From: Jagan Teki <jagan@amarulasolutions.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64
Date: Wed, 13 Dec 2017 11:33:04 +0530	[thread overview]
Message-ID: <1513144986-13619-3-git-send-email-jagan@amarulasolutions.com> (raw)
In-Reply-To: <1513144986-13619-1-git-send-email-jagan@amarulasolutions.com>

Add verified-boot documentation for sunxi a64 platform.

Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
---
Changes for v3:
- Create separate document file
Changes for v2:
- New patch

 doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 193 insertions(+)
 create mode 100644 doc/README.sunxi

diff --git a/doc/README.sunxi b/doc/README.sunxi
new file mode 100644
index 0000000..ef4f735
--- /dev/null
+++ b/doc/README.sunxi
@@ -0,0 +1,193 @@
+#
+# Copyright (C) 2017 Amarula Solutions
+#
+# SPDX-License-Identifier:	GPL-2.0+
+#
+
+U-Boot on SunXi
+==============
+
+Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform. 
+
+	1. Verified Boot
+
+1. Verified Boot
+================
+
+U-Boot supports an image verification method called "Verified Boot".
+This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
+You will find details documents in the doc/uImage.FIT directory.
+
+Here, we take Orangepi Win board for example, but it should work for any
+other boards including 32 bit SoCs.
+
+1. Generate RSA key to sign
+
+  $ mkdir keys
+  $ openssl genpkey -algorithm RSA -out keys/dev.key \
+    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
+  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
+
+Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
+but need to match to the "key-name-hint" property described below.
+
+2. FIT Input
+
+---------------------------------------->8----------------------------------------
+/dts-v1/;
+/ {
+	description = "FIT image with single Linux kernel, FDT blob";
+	#address-cells = <1>;
+
+	images {
+		kernel at 0 {
+			description = "ARM64 Linux kernel";
+			data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
+			type = "kernel";
+			arch = "arm64";
+			os = "linux";
+			compression = "gzip";
+			load = <0x50080000>;
+			entry = <0x50080000>;
+			hash at 1 {
+				algo = "sha256";
+			};
+		};
+
+		fdt at 0 {
+			description = "Orangepi Win/Win+ Devicetree blob";
+			data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
+			type = "flat_dt";
+			arch = "arm64";
+			compression = "none";
+			hash at 1 {
+				algo = "sha256";
+			};
+		};
+	};
+
+	configurations {
+		default = "conf at 0";
+
+		conf at 0 {
+			description = "Boot Linux kernel, FDT blob";
+			kernel = "kernel at 0";
+			fdt = "fdt at 0";
+			signature at 0 {
+				algo = "sha256,rsa2048";
+				key-name-hint = "dev";
+				sign-images = "kernel", "fdt";
+			};
+		};
+	};
+};
+---------------------------------------->8----------------------------------------
+
+You need to change the two '/incbin/' lines, depending on the location of
+your kernel image and devicetree blob.  The "load" and "entry" properties also
+need to be adjusted if you want to change the physical placement of the kernel.
+
+The "key-name-hint" must specify the key name you have created in the step 1.
+
+The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
+
+3. Compile U-Boot with FIT and signature enabled
+
+To use the Verified Boot, you need to enable the following two options:
+  CONFIG_FIT
+  CONFIG_FIT_SIGNATURE
+
+  $ make orangepi_win_defconfig
+  $ make CROSS_COMPILE=aarch64-linux-gnu-
+
+4. FIT Output
+
+After building U-Boot, you will see tools/mkimage.  With this tool, you can
+create an image tree blob as follows:
+
+  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
+
+The -k option must specify the key directory you have created in step 1.
+
+A file "fitImage" will be created.  This includes kernel, DTB,
+hash data for each of the three, and signature data.
+
+The public key needed for the run-time verification is stored in "dts/dt.dtb".
+
+5. Compile Verified U-Boot
+
+Since the "dt.dtb" has been updated in step 4, you need to re-compile the
+U-Boot.
+
+  $ make CROSS_COMPILE=aarch64-linux-gnu-
+
+The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
+
+6. Flash the image
+
+Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
+board.
+
+7. Boot verified kernel
+
+Load the fitImage to memory and run the following from the U-Boot command line.
+
+  > bootm <addr>
+
+Here, <addr> is the base address of the fitImage.
+
+If it is successful, you will see messages like follows:
+
+---------------------------------------->8----------------------------------------
+=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
+=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
+16321738 bytes read in 1049 ms (14.8 MiB/s)
+=> bootm $kernel_addr_r
+## Loading kernel from FIT Image at 40080000 ...
+   Using 'conf at 0' configuration
+   Verifying Hash Integrity ... OK
+   Trying 'kernel at 0' kernel subimage
+     Description:  ARM64 Linux kernel
+     Type:         Kernel Image
+     Compression:  gzip compressed
+     Data Start:   0x400800e4
+     Data Size:    6884659 Bytes = 6.6 MiB
+     Architecture: AArch64
+     OS:           Linux
+     Load Address: 0x50080000
+     Entry Point:  0x50080000
+     Hash algo:    sha256
+     Hash value:   6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
+   Verifying Hash Integrity ... sha256+ OK
+## Loading fdt from FIT Image at 40080000 ...
+   Using 'conf at 0' configuration
+   Trying 'fdt at 0' fdt subimage
+     Description:  Orangepi Win/Win+ Devicetree blob
+     Type:         Flat Device Tree
+     Compression:  uncompressed
+     Data Start:   0x40710f24
+     Data Size:    9032 Bytes = 8.8 KiB
+     Architecture: AArch64
+     Hash algo:    sha256
+     Hash value:   ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
+   Verifying Hash Integrity ... sha256+ OK
+   Booting using the fdt blob at 0x40710f24
+   Uncompressing Kernel Image ... OK
+   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
+
+Starting kernel ...
+---------------------------------------->8----------------------------------------
+
+Please pay attention to the lines that start with "Verifying Hash Integrity".
+
+"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
+passed.
+
+"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
+for kernel and DTB.
+
+If they are not displayed, the Verified Boot is not working.
+
+--
+Jagan Teki <jagan@amarulasolutions.com>
+13 Dec 2017
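Review bot: the sample log in step 7 never shows the check that the text below it tells the reader to look for. The first "Verifying Hash Integrity ... OK" (right after "Using 'conf at 0' configuration") carries no algorithm or key name, yet the explanation under the log says a passed signature check reads "Verifying Hash Integrity ... sha256,rsa2048:dev+ OK". U-Boot prints that "sha256,rsa2048:dev+" suffix only when the configuration signature was actually verified against a key carried in its control DTB, so the log as captured is what you get when the public key is not in the running U-Boot (or was not marked required via -r); the two "sha256+ OK" lines are plain hash checks and say nothing about authenticity. Please re-capture the log from the U-Boot rebuilt in step 5, and ideally add the negative case (a fitImage signed with a different key, or with one byte of the kernel flipped, and the resulting bootm refusal), so a reader can tell a working setup from one that silently skips the signature. A related gap is step 6: it says to flash "fitImage" only and never says to write the U-Boot rebuilt in step 5 to the board, so the device keeps running the key-less U-Boot from step 3. Smaller points: "hash data for each of the three" should be "both", since the FIT has two images (kernel and fdt); the node names render as "kernel at 0", "fdt at 0", "conf at 0", "hash at 1", "signature at 0", which dtc will not parse, so check the committed file really reads kernel@0 and so on (this looks like list-archive mangling of '@', but worth confirming); "-F" on the mkimage line is the re-sign-an-existing-FIT flag and is redundant with "-f fit.its"; and the tutorial should state what this chain covers: with sign-images = "kernel", "fdt" only the kernel and DTB are authenticated by U-Boot, and nothing here says whether SPL, ATF or U-Boot itself is verified on A64, which a reader picking this up as "secure boot" needs to know. Also the "==============" underline under "U-Boot on SunXi" is one character short.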
-- 
2.7.4


Thread overview: 29+ messages
2017-12-13  6:03 [U-Boot] [PATCH v3 1/5] sunxi: a64: Enable FIT Signature Jagan Teki
2017-12-13  6:03 ` [U-Boot] [PATCH v3 2/5] sunxi: arm64: Increase CONFIG_SYS_BOOTM_LEN to 32MB Jagan Teki
2017-12-13 15:34   ` Maxime Ripard
2017-12-13  6:03 ` Jagan Teki [this message]
2017-12-13 15:38   ` [U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64 Maxime Ripard
2017-12-13 16:11     ` Jagan Teki
2017-12-14  9:07       ` Maxime Ripard
2017-12-13 15:59   ` Quentin Schulz
2017-12-13 16:16     ` Jagan Teki
2017-12-13 16:25       ` Andre Przywara
2017-12-13 16:35         ` Jagan Teki
2017-12-13 16:47           ` Andre Przywara
2017-12-14  1:28             ` Tom Rini
2017-12-13  6:03 ` [U-Boot] [PATCH v3 4/5] docs: README.sunxi: Move sunxi64 documentation Jagan Teki
2017-12-13 15:38   ` Maxime Ripard
2017-12-13 16:21     ` Jagan Teki
2017-12-13 16:12   ` Andre Przywara
2017-12-14  1:30     ` Tom Rini
2017-12-13  6:03 ` [U-Boot] [PATCH v3 5/5] docs: README.sunxi: Move nand documentation Jagan Teki
2017-12-13 15:39 ` [U-Boot] [PATCH v3 1/5] sunxi: a64: Enable FIT Signature Maxime Ripard
2017-12-13 16:08   ` [U-Boot] [linux-sunxi] " Peter Korsgaard
2017-12-14  8:16     ` Jagan Teki
2017-12-14  8:51       ` Peter Korsgaard
2017-12-14  8:33   ` [U-Boot] " Jagan Teki
2017-12-15 13:41     ` Maxime Ripard
2017-12-15 14:36       ` Andre Przywara
2017-12-15 15:05         ` Jagan Teki
2017-12-15 15:31           ` Andre Przywara
2017-12-15 15:02       ` Jagan Teki
