* [U-Boot] Booting a second stage Bootloader in FIT image
@ 2015-08-03 22:34 KJ H. Kiran
  0 siblings, 0 replies; 3+ messages in thread
From: KJ H. Kiran @ 2015-08-03 22:34 UTC (permalink / raw)
  To: u-boot


Hi Simon,

I am implementing the secure u-boot for our custom board and have a question with the current implementation of secure framework with u-boot loading the "loadables" images.

I got the latest 2015.07 mainline branch and am trying to load a bootloader (FIT format) from an already loaded bootloader!

First stage--------------> 2nd stage -------------------> OS FIT
(MLO,u-boot)               (u-boot.bin)                 (kernel, RFS,DTB)


I created an .its file just to boot a 2nd stage bootloader

/dts-v1/;

/ {
    description = "ABB Measurement Product images";
    #address-cells = <1>;

    images {
        u-boot@1 {
            data = /incbin/("u-boot.bin");
            type = "u-boot";
            arch = "arm";
            compression = "none";
            load = <0x82000000>;
            entry = <0x82000000>;
            hash@1 {
                algo = "sha1";
            };
        };
    };

    configurations {
        default = "2100000@xx";
        2100000@xx {
            description = "2nd stage BL";
            u-boot = "u-boot@1";
            loadables = "u-boot@1";
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "u-boot";
            };
        };
    };
};

I am able to load it on my device and successfully verify the signature. However, the bootm command is trying to find an OS image every time. I have looked at the cmd_bootm.c file and it looks like it checks for a valid OS image for booting.

I think it would be good if a special case in bootm is introduced which can just load the "loadable" images independent of the kernel image. This will allow the users to support a multiple image scenario without any dependencies. I think a separate command is necessary which can verify a signature and just load the "loadable" images in the required memory addresses.

Is there a way kernel image loading can be ignored in bootm?

Testing:

I tried to load my bootloader FIT image and run it with the bootm $loadaddr:u-boot command:
U-Boot# bootm $loadaddr:u-boot
## Loading kernel from FIT Image at 82800000 ...
   Trying 'u-boot' kernel subimage
     Description:  unavailable
     Created:      2015-08-03  21:45:12 UTC
     Type:         Standalone Program
     Compression:  uncompressed
     Data Start:   0x828000b4
     Data Size:    385283 Bytes = 376.3 KiB
     Architecture: ARM
     Load Address: 0x82000000
     Entry Point:  0x82000000
     Hash algo:    sha1
     Hash value:   d44663a203a151fe52c93029ec1fecee0d30192a
   Verifying Hash Integrity ... sha1+ OK
No Unknown OS ARM Kernel Image Image
ERROR: can't get kernel image!

If I use the bootm $loadaddr#configuration command, it tries to run the kernel image and it crashes, but loads my required image at the memory address.

Thanks,

Harsha Kiran KJ
Software engineer II
ABB Inc.
7051 Industrial Boulevard
74006, Bartlesville, Oklahoma, UNITED STATES
Phone: +1 9183384851
Mobile: +1 4053854043
email: kj.h.kiran at us.abb.com
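
Added example, not part of the original message or of U-Boot: a small check of which images referenced by the configuration above are named through sign-images. It assumes, following U-Boot's FIT signature documentation, that sign-images lists configuration property names and defaults to kernel and fdt when absent; the function name and the regex-based parsing are illustrative only.

```python
import re

# Constructed sample: the configurations node from the message above, with
# "@" in the node names and a terminating semicolon on the loadables line.
ITS_CONF = '''
configurations {
    default = "2100000@xx";
    2100000@xx {
        description = "2nd stage BL";
        u-boot = "u-boot@1";
        loadables = "u-boot@1";
        signature@1 {
            algo = "sha1,rsa2048";
            key-name-hint = "dev";
            sign-images = "u-boot";
        };
    };
};
'''

PROP = re.compile(r'^\s*([\w#-]+)\s*=\s*(.+?);\s*$', re.M)
STRINGS = re.compile(r'"([^"]*)"')
# Properties whose string values are not references to image nodes.
NOT_IMAGE_REFS = {"description", "default", "algo", "key-name-hint", "sign-images"}


def unsigned_images(conf_text):
    """Return {property: [images]} for images no sign-images property covers.

    Handles a single configuration node; properties are read line by line.
    """
    props = {name: STRINGS.findall(value) for name, value in PROP.findall(conf_text)}
    # Assumption: with no sign-images property the default is kernel and fdt.
    signed_props = props.get("sign-images", ["kernel", "fdt"])
    covered = {img for p in signed_props for img in props.get(p, [])}
    gaps = {}
    for name, values in props.items():
        if name in NOT_IMAGE_REFS:
            continue
        missing = [img for img in values if img not in covered]
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    print(unsigned_images(ITS_CONF) or "every referenced image is covered")
```

For the posted configuration the result is empty, because u-boot and loadables both point at u-boot@1; a second image listed only under loadables would be reported.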




* [U-Boot] Booting a second stage Bootloader in FIT image
  2015-08-04 16:53 KJ H. Kiran
@ 2015-08-04 23:24 ` Simon Glass
  0 siblings, 0 replies; 3+ messages in thread
From: Simon Glass @ 2015-08-04 23:24 UTC (permalink / raw)
  To: u-boot

Hi Harsha,

On 4 August 2015 at 10:53, KJ H. Kiran <kj.h.kiran@us.abb.com> wrote:
> Hi!
>
> I think I found a solution. I have created a new cmd in cmd_bootm file and I
> just loaded the loadable images. Now I am able to boot the second stage
> bootloader (or any application).
>

OK that is good. If you have figured out a good solution please send a
patch to the mailing list.  The loadable support was added recently
and should support verified boot if you use the configuration
approach.

Regards,
Simon


* [U-Boot] Booting a second stage Bootloader in FIT image
@ 2015-08-04 16:53 KJ H. Kiran
  2015-08-04 23:24 ` Simon Glass
  0 siblings, 1 reply; 3+ messages in thread
From: KJ H. Kiran @ 2015-08-04 16:53 UTC (permalink / raw)
  To: u-boot

Hi!

I think I found a solution. I have created a new cmd in cmd_bootm file and I just loaded the loadable images. Now I am able to boot the second stage bootloader (or any application).

Thanks,
Harsha
