Hi Jagan,

On 13/12/2017 07:03, Jagan Teki wrote:
> Add verified-boot documentation for sunxi a64 platform.
> 
> Signed-off-by: Jagan Teki <ja...@amarulasolutions.com>
> ---
> Changes for v3:
> - Create separate document file
> Changes for v2:
> - New patch
> 
>  doc/README.sunxi | 193 
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 193 insertions(+)
>  create mode 100644 doc/README.sunxi
> 
> diff --git a/doc/README.sunxi b/doc/README.sunxi
> new file mode 100644
> index 0000000..ef4f735
> --- /dev/null
> +++ b/doc/README.sunxi
> @@ -0,0 +1,193 @@
> +#
> +# Copyright (C) 2017 Amarula Solutions
> +#
> +# SPDX-License-Identifier:   GPL-2.0+
> +#
> +
> +U-Boot on SunXi
> +==============
> +
> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi 
> platform. 
> +
> +     1. Verified Boot
> +
> +1. Verified Boot
> +================
> +
> +U-Boot supports an image verification method called "Verified Boot".
> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> +You will find details documents in the doc/uImage.FIT directory.
> +
> +Here, we take Orangepi Win board for example, but it should work for any
> +other boards including 32 bit SoCs.
> +
> +1. Generate RSA key to sign
> +
> +  $ mkdir keys
> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> +
> +Two files "dev.key" and "dev.crt" will be created.  The base name is 
> arbitrary,
> +but need to match to the "key-name-hint" property described below.
> +
> +2. FIT Input
> +
> +---------------------------------------->8----------------------------------------
> +/dts-v1/;
> +/ {
> +     description = "FIT image with single Linux kernel, FDT blob";
> +     #address-cells = <1>;
> +
> +     images {
> +             kernel@0 {
> +                     description = "ARM64 Linux kernel";
> +                     data = 
> /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
> +                     type = "kernel";
> +                     arch = "arm64";
> +                     os = "linux";
> +                     compression = "gzip";
> +                     load = <0x50080000>;
> +                     entry = <0x50080000>;
> +                     hash@1 {
> +                             algo = "sha256";
> +                     };
> +             };
> +
> +             fdt@0 {
> +                     description = "Orangepi Win/Win+ Devicetree blob";
> +                     data = 
> /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
> +                     type = "flat_dt";
> +                     arch = "arm64";
> +                     compression = "none";
> +                     hash@1 {
> +                             algo = "sha256";
> +                     };
> +             };
> +     };
> +
> +     configurations {
> +             default = "conf@0";
> +
> +             conf@0 {
> +                     description = "Boot Linux kernel, FDT blob";
> +                     kernel = "kernel@0";
> +                     fdt = "fdt@0";
> +                     signature@0 {
> +                             algo = "sha256,rsa2048";
> +                             key-name-hint = "dev";
> +                             sign-images = "kernel", "fdt";
> +                     };
> +             };
> +     };
> +};
> +---------------------------------------->8----------------------------------------
> +
> +You need to change the two '/incbin/' lines, depending on the location of
> +your kernel image and devicetree blob.  The "load" and "entry" properties 
> also
> +need to be adjusted if you want to change the physical placement of the 
> kernel.
> +
> +The "key-name-hint" must specify the key name you have created in the step 1.
> +
> +The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
> +
> +3. Compile U-Boot with FIT and signature enabled
> +
> +To use the Verified Boot, you need to enable the following two options:
> +  CONFIG_FIT
> +  CONFIG_FIT_SIGNATURE
> +
> +  $ make orangepi_win_defconfig
> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
> +
> +4. FIT Output
> +
> +After building U-Boot, you will see tools/mkimage.  With this tool, you can
> +create an image tree blob as follows:
> +
> +  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
> +
> +The -k option must specify the key directory you have created in step 1.
> +
> +A file "fitImage" will be created.  This includes kernel, DTB,
> +hash data for each of the three, and signature data.
> +
> +The public key needed for the run-time verification is stored in 
> "dts/dt.dtb".
> +
> +5. Compile Verified U-Boot
> +
> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
> +U-Boot.
> +
> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
> +
> +The re-compiled "u-boot.bin" is appended with DTB that contains the public 
> key.
> +
> +6. Flash the image
> +
> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on 
> your
> +board.
> +
> +7. Boot verified kernel
> +
> +Load the fitImage to memory and run the following from the U-Boot command 
> line.
> +
> +  > bootm <addr>
> +
> +Here, <addr> is the base address of the fitImage.
> +
> +If it is successful, you will see messages like follows:
> +
> +---------------------------------------->8----------------------------------------
> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 
> rootwait
> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
> +16321738 bytes read in 1049 ms (14.8 MiB/s)
> +=> bootm $kernel_addr_r
> +## Loading kernel from FIT Image at 40080000 ...
> +   Using 'conf@0' configuration
> +   Verifying Hash Integrity ... OK
> +   Trying 'kernel@0' kernel subimage
> +     Description:  ARM64 Linux kernel
> +     Type:         Kernel Image
> +     Compression:  gzip compressed
> +     Data Start:   0x400800e4
> +     Data Size:    6884659 Bytes = 6.6 MiB
> +     Architecture: AArch64
> +     OS:           Linux
> +     Load Address: 0x50080000
> +     Entry Point:  0x50080000
> +     Hash algo:    sha256
> +     Hash value:   
> 6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
> +   Verifying Hash Integrity ... sha256+ OK
> +## Loading fdt from FIT Image at 40080000 ...
> +   Using 'conf@0' configuration
> +   Trying 'fdt@0' fdt subimage
> +     Description:  Orangepi Win/Win+ Devicetree blob
> +     Type:         Flat Device Tree
> +     Compression:  uncompressed
> +     Data Start:   0x40710f24
> +     Data Size:    9032 Bytes = 8.8 KiB
> +     Architecture: AArch64
> +     Hash algo:    sha256
> +     Hash value:   
> ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
> +   Verifying Hash Integrity ... sha256+ OK
> +   Booting using the fdt blob at 0x40710f24
> +   Uncompressing Kernel Image ... OK
> +   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
> +
> +Starting kernel ...
> +---------------------------------------->8----------------------------------------
> +
> +Please pay attention to the lines that start with "Verifying Hash Integrity".
> +
> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature 
> check
> +passed.
> +
> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check 
> passed
> +for kernel and DTB.
> +
> +If they are not displayed, the Verified Boot is not working.
> +
> +--
> +Jagan Teki <ja...@amarulasolutions.com>
> +13 Dec 2017
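Review bot: the sample boot log in step 7 does not show the signature check that the text immediately after it tells the reader to look for. The explanation says a passing signature check prints `Verifying Hash Integrity ... sha256,rsa2048:dev+ OK`, but the only configuration-level line in the captured output is `Verifying Hash Integrity ... OK` with no `sha256,rsa2048:dev+` suffix, which by the README's own criterion ("If they are not displayed, the Verified Boot is not working") means the capture was taken from a U-Boot that was not enforcing the signature, most likely one built before the public key was put into dt.dtb in step 4/5. Please re-capture the log from a build that went through step 5 so the documented output matches the documented check; otherwise readers will accept the plain `OK` line as proof of a verified boot. Two smaller points: "hash data for each of the three" should read "two" (the FIT only carries `kernel@0` and `fdt@0`), and the e-mail signature block (`--`, `Jagan Teki <...>`, `13 Dec 2017`) at the end of the hunk has been committed into the README file itself and should be dropped.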
> 

What's specific to sunxi boards in this README?

We already have extensive documentation in doc/uImage.FIT/. Could a
few parts of your README make it to this documentation instead if it
isn't already there?

Thanks,
Quentin
-- 
Quentin Schulz, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
