Message ID | 20210326201410.13906-1-klaus@linux.vnet.ibm.com |
---|---|
Series | u-boot: Support for SPL verified boot |
On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
> This patch series aims at extending U-Boot's verified boot support to
> also include SPL.
>
> Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
> and kernel-fitimage to create and sign a Linux Kernel fitImage. This
> proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
> SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
> (proper) fitImage that the SPL can load (and verify if enabled).
>
> In order to accomplish this, the first patch moves some of the necessary
> infrastructure (variables, functions) used to sign the Kernel
> fitImage to more common locations, and then essentially duplicates the
> method currently used to sign the Kernel fitImage to also sign the
> U-Boot fitImage.
>
> If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
> copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
> the staging area, so that the Kernel recipe can then create the U-Boot
> fitImage.
>
> In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
> the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
> auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and
> UBOOT_FIT_SIGN_NUMBITS if UBOOT_FIT_GENERATE_KEYS is "1".
>
> After the operations above, the Kernel recipe will deploy the (signed)
> U-Boot fitImage, the ITS script used to create it, as well as the SPL
> concatenated with the DTB containing the pubkey to the images directory.
>
> The reason why the U-Boot fitImage is created by the Kernel is in order
> to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
> fitImage is signed), the U-Boot fitImage being created/signed contains
> the pubkey used by the Kernel recipe to sign the Kernel fitImage.
>
> I added oe-selftest testcases and also tested this on upstream OpenBMC
> with AST2600 BMC devices.
>
> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>

I've merged this, I wanted to say a big thanks for writing some test cases
for these code paths. It should start to help a lot in this area in the
future. I'm going to be asking that future fixes in this area add/improve
test cases to cover issues too.

Cheers,

Richard

On 4/6/2021 7:57 AM, Richard Purdie wrote:
> On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
>> This patch series aims at extending U-Boot's verified boot support to
>> also include SPL.
>> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
>
> I've merged this, I wanted to say a big thanks for writing some test cases
> for these code paths. It should start to help a lot in this area in the
> future. I'm going to be asking that future fixes in this area add/improve
> test cases to cover issues too.
>

Thanks Richard.

FYI, there's a patch I sent recently with relatively important fixes (for some
corner cases) that should apply on top of the patches above:

Subject: [PATCH] uboot: Fixes SPL verified boot on corner cases
Date: Mar 31, 2021

I'd recommend applying that patch as well, before yocto / other projects start
pulling from oe-core.

Thanks,

-Klaus

On Tue, 2021-04-06 at 10:21 -0300, Klaus Heinrich Kiwi wrote:
>
> On 4/6/2021 7:57 AM, Richard Purdie wrote:
> > On Fri, 2021-03-26 at 17:14 -0300, Klaus Heinrich Kiwi wrote:
> > > This patch series aims at extending U-Boot's verified boot support to
> > > also include SPL.
> > > Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
> >
> > I've merged this, I wanted to say a big thanks for writing some test cases
> > for these code paths. It should start to help a lot in this area in the
> > future. I'm going to be asking that future fixes in this area add/improve
> > test cases to cover issues too.
> >
>
> Thanks Richard.
>
> FYI, there's a patch I sent recently with relatively important fixes (for some
> corner cases) that should apply on top of the patches above:
>
> Subject: [PATCH] uboot: Fixes SPL verified boot on corner cases
> Date: Mar 31, 2021
>
> I'd recommend applying that patch as well, before yocto / other projects start
> pulling from oe-core.

Thanks, it didn't apply 100% cleanly which is why I'd deferred it but I've got
to apply and am testing...

Cheers,

Richard

This patch series aims at extending U-Boot's verified boot support to
also include SPL.

Presently, setting UBOOT_SIGN_ENABLE instructs the classes uboot-sign
and kernel-fitimage to create and sign a Linux Kernel fitImage. This
proposal introduces the variables UBOOT_FITIMAGE_ENABLE and
SPL_SIGN_ENABLE that will, respectively, create and sign a U-Boot
(proper) fitImage that the SPL can load (and verify if enabled).

In order to accomplish this, the first patch moves some of the necessary
infrastructure (variables, functions) used to sign the Kernel
fitImage to more common locations, and then essentially duplicates the
method currently used to sign the Kernel fitImage to also sign the
U-Boot fitImage.

If the variable UBOOT_FITIMAGE_ENABLE = "1", the uboot-sign class will
copy the SPL files (nodtb image and dtb file) from the u-boot recipe to
the staging area, so that the Kernel recipe can then create the U-Boot
fitImage.

In case SPL_SIGN_ENABLE = "1", the U-Boot fitImage will be signed using
the key provided by SPL_SIGN_KEYNAME / SPL_SIGN_KEYDIR, or will
auto-generate keys based on UBOOT_FIT_HASH_ALG, UBOOT_FIT_SIGN_ALG and
UBOOT_FIT_SIGN_NUMBITS if UBOOT_FIT_GENERATE_KEYS is "1".

After the operations above, the Kernel recipe will deploy the (signed)
U-Boot fitImage, the ITS script used to create it, as well as the SPL
concatenated with the DTB containing the pubkey to the images directory.

The reason why the U-Boot fitImage is created by the Kernel is in order
to make sure that, when UBOOT_SIGN_ENABLE is set (and the Kernel
fitImage is signed), the U-Boot fitImage being created/signed contains
the pubkey used by the Kernel recipe to sign the Kernel fitImage.

I added oe-selftest testcases and also tested this on upstream OpenBMC
with AST2600 BMC devices.

Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
---
Changes since V1:

* Separated SPL_SIGN_ENABLE from UBOOT_FITIMAGE_ENABLE so that a
  U-Boot fitImage can be created without a signature
* Completely moved the task of creating/signing the U-Boot fitImage to
  the Kernel recipe, so that we don't get collisions when reusing the
  build tree while changing the configuration. This is apparently also
  necessary for testcases to be sane.
* Testcases changes and additions, covering the above scenarios

 meta/classes/kernel-fitimage.bbclass     |  82 ++---
 meta/classes/uboot-config.bbclass        |  58 ++++
 meta/classes/uboot-sign.bbclass          | 407 +++++++++++++++++++++++--
 meta/lib/oeqa/selftest/cases/fitimage.py | 468 +++++++++++++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot.inc       |  46 ---
 5 files changed, 928 insertions(+), 133 deletions(-)
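
An added example (not part of the thread or of the merged classes): a small Python lint that resolves `=`, `?=` and `??=` assignments in a configuration fragment and flags gaps in the verification chain the cover letter describes. The rules are read from the cover letter rather than from the bbclass code, and the sample fragment with its `spl-dev` key name is constructed.

```python
import re

# Constructed sample local.conf fragment (not from the thread): the kernel
# fitImage is signed, the U-Boot fitImage is created but left unsigned.
SAMPLE_CONF = '''
UBOOT_SIGN_ENABLE = "1"
UBOOT_FITIMAGE_ENABLE = "1"
SPL_SIGN_ENABLE ??= "0"
SPL_SIGN_KEYNAME ?= "spl-dev"
'''

ASSIGN = re.compile(r'^\s*([A-Za-z0-9_]+)\s*(\?\?=|\?=|=)\s*"([^"]*)"\s*$')

def parse_conf(text):
    """Resolve =, ?= and ??= assignments; other operators are ignored."""
    hard, weak = {}, {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, op, value = m.groups()
        if op == "=":
            hard[name] = value              # plain assignment, last one wins
        elif op == "?=":
            hard.setdefault(name, value)    # only if not already assigned
        else:
            weak[name] = value              # ??= weak default, last one wins
    return {**weak, **hard}

def audit(conf):
    """Return findings for the SPL verified-boot variables in the cover letter."""
    def on(key):
        return conf.get(key) == "1"
    findings = []
    if on("SPL_SIGN_ENABLE") and not on("UBOOT_FITIMAGE_ENABLE"):
        findings.append("SPL_SIGN_ENABLE set but no U-Boot fitImage is created")
    if on("SPL_SIGN_ENABLE") and not on("UBOOT_FIT_GENERATE_KEYS"):
        missing = [k for k in ("SPL_SIGN_KEYNAME", "SPL_SIGN_KEYDIR") if not conf.get(k)]
        if missing:
            findings.append("no signing key source: missing " + ", ".join(missing))
    if on("UBOOT_FITIMAGE_ENABLE") and not on("SPL_SIGN_ENABLE"):
        findings.append("U-Boot fitImage is unsigned: SPL loads it without verifying")
        if on("UBOOT_SIGN_ENABLE"):
            findings.append("kernel pubkey lives in an unverified U-Boot image")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```

The last rule is the one that matters for the chain of trust: a signed Kernel fitImage is checked against a pubkey carried in the U-Boot fitImage, so leaving that image unsigned leaves the key itself unprotected.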