[U-Boot] Secure booting

[U-Boot] Secure booting

[JYOTI DUBEY]

Can anybody inform me why u-boot 2013 does not support secure booting?
Basically what are the differences between u-boot2009.08 and u-boot2013
related to secure boot feature? What changes are required to develop secure
booting in u-boot 2013?


Thanks in Advance!

[U-Boot] Secure booting

[TigerLiu at viatech.com.cn]

Hi, JYOTI:
>Can anybody inform me why u-boot 2013 does not support secure booting?
>Basically what are the differences between u-boot2009.08 and u-boot2013
>related to secure boot feature? What changes are required to develop
secure
>booting in u-boot 2013?

Based on Simon's PPT, U-boot 2013.06 version was the first code package
for verified boot.

Best wishes,

[U-Boot] Secure booting

[JYOTI DUBEY]

Can I obtain information as how secure booting works.How the keys and
certificates are generated and also encryption and decryption steps
involved in the authentication process. i would like to know just the
theory behind it not and commands or technical details.
I have attached pictorial representation of 3 consecutive steps involved in
secure booting but while I tried to understanding the working though the
diagram I felt that authentication might never succeed as no decryption is
taking place.Can anyone please inform how the steps are taking place? I
have also attached the documentation related to high assurance booting.
Thanks in Advance!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: High_Assurance_Boot_L3.0.35_1.1.0.pdf
Type: application/pdf
Size: 296783 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20140213/3dce00f8/attachment.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.png
Type: image/png
Size: 14296 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20140213/3dce00f8/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.png
Type: image/png
Size: 8068 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20140213/3dce00f8/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.png
Type: image/png
Size: 15034 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20140213/3dce00f8/attachment-0002.png>

[U-Boot] Secure booting

[Heiko Schocher]

Hello JYOTI,

Am 13.02.2014 08:42, schrieb JYOTI DUBEY:
> Can I obtain information as how secure booting works.How the keys and
> certificates are generated and also encryption and decryption steps
> involved in the authentication process. i would like to know just the
> theory behind it not and commands or technical details.
> I have attached pictorial representation of 3 consecutive steps involved in
> secure booting but while I tried to understanding the working though the
> diagram I felt that authentication might never succeed as no decryption is
> taking place.Can anyone please inform how the steps are taking place? I
> have also attached the documentation related to high assurance booting.

Maybe this 2 documents in the u-boot source help you:

u-boot:doc/uImage.FIT/signature.txt
u-boot:doc/uImage.FIT/verified-boot.txt

bye,
Heiko
-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[U-Boot] Secure booting

[Simon Glass]

Hi.

On 12 February 2014 17:56, <TigerLiu@viatech.com.cn> wrote:
>
> Hi, JYOTI:
> >Can anybody inform me why u-boot 2013 does not support secure booting?
> >Basically what are the differences between u-boot2009.08 and u-boot2013
> >related to secure boot feature? What changes are required to develop
> secure
> >booting in u-boot 2013?
>
> Based on Simon's PPT, U-boot 2013.06 version was the first code package
> for verified boot.

There were quite a few changes in FIT handling, bootm and the like.
The verified boot implementation itself was only about 15 patches but
it builds on perhaps 100 more which refactor related code to make it
possible.

There is documentation in the U-Boot tree (e.g.
doc/uImage.FIT/verified-boot.txt ) and also a test you can run with
sandbox.

A rough overview is here http://lwn.net/Articles/571031/

You will find slides here: http://www.denx.de/wiki/U-Boot/MiniSummitELCE2013

There was also a talk at ELCE last year - you can find the slide and
video for that "Verified Boot on Chrome OS and How to do it yourself"

Regards,
Simon

[U-Boot] Secure booting

[Simon Glass]

Hi,

On 13 February 2014 00:42, JYOTI DUBEY <jyoti0801@gmail.com> wrote:
> Can I obtain information as how secure booting works.How the keys and
> certificates are generated and also encryption and decryption steps
> involved in the authentication process. i would like to know just the
> theory behind it not and commands or technical details.
> I have attached pictorial representation of 3 consecutive steps involved in
> secure booting but while I tried to understanding the working though the
> diagram I felt that authentication might never succeed as no decryption is
> taking place.Can anyone please inform how the steps are taking place? I
> have also attached the documentation related to high assurance booting.

One thing you may have missed in your reading is that secure boot is
about authentication rather than encryption. So we sign and verify,
rather than encrypt and decrypt.

Regards,
Simon

[U-Boot] Secure booting

[JYOTI DUBEY]

Can I obtain information regarding what hab_status command will return if
i.mx board is not fused i.e security in not enabled and also the board is
in open configuration.


Thanks in Advance!

[U-Boot] Secure booting

[JYOTI DUBEY]

Can somebody inform me what all changes I need to make in U-boot 2013
source code to enable secure booting?


Thanks in Advance!

[U-Boot] Secure booting

[Simon Glass]

Hi,

On 15 March 2014 21:39, JYOTI DUBEY <jyoti0801@gmail.com> wrote:
>
> Can somebody inform me what all changes I need to make in U-boot 2013
> source code to enable secure booting?


Please can you provide more details?

- What board?
- What docs have you already read?
- Did you look at the settings in sandbox?
- What problems do you have getting it running?

Regards,
Simon

>
>
>
> Thanks in Advance!
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
>

[U-Boot] Secure booting

[Simon Glass]

+U-Boot mailing list

Hi Jyoti,

On 17 March 2014 22:25, JYOTI DUBEY <jyoti0801@gmail.com> wrote:

> I am using i.mx6 board (Sabre lite design). The document that I have
> followed is attached with this mail. But since there are differences
> between u-boot 2009(as per the document) and u-boot 2013 I am not able to
> figure out the locations at which the changes to be made. I am not sure the
> value that should be made available in the csf pointer and also the size of
> CSF data. Also since the size of u-boot 2009 is 2ec00 whereas that of
> u-boot 2013 is 51c00 I am not sure if any addition padding is required(as
> per the document) while using u-boot 2013.
>
Thanks in Advance!
>

Actually this is an SOC-specific secure boot, so not something I know
anything about, sorry. Perhaps someone from the mx6 side will have some
ideas.

Regards,
Simon


>
>
> On Mon, Mar 17, 2014 at 9:25 AM, Simon Glass <sjg@chromium.org> wrote:
>
>> Hi,
>>
>> On 15 March 2014 21:39, JYOTI DUBEY <jyoti0801@gmail.com> wrote:
>> >
>> > Can somebody inform me what all changes I need to make in U-boot 2013
>> > source code to enable secure booting?
>>
>>
>> Please can you provide more details?
>>
>> - What board?
>> - What docs have you already read?
>> - Did you look at the settings in sandbox?
>> - What problems do you have getting it running?
>>
>> Regards,
>> Simon
>>
>> >
>> >
>> >
>> > Thanks in Advance!
>> >
>> > _______________________________________________
>> > U-Boot mailing list
>> > U-Boot at lists.denx.de
>> > http://lists.denx.de/mailman/listinfo/u-boot
>> >
>>
>
>