* [U-Boot] U-boot FIT Signature
@ 2017-02-17 8:37 Maria Sepulveda
2017-02-17 21:55 ` Rick Altherr
0 siblings, 1 reply; 5+ messages in thread
From: Maria Sepulveda @ 2017-02-17 8:37 UTC (permalink / raw)
To: u-boot
Good morning,
I am working with a FIT image in U-Boot 2013.07. I have configured the
image verification with a signed image and the kernel boots fine, so I would
like to know if I can store my public key in an external device (like
crypto-memory or an i2c device) because I am storing the key in DBT with
the CONFIG_OF_CONTROL configuration.
The aim of this is that U-Boot should check the i2c address of my
external device, read the public key and verify the signed image later.
I work with an am335x board and Kernel 3.14.
Thanks in advance,
--
María Sepúlveda Paños Engineering Department COJALI, S. L.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [U-Boot] U-boot FIT Signature
2017-02-17 8:37 [U-Boot] U-boot FIT Signature Maria Sepulveda
@ 2017-02-17 21:55 ` Rick Altherr
2017-02-20 9:49 ` Markus Valentin
0 siblings, 1 reply; 5+ messages in thread
From: Rick Altherr @ 2017-02-17 21:55 UTC (permalink / raw)
To: u-boot
How would you verify that the public key hasn't been tampered with?
On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda <electronica@cojali.com>
wrote:
> Good morning,
>
> I am working with FIT image in U-Boot 2013.07. I have configured the image
> verification with signed image and kernel boots fine so, I would like to
> know if I can store my public key in an external device (like crypto-memory
> or an i2c device) because I am storing the key in DBT with the
> CONFIG_OF_CONTROL configuration.
> The aim of this is that U-Boot should check the i2c address of my
> external device, read the public key and verify the signed image later.
> I work with am335x board and Kernel 3.14.
>
> Thanks in advance,
>
> --
> María Sepúlveda Paños Engineering Department COJALI, S. L.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [U-Boot] U-boot FIT Signature
2017-02-17 21:55 ` Rick Altherr
@ 2017-02-20 9:49 ` Markus Valentin
0 siblings, 0 replies; 5+ messages in thread
From: Markus Valentin @ 2017-02-20 9:49 UTC (permalink / raw)
To: u-boot
Hi,
On Fri, 2017-02-17 at 13:55 -0800, Rick Altherr wrote:
> How would you verify that the public key hasn't been tampered with?
>
> On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda <electronica@cojali.com>
> wrote:
>
> >
> > Good morning,
> >
> > I am working with FIT image in U-Boot 2013.07. I have configured the image
> > verification with signed image and kernel boots fine so, I would like to
> > know if I can store my public key in an external device (like crypto-memory
> > or an i2c device) because I am storing the key in DBT with the
> > CONFIG_OF_CONTROL configuration.
IMHO it is perfectly fine to store the public key in the u-boot.dtb for most
needs (especially for using it with fit-images). Do you have a specific reason
for wanting to store it elsewhere?
> > The aim of this is that U-Boot should check the i2c address of my
> > external device, read the public key and verify the signed image later.
> > I work with am335x board and Kernel 3.14.
As Rick suggests, you should verify your public key with a checksum which is
somehow protected from being tampered with. In most cases there is some
OTP-Fuse-Register that can do the job.
best regards
Markus
^ permalink raw reply [flat|nested] 5+ messages in thread
* [U-Boot] U-boot FIT Signature
[not found] <f8b49381-6a7f-339d-5124-7c16bd96cc8b@cojali.com>
@ 2017-02-28 7:50 ` Maria Sepulveda
2017-02-28 8:58 ` Markus Valentin
0 siblings, 1 reply; 5+ messages in thread
From: Maria Sepulveda @ 2017-02-28 7:50 UTC (permalink / raw)
To: u-boot
Hi Markus,
> Hi Maria,
>
> On Mon, 2017-02-20 at 12:33 +0100, Maria Sepulveda wrote:
>> The reason to store the public key on an external device is to verify
>> that it is our hardware.
> Do you want to verify it is your hardware or do you want to verify the Software
> is the one you designated to run on this hardware?
I want to prevent someone from using my software on different hardware.
>> This is my idea:
>>
>> In the host:
>>
>> 1. Sign my fit image with mkimage.
>> 2. Store the public key in some i2c device ( crypto-memory, read-only
>> device, TPM)
>>
>> In the target:
>>
>> 1. Start U-boot and load my standalone application.
>> Using i2c functions, I would like to check the i2c address of my
>> external device (i2c_probe function) and read the public key stored
>> inside. Then, I want to pass the public key to the U-boot to do the
>> verification.
>> I am not sure about if the public key has to be always stored in DBT to
>> do the verification (in both: DBT and external device) or it could just
>> be in the external device.
>> This is my configuration to enable verification:
>>
>> [...]
>> 2. U-boot load the fit image (bootm command)
>>
>> This is the general idea but first of all, I need to know if it is
>> possible to do that and how I could store the public key in somewhere
>> else, not only in dtb.
> As far as I know it is not designated to store the public key outside the DTB
> so it would need some coding on your side.
>
> As I said before you can do the verification with less effort, storing a
> checksum of your public key in a safe place. It will take less space and you
> can make sure your public key, stored in the DTB, has not been modified by a
> third party.
>
> You just need to calculate a checksum over your public key at runtime and
> compare it to the securely stored one; if they match, your public key is
> authenticated.
>
> Maybe your processor has some builtin secure boot mechanism?
I am using an AM3352 processor and I think it doesn't have any secure
boot mechanism. That's why I would like to do the security part of my
project in U-Boot before loading the kernel image.
Maybe your idea could satisfy my needs. I will calculate a checksum over
the public key that will be stored in an external device. With a
standalone U-Boot Application, I will read the checksum from the
external device and check that the public key hasn't been tampered with.
If everything is right, U-Boot will load the FIT image.
My question now is how to do that. I have read about the 'crc' command but I
don't know if there is a better way to check at runtime the checksum of
the public key stored in dtb and compare it with the one stored in my
external device.
Thank you,
María
> best regards
>
> Markus
>> El 20/02/2017 a las 10:49, Markus Valentin escribió:
>>> Hi,
>>>
>>> On Fri, 2017-02-17 at 13:55 -0800, Rick Altherr wrote:
>>>> How would you verify that the public key hasn't been tampered with?
>>>>
>>>> On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda <electronica@cojali.com
>>>> wrote:
>>>>
>>>>> Good morning,
>>>>>
>>>>> I am working with FIT image in U-Boot 2013.07. I have configured the
>>>>> image
>>>>> verification with signed image and kernel boots fine so, I would like
>>>>> to
>>>>> know if I can store my public key in an external device (like crypto-
>>>>> memory
>>>>> or an i2c device) because I am storing the key in DBT with the
>>>>> CONFIG_OF_CONTROL configuration.
>>> Imho is perfectly fine to store the public key in the u-boot.dtb for most
>>> needs(specially for using it with fit-images). Do you have a specific
>>> reason
>>> for wanting to store it elsewhere?
>>>>> The aim of this is that U-Boot should check the i2c address of my
>>>>> external device, read the public key and verify the signed image later.
>>>>> I work with am335x board and Kernel 3.14.
>>> As Rick suggests you should verify your public key with a checksum which is
>>> somehow protected from being tampered. In the most cases there is some OTP-
>>> Fuse-Register that can do the job.
>>>
>>> best regards
>>>
>>> Markus
>>>
--
^ permalink raw reply [flat|nested] 5+ messages in thread
* [U-Boot] U-boot FIT Signature
2017-02-28 7:50 ` Maria Sepulveda
@ 2017-02-28 8:58 ` Markus Valentin
0 siblings, 0 replies; 5+ messages in thread
From: Markus Valentin @ 2017-02-28 8:58 UTC (permalink / raw)
To: u-boot
Hi Maria,
On Tue, 2017-02-28 at 08:50 +0100, Maria Sepulveda wrote:
> > On Mon, 2017-02-20 at 12:33 +0100, Maria Sepulveda wrote:
> > >
> > > The reason to store the public key on an external device is to verify
> > > that it is our hardware.
> > Do you want to verify it is your hardware or do you want to verify the
> > Software
> > is the one you designated to run on this hardware?
> I want to avoid that someone could use my Software in a different hardware.
> >
> > >
> > > This is my idea:
> > >
> > > In the host:
> > >
> > > 1. Sign my fit image with mkimage.
> > > 2. Store the public key in some i2c device ( crypto-memory, read-only
> > > device, TPM)
> > >
> > > In the target:
> > >
> > > 1. Start U-boot and load my standalone application.
> > > Using i2c functions, I would like to check the i2c address of my
> > > external device (i2c_probe function) and read the public key stored
> > > inside. Then, I want to pass the public key to the U-boot to do the
> > > verification.
> > > I am not sure about if the public key has to be always stored in DBT to
> > > do the verification (in both: DBT and external device) or it could just
> > > be in the external device.
> > > This is my configuration to enable verification:
> > >
> > > [...]
> > > 2. U-boot load the fit image (bootm command)
> > >
> > > This is the general idea but first of all, I need to know if it is
> > > possible to do that and how I could store the public key in somewhere
> > > else, not only in dtb.
> > As far as i know it is not designated to store the public key outside the
> > DTB
> > so it would need some coding on your side.
> >
> > As i said before you can do the verification with less effort, storing a
> > checksum of your public key in a save place. It will take less space and
> > you
> > can make sure your public key, stored in the DTB, has not been modified by
> > a
> > third party.
> >
> > You just need to calculate a checksum over your public key at runtime and
> > compare it to the securely stored one, if they match your public key is
> > authenticated
> >
> > Maybe your processor has some builtin secure boot mechanism?
> I am using an AM3352 processor and I think it doesn't have any secure
> boot mechanism. That's why I would like to do the security part of my
> project in U-Boot before load the kernel image.
Ok, then you are on the right path :)
> Maybe your idea could satisfy my needs. I will calculate a checksum over
> the public key that will be stored in an external device. With a
> standalone U-Boot Application, I will read the checksum from the
> external device and check that the public key hasn't been tampered with.
> If everything is right, U-Boot will load the FIT image.
correct.
> My question now is how to do that. I have read about 'crc' command but I
> don't know if there is a better way to check at runtime the checksum of
> the public key stored in dtb and compare it with the one stored in my
> external device.
In U-Boot there is a function called "calculate_hash" in "common/image-fit.c".
For ease of use you can just verify the whole devicetree. You could use the
function to calculate the hash over your devicetree in u-boot runtime. The hash
to be stored in your external device you can calculate using openssl. I suggest
you use sha256 as hash-function.
On your host:

    openssl dgst -sha256 -binary -out checksum.bin u-boot.dtb

in u-boot code:

    uint8_t value[SHA256_SUM_LEN];
    int value_len;

    calculate_hash(start_address, size, "sha256", (unsigned char *)value,
                   &value_len);

And then memcmp "value" to the hash you took from the external
device (checksum.bin).
best regards
Markus
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-60 Fax: (+49)-8142-66989-80 Email: mv at denx.de
^ permalink raw reply [flat|nested] 5+ messages in thread