From patchwork Fri Nov 10 16:51:08 2017
X-Patchwork-Submitter: Jagan Teki
X-Patchwork-Id: 836795
From: Jagan Teki
To: Maxime Ripard
Cc: u-boot@lists.denx.de, Icenowy Zheng
Date: Fri, 10 Nov 2017 22:21:08 +0530
Message-Id: <1510332670-28663-1-git-send-email-jagan@amarulasolutions.com>
Subject: [U-Boot] [PATCH v2 1/3] sunxi: a64: Enable FIT Signature

Enable FIT_SIGNATURE for sunxi a64.

Signed-off-by: Jagan Teki
---
Changes for v2:
- Use imply instead of select

 arch/arm/mach-sunxi/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/mach-sunxi/Kconfig b/arch/arm/mach-sunxi/Kconfig index 09cfec6..9ee356f 100644 --- a/arch/arm/mach-sunxi/Kconfig +++ b/arch/arm/mach-sunxi/Kconfig
@@ -178,6 +178,7 @@ config MACH_SUN50I select SUNXI_DRAM_DW select SUNXI_DRAM_DW_32BIT select FIT + imply FIT_SIGNATURE select SPL_LOAD_FIT config MACH_SUN50I_H5

From patchwork Fri Nov 10 16:51:09 2017
X-Patchwork-Submitter: Jagan Teki
X-Patchwork-Id: 836796
From: Jagan Teki
To: Maxime Ripard
Cc: u-boot@lists.denx.de, Icenowy Zheng
Date: Fri, 10 Nov 2017 22:21:09 +0530
Message-Id: <1510332670-28663-2-git-send-email-jagan@amarulasolutions.com>
In-Reply-To: <1510332670-28663-1-git-send-email-jagan@amarulasolutions.com>
Subject: [U-Boot] [PATCH v2 2/3] sunxi: arm64: Increase CONFIG_SYS_BOOTM_LEN to 32MB

The default value of CONFIG_SYS_BOOTM_LEN, 0x800000, causes error when
uncompressing Image.gz out of FIT image.

   Uncompressing Kernel Image ... Error: inflate() returned -5
   Image too large: increase CONFIG_SYS_BOOTM_LEN

and loading Image out of FIT image.

   Loading Kernel Image ... Image too large: increase CONFIG_SYS_BOOTM_LEN
   Must RESET board to recover

Signed-off-by: Jagan Teki
---
Changes for v2:
- Add in separate patch with proper commit message

 include/configs/sunxi-common.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/configs/sunxi-common.h b/include/configs/sunxi-common.h index 4391a8c..2bdbc2a 100644 --- a/include/configs/sunxi-common.h +++ b/include/configs/sunxi-common.h
@@ -34,6 +34,7 @@ #ifdef CONFIG_ARM64 #define CONFIG_BUILD_TARGET "u-boot.itb" +#define CONFIG_SYS_BOOTM_LEN (32 << 20) #endif /* Serial & console */

From patchwork Fri Nov 10 16:51:10 2017
X-Patchwork-Submitter: Jagan Teki
X-Patchwork-Id: 836797
From: Jagan Teki
To: Maxime Ripard
Cc: u-boot@lists.denx.de, Icenowy Zheng
Date: Fri, 10 Nov 2017 22:21:10 +0530
Message-Id: <1510332670-28663-3-git-send-email-jagan@amarulasolutions.com>
In-Reply-To: <1510332670-28663-1-git-send-email-jagan@amarulasolutions.com>
Subject: [U-Boot] [PATCH v2 3/3] sunxi: README.sunxi64: Document verified-boot for a64

Add verified-boot documentation for sunxi a64 platform.

Signed-off-by: Jagan Teki
---
Changes for v2:
- New patch

 board/sunxi/README.sunxi64 | 177 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 177 insertions(+)

diff --git a/board/sunxi/README.sunxi64 b/board/sunxi/README.sunxi64 index c492f74..5a2fe69 100644 --- a/board/sunxi/README.sunxi64 +++ b/board/sunxi/README.sunxi64
@@ -160,6 +160,183 @@ Then write this image to a microSD card, replacing /dev/sdx with the right device file (see above): $ dd if=firmware.img of=/dev/sdx bs=8k seek=1 +Verified Boot +============= + +U-Boot supports an image verification method called "Verified Boot". +This is a brief tutorial to utilize this feature for the Sunxi A64 platform. +You will find details documents in the doc/uImage.FIT directory. + +Here, we take Orangepi Win board for example, but it should work for any +other boards including 32 bit SoCs. + +1. Generate RSA key to sign + + $ mkdir keys + $ openssl genpkey -algorithm RSA -out keys/dev.key \ + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt + +Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary, +but need to match to the "key-name-hint" property described below. + +2. FIT Input + +---------------------------------------->8---------------------------------------- +/dts-v1/; +/ { + description = "FIT image with single Linux kernel, FDT blob"; + #address-cells = <1>; + + images { + kernel@0 { + description = "ARM64 Linux kernel"; + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz"); + type = "kernel"; + arch = "arm64"; + os = "linux"; + compression = "gzip"; + load = <0x50080000>; + entry = <0x50080000>; + hash@1 { + algo = "sha256"; + }; + }; + + fdt@0 { + description = "Orangepi Win/Win+ Devicetree blob"; + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb"); + type = "flat_dt"; + arch = "arm64"; + compression = "none"; + hash@1 { + algo = "sha256"; + }; + }; + }; + + configurations { + default = "conf@0"; + + conf@0 { + description = "Boot Linux kernel, FDT blob"; + kernel = "kernel@0"; + fdt = "fdt@0"; + signature@0 { + algo = "sha256,rsa2048"; + key-name-hint = "dev"; + sign-images = "kernel", "fdt"; + }; + }; + }; +}; 
+---------------------------------------->8---------------------------------------- + +You need to change the two '/incbin/' lines, depending on the location of +your kernel image and devicetree blob. The "load" and "entry" properties also +need to be adjusted if you want to change the physical placement of the kernel. + +The "key-name-hint" must specify the key name you have created in the step 1. + +The FIT file name is arbitrary. Let's say you saved it into "fit.its". + +3. Compile U-Boot with FIT and signature enabled + +To use the Verified Boot, you need to enable the following two options: + CONFIG_FIT + CONFIG_FIT_SIGNATURE + + $ make orangepi_win_defconfig + $ make CROSS_COMPILE=aarch64-linux-gnu- + +4. FIT Output + +After building U-Boot, you will see tools/mkimage. With this tool, you can +create an image tree blob as follows: + + $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage + +The -k option must specify the key directory you have created in step 1. + +A file "fitImage" will be created. This includes kernel, DTB, +hash data for each of the three, and signature data. + +The public key needed for the run-time verification is stored in "dts/dt.dtb". + +5. Compile Verified U-Boot + +Since the "dt.dtb" has been updated in step 4, you need to re-compile the +U-Boot. + + $ make CROSS_COMPILE=aarch64-linux-gnu- + +The re-compiled "u-boot.bin" is appended with DTB that contains the public key. + +6. Flash the image + +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your +board. + +7. Boot verified kernel + +Load the fitImage to memory and run the following from the U-Boot command line. + + > bootm + +Here, is the base address of the fitImage. 
+ +If it is successful, you will see messages like follows: + +---------------------------------------->8---------------------------------------- +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage +16321738 bytes read in 1049 ms (14.8 MiB/s) +=> bootm $kernel_addr_r +## Loading kernel from FIT Image at 40080000 ... + Using 'conf@0' configuration + Verifying Hash Integrity ... OK + Trying 'kernel@0' kernel subimage + Description: ARM64 Linux kernel + Type: Kernel Image + Compression: gzip compressed + Data Start: 0x400800e4 + Data Size: 6884659 Bytes = 6.6 MiB + Architecture: AArch64 + OS: Linux + Load Address: 0x50080000 + Entry Point: 0x50080000 + Hash algo: sha256 + Hash value: 6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a + Verifying Hash Integrity ... sha256+ OK +## Loading fdt from FIT Image at 40080000 ... + Using 'conf@0' configuration + Trying 'fdt@0' fdt subimage + Description: Orangepi Win/Win+ Devicetree blob + Type: Flat Device Tree + Compression: uncompressed + Data Start: 0x40710f24 + Data Size: 9032 Bytes = 8.8 KiB + Architecture: AArch64 + Hash algo: sha256 + Hash value: ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1 + Verifying Hash Integrity ... sha256+ OK + Booting using the fdt blob at 0x40710f24 + Uncompressing Kernel Image ... OK + Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK + +Starting kernel ... +---------------------------------------->8---------------------------------------- + +Please pay attention to the lines that start with "Verifying Hash Integrity". + +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check +passed. + +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed +for kernel and DTB. + +If they are not displayed, the Verified Boot is not working. 
+ [1] https://github.com/apritzel/arm-trusted-firmware.git [2] git://github.com/linux-sunxi/sunxi-tools.git [3] https://github.com/apritzel/pine64/
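Review bot: In patch 1/3, `imply FIT_SIGNATURE` in the `config MACH_SUN50I` hunk only sets a default that a board defconfig can still switch off, while the commit message says the option is enabled for a64. The message should say it becomes a default, so nobody assumes every A64 build verifies signatures. The line also sits between `select FIT` and `select SPL_LOAD_FIT`; moving it after the last `select` keeps the hard dependencies together. The neighbouring `config MACH_SUN50I_H5` gets no such line, although the README added in 3/3 says the procedure should work for other boards, so either add it there or state the difference.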
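Review bot: In patch 2/3, `#define CONFIG_SYS_BOOTM_LEN (32 << 20)` inside `#ifdef CONFIG_ARM64` has neither a comment nor an `#ifndef` guard, so the reason for 32 MB lives only in the commit message and a board header cannot pick a different limit. Suggest a one-line comment above the define saying that an arm64 kernel loaded from a FIT exceeds the 0x800000 default, and wrapping it in `#ifndef CONFIG_SYS_BOOTM_LEN`. The commit message would also be easier to check if it gave the uncompressed size of the Image that failed, so the 32 MB bound can be judged against it.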
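Review bot: In patch 3/3, the sample boot log in step 7 does not contain the line the text tells the reader to look for. After `Using 'conf@0' configuration` it prints `Verifying Hash Integrity ... OK`, whereas the closing paragraph says a passed signature check reads `sha256,rsa2048:dev+ OK`. By the README's own rule ("If they are not displayed, the Verified Boot is not working") this log only demonstrates the two sha256 hash checks, so please recapture it from a boot where the configuration signature is actually checked against the key in the control DTB. Also, in step 4 "hash data for each of the three" does not match the .its, which defines two images (kernel@0 and fdt@0), and "details documents" in the introduction should read "detailed documents".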