Changes between Version 30 and Version 31 of venice/secure_boot

Timestamp:

05/02/2024 05:11:12 PM (7 months ago)

Author:

Tim Harvey

Comment:

remove extra directory from ramdisk modification step and make minor changes for clarity

venice/secure_boot

@@ -427 +427 @@
 
 This demonstration's main steps for implementing FDE will include: 
- 1) Using Buildroot for Ramdisk Creation
- 
+ 1) Using Buildroot for Ramdisk Creation 
  2) Using the Ramdisk for Provisioning and unlocking the storage device via LUKS
 
+We will be using many files here in the process which we will store in a 'blobs' directory we will refer to with an env variable called BLOBS:
+{{{#!bash
+export BLOBS=$PWD/blobs
+mkdir $BLOBS
+}}}
+ - make sure this is a full path as above to avoid potential problems where we use it
+
+
 === Kernel and DTB
-We are going to need a kernel and DTB for your board. For this demonstration we will use the kernel and DTB's from the pre-built Gateworks Linux tarball:
-{{{#!bash
-mkdir blobs
+We are going to need a kernel Image, DTB for your board, and kernel modules (the modules are only needed if you are using something requiring modules like the TPM). For this demonstration we will use the the pre-built Gateworks Linux tarball and we will untar the contents of the boot dir (where the kernel Image and DTB's are) and the modules dir where the kernel modules are. We will place these in the $BLOBS directory for use later:
+{{{#!bash
 # grab the prebuilt gateworks kernel
 wget https://dev.gateworks.com/venice/kernel/linux-venice-6.6.8.tar.xz
-tar -C blobs/ --strip-components=2 -xvf linux-venice-6.6.8.tar.xz ./boot
+tar -C $BLOBS -xvf linux-venice-6.6.8.tar.xz ./boot ./lib/modules
 # gzip the kernel
-gzip -fk blobs/Image # creates blob/Image.gz
+gzip -fk $BLOBS/boot/Image # creates Image.gz
 }}}
 
@@ -758 +764 @@
 
 
-==== Option1: Downloading a prebuilt ramdisk
-To download the prebuilt root file system and incorporate the needed overlay files manually, follow these steps:
+==== Option1: Downloading a prebuilt ramdisk and modifying
+To download the prebuilt root file system and incorporate the needed extra files manually, follow these steps:
 
 Note: For Gateworks's standard BSP 6.6 Kernel to work seamlessly with the initialization scripts and enable TPM functionality, it's imperative to include the following kernel modules:
-
-- spi-imx.ko
-- tpm_tis_spi.ko
-- virt-dma.ko
-- imx-sdma.ko
+ - spi-imx.ko
+ - tpm_tis_spi.ko
+ - virt-dma.ko
+ - imx-sdma.ko
+
+We will get these modules from the pre-built kernel that you downloaded and extracted to the 'blobs' directory. If you are using a different kernel set the KERNEL directory differently - just understand that the kernel Image version/signature used in the FIT image must match the kernel modules placed in the ramdisk.
+
 Additionally, ensure that the firmware file sdma-imx7d.bin is located in the directory lib/firmware/imx/sdma/. These modules are crucial for proper TPM integration and operation within our secure setup.
 {{{#!bash
-#download the ramdisk
+# download prebuilt ramdisk
 wget https://dev.gateworks.com/buildroot/venice/minimal/rootfs.cpio.xz
 # extract files from an existing gzipped cpio:
 mkdir initrd
 (cd initrd; xz -cd ../rootfs.cpio.xz | fakeroot -s ../initrd.fakeroot cpio -idmv)
-
-#get all the custom files needed in one spot
-mkdir overlay
-cp fs.key init overlay/
-
-#utilize a bsp to copy in required kernel modules to be used for tpm in the init script
-mkdir -p overlay/lib/firmware/imx/sdma/
-export VENICE_BSP=/path/to/venice_bsp
-for i in virt-dma imx-sdma spi-imx tpm_tis_spi; do file=$(find $VENICE_BSP/linux/ -name $i.ko); [ -r "$file" ] && cp $file overlay && echo $file; done
-wget https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/imx/sdma/sdma-imx7d.bin -O overlay/lib/firmware/imx/sdma/sdma-imx7d.bin
-
-# copy needed files to initrd
-cp -r overlay/* initrd/
-
+# copy the filesystem key and custom init script
+cp fs.key init initrd/
+# copy any required kernel modules matching the kernel you are using (ie modules needed for TPM usage) from the $BLOBS dir we discussed earlier:
+for i in virt-dma imx-sdma spi-imx tpm_tis_spi; do file=$(find $BLOBS -name $i.ko); [ -r "$file" ] && cp $file initrd && echo $file; done
+# copy any required firmware files needed (ie SDMA used for SPI)
+mkdir -p initrd/lib/firmware/imx/sdma/
+wget https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/imx/sdma/sdma-imx7d.bin -O initrd/lib/firmware/imx/sdma/sdma-imx7d.bin
 # re-create initrd
 (cd initrd; find | fakeroot -i ../initrd.fakeroot cpio -o -H newc | xz --check=crc32 -c > ../rootfs.cpio.xz)
-}}}
-This will produce the desired rootfs.cpio.xz artifact.
-{{{#!bash
-#copy it over to your tftp server (under the venice sub-dir)
-cp rootfs.cpio.xz /tftpserver/venice
+# copy it to your blobs directory for use when creating the FIT image
+cp rootfs.cpio.xz $BLOBS
 }}}
 
@@ -821 +819 @@
  - Buildroot's make command generates multiple artifacts, however, our focus is solely on the rootfs.cpio.xz file it produces
 {{{#!bash
-# make the custom filesystem
+# beging with the example venice defconfig
 make venice_example_defconfig
 make
-}}}
-
-This will produce output/images/rootfs.cpio.xz which we will copy to our blobs directory for safe keeping:
-{{{#!bash
-cp output/images/rootfs.cpio.xz blobs/
+# copy the cpio image to your blobs directory for use when creating the FIT image
+cp output/images/rootfs.cpio.xz $BLOBS
 }}}
 
@@ -880 +875 @@
  - copy the kernel Image, your dtb, and your rootfs.cpio.xz ramdisk to your tftp server venice directory
 {{{#!bash
-cp blobs/imx8mm-venice-gw73xx-0x.dtb blobs/Image blobs/rootfs.cpio.xz /tftpboot/venice/
+cp $BLOBS/boot/imx8mm-venice-gw73xx-0x.dtb $BLOBS/boot/Image $BLOBS/rootfs.cpio.xz /tftpboot/venice/
 }}}
  - target; boot them via tftp
@@ -953 +948 @@
 To create a new public/private 2048 bit key pair:
 {{{#!bash
-# on host machine
+# on host machine create fit.key (or copy one here)
 openssl genpkey -algorithm RSA -out fit.key -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
-# to create a certificate for this containing the public key:
+# create a certificate fit.crt from fit.key containing the public key
 openssl req -batch -new -x509 -key fit.key -out fit.crt
 # you can see the public key:
@@ -973 +968 @@
                 kernel {
                         description = "Linux Kernel";
-                        data = /incbin/("blobs/Image.gz");
+                        data = /incbin/("$BLOBS/boot/Image.gz");
                         type = "kernel";
                         arch = "arm64";
@@ -986 +981 @@
                 ramdisk {
                         description = "ramdisk";
-                        data = /incbin/("blobs/rootfs.cpio.xz");
+                        data = /incbin/("$BLOBS/rootfs.cpio.xz");
                         type = "ramdisk";
                         arch = "arm64";
@@ -998 +993 @@
                 fdt {
                         description = "fdt";
-                        data = /incbin/("blobs/imx8mm-venice-gw73xx-0x.dtb");
+                        data = /incbin/("$BLOBS/boot/imx8mm-venice-gw73xx-0x.dtb");
                         type = "flat_dt";
                         arch = "arm64";
@@ -1028 +1023 @@
 At this point we have a key (fit.key, fit.crt) and a template to create the FIT image from (fit.its). Note that we have elected above to use a compressed kernel (why not?) so we need to make sure we gzip the kernel to match the 'gzip' property value specified in its 'compression' node above. 
 
-
-Now we can now use the U-Boot mkimage tool (from the u-boot-tools package or from the u-boot build dir) to build the Image. We are going to use the '-K <dtb>' option to add a signature for the key into an existing DTB but U-Boot builds its control DTB itself so we will create a dummy DTB to put the key in then decompile it: 
-{{{#!bash
-# create a dummy its file
-cat <<EOF> blobs/signature.dts
- /dts-v1/;
-
-/ {
-};
-EOF
-# compile the dts to a dtb with device-tree compiler
-dtc -I dts -O dtb blobs/signature.dts > blobs/signature.dtb
+Now we can now use the U-Boot mkimage tool (from the u-boot-tools package or from the u-boot build dir) to build the Image to do two things:
+ 1. create a signed FIT image (fit.itb)
+ 2. store the signature in a 'signature.dtb' file (the '-K <dtb>' parameter) which we can decompile to obtain the signature node we need to put in our secure boot loader
+
+Procedure:
+{{{#!bash
+# create a signature.dtb for 'mkimage -K <dtb>' to modify
+printf "/dts-v1/;\n/ {\n};\n" > signature.dts && dtc -I dts -O dtb signature.dts > signature.dtb
 # create the fit image and add the signature to the dtb
-mkimage -f fit.its -k . -K blobs/signature.dtb -r fit.itb
-# decompile the dummy dtb
-dtc -I dtb -O dts blobs/signature.dtb > blobs/signature.dts
+mkimage -f fit.its -k . -K signature.dtb -r fit.itb
 # now we have a signed fit.itb you can put on your board or tftp
 cp fit.itb /tftpboot/venice
-}}}
- - Note: the -k parameter is the directory that the fit image key resides that is specified by key-name-hint. So for example with key-name-hint "fit" as above; fit.key will be in the directory specified by the -k parameter.
+# decompile the signature.dtb to signature.dts
+dtc -I dtb -O dts signature.dtb > signature.dts
+# then strip the first five lines and the last line out to just obtain the signature node
+cat signature.dts | tail -n +5 | head -n -1 > $BLOBS/signature.dts
+}}}
+ - Note: the -k parameter provides the directory to look for the key file specified by key-name-hint. So for example with key-name-hint "fit" as above; fit.key will be in the directory specified by the -k parameter.
 
 Before continuing with securing uboot, a quick check to make sure this fit image boots is a good idea. This step is strictly to help with debugging if there is an issue with your image blobs or an issue with u-boot's build configuration.
@@ -1056 +1049 @@
 
 ==== Getting FIT key into U-Boot proper and verifying signed images
-In order for U-boot to validate a signed FIT image it must have access to the key used to sign that image. This is why we created a signature.dtb in the previous step by using ‘mkimage -K’ to ‘inject’ a node into our signature.dtb.
+In order for U-boot to validate a signed FIT image it must have access to the key used to sign that image. This is why we created a signature.dts in the previous step by using ‘mkimage -K’ to ‘inject’ a node into our signature.dtb then decompiling it to a signature.dts.
 
 Now we need to modify U-Boot to allow it to verify FIT images against that key:
@@ -1063 +1056 @@
  - disable CONFIG_LEGACY_IMAGE_FORMAT so that unsigned (or signed images that failed verification!) are not allowed to boot
 
-Procedure:
+Procedure: (Note that we require some files from the Venice BSP with an env directory VENICE_BSP pointing to it)
  1. Checkout U-Boot (or use your existing U-Boot that you have been working with):
 {{{#!bash
@@ -1072 +1065 @@
 cp $VENICE_BSP/atf/build/imx8mm/release/bl31.bin . # ATF
 }}}
+ - Note that if you needed to modify the ATF in some way, for example adding OPTEE, copy it from there instead
  2. Make sure your environment is configured for cross-compiling:
 {{{#!bash
-(cd $VENICE_BSP; . ./setup-environment)
+pushd .; cd $VENICE_BSP; . ./setup-environment; popd # do not do this in a subshell or the env vars will not be retained
 make imx8mm_venice_defconfig
 }}}
- 3. Add the signature node from ../blobs/signature.dts to 'arch/arm/dts/imx8mm-venice-u-boot.dtsi' within the root node. You can position it either directly above or below the 'wdt-reboot' node. The 'imx8mm-venice-u-boot.dtsi' is included with all imx8mm-venice boards, which ensures that the signature node appears in all device tree blobs (dtbs) listed in CONFIG_OF_LIST. Placing it in 'imx8mm-venice-u-boot.dtsi' simplifies the process as there's no need to consider which specific board the user has.
+ 3. Add the signature node from $BLOBS/signature.dts to 'arch/arm/dts/imx8mm-venice-u-boot.dtsi' within the root node. You can position it either directly above or below the 'wdt-reboot' node. The 'imx8mm-venice-u-boot.dtsi' is included with all imx8mm-venice boards, which ensures that the signature node appears in all device tree blobs (dtbs) listed in CONFIG_OF_LIST. Placing it in 'imx8mm-venice-u-boot.dtsi' simplifies the process as there's no need to consider which specific board the user has.
  4. Use 'make menuconfig' to make the following changes:
  - CONFIG_FIT_SIGNATURE=y - enable signature verification of FIT uImages using a hash signed and verified using RSA.
- - RSA=y
+ - CONFIG_RSA=y
  - CONFIG_LEGACY_IMAGE_FORMAT is undefined - otherwise this allows booting unsigned images or any image if you lack a signature node 
 {{{#!bash
@@ -1090 +1084 @@
 When complete your differences should look like this:
 {{{#!bash
-$ git diff
+$ diff configs/imx8mm_venice_defconfig configs/imx8mm_venice_signed_fit_defconfig
 diff --git a/arch/arm/dts/imx8mm-venice-u-boot.dtsi b/arch/arm/dts/imx8mm-venice-u-boot.dtsi
 index 6f786b9467..1dd642284f 100644
@@ -1128 +1122 @@
  CONFIG_SPL_LOAD_FIT_ADDRESS=0x44000000
  CONFIG_OF_BOARD_SETUP=y
-
-}}}
-
-Now build it and update your board (by creating a JTAG image or using the 'update_firmware' script on the resulting flash.bin) 
-
-When uboot boots verify that the signature node is in the new controlling fdt:
+}}}
+ - note you won't see CONFIG_RSA=y and CONFIG_LEGACY_IMAGE_FORMAT undefined in your diff because those options are now the default with the above change
+
+Now build it and update the resulting flash.bin to your board (by creating a JTAG image or using the 'update_firmware' script on the resulting flash.bin):
+{{{#!bash
+make && cp flash.bin /tftpboot/venice/venice-imx8mm-flash.bin
+}}}
+
+When you boot your updated firmware verify that the signature node is in the new controlling fdt:
 {{{#!bash
 u=boot-> fdt addr $fdtcontroladdr && fdt print /signature
@@ -1231 +1228 @@
 U-Boot needs a special format for its ramdisk image to ensure proper booting and functionality of the system, and the mkimage command is used to create such images according to U-Boot's requirements.
 {{{#!bash
-mkimage -A arm64 -T ramdisk -C none -d blobs/rootfs.cpio.xz blobs/uramdisk
+mkimage -A arm64 -T ramdisk -C none -d $BLOBS/rootfs.cpio.xz $BLOBS/uramdisk
 }}}
  1. Modify the U-Boot device tree source per SoC (ie arch/arm/dts/imx8mm-u-boot.dtsi) and:
@@ -1244 +1241 @@
 
                                         uboot-blob {
-                                                filename = "blobs/Image";
+                                                filename = "$BLOBS/boot/Image";
                                                 type = "blob-ext";
                                         };
@@ -1257 +1254 @@
 
                                         uboot-blob {
-                                                filename = "blobs/imx8mm-venice-gw73xx-0x.dtb";
+                                                filename = "$BLOBS/boot/imx8mm-venice-gw73xx-0x.dtb";
                                                 type = "blob-ext";
                                         };
@@ -1270 +1267 @@
 
                                         uboot-blob {
-                                                filename = "blobs/uramdisk";
+                                                filename = "$BLOBS/uramdisk";
                                                 type = "blob-ext";
                                         };
@@ -1278 +1275 @@
  1. U-Boot needs a special format for its ramdisk image to ensure proper booting and functionality of the system, and the mkimage command is used to create such images according to U-Boot's requirements.
 {{{#!bash
-mkimage -A arm64 -T ramdisk -C none -d ../blobs/rootfs.cpio.xz ../blobs/uramdisk
+mkimage -A arm64 -T ramdisk -C none -d $BLOBS/rootfs.cpio.xz  $BLOBS/uramdisk
 }}}
 
@@ -1300 +1297 @@
 +
 +                                       uboot-blob {
-+                                               filename = "../blobs/Image";
++                                               filename = "$BLOBS/Image";
 +                                               type = "blob-ext";
 +                                       };
@@ -1313 +1310 @@
 +
 +                                       uboot-blob {
-+                                               filename = "../blobs/imx8mm-venice-gw73xx-0x.dtb";
++                                               filename = "$BLOBS/imx8mm-venice-gw73xx-0x.dtb";
 +                                               type = "blob-ext";
 +                                       };
@@ -1326 +1323 @@
 +
 +                                       uboot-blob {
-+                                               filename = "../blobs/uramdisk";
++                                               filename = "$BLOBS/uramdisk";
 +                                               type = "blob-ext";
 +                                       };
@@ -1484 +1481 @@
 Similarly to the meticulous steps outlined throughout this wiki article, it is essential to confirm the inclusion of the final desired blobs in the FIT Image, while also configuring our end u-boot environment with the specific settings we desire:
 
-For the FIT Image, you must use this rootfs.cpio.xz that we just created above, a standard (built from our BSP) or custom device tree blob specific to the board you are using, and you can use our Gateworks Kernel (built from our BSP) or other custom kernel:
-{{{#!bash
-mkdir blobs
-cp $VENICE_BSP/linux/arch/arm64/boot/Image blobs/
-cp $VENICE_BSP/linux/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx-0x.dtb blobs/
-cp rootfs.cpio.xz blobs/
-# gzip the kernel
-gzip -fk blobs/Image
-}}}
-
 Once you created a fit.itb comprised of these individual blobs by following the steps outlined in the "Generation of Signed FIT Image" section you just need to copy that FIT image to the tftp server you intend to use (same server ip that you define inside the init script).