public inbox for u-boot@lists.denx.de
From: Tom Rini <trini@ti.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v3 0/12] Verified boot implementation based on FIT
Date: Wed, 26 Jun 2013 16:24:45 -0400
Message-ID: <20130626202445.GO28078@bill-the-cat>
In-Reply-To: <1371161411-2834-1-git-send-email-sjg@chromium.org>

On Thu, Jun 13, 2013 at 03:09:59PM -0700, Simon Glass wrote:

> This series implemented a verified boot system based around FIT images
> as discussed on the U-Boot mailing list, including on this thread:
> 
> http://permalink.gmane.org/gmane.comp.boot-loaders.u-boot/147830
> 
> RSA is used to implement the encryption. Images are signed by mkimage
> using private keys created by the user. Public keys are written into
> U-Boot control FDT (CONFIG_OF_CONTROL) for access by bootm etc. at
> run-time. The control FDT must be stored in a secure place where it
> cannot be changed after manufacture. Some notes are provided in the
> documentation on how this can be achieved. The implementation is fairly
> efficient and fits nicely into U-Boot. FIT plus RSA adds around 18KB
> to SPL size which is manageable on modern SoCs.
> 
> When images are loaded, they are verified with the public keys.
> 
> It is important to have a test framework for this series. For this, sandbox
> is used, and a script is provided which signs images and gets sandbox to
> load them using a script, to check that all is well.
> 
> Rollback prevention has been added in a separate TPM patch. This ensures
> that an attacker cannot boot your system with an old image that has been
> compromised. Support for this is not built into bootm, but instead must
> be scripted in U-Boot. It is possible that a standard scheme for this could
> be devised by adding version number tags to the signing procedure. However
> scripts do provide more flexibility. See the 'tpm' command for more
> information.
> 
> Two patches affect libfdt and have material which is not yet upstream in
> that project:
> 
>    image: Add support for signing of FIT configurations
>    libfdt: Add fdt_find_regions()
> 
> If these are not desired, then the rest of the series can stand alone,
> just without the configuration-signing feature.
> 
> This series requires the 'trace' series since it sits on top of the bootm
> refactor there.
> 
> This series is available at:
> 
> http://git.denx.de/u-boot-x86.git
> 
> in the branch 'vboot'.
> 
> Changes in v3:
> - Fix 'compile' typo
> - Rebase to master
> - Use new fdt_first/next_subnode()
> 
> Changes in v2:
> - Add sanity checks on key sizes in RSA (improves security)
> - Adjust how signing enable works in image.h
> - Adjust mkimage help to separate out signing options
> - Avoid using malloc in RSA routines (for smaller SPL code size)
> - Build signing support unconditionally in mkimage
> - Fix FDT error handling in fit_image_write_sig()
> - Fix checkpatch checks about parenthesis alignment
> - Fix checkpatch warnings about split strings
> - Fix spelling of multiply in rsa-verify.c
> - Only build RSA support into mkimage if CONFIG_RSA is defined
> - Rebase on previous patches
> - Require CONFIG_FIT_SIGNATURE in image.h for mkimage to support signing
> - Support RSA library version without ERR_remove_thread_state()
> - Tweak tools/Makefile to make image signing optional
> - Update README to fix typos
> - Update README to fix typos and clarify some points
> - Use U-Boot's -c option instead of hard-coding a boot script
> - Use stack instead of calloc() within U-Boot's signature verification code
> - gd->fdt_blob is now available on all archs (generic board landed)
> 
> Simon Glass (12):
>   image: Add signing infrastructure
>   image: Support signing of images
>   image: Add RSA support for image signing
>   mkimage: Add -k option to specify key directory
>   mkimage: Add -K to write public keys to an FDT blob
>   mkimage: Add -F option to modify an existing .fit file
>   mkimage: Add -c option to specify a comment for key signing
>   mkimage: Add -r option to specify keys that must be verified
>   libfdt: Add fdt_find_regions()
>   image: Add support for signing of FIT configurations
>   sandbox: config: Enable FIT signatures with RSA
>   Add verified boot information and test
> 
>  Makefile                         |   1 +
>  README                           |  15 ++
>  common/Makefile                  |   1 +
>  common/image-fit.c               |  83 ++++--
>  common/image-sig.c               | 422 +++++++++++++++++++++++++++++++
>  config.mk                        |   1 +
>  doc/mkimage.1                    |  73 +++++-
>  doc/uImage.FIT/sign-configs.its  |  45 ++++
>  doc/uImage.FIT/sign-images.its   |  42 ++++
>  doc/uImage.FIT/signature.txt     | 382 ++++++++++++++++++++++++++++
>  doc/uImage.FIT/verified-boot.txt | 104 ++++++++
>  include/configs/sandbox.h        |   2 +
>  include/image.h                  | 165 +++++++++++-
>  include/libfdt.h                 |  64 +++++
>  include/rsa.h                    | 108 ++++++++
>  lib/libfdt/fdt_wip.c             | 129 ++++++++++
>  lib/rsa/Makefile                 |  48 ++++
>  lib/rsa/rsa-sign.c               | 460 ++++++++++++++++++++++++++++++++++
>  lib/rsa/rsa-verify.c             | 385 ++++++++++++++++++++++++++++
>  test/vboot/.gitignore            |   3 +
>  test/vboot/sandbox-kernel.dts    |   7 +
>  test/vboot/sandbox-u-boot.dts    |   7 +
>  test/vboot/sign-configs.its      |  45 ++++
>  test/vboot/sign-images.its       |  42 ++++
>  test/vboot/vboot_test.sh         | 126 ++++++++++
>  tools/Makefile                   |  19 +-
>  tools/fit_image.c                |  44 +++-
>  tools/image-host.c               | 527 ++++++++++++++++++++++++++++++++++++++-
>  tools/mkimage.c                  |  36 ++-
>  tools/mkimage.h                  |   4 +
>  30 files changed, 3333 insertions(+), 57 deletions(-)
>  create mode 100644 common/image-sig.c
>  create mode 100644 doc/uImage.FIT/sign-configs.its
>  create mode 100644 doc/uImage.FIT/sign-images.its
>  create mode 100644 doc/uImage.FIT/signature.txt
>  create mode 100644 doc/uImage.FIT/verified-boot.txt
>  create mode 100644 include/rsa.h
>  create mode 100644 lib/rsa/Makefile
>  create mode 100644 lib/rsa/rsa-sign.c
>  create mode 100644 lib/rsa/rsa-verify.c
>  create mode 100644 test/vboot/.gitignore
>  create mode 100644 test/vboot/sandbox-kernel.dts
>  create mode 100644 test/vboot/sandbox-u-boot.dts
>  create mode 100644 test/vboot/sign-configs.its
>  create mode 100644 test/vboot/sign-images.its
>  create mode 100755 test/vboot/vboot_test.sh

Applied to u-boot/master, thanks!

-- 
Tom
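As an added illustration of the workflow the quoted cover letter describes (not a file from the series or from U-Boot): an image-tree source that signs a whole configuration rather than individual images, with the key-generation and mkimage commands in the leading comment. The key name `dev`, the file names and the load addresses are assumed; the node and property names follow the FIT signature format the series documents in doc/uImage.FIT/signature.txt, which this page lists but does not reproduce.

```dts
/*
 * Added example (assumed key name "dev", file names and addresses).
 * Workflow from the cover letter: user-created private key, public key
 * installed into the U-Boot control FDT, images verified at load time.
 *   openssl genrsa -F4 -out keys/dev.key 2048
 *   openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
 *   mkimage -f sign-configs.its -k keys -K sandbox-u-boot.dtb -r image.fit
 * -K writes the public key into sandbox-u-boot.dtb; -r marks it required,
 * so a configuration that is unsigned or signed by another key is refused.
 */
/dts-v1/;

/ {
	images {
		kernel@1 {
			data = /incbin/("kernel.bin");
			type = "kernel";
			arch = "sandbox";
			os = "linux";
			compression = "none";
			load = <0x40000>;
			entry = <0x40000>;
			hash@1 {
				algo = "sha1";
			};
		};
		fdt@1 {
			data = /incbin/("kernel.dtb");
			type = "flat_dt";
			arch = "sandbox";
			compression = "none";
			hash@1 {
				algo = "sha1";
			};
		};
	};

	configurations {
		default = "conf@1";
		conf@1 {
			kernel = "kernel@1";
			fdt = "fdt@1";
			/* one signature covers kernel and fdt together */
			signature@1 {
				algo = "sha1,rsa2048";
				key-name-hint = "dev";
				sign-images = "fdt", "kernel";
			};
		};
	};
};
```

Signing the configuration binds the kernel and its FDT into one signed unit, so parts that were each validly signed cannot be re-paired into a combination the signer never approved.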
