* [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images @ 2018-03-04 17:18 Clemens Gruber 2018-10-15 19:50 ` Matthew Weber 2019-02-03 19:52 ` Thomas Petazzoni 0 siblings, 2 replies; 5+ messages in thread From: Clemens Gruber @ 2018-03-04 17:18 UTC (permalink / raw) To: buildroot Allows signed FIT images to be verified with the public key in the DTB. The public key is stored in the bootloader image, which must have been verified by the previous stage in the trust chain, before loading it. Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com> --- boot/uboot/Config.in | 14 ++++++++++++++ boot/uboot/uboot.mk | 5 +++++ 2 files changed, 19 insertions(+) diff --git a/boot/uboot/Config.in b/boot/uboot/Config.in index 264f343767..620aa02bb9 100644 --- a/boot/uboot/Config.in +++ b/boot/uboot/Config.in @@ -460,6 +460,20 @@ config BR2_TARGET_UBOOT_CUSTOM_DTS_PATH To use this device tree source file, the U-Boot configuration file must refer to it. +config BR2_TARGET_UBOOT_EXT_DTB + bool "External DTB" + help + Put an external DTB in the U-Boot image. Used to store public + keys for verifying signed FIT images. + +config BR2_TARGET_UBOOT_EXT_DTB_PATH + string "Path to external DTB" + depends on BR2_TARGET_UBOOT_EXT_DTB + help + Path to external DTB to be put in the U-Boot image. + Prepend ${TOPDIR}/ to specify paths relative to the top + buildroot source directory. + endif endif # BR2_TARGET_UBOOT diff --git a/boot/uboot/uboot.mk b/boot/uboot/uboot.mk index d2f241cd8b..469673bebf 100644 --- a/boot/uboot/uboot.mk +++ b/boot/uboot/uboot.mk @@ -134,6 +134,11 @@ UBOOT_MAKE_OPTS += \ HOSTCC="$(HOSTCC) $(HOST_CFLAGS)" \ HOSTLDFLAGS="$(HOST_LDFLAGS)" +ifeq ($(BR2_TARGET_UBOOT_EXT_DTB),y) +UBOOT_MAKE_OPTS += \ + EXT_DTB="$(call qstrip,$(BR2_TARGET_UBOOT_EXT_DTB_PATH))" +endif + ifeq ($(BR2_TARGET_UBOOT_NEEDS_ATF_BL31),y) UBOOT_DEPENDENCIES += arm-trusted-firmware UBOOT_MAKE_OPTS += BL31=$(BINARIES_DIR)/bl31.bin -- 2.16.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images 2018-03-04 17:18 [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images Clemens Gruber @ 2018-10-15 19:50 ` Matthew Weber 2018-10-18 22:07 ` Clemens Gruber 2019-02-03 19:52 ` Thomas Petazzoni 1 sibling, 1 reply; 5+ messages in thread From: Matthew Weber @ 2018-10-15 19:50 UTC (permalink / raw) To: buildroot Clemens, On Mon, Oct 15, 2018 at 2:43 PM Clemens Gruber <clemens.gruber@pqgruber.com> wrote: > > Allows signed FIT images to be verified with the public key in the DTB. > The public key is stored in the bootloader image, which must have been > verified by the previous stage in the trust chain, before loading it. > > Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com> > --- > boot/uboot/Config.in | 14 ++++++++++++++ > boot/uboot/uboot.mk | 5 +++++ > 2 files changed, 19 insertions(+) > > diff --git a/boot/uboot/Config.in b/boot/uboot/Config.in > index 264f343767..620aa02bb9 100644 > --- a/boot/uboot/Config.in > +++ b/boot/uboot/Config.in > @@ -460,6 +460,20 @@ config BR2_TARGET_UBOOT_CUSTOM_DTS_PATH > To use this device tree source file, the U-Boot configuration > file must refer to it. > > +config BR2_TARGET_UBOOT_EXT_DTB > + bool "External DTB" > + help > + Put an external DTB in the U-Boot image. Used to store public > + keys for verifying signed FIT images. > + > +config BR2_TARGET_UBOOT_EXT_DTB_PATH > + string "Path to external DTB" > + depends on BR2_TARGET_UBOOT_EXT_DTB > + help > + Path to external DTB to be put in the U-Boot image. > + Prepend ${TOPDIR}/ to specify paths relative to the top > + buildroot source directory. > + > endif Would the existing BR2_TARGET_UBOOT_CUSTOM_DTS_PATH option already allow you to place your custom DTS files? Then to use them, you would need to either add a kconfig BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES fragment to build on your default board kconfig or if you have a custom board, set the kconfig path in BR2_TARGET_UBOOT_CUSTOM_CONFIG_FILE to your custom kconfig. I believe the combination KCONFIG values that point at DTS files can get your BR2_TARGET_UBOOT_CUSTOM_DTS_PATH dts files included in the uboot build without setting EXT_DTB. What do you think? Matt ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images 2018-10-15 19:50 ` Matthew Weber @ 2018-10-18 22:07 ` Clemens Gruber 2018-10-18 23:26 ` Matthew Weber 0 siblings, 1 reply; 5+ messages in thread From: Clemens Gruber @ 2018-10-18 22:07 UTC (permalink / raw) To: buildroot Hi Matthew, On Mon, Oct 15, 2018 at 02:50:13PM -0500, Matthew Weber wrote: > Clemens, > > On Mon, Oct 15, 2018 at 2:43 PM Clemens Gruber > <clemens.gruber@pqgruber.com> wrote: > > > > Allows signed FIT images to be verified with the public key in the DTB. > > The public key is stored in the bootloader image, which must have been > > verified by the previous stage in the trust chain, before loading it. > > > > Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com> > > --- > > boot/uboot/Config.in | 14 ++++++++++++++ > > boot/uboot/uboot.mk | 5 +++++ > > 2 files changed, 19 insertions(+) > > > > diff --git a/boot/uboot/Config.in b/boot/uboot/Config.in > > index 264f343767..620aa02bb9 100644 > > --- a/boot/uboot/Config.in > > +++ b/boot/uboot/Config.in > > @@ -460,6 +460,20 @@ config BR2_TARGET_UBOOT_CUSTOM_DTS_PATH > > To use this device tree source file, the U-Boot configuration > > file must refer to it. > > > > +config BR2_TARGET_UBOOT_EXT_DTB > > + bool "External DTB" > > + help > > + Put an external DTB in the U-Boot image. Used to store public > > + keys for verifying signed FIT images. > > + > > +config BR2_TARGET_UBOOT_EXT_DTB_PATH > > + string "Path to external DTB" > > + depends on BR2_TARGET_UBOOT_EXT_DTB > > + help > > + Path to external DTB to be put in the U-Boot image. > > + Prepend ${TOPDIR}/ to specify paths relative to the top > > + buildroot source directory. > > + > > endif > > Would the existing BR2_TARGET_UBOOT_CUSTOM_DTS_PATH option already > allow you to place your custom DTS files? Then to use them, you would > need to either add a kconfig BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES > fragment to build on your default board kconfig or if you have a > custom board, set the kconfig path in > BR2_TARGET_UBOOT_CUSTOM_CONFIG_FILE to your custom kconfig. > > I believe the combination KCONFIG values that point at DTS files can > get your BR2_TARGET_UBOOT_CUSTOM_DTS_PATH dts files included in the > uboot build without setting EXT_DTB. What do you think? This would not work, afaik. The dtb passed with EXT_DTB is not just a "normal" device tree blob, directly generated from a dts file. It's a special dtb into which the public keys (used to verify the FIT image signatures) were written once and the blob is then reused everytime the bootloader image is generated. It is described in chapter 5 of https://wiki.linaro.org/WorkingGroups/Security/Verified-U-boot And also in http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/beaglebone_vboot.txt Best regards, Clemens ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images 2018-10-18 22:07 ` Clemens Gruber @ 2018-10-18 23:26 ` Matthew Weber 0 siblings, 0 replies; 5+ messages in thread From: Matthew Weber @ 2018-10-18 23:26 UTC (permalink / raw) To: buildroot Clemens, On Thu, Oct 18, 2018 at 5:07 PM Clemens Gruber <clemens.gruber@pqgruber.com> wrote: > > Hi Matthew, > > On Mon, Oct 15, 2018 at 02:50:13PM -0500, Matthew Weber wrote: > > Clemens, > > > > On Mon, Oct 15, 2018 at 2:43 PM Clemens Gruber > > <clemens.gruber@pqgruber.com> wrote: > > > > > > Allows signed FIT images to be verified with the public key in the DTB. > > > The public key is stored in the bootloader image, which must have been > > > verified by the previous stage in the trust chain, before loading it. > > > > > > Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com> > > > --- > > > boot/uboot/Config.in | 14 ++++++++++++++ > > > boot/uboot/uboot.mk | 5 +++++ > > > 2 files changed, 19 insertions(+) > > > > > > diff --git a/boot/uboot/Config.in b/boot/uboot/Config.in > > > index 264f343767..620aa02bb9 100644 > > > --- a/boot/uboot/Config.in > > > +++ b/boot/uboot/Config.in > > > @@ -460,6 +460,20 @@ config BR2_TARGET_UBOOT_CUSTOM_DTS_PATH > > > To use this device tree source file, the U-Boot configuration > > > file must refer to it. > > > > > > +config BR2_TARGET_UBOOT_EXT_DTB > > > + bool "External DTB" > > > + help > > > + Put an external DTB in the U-Boot image. Used to store public > > > + keys for verifying signed FIT images. > > > + > > > +config BR2_TARGET_UBOOT_EXT_DTB_PATH > > > + string "Path to external DTB" > > > + depends on BR2_TARGET_UBOOT_EXT_DTB > > > + help > > > + Path to external DTB to be put in the U-Boot image. > > > + Prepend ${TOPDIR}/ to specify paths relative to the top > > > + buildroot source directory. > > > + > > > endif > > > > Would the existing BR2_TARGET_UBOOT_CUSTOM_DTS_PATH option already > > allow you to place your custom DTS files? Then to use them, you would > > need to either add a kconfig BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES > > fragment to build on your default board kconfig or if you have a > > custom board, set the kconfig path in > > BR2_TARGET_UBOOT_CUSTOM_CONFIG_FILE to your custom kconfig. > > > > I believe the combination KCONFIG values that point at DTS files can > > get your BR2_TARGET_UBOOT_CUSTOM_DTS_PATH dts files included in the > > uboot build without setting EXT_DTB. What do you think? > > This would not work, afaik. The dtb passed with EXT_DTB is not just a > "normal" device tree blob, directly generated from a dts file. > It's a special dtb into which the public keys (used to verify the FIT > image signatures) were written once and the blob is then reused > everytime the bootloader image is generated. > Ok sure, for a pre-built keys only blob. (ie what mkimage puts out as part of the signing process) Couple items I can think to mention 1) From when we looked at verified boot for a project, the blob is appended to the boot binary when a uboot.bin format is used. We found that there were cases where we wanted a boot.bin without the dtb appended and with. If we add the EX_DTB option, the output will always include that file per the defconfig. As once an image is built that way, at runtime it solely enforces verified boot for all items you're loading. This didn't seem ideal for factory/lab integration. Similar to rootfs building, it's nice to have the unwrapped file and final compressed/wrapped. A solution which would leave both original uboot and the one with signatures would be to do the DTB append in Buildroot's uboot.mk's logic. However you'd have to first confirm that the DTB is only appended in the case of the raw uboot.bin binary case and no other output formats. 2) It would be possible to handle the (1) case in a post image script without the proposed Buildroot change, if the .bin is the only file every appended with the DTB. 3) As another option, you could reverse compile the DTB that comes out of mkimage and include the source using the BR2_TARGET_UBOOT_CUSTOM_DTS_PATH and an include in your existing dts. That way everything is compiled at build time and not binaries are committed to repositories for the DTB. This also would not required the proposed Buildroot change. So it would be good to confirm if the EXT_DTB provides support for non uboot.bin formats. If that's the case, then a BR2_TARGET_UBOOT_EXT_DTB_PATH option or reverse compile your DTB, make the most sense vs using a post script. Matt ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images 2018-03-04 17:18 [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images Clemens Gruber 2018-10-15 19:50 ` Matthew Weber @ 2019-02-03 19:52 ` Thomas Petazzoni 1 sibling, 0 replies; 5+ messages in thread From: Thomas Petazzoni @ 2019-02-03 19:52 UTC (permalink / raw) To: buildroot Hello, On Sun, 4 Mar 2018 18:18:15 +0100 Clemens Gruber <clemens.gruber@pqgruber.com> wrote: > Allows signed FIT images to be verified with the public key in the DTB. > The public key is stored in the bootloader image, which must have been > verified by the previous stage in the trust chain, before loading it. > > Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com> For the record, this patch is a bit related to http://patchwork.ozlabs.org/patch/1018245/, on which I made an alternate proposal, that would cover both this patch and patch 1018245. (This e-mail is sent mainly so that others looking at patchwork for this patch will realize there is some related discussion in another thread.) Thanks, Thomas -- Thomas Petazzoni, CTO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-02-03 19:52 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-03-04 17:18 [Buildroot] [PATCH next] uboot: support external DTB in U-Boot images Clemens Gruber 2018-10-15 19:50 ` Matthew Weber 2018-10-18 22:07 ` Clemens Gruber 2018-10-18 23:26 ` Matthew Weber 2019-02-03 19:52 ` Thomas Petazzoni
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.