Hi all,
I need to sign kernel image with my own secured keys.generally lk bootloader authenticates the kernel.
But here in snappy u-boot loads kernel. so now my question is how to authenticate kernel from u-boot.
does u-boot provides mechanism for signing the kernel.if so,are there any reference documents to do so and android kernel have some mechanisms to sign through android build system but how does linux kernel gets signed?
it seems such a feature is available in u-boot since 2013.07, so you could theroetically modify uboot.env.in and the uboot.patch of your gadget to enable that feature and make use of it.
(and additionally modify your kernel snap to actually do the signing)
Hi ondra,
I tried building gadget snap by switching to verified boot branch.getting the below error
In file included from tools/aisimage.c:10:0:
include/image.h:1023:27: fatal error: openssl/evp.h: No such file or directory
compilation terminated.
scripts/Makefile.host:116: recipe for target ‘tools/aisimage.o’ failed
make[1]: *** [tools/aisimage.o] Error 1
make[1]: *** Waiting for unfinished jobs…
In file included from tools/atmelimage.c:11:0:
include/image.h:1023:27: fatal error: openssl/evp.h: No such file or directory
compilation terminated.
scripts/Makefile.host:116: recipe for target ‘tools/atmelimage.o’ failed
make[1]: *** [tools/atmelimage.o] Error 1
Makefile:1234: recipe for target ‘tools’ failed
make: *** [tools] Error 2
Command ‘[’/bin/sh’, ‘/tmp/tmpms4g3qw4’, ‘make’, ‘-j2’, ‘ARCH=arm’, ‘CROSS_COMPILE=arm-linux-gnueabihf-’]’ returned non-zero exit status 2
i fear currently only the booti (for uncompressed kernels (the default)) or bootz (for compressed ones) commands are supported with arm64 kernels, we do currently not modify the vmlinuz binary to turn it into a uImage …
well, booti means “boot raw image” (which your file above seems to be), while bootz means “boot compressed image” (plain vmlinuz file and used everywhere else in our setup) and bootm means “boot application image from memory” which means you need to create a uImage file fom the kernel binary by using mkimage from the u-boot tree.
u-boot checks the file magic before calling the boot{i,m,z} command and will refuse to execute something that does not fit the specific boot command.
If bootm is a requirement for authenticated boot you need to change your kernel snap build to actually produce a uImage file as kernel.img…
is adding the below part correct in kernel snapcraft.yaml?
install:
mkimage -A arm -O linux -T kernel -C none -a 0x81000000 -e 0x83000000 -n “Linux kernel” -d parts/kernel/build/arch/arm64/boot/Image parts/kernel/build/arch/arm64/boot/uImage
if so will above change reflect in parts/kernel/install/kernel.img?
or can you kindly provide details of how to do it?
you need something like a mv uImage kernel.img after generating the file so the snap will use it … but yeah, something like this would be required, though i am not 100% sure if the dragonboard u-boot even supports booting uImages, it might need more patching …
(alternatively re-working the patch to apply to booti instead of bootm might be another option)
you mean the “bad magic one” ?
the use of an uImage should sohave solved that (but again i dont know if the dragonboard is even capable of using this, that would be a question for 96boards)
Hi @laxman456
sorry for late response.
If you want to use verified boot option, you also need to tweak kernel snap so it used fit image. What you are seeing here is bootm expecting fit image and you feeding it with just kernel image……
So I guess part which you are missing is rebuilding kernel snap. If you have used my verified boot branch, this will force u-boot to accept only signed fit images, as security measure.
So if you will pair this with default dragboard kernel snap it will fail badly.
You can use my reference kernel snap from here https://code.launchpad.net/~ondrak/ondras-snaps/+git/linux-kernel/+ref/snapdragon
Or just pull snap from https://code.launchpad.net/~ondrak/+snap/snapdragon-kernel-src and sign image inside. If you use unsigned one, you should see u-boot complaining about wrong signature……
Remember for both gadget and kernel snap. If you build those on LP it will not have your keys
So either you repack/sign gadget once it’s build, or you build them locally where you have your keys.
Process is a bit cumbersome for adding secret to u-boot, as you need to actually sign fit image, though its fine to signed fit image which will include fake image files inside. You can see I’m doing this un gadget snapcraft.yaml
Let me know if this make sense, I hope to have some time in next few days to assist you if this does not work for you