On Tue, Feb 19, 2019 at 9:31 AM <jeridiah.we...@bench.com> wrote:
> I am working on an application needing the ability to update to a verified
> image from the running kernel/application.
>
> We can follow the "normal" verified image boot sequence, where the chain
> of trust is verified from U-Boot to image to execution, etc, but unsure how
> to verify a new image after already running.
>
> Is there a way to extract the public key hash from the U-Boot image so
> that we can compute a hash on an upgrade image and verify a match? Either
> an existing tool, or some means that is accessible from a Linux kernel that
> we could use to grab this information.
>
> I've done a lot of googling, and I have not seen any means to get to this
> once the image is already booted and running.
>
> Thank you for any guidance you can provide for this.
>
> Jeridiah Welti
> _______________________________________________
> U-Boot mailing list
> U-Boot@lists.denx.de
> https://lists.denx.de/listinfo/u-boot
I'll take a stab at answering this since I recently went through implementing
verified boot.

The public key data used to verify the boot images isn't passed on for use
inside those images. However it would be possible to get them. The public key
is usually stored in the device tree of the object doing the verification (SPL
or u-boot). This device tree is stored as an object inside the FIT boot image.
The FIT boot image is simply another device tree which contains configuration,
device trees and binary executables.

Within a running Linux image, you could read the u-boot FIT image (or SPL FIT
image if CONFIG_SPL_FIT_SIGNATURE is used) from wherever it's stored. Use dtc
tools to traverse to the /images/fdt-1/data object. This data object is the
device tree containing the public key that u-boot used to verify the kernel (or
in case of SPL, this is the public key used to verify u-boot). Use dtc tools
again to decode the device tree blob and traverse to /signature/[signature
name]. This node will have your public key in the format:

    key-somekeyname {
            required = "image";
            algo = "sha256,rsa2048";
            rsa,r-squared = <0x1874a2f....>;
            rsa,modulus = <0x4a7b31eb....>;
            rsa,exponent = <0x0 0x10001>;
            rsa,n0-inverse = <0x93a4cd16>;
            rsa,num-bits = <0x800>;
            key-name-hint = "somekeyname";
    };

-Doug