[PATCH v2 2/4] bootm: Add a bootm command for type IH_OS_EFI

From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
To: u-boot@lists.denx.de
Subject: [PATCH v2 2/4] bootm: Add a bootm command for type IH_OS_EFI
Date: Wed, 11 Dec 2019 10:54:57 +0200	[thread overview]
Message-ID: <20191211085457.GA1210@BV030612LT> (raw)
In-Reply-To: <a19784cb-8259-2e2d-fbc4-8037b4b9961e@gmx.de>

On Tue, Dec 10, 2019 at 08:32:17PM +0100, Heinrich Schuchardt wrote:
> On 12/10/19 9:56 AM, Cristian Ciocaltea wrote:
> > Add support for booting EFI binaries contained in FIT images.
> > A typical usage scenario is chain-loading GRUB2 in a verified
> > boot environment.
> > 
> > Signed-off-by: Cristian Ciocaltea<cristian.ciocaltea@gmail.com>
> 
> Reading through the code it looks good. What I really need to do is
> analyze the address usage on the sandbox. To me it is unclear if
> images->fdt_addr is a physical address or an address in the address
> space of the sandbox.
> 
> Did you test this on the sandbox? You can use
> lib/efi_loader/helloworld.efi as a binary and the 'host load hostfs'
> command for loading the FIT image.

I only tested on qemu, I've never used the sandbox, so it's a good
opportunity to give it a try.

> Shouldn't we add booting a UEFI FIT image to the Python test in
> test/py/tests/test_fit.py?

Unfortunately I'm not familiar with the testing framework (including
Python scripting), but I'll do my best to add such a test.

> doc/uImage.FIT/signature.txt describes that several properties of the
> RSA public key should be stored in the control device tree.
> Unfortunately no example is supplied in which format they should be
> stored. Could you send me an example, please.
> 
> I found the following
> 
> https://github.com/bn121rajesh/ipython-notebooks/blob/master/BehindTheScene/RSAPublicKeyParamsUBoot/rsa_public_key_params_uboot.ipynb
> 
> Is this an accurate description? Or how do you get the parameters from
> your RSA public key?

My test scenario involves the following steps:

1. Create a public/private key pair
$ openssl genpkey -algorithm RSA -out ${DEV_KEY} \
        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537

2. Create a certificate containing the public key
$ openssl req -batch -new -x509 -key ${DEV_KEY} -out ${DEV_CRT}

3. Dump QEMU virt board DTB
$ qemu-system-arm -nographic -M virt,dumpdtb=${BOARD_DTB} \
        -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin [...]

4. Create (unsigned) FIT image and put the public key into DTB, with
   the 'required' property set, telling U-Boot that this key MUST be
   verified for the image to be valid
$ mkimage -f ${FIT_ITS} -K ${BOARD_DTB} -k ${KEYS_DIR} -r ${FIT_IMG}

5. Sign the FIT image
$ fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB}

6. Run QEMU supplying the DTB containing the public key and the
   u-boot binary built with CONFIG_OF_BOARD
$ qemu-system-arm -nographic \
    -M virt -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin \
    -dtb ${BOARD_DTB} [...]

This is what I get after booting QEMU with the command above:

=> fdt addr $fdtcontroladdr
=> fdt print
/ {
    [...]
	signature {
		key-dev {
			required = "conf";
			algo = "sha256,rsa2048";
			rsa,r-squared = * 0x5ef05188 [0x00000100];
			rsa,modulus = * 0x5ef05294 [0x00000100];
			rsa,exponent = <0x00000000 0x00010001>;
			rsa,n0-inverse = <0x649cd557>;
			rsa,num-bits = <0x00000800>;
			key-name-hint = "dev";
		};
	};
    [...]

> Best regards
> 
> Heinrich