
+        mkfs.ext4 -q -F -L rootfs /dev/mapper/$NAME || error "mkfs.ext4 failed"
+        # Mount the LUKS device to /mnt
+        mount /dev/mapper/$NAME /mnt || error "mount failed"
+        for url in $ROOTFS_TARS; do
+                echo "Downloading $url..."
+                wget -q --show-progress --no-check-certificate -O data $url || error "wget failed"
+                echo "Extracting..."
+                pv data | tar -C /mnt -mxJ --keep-directory-symlink || error "tar extract failed"
+        done
+        user_data
+        # Unmount the LUKS device
+        echo "Unmounting LUKS device..."
+        umount /dev/mapper/$NAME || error "umount failed"
+}
 # example2: rootfs via compressed disk image
 rootfs2() {
         FILESYSTEM=https://dev.gateworks.com/venice/images/jammy-venice.img.gz
         # a compressed disk image contains a partition table as well as
         # partitions. Here we assume an MBR partition with the OS on P1.
         # we will extract the MBR, determine the start/end of P1 and copy
         # it to the LUKS device.
         echo "Downloading $FILESYSTEM..."
         wget -q --show-progress --no-check-certificate -O data $FILESYSTEM || exit 1
         # Extract the MBR
         zcat data | dd of=mbr count=1
         start=$(sfdisk -l mbr | tail -1 | tr -s ' ' | cut -d ' ' -f3)
         end=$(sfdisk -l mbr | tail -1 | tr -s ' ' | cut -d ' ' -f4)
         # copy the filesystem in P1 to the LUKS device
         echo "Copying..."
         pv data | zcat | dd of=/dev/mapper/$NAME skip=$start count=$((end-start))
         # apply user data
         mount /dev/mapper/$NAME /mnt || error "mount failed"
         user_data
         umount /dev/mapper/$NAME || error "umount failed"
+        FILESYSTEM=https://dev.gateworks.com/venice/images/jammy-venice.img.gz
+        # a compressed disk image contains a partition table as well as
+        # partitions. Here we assume an MBR partition with the OS on P1.
+        # we will extract the MBR, determine the start/end of P1 and copy
+        # it to the LUKS device.
+        echo "Downloading $FILESYSTEM..."
+        wget -q --show-progress --no-check-certificate -O data $FILESYSTEM || exit 1
+        # Extract the MBR
+        zcat data | dd of=mbr count=1
+        start=$(sfdisk -l mbr | tail -1 | tr -s ' ' | cut -d ' ' -f3)
+        end=$(sfdisk -l mbr | tail -1 | tr -s ' ' | cut -d ' ' -f4)
+        # copy the filesystem in P1 to the LUKS device
+        echo "Copying..."
+        pv data | zcat | dd of=/dev/mapper/$NAME skip=$start count=$((end-start))
+        # apply user data
+        mount /dev/mapper/$NAME /mnt || error "mount failed"
+        user_data
+        umount /dev/mapper/$NAME || error "umount failed"
+}
 # example3: rootfs via existing filesystem
 rootfs3() {
         FILESYSTEM=https://dev.gateworks.com/buildroot/venice/minimal/rootfs.ext2.xz
         echo "Downloading $FILESYSTEM..."
         wget -q --show-progress --no-check-certificate -O data $FILESYSTEM || exit 1
         # copy the filesystem in P1 to the LUKS device
         echo "Copying..."
         pv data | xzcat | dd of=/dev/mapper/$NAME bs=16M
         # apply user data
         mount /dev/mapper/$NAME /mnt || error "mount failed"
         user_data
         umount /dev/mapper/$NAME || error "umount failed"
+        FILESYSTEM=https://dev.gateworks.com/buildroot/venice/minimal/rootfs.ext2.xz
+        echo "Downloading $FILESYSTEM..."
+        wget -q --show-progress --no-check-certificate -O data $FILESYSTEM || exit 1
+        # copy the filesystem in P1 to the LUKS device
+        echo "Copying..."
+        pv data | xzcat | dd of=/dev/mapper/$NAME bs=16M
+        # apply user data
+        mount /dev/mapper/$NAME /mnt || error "mount failed"
+        user_data
+        umount /dev/mapper/$NAME || error "umount failed"
+}
 …
         rootfs=${1:-rootfs1}
+        echo "Provision $DEV via $rootfs..."
+        # board specific customizations
+        case "$(cat /proc/device-tree/board)" in
+                GW74*) NIC=eth1;;
+        esac
+        # Mount the /tmp directory as a tmpfs with 75% of the available memory
+        mount -t tmpfs /tmp -o size=75%
+        # Change the current working directory to /tmp
+        cd /tmp
+        # bring up network
+        echo "Bringing up network $NIC..."
+        udhcpc -i $NIC
+        echo "Creating partition table..."
+        # partition disk:
+        #   - you could use MBR or GPT based on your needs
+        #   - ensure that you do not start your partition data until after your boot firmware
+        # Create MBR with a single partition taking up the entire device
+        printf "$((P1_OFFSETMB*1024*1024/512)),,L,*" | sfdisk -u S $DEV || exit 1
+        DEV=${DEV}${PART}
+        # Format the partition as a LUKS encrypted file system using the encryption key
+        echo "Formating LUKS device..."
+        echo "YES" | cryptsetup luksFormat $DEV $KEY - || exit 1
+        # Open the LUKS encrypted partition and map it to the specified name ($NAME)
+        echo "Opening LUKS device..."
+        cryptsetup luksOpen $DEV $NAME --key-file=$KEY || exit 1
+        # call rootfs option
+        $rootfs
+        # Close the LUKS device and remove the mapping
+        echo "Closing LUKS device..."
+        cryptsetup luksClose $NAME || exit 1
+        echo "Provisioning complete"
+        # Wait forever
+        #while [ 1 ]; do sleep 1; done
+        # power cycle
+        echo 2 > /sys/bus/i2c/devices/0-0020/powerdown
+        echo "Provision $DEV via $rootfs..."
+        # board specific customizations
+        case "$(cat /proc/device-tree/board)" in
+                GW74*) NIC=eth1;;
+        esac
+        # Mount the /tmp directory as a tmpfs with 75% of the available memory
+        mount -t tmpfs /tmp -o size=75%
+        # Change the current working directory to /tmp
+        cd /tmp
+        # bring up network
+        echo "Bringing up network $NIC..."
+        udhcpc -i $NIC
+        [ "$BOOT_FIRMWARE" ] && {
+                echo "Writing locked down U-Boot to memory..."
+                wget -q --show-progress --no-check-certificate -O data $BOOT_FIRMWARE || exit 1
+                # create 4MB boot0 image and flash it
+                truncate -s 4M boot-firmware
+                dd if=data of=boot-firmware bs=1K seek=33 conv=notrunc # note this seek=0 for imx8mm/imx8mp for boot0/boot1
+                # BOOT partitions by default are read-only as they are typically used for sensitive boot firmware. To write to them you must disable force_ro in sysfs
+                echo 0 > /sys/class/block/${DEVICE}boot0/force_ro
+                # write the flash.bin with proper offset to unlocked BOOTpart
+                dd if=boot-firmware of=/dev/${DEVICE}boot0
+        }
+        [ "$FIT_IMAGE" ] && {
+                echo "Flashing FIT Image to memory..."
+                wget -q --show-progress --no-check-certificate -O data $FIT_IMAGE || exit 1
+                # sanity check its not too big for P1_OFFSETMB
+                #  - we don't want to automatically choose P1_OFFSETMB as you may want to support
+                #    firmware updates and you should allow it to grow and thus choose your slack space
+                FIT_SIZEMB=$(($(stat -c '%s' data) / 1024 / 1024))
+                [ $FIT_SIZEMB -lt $(($P1_OFFSETMB + 1)) ] || {
+                        echo "Error: $FIT_IMAGE is too large; adjust P1_OFFSETMB"
+                        exit 1
+                }
+                # Write fit Image to memory
+                dd if=data of=$DEV bs=1M seek=1
+        }
+        echo "Creating partition table..."
+        # partition disk:
+        #   - you could use MBR or GPT based on your needs
+        #   - ensure that you do not start your partition data until after your boot firmware
+        # Create MBR with a single partition taking up the entire device
+        printf "$((P1_OFFSETMB*1024*1024/512)),,L,*" | sfdisk -u S $DEV || exit 1
+        [ "$TPM" ] && {
+                # Get inital PCR measurment values
+                echo "Retrieving initial PCR measurement values..."
+                # PCR0: boot-firmware
+                tpm2 pcrextend 0:sha1=$(sha1sum boot-firmware | cut -d" " -f1)
+                # PCR8: partition table and FIT image (kernel, dtb, ramdisk)
+                dd if=$DEV of=data bs=1M count=$P1_OFFSETMB
+                tpm2 pcrextend 8:sha1=$(sha1sum data | cut -d" " -f1)
+                echo "Creating Key from TPM2.0..."
+                tpm2_evictcontrol -C o -c $KEY_HANDLE # delete any existing key
+                echo "Your Keyphrase (up to 256BYTE)" > $KEY
+                tpm2_createpolicy --policy-pcr -l sha1:0,8 -L policy.digest #only sha1 works for our current TPM's PCRs
+                tpm2_createprimary -g sha256 -G rsa -c primary.context
+                tpm2_create -g sha256 -u obj.pub -r obj.priv -C primary.context -L policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i $KEY
+                tpm2_load -C primary.context -u obj.pub -r obj.priv -c load.context
+                tpm2_evictcontrol -C o -c load.context $KEY_HANDLE # save key to TPM handle
+                rm -rf policy.digest primary.context obj.pub obj.priv load.context
+        }
+        # Format the partition as a LUKS encrypted file system using the encryption key
+        echo "Formating LUKS device..."
+        echo "YES" | cryptsetup luksFormat ${DEV}${PART} $KEY - || exit 1
+        # Open the LUKS encrypted partition and map it to the specified name ($NAME)
+        echo "Opening LUKS device..."
+        cryptsetup luksOpen ${DEV}${PART} $NAME --key-file=$KEY || exit 1
+        # call rootfs option
+        $rootfs
+        # Close the LUKS device and remove the mapping
+        echo "Closing LUKS device..."
+        cryptsetup luksClose $NAME || exit 1
+        echo "Provisioning complete"
+        # Wait forever
+        #while [ 1 ]; do sleep 1; done
+        # power cycle
+        echo 2 > /sys/bus/i2c/devices/0-0020/powerdown
+}
 for x in $(cat /proc/cmdline); do
         case "$x" in
                 bypass)
+        case "$x" in
+                bypass)
 echo "Booting straight to ramdisk..."
 umount /proc
 …
 fi
 exec /sbin/init "$@"
                         ;;
                 provision=*) provision ${x//provision=};;
         esac
+                        ;;
+                provision=*) provision ${x//provision=};;
+        esac
 done
 …
 echo "Waiting for $DEV..."
 while [ ! -b "$DEV" ]; do
         sleep 1
         echo -n .
+        sleep 1
+        echo -n .
 done
 # Open the LUKS encrypted partition and map it to the specified name ($NAME)
+[ "$TPM" ] && {
+        echo "Fetching Key from TPM..."
+        tpm2_unseal -c $KEY_HANDLE -p pcr:sha1:0,8 -o fs.keyphrase_decrypted
+        KEY=fs.keyphrase_decrypted
+}
 DEV=${DEV}${PART}
 echo "Opening $DEV..."
 cryptsetup luksOpen $DEV $NAME --key-file=$KEY || exit 1
+[ "$TPM" ] && {
+        # reseal the key by extending the PCR's
+        rm -rf fs.keyphrase_decrypted
+        tpm2_pcrextend 0:sha1=0000000000000000000000000000000000000000
+        tpm2_pcrextend 8:sha1=0000000000000000000000000000000000000000
+}
 # Mount the LUKS device to /mnt
 …
 ==== Option1: Downloading a prebuilt ramdisk
+To download the prebuilt root file system and incorporate your script manually, follow these steps:
+{{{#!bash
+# download the ramdisk
+To download the prebuilt root file system and incorporate the needed overlay files manually, follow these steps:
+Note: For Gateworks's standard BSP 6.6 Kernel to work seamlessly with the initialization scripts and enable TPM functionality, it's imperative to include the following kernel modules:
+- spi-imx.ko
+- tpm_tis_spi.ko
+- virt-dma.ko
+- imx-sdma.ko
+Additionally, ensure that the firmware file sdma-imx7d.bin is located in the directory lib/firmware/imx/sdma/. These modules are crucial for proper TPM integration and operation within our secure setup.
+{{{#!bash
+#download the ramdisk
 wget https://dev.gateworks.com/buildroot/venice/minimal/rootfs.cpio.xz
 # extract files from an existing gzipped cpio:
 mkdir initrd
 (cd initrd; xz -cd ../rootfs.cpio.xz | fakeroot -s ../initrd.fakeroot cpio -idmv)
+# copy key and init to it
+cp fs.key init initrd/
+#get all the custom files needed in one spot
+mkdir overlay
+cp fs.key init overlay/
+#utilize a bsp to copy in required kernel modules to be used for tpm in the init script
+mkdir -p overlay/lib/firmware/imx/sdma/
+export VENICE_BSP=/path/to/venice_bsp
+for i in virt-dma imx-sdma spi-imx tpm_tis_spi; do file=$(find $VENICE_BSP/linux/ -name $i.ko); [ -r "$file" ] && cp $file overlay && echo $file; done
+wget https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/imx/sdma/sdma-imx7d.bin -O overlay/lib/firmware/imx/sdma/sdma-imx7d.bin
+# copy needed files to initrd
+cp -r overlay/* initrd/
 # re-create initrd
 (cd initrd; find | fakeroot -i ../initrd.fakeroot cpio -o -H newc | xz --check=crc32 -c > ../rootfs.cpio.xz)
 }}}
+This will produce the desired rootfs.cpio.xz artifact which we will copy to our blobs directory for safe keeping:
+{{{#!bash
 cp rootfs.cpio.xz blobs/
+This will produce the desired rootfs.cpio.xz artifact.
+{{{#!bash
+#copy it over to your tftp server (under the venice sub-dir)
+cp rootfs.cpio.xz /tftpserver/venice
 }}}
 …
 In comparing Option 1 and Option 2, both provide robust firmware security through code signing and verification. However, Option 2 goes a step further by integrating the verification into the hardware root-of-trust using platform security features like HABv4.
 Option 1 provides more versatility in terms of being able to construct different FIT image payloads signed by the same key that U-Boot can universally verify and boot from. This modularity can be advantageous, especially for deployment scenarios that need frequent kernel/filesystem updates without modifying the secure bootloader components.
+Option 1 provides more versatility in terms of being able to construct different FIT image payloads signed by the same key that U-Boot can universally verify and boot from. This modularity can be advantageous, especially for deployment scenarios that need frequent kernel/filesystem updates without modifying the secure bootloader components. This is also appears to be the standard when implementing a secure boot process. We strongly recommend using this option.
 …
 [=#embedded-fit]
 ==== Option 2 - Embed the kernel/dtb/ramdisk in the U-Boot ITB
+'''''We Strongly recommend using option 1, we keep this option documented here in the off chance someone would want to implement this edge case for whatever reason'''''
 For IMX you can utilize the fact that the SPL is using HABv4 and the SRK keys to verify the entire U-Boot FIT image (u-boot.itb) which already contains the ARM Trusted Firmware, U-Boot propper, and the U-Boot control DTB's.
 …
  - change CONFIG_BOOTCOMMAND to what you need to directly boot (depending on the options above)
+== HABv4 encrypted boot architecture
+The IMX HABv4 also provides an extra optional security operation by using cryptography (AES-CCM) to obscure the boot image so it can not be seen or used by unauthorized users.
+Encrypted boot adds an extra layer of security to the boot sequence using cryptographic techniques to obscure the bootloader data (which can be extended to the entire firmware image)so that it can not be seen or used by unauthorized users. This mechanism protects and conceals the bootloader code residing in flash.
+The Data Encryption Key (DEK) is an AES key used to encrypt the boot image (via the Code Signing Tool) and decrypt the boot image (using the DEK blob appended to the image). The DEK blob is used as a security layer to wrap and store the DEK off-chip which is unique to the chip that generated the blob.
+Generation of the DEK blob that gets appended to your image must be done on the IMX via the U-Boot dek_blob command which is enabled with CONFIG_CMD_DEKBLOB=y.
+References:
+ - https://elixir.bootlin.com/u-boot/latest/source/doc/imx/habv4/introduction_habv4.txt
+ - https://elixir.bootlin.com/u-boot/v2021.07/source/doc/imx/habv4/guides/encrypted_boot.txt
+ - NXP AN12056 - Encrypted Boot on HABv4 and CAAM Enabled devices
+== TPMv2.0
+Now that we've implemented encrypted storage, providing a solid layer of security for data-at-rest protection, we can consider an optional step to further enhance our system's security. This step involves integrating TPM 2.0 technology, which offers features like measured boot and secure key storage. By opting for TPM 2.0 integration, we can extend the chain of trust and manage encryption keys with enhanced security. Next, we'll outline the steps to integrate TPM 2.0 into our secure setup for those who wish to implement this additional security measure. For this example we are building of the base blocks of "Option 1 - using an External FIT Image" above.
+TPMv2.0 (Trusted Platform Module) is a hardware-based security solution designed to provide secure storage and processing of cryptographic keys, digital certificates, and other security-related data on computing platforms. It is an international standard developed by the Trusted Computing Group (TCG) and serves as an evolution of the original TPM specification (TPMv1.2). Platform Configuration Registers (PCRs) are specialized registers within the TPM that store cryptographic hashes, also known as digests or integrity measurements, of the software components running on the system. These digests are generated using secure hashing algorithms, such as SHA-256, and represent the measured state of the code running on your computer at various stages of the boot process.
+The process of extending a PCR involves updating its current value by combining it with a new digest using a one-way operation. The integrity measurement is hashed together with the existing PCR value, and the result is stored back in the PCR. This process ensures that any change to the system's software state, including the order in which components are loaded, will alter the final PCR values, enabling detection of unauthorized modifications or tampering.
+The TPM contains a small amount of Non-Volatile RAM (NV RAM) that can be used to store persistent data and configurations. The NV RAM is divided into several areas, each with its own access policies and permissions.
+One of the main features of the TPM is the ability to perform a "measured boot" process. During boot, it is intended that the system firmware (BIOS/UEFI) measures and records the hash of each component involved in the boot process, such as the bootloader, kernel, drivers, and just about any other software blob running on your system that can be hashed. These measurements are stored in the TPM's PCRs.
+By comparing the PCR values against known good values, the system can detect if any unauthorized modifications have been made to the boot components. This allows for a secure boot process and provides a chain of trust for the entire system.
+In our example, the PCRs and NV RAM are leveraged together to implement measured boot and secure storage of data. Sensitive data can be "sealed" to specific PCR values, meaning it is encrypted by the TPM and can only be decrypted if the PCR values match the expected values (i.e., the system is in a known good state).
+You can read more about the TPMv2.0 spec here: https://trustedcomputinggroup.org/wp-content/uploads/TCG_ServerManagementDomainFirmwareProfile_v1p00_11aug2020.pdf
+Although we intend to adhere to the Trusted Computing Group's guidelines for utilizing TPMv2.0 as outlined in the specification, the support for TPMv2.0 in U-Boot is still somewhat limited due to its relatively newer adoption. Consequently, we will primarily rely on our IMX High Assurance Boot (IMX.HAB) feature, which is part of the on-chip BOOT ROM, to serve as our Code Root of Trust for Measurement (CRTM). Once the boot process reaches U-Boot, we will extend the PCRs with SHA-1 digests of our firmware components and of our FIT Image Blob.
+In this example we are using PCR 0 to measure the entire boot firmware including the SPL, ATF, U-Boot DTB's and the u-boot environment. Additionally, we are dedicating PCR 8 specifically for measuring the contents of the fit.itb, which includes the device tree blob (.dtb), kernel Image, and ramdisk as those are part of the OS. Technically you can consider things like bootargs and ramdisk as OS configuration (PCR9) but we don't care to make that distinction here.
+According to the TCG specification's Table 1 PCR Usage, PCR 0 is designated for the SRTM (Static Root of Trust for Measurement) and Boot Loader, which aligns with our decision to use it for measuring the entire boot firmware. PCR 8, on the other hand, is defined for use by the Management Domain OS, making it a suitable choice for measuring the contents of our fit.itb, which will be essential for the operating system's boot process.
+This mechanism is used in the provided script to protect the encryption key for the root filesystem. The key is sealed to specific PCR values representing the boot firmware and FIT Image (kernel & device tree blob & initrd) measurements. During the boot process, the script unseals the key from the TPM using the current PCR values, allowing the encrypted root filesystem to be unlocked and mounted.
+We'll securely store the key necessary for unlocking our encrypted storage device and filesystem within the TPM. Access to this key will be restricted to the ramdisk only if the PCRs have been extended with precise data from our firmware components and FIT Image Blob. Once this key is utilized to unlock the encrypted disk device, we'll update the PCRs again. Any subsequent attempts to access the key post-separation event will be unsuccessful since the PCRs will no longer align with the sealing policy.
+In order to successfully integrate the TPM into our secure setup, these components and configurations are necessary:
+. A Gateworks board that has a tpm (from the following list) with a regular Gateworks u-boot enviroment:
+ - GW71x1-E
+ - GW72x1-F+
+ - GW73x1-F+
+ - GW74x1-B+
+ - GW830x
+ - GW890x
+. A TFTP server with the following files:
+ - The final FIT Image Tree Blob (fit.itb) you want to use for flashing
+ - The final flash.bin from U-Boot with appropriate tpm, lockdown, and boot command configurations you want to use for flashing
+We are choosing the following PCR conventions:
+ * PCR0 - SRTM & Boot Loader:
+  - boot firmware (emmc boot0 hardware partition)
+ * PCR8 - Management Domain OS
+  - OS (partition table, FIT image) (not root filesystem as we assume that is read/write and encrypted in this example)
+We are choosing to store our fs key in the TPM NVRAM (0x81000000 - 0x81800000) in a somewhat random location:
+ * 0x81234567
+=== Using the TPM with the init script
+If you want to utilize the discrete TPM on your Gateworks board, simply add the 'tpm' argument at the end of the bootargs in U-Boot.
+{{{#!bash
+#How to use the tpm with provisioning
+setenv bootargs provision=rootfs1 tpm
+#How to use the TPM for unlocking
+setenv bootargs tpm
+}}}
+=== Final u-boot flash.bin and FIT Image
+This section serves as a summary step for this wiki article.
+Similarly to the meticulous steps outlined throughout this wiki article, it is essential to confirm the inclusion of the final desired blobs in the FIT Image, while also configuring our end u-boot environment with the specific settings we desire:
+For the FIT Image, you must use this rootfs.cpio.xz that we just created above, a standard (built from our BSP) or custom device tree blob specific to the board you are using, and you can use our Gateworks Kernel (built from our BSP) or other custom kernel:
+{{{#!bash
+mkdir blobs
+cp $VENICE_BSP/linux/arch/arm64/boot/Image blobs/
+cp $VENICE_BSP/linux/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx-0x.dtb blobs/
+cp rootfs.cpio.xz blobs/
+# gzip the kernel
+gzip -fk blobs/Image
+}}}
+Once you created a fit.itb comprised of these individual blobs by following the steps outlined in the "Generation of Signed FIT Image" section you just need to copy that FIT image to the tftp server you intend to use (same server ip that you define inside the init script).
+Now we need to modify U-Boot to enable which security features you wish to leverage and change the boot command:
+* '''''i.MX HAB CONFIG OPTIONS'''''
+ - CONFIG_IMX_HAB=y #'hab_auto_img', 'hab_status' and 'hab_version' commands
+ - CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000
+* '''''SIGNED FIT IMAGE CONFIG OPTIONS'''''
+ - CONFIG_FIT_SIGNATURE=y #enable signature verification of FIT uImages using a hash signed and verified using RSA.
+ - RSA=y # enable RSA library
+ - CONFIG_LEGACY_IMAGE_FORMAT=n #undefined - otherwise this allows booting unsigned images or any image if you lack a signature node
+    - Include signature Node in u-boot build (See "Getting FIT key into U-Boot proper and verifying signed images" section)
+* '''''LOCKED DOWN U-BOOT CONFIG OPTIONS'''''
+ - CONFIG_BOOTDELAY=-1 #disables use of u-boot prompt
+ - CONFIG_ENV_IS_NOWHERE=y #disable env load/save
+ - CONFIG_ENV_IS_IN_MMC=n
+* '''''Choose BOOTCOMMAND CONFIG OPTION depending on if you want to use a TPM or not'''''
+ - CONFIG_BOOTCOMMAND="tpm2 init && tpm2 startup TPM2_SU_CLEAR && tpm2 self_test full && tpm2 self_test continue && mmc dev 2 1 && mmc read $loadaddr 0 0x2000 && hash sha1 $loadaddr 0x400000 *0x40200000 && md.b 0x40200000 0x20 && tpm2 pcr_extend 0 0x40200000 sha1 && tpm2 pcr_read 0 0x40200000 sha1 && mmc dev 2 0 && mmc read $loadaddr 0x0 0x20000 && hash sha1 $loadaddr 0x4000000 *0x40200000 && md.b 0x40200000 0x20 && tpm2 pcr_extend 8 0x40200000 sha1 && tpm2 pcr_read 8 0x40200000 sha1 && setenv bootargs tpm && mmc dev 2 0 && mmc read 0x40200000 0x800 0x1f800 && bootm 0x40200000" #If you are using a TPM
+ - CONFIG_BOOTCOMMAND="setenv bootargs; mmc dev 2 0 && mmc read 0x40200000 0x800 0x1f800 && bootm 0x40200000" # If you are not using the TPM
+Procedure:
+. Checkout U-Boot (or use your existing U-Boot that you have been working with):
+{{{#!bash
+git clone https://github.com/Gateworks/uboot-venice.git
+cd uboot-venice
+# copy necessary artifacts from bsp
+cp $VENICE_BSP/u-boot/lpddr4*.bin . # DDR firmware
+cp $VENICE_BSP/atf/build/imx8mm/release/bl31.bin . # ATF
+}}}
+. Make sure your environment is configured for cross-compiling:
+{{{#!bash
+(cd $VENICE_BSP; . ./setup-environment)
+make imx8mm_venice_defconfig
+}}}
+. Use 'make menuconfig' to make the changes above
+{{{#!bash
+make menuconfig # enable CONFIG options described above
+make savedefconfig && cp defconfig configs/imx8mm_venice_defconfig
+}}}
+. Make the flash.bin and sign it and tftp it over
+{{{#!bash
+make flash.bin
+# sign flash.bin; see "i.MX secure boot" section
+/bin/sh doc/imx/habv4/csf_examples/mx8m/csf.sh
+}}}
+. Its a good idea for troubleshooting to enable DEBUG in common/spl/spl_fit.c by adding '#define DEBUG' to the top of that file
+When complete your differences should look like this:
+{{{#!bash
+$ git diff
+diff --git a/configs/imx8mm_venice_defconfig b/configs/imx8mm_venice_defconfig
+index dc391e47da..556052a7ce 100644
+--- a/configs/imx8mm_venice_defconfig
++++ b/configs/imx8mm_venice_defconfig
+@@ -6,7 +6,6 @@ CONFIG_SPL_GPIO=y
+ CONFIG_SPL_LIBCOMMON_SUPPORT=y
+ CONFIG_SPL_LIBGENERIC_SUPPORT=y
+ CONFIG_ENV_SIZE=0x8000
+-CONFIG_ENV_OFFSET=0x3f0000
+ CONFIG_DM_GPIO=y
+ CONFIG_DEFAULT_DEVICE_TREE="imx8mm-venice"
+ CONFIG_SPL_TEXT_BASE=0x7E1000
+@@ -17,7 +16,8 @@ CONFIG_SPL_SERIAL=y
+ CONFIG_SPL_DRIVERS_MISC=y
+ CONFIG_SPL_STACK=0x920000
+ CONFIG_SPL=y
+-CONFIG_ENV_OFFSET_REDUND=0x3f8000
++CONFIG_IMX_HAB=y
++# CONFIG_CMD_DEKBLOB is not set
+ CONFIG_SYS_LOAD_ADDR=0x48200000
+ CONFIG_SYS_MEMTEST_START=0x40000000
+ CONFIG_SYS_MEMTEST_END=0x80000000
+@@ -25,11 +25,14 @@ CONFIG_LTO=y
+ CONFIG_SYS_MONITOR_LEN=524288
+ CONFIG_FIT=y
+ CONFIG_FIT_EXTERNAL_OFFSET=0x3000
++CONFIG_FIT_SIGNATURE=y
+ CONFIG_SPL_LOAD_FIT=y
+ CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000
+ CONFIG_OF_BOARD_SETUP=y
+ CONFIG_OF_SYSTEM_SETUP=y
+ CONFIG_DISTRO_DEFAULTS=y
++CONFIG_BOOTDELAY=1
++CONFIG_BOOTCOMMAND="tpm2 init && tpm2 startup TPM2_SU_CLEAR && tpm2 self_test full && tpm2 self_test continue && mmc dev 2 1 && mmc read $loadaddr 0 0x2000 && hash sha1 $loadaddr 0x400000 *0x40200000 && md.b 0x40200000 0x20 && tpm2 pcr_extend 0 0x40200000 sha1 && tpm2 pcr_read 0 0x40200000 sha1 && mmc dev 2 0 && mmc read $loadaddr 0x0 0x20000 && hash sha1 $loadaddr 0x4000000 *0x40200000 && md.b 0x40200000 0x20 && tpm2 pcr_extend 8 0x40200000 sha1 && tpm2 pcr_read 8 0x40200000 sha1 && setenv bootargs tpm && mmc dev 2 0 && mmc read 0x40200000 0x800 0x1f800 && bootm 0x40200000"
+ CONFIG_USE_PREBOOT=y
+ CONFIG_PREBOOT="gsc wd-disable"
+ CONFIG_BOARD_LATE_INIT=y
+@@ -77,9 +80,7 @@ CONFIG_CMD_EXT4_WRITE=y
+ CONFIG_OF_CONTROL=y
+ CONFIG_SPL_OF_CONTROL=y
+ CONFIG_OF_LIST="imx8mm-venice imx8mm-venice-gw71xx-0x imx8mm-venice-gw72xx-0x imx8mm-venice-gw73xx-0x imx8mm-venice-gw7901 imx8mm-venice-gw7902 imx8mm-venice-gw7903 imx8mm-venice-gw7904 imx8mm-venice-gw75xx-0x"
+-CONFIG_ENV_IS_IN_MMC=y
+ CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
+-CONFIG_SYS_MMC_ENV_DEV=2
+ CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG=y
+ CONFIG_USE_ETHPRIME=y
+ CONFIG_ETHPRIME="eth0"
+}}}
+=== Provisioning
+Now that we have all the necessary files in our tftp server, instantiating the provisioning of a FDE on a Gateworks board will look something like this:
+{{{#!bash
+u-boot=> dhcp && setenv serverip <YOUR_SERVER_IP> && setenv bootargs provision=rootfs1 && tftpboot 0x40200000 venice/fit.itb && bootm 0x40200000
+}}}
+If you opt to use the TPM for enhanced security it will look like this instead:
+{{{#!bash
+u-boot=> dhcp && setenv serverip <YOUR_SERVER_IP> && setenv bootargs provision=rootfs1 tpm && tftpboot 0x40200000 venice/fit.itb && bootm 0x40200000
+}}}
+Once the board completes provisioning its storage device, the secure system setup for your Venice board is complete.
+=== further tpm reading/sources
+For more info on TPM see:
+ - https://trustedcomputinggroup.org/wp-content/uploads/TCG_ServerManagementDomainFirmwareProfile_v1p00_11aug2020.pdf
+ - https://community.infineon.com/t5/Blogs/Sealing-and-unsealing-data-in-TPM/ba-p/465547
+ - https://community.infineon.com/t5/Blogs/Storing-and-reporting-system-measurements-with-TPM/ba-p/443590
+ - https://trustedcomputinggroup.org/resource/tpm-library-specification/
+ - https://tpm2-tools.readthedocs.io/en/latest/