Hi Simon,

When I was generating the keys, i.e., Step 4: Create a key pair

I am facing one more error while generating the private key & the certificate containing the public key used for verification. When I execute the below openssl commands it is saying can't open config file:

srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl genrsa -F4 -out keys/dev.key 2048
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Generating RSA private key, 2048 bit long modulus
............................+++
...............................................+++
e is 65537 (0x10001)
srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf

Could you please do the needful in resolving these errors, because of which I am not able to proceed further

Many Thanks in advance
________________________________________
From: s...@google.com <s...@google.com> on behalf of Simon Glass <s...@chromium.org>
Sent: Tuesday, November 4, 2014 12:07 PM
To: Srinivasan S
Cc: srinivasan; U-Boot Mailing List
Subject: Re: verifying & signing

Hi,

On 3 November 2014 20:01, Srinivasan S <srinivasa...@tataelxsi.co.in> wrote:
> Hi Simon,
>
> Good Morning!
>
> Many Thanks a lot for all your support so far,
>
> 1. With respect to the verified boot, I want to put the images onto NAND
> FLASH. Could you please let me know what is the procedure of flashing the
> verified boot images onto NAND instead of micro-SD

One option would be to use UBI to provide a consistent block interface
and then sit verity on top of that. But there may be other options,
I'm not sure.

>
> 2. Does dm-verity work only on read-only rootfs?.. or does it work on read-write
> rootfs?.. because as of now we are looking out only for a bare minimal
> rootfs, could you please suggest me if any rootfs with minimal support where
> dm-verity can be applied & verified apart from android

It requires a read-only rootfs. You can enable it on a filesystem
fairly easily - you need to run a tool to generate the hashes and root
hash, then pass that to the kernel on boot. You don't need to use
Android or Chrome OS - it is available in mainline Linux. I'm not sure
if there is a cogent guide somewhere though.

>
> I want to implement the automatic software update & recovery feature (i.e.,
> firmware update of uboot, kernel & rootfs) in ti-sdk-am335x-evm-07.00.00.00
> BSP's, in case it bricks, to unbrick by itself.
> Could you please help me with suitable pointers & source code links for
> implementing this feature

This is one way.

http://www.chromium.org/chromium-os/u-boot-porting-guide/2-concepts

So to ensure there can be no bricking you probably need to have a U-Boot
that you never update. It can then check the signature of a secondary
updateable U-Boot, and jump to it if it is OK. This is what Chrome OS
does.

BTW as this is a mailing list you should normally put the replies
below the text, not above.

Regards,
Simon

>
> Awaiting your replies
> Many Thanks in advance again,
>
> Srinivasan S
>
>
> ________________________________________
> From: s...@google.com <s...@google.com> on behalf of Simon Glass
> <s...@chromium.org>
> Sent: Monday, November 3, 2014 5:08 AM
> To: srinivasan
> Cc: U-Boot Mailing List; Srinivasan S
> Subject: Re: verifying & signing
>
> Hi,
>
> On 2 November 2014 07:06, srinivasan <srinivasan....@gmail.com> wrote:
>>
>> Hi Simon,
>>
>> http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
>>
>> As the above link explains the signing of kernel & verifying with uboot,
>>
>> Could you please let me know do you have any methods of signing & verifying
>> the linux kernel with root file system, i.e., I am using
>> ti-sdk-am335x-evm-07.00.00.00 BSP's where linux kernel is from this BSP only
>> & would be planning to use rootfs as my Angstrom filesystem or any others
>
> If you use dm-verity you can verify your root disk using a hash which
> is stored in the verified part of U-Boot. This is the method used by
> Chrome OS. This requires a read-only rootfs though. Is that
> acceptable?
>
> See this page for some info on how Android does this:
>
> https://source.android.com/devices/tech/security/dm-verity.html
>
>>
>> Could you please let me know how do we sign & verify the kernel with rootfs
>> with detailed steps as I am using beaglebone black as my development board
>> with ti-sdk-am335x-evm-07.00.00.00 BSP's
>
> I don't have detailed steps of this part sorry. An overview is here:
>
> http://events.linuxfoundation.org/sites/events/files/slides/chromeos_and_diy_vboot_0.pdf
>
>>
>> Awaiting your replies
>> Many Thanks in advance
>>
>
> Regards,
> Simon
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
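
Added example, not part of the thread and not dm-verity or U-Boot code: a simplified hash tree illustrating the "generate the hashes and root hash" step described above, and why the rootfs has to stay read-only. The 4096-byte block size, the salt-then-block SHA-256 hashing and the tree layout are assumptions for illustration; the result will not match the on-disk format of the real tooling.

```python
import hashlib

BLOCK = 4096                                        # assumed data/hash block size
PER_BLOCK = BLOCK // hashlib.sha256().digest_size   # 128 digests per hash block

def _h(salt, block):
    # Hash one block, zero-padding short (final) blocks to BLOCK bytes.
    return hashlib.sha256(salt + block.ljust(BLOCK, b"\0")).digest()

def _split(buf):
    return [buf[o:o + BLOCK] for o in range(0, len(buf), BLOCK)]

def build_tree(image, salt):
    """Return (root_hash, levels); levels[0] holds one digest per data block."""
    if not image:
        raise ValueError("empty image")
    levels = [[_h(salt, b) for b in _split(image)]]
    while len(levels[-1]) > PER_BLOCK:               # pack digests into hash blocks
        levels.append([_h(salt, b) for b in _split(b"".join(levels[-1]))])
    return _h(salt, b"".join(levels[-1])), levels

def verify_block(index, block, salt, levels, root_hash):
    """Check one data block using the untrusted tree and the trusted root hash."""
    digest = _h(salt, block)
    for level in levels:
        if index >= len(level) or level[index] != digest:
            return False
        start = index - index % PER_BLOCK            # hash block holding this digest
        digest = _h(salt, b"".join(level[start:start + PER_BLOCK]))
        index //= PER_BLOCK
    return digest == root_hash                       # only the root must be trusted

def demo():
    salt = bytes(32)                                 # constructed sample salt
    image = b"".join(bytes([i % 251]) * BLOCK for i in range(300))  # constructed rootfs
    root, levels = build_tree(image, salt)
    clean = all(verify_block(i, b, salt, levels, root)
                for i, b in enumerate(_split(image)))
    evil = b"\xff" + image[1:BLOCK]                  # block 0 with one byte changed
    tampered = verify_block(0, evil, salt, levels, root)
    forged = [list(level) for level in levels]       # stored leaf digest rewritten too
    forged[0][0] = _h(salt, evil)
    forged_ok = verify_block(0, evil, salt, forged, root)
    new_root, _ = build_tree(evil + image[BLOCK:], salt)
    return clean, tampered, forged_ok, new_root != root

if __name__ == "__main__":
    print(demo())
```

Any write to the image changes the root hash, so a root hash stored in the signed boot image only keeps matching if the filesystem is never modified after the tree is built.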