[U-Boot] [PATCH] rpi3: Enable verified boot from FIT image

[AKASHI Takahiro <takahiro.akashi@linaro.org>]

On Mon, Sep 02, 2019 at 01:19:06PM +0200, Heinrich Schuchardt wrote:
> On 9/2/19 12:30 PM, Matthias Brugger wrote:
> >+Alex, Lukas, Heinrich, Bin and Simon
> >
> >On 31/07/2019 10:16, Jun Nie wrote:
> >>Matthias Brugger <mbrugger@suse.com> 于2019年7月31日周三 下午4:05写道：
> >>>
> >>>
> >>>
> >>>On 11/07/2019 05:55, Jun Nie wrote:
> >>>>Enable verified boot from FIT image with select configs
> >>>>and specify boot script image node in FIT image, the FIT
> >>>>image is verified before it is run.
> >>>>
> >>>>Code that reusing dtb in firmware is disabled, so that
> >>>>the dtb with pubic key packed in u-boot.bin can be used
> >>>>to verify the signature of next stage FIT image.
> >>>>
> >>>>Signed-off-by: Jun Nie <jun.nie@linaro.org>
> >>>>---
> >>>>  board/raspberrypi/rpi/rpi.c |  6 ++++++
> >>>>  include/configs/rpi.h       | 15 ++++++++++++++-
> >>>>  2 files changed, 20 insertions(+), 1 deletion(-)
> >>>>
> >>>>diff --git a/board/raspberrypi/rpi/rpi.c b/board/raspberrypi/rpi/rpi.c
> >>>>index 617c892..950ee84 100644
> >>>>--- a/board/raspberrypi/rpi/rpi.c
> >>>>+++ b/board/raspberrypi/rpi/rpi.c
> >>>>@@ -297,6 +297,7 @@ static void set_fdtfile(void)
> >>>>       env_set("fdtfile", fdtfile);
> >>>>  }
> >>>>
> >>>>+#ifndef CONFIG_FIT_SIGNATURE
> >>>>  /*
> >>>>   * If the firmware provided a valid FDT at boot time, let's expose it in
> >>>>   * ${fdt_addr} so it may be passed unmodified to the kernel.
> >>>>@@ -311,6 +312,7 @@ static void set_fdt_addr(void)
> >>>>
> >>>>       env_set_hex("fdt_addr", fw_dtb_pointer);
> >>>>  }
> >>>>+#endif
> >>>>
> >>>>  /*
> >>>>   * Prevent relocation from stomping on a firmware provided FDT blob.
> >>>>@@ -393,7 +395,9 @@ static void set_serial_number(void)
> >>>>
> >>>>  int misc_init_r(void)
> >>>>  {
> >>>>+#ifndef CONFIG_FIT_SIGNATURE
> >>>>       set_fdt_addr();
> >>>>+#endif
> >>>>       set_fdtfile();
> >>>>       set_usbethaddr();
> >>>>  #ifdef CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG
> >>>>@@ -470,6 +474,7 @@ int board_init(void)
> >>>>       return bcm2835_power_on_module(BCM2835_MBOX_POWER_DEVID_USB_HCD);
> >>>>  }
> >>>>
> >>>>+#ifndef CONFIG_FIT_SIGNATURE
> >>>>  /*
> >>>>   * If the firmware passed a device tree use it for U-Boot.
> >>>>   */
> >>>>@@ -479,6 +484,7 @@ void *board_fdt_blob_setup(void)
> >>>>               return NULL;
> >>>>       return (void *)fw_dtb_pointer;
> >>>>  }
> >>>>+#endif
> >>>
> >>>Just to get this clear we need this because we want to pass the device tree via
> >>>OF_SEPARATE, correct?
> >>
> >>You are right.  U-boot need to read he signature from dtb.
> >>
> >>>
> >>>>
> >>>>  int ft_board_setup(void *blob, bd_t *bd)
> >>>>  {
> >>>>diff --git a/include/configs/rpi.h b/include/configs/rpi.h
> >>>>index f76c7d1..ba91205 100644
> >>>>--- a/include/configs/rpi.h
> >>>>+++ b/include/configs/rpi.h
> >>>>@@ -180,11 +180,24 @@
> >>>>
> >>>>  #include <config_distro_bootcmd.h>
> >>>>
> >>>>+#ifdef CONFIG_FIT_SIGNATURE
> >>>>+#define FIT_BOOT_CMD                                                 \
> >>>>+     "boot_a_script="                                                \
> >>>>+             "load ${devtype} ${devnum}:${distro_bootpart} "         \
> >>>>+                     "${scriptaddr} ${prefix}${script}; "            \
> >>>>+             "iminfo ${scriptaddr};"                                 \
> >>>>+             "if test $? -eq 1; then reset; fi;"                     \
> >>>>+             "source ${scriptaddr}:bootscr\0"
> >>>>+#else
> >>>>+#define FIT_BOOT_CMD ""
> >>>>+#endif
> >>>>+
> >>>
> >>>Doesn't this overwrite the boot_a_script in distro_bootcmd?
> >>>
> >>>Would it make sense to add FIT booting to the distro boot command?
> >>>
> >>>Regards,
> >>>Matthias
> >>
> >>Yes, it overwrite the boot_a_script in distro_bootcmd. It is make
> >>sense to add this to the distro boot command. I can send another patch
> >>to move these lines to common code later.
> >>
> >
> >Question to the people just added, as you have relevant submission to
> >distroboot. Do you think it makes sense to add FIT_BOOT_CMD to that?
> >
> >Regards,
> >Matthias
> 
> The idea of distro-boot was to make it easier for Linux distributions to
> update the information needed by U-Boot to find the right kernel and
> ramdisk.
> 
> According to doc/README.distro file extlinux.conf should be used for the
> communication between the distribution and U-Boot. Some distributions
> like Debian still rely on boot.scr.
> 
> Many distributions (OpenBSD, FreeBSD, Suse, Fedora) have moved from
> distro-boot to UEFI as booting standard. Unfortunately we have not
> documented our support for this in doc/README.distro (TODO for me).
> Takahiro is working on secure boot using UEFI. Once completed this could
> obsolete FIT images.

Well, UEFI secure boot handles PE(+) images and doesn't cover
dtb, initrd or whatever FIT may contain.

-Takahiro Akashi


> Would we expect Linux distributions to provide FIT images upon kernel
> updates?
> Is there any Linux distribution doing so?
> 
> Only if we can answer these questions with yes, adding FIT_BOOT_CMD to
> distro-boot would make sense to me.
> 
> Best regards
> 
> Heinrich
> 
> >
> >>>
> >>>>  #define CONFIG_EXTRA_ENV_SETTINGS \
> >>>>       "dhcpuboot=usb start; dhcp u-boot.uimg; bootm\0" \
> >>>>       ENV_DEVICE_SETTINGS \
> >>>>       ENV_MEM_LAYOUT_SETTINGS \
> >>>>-     BOOTENV
> >>>>+     BOOTENV \
> >>>>+     FIT_BOOT_CMD
> >>>>
> >>>>
> >>>>  #endif
> >>>>
> >>
> >
>