-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
odroid-m1-secure-boot.md: wip, first part
Dependencies, needed repositories how to build SPL that can burn OTP keys Signed-off-by: Michał Iwanicki <[email protected]>
- Loading branch information
1 parent
34f7cd8
commit e53252b
Showing
1 changed file
with
201 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,201 @@ | ||
| --- | ||
| title: Enabling Secure Boot on ODROID M1 (rk3568) | ||
| abstract: 'Abstract first sentence. | ||
| Abstract second sentence. | ||
| Abstract third sentence.' | ||
| cover: /covers/image-file.png | ||
| author: michal.iwanicki | ||
| layout: post | ||
| published: true | ||
| date: 2024-04-12 | ||
| archives: "2024" | ||
|
|
||
| tags: | ||
| - bootloader | ||
| - secure-boot | ||
| - rockchip | ||
| - u-boot | ||
| categories: | ||
| - Firmware | ||
| - Security | ||
|
|
||
| --- | ||
|
|
||
| ## Intro | ||
|
|
||
| In this post I'll describe how to write key hash into OTP memory and enable | ||
| pre-loader signature verification on ODROID-M1 which uses RK3568B2 SoC and also | ||
| how to enable signature verification in U-Boot SPL. | ||
|
|
||
| ## Enabling Secure Mode | ||
|
|
||
| ### Preparation | ||
|
|
||
| #### Repositories | ||
|
|
||
| Writing key hash into OTP memory is done by U-Boot SPL which we will need to | ||
| build. I used [Rockchip U-Boot](https://github.com/rockchip-linux/u-boot/) | ||
| because it contains needed functionality implemented in | ||
| `lib/rsa/rsa-verify.c`. | ||
| [Hardkernel U-Boot](https://github.com/hardkernel/u-boot/tree/odroidm1-v2017.09) | ||
| should also work. \ | ||
| We will also need [upgrade_tool](https://github.com/hardkernel/rk3568-linux-tools/tree/master/linux/Linux_Upgrade_Tool/Linux_Upgrade_Tool) and | ||
| [rkbin](https://github.com/rockchip-linux/rkbin) | ||
|
|
||
| #### Generating RSA Keys | ||
|
|
||
| TODO | ||
|
|
||
| #### Final directory structure | ||
|
|
||
| ```shell | ||
| tree -FL 1 | ||
| ./ | ||
| ├── Linux_Upgrade_Tool/ | ||
| ├── rkbin/ | ||
| ├── u-boot/ | ||
| ├── keys/ | ||
| └── upgrade_tool -> Linux_Upgrade_Tool/upgrade_tool | ||
| ``` | ||
|
|
||
| ### Dependencies | ||
|
|
||
| Below are packages needed to build U-Boot on Debian 11 OS. | ||
|
|
||
| ```shell | ||
| apt install gcc make bison flex python3 python3-dev python3-setuptools python3-pyelftools swig libssl-dev device-tree-compiler python2 bc | ||
| ``` | ||
|
|
||
| To build Rockchip U-Boot without errors we will also need | ||
| [Linaro gcc aarch64 toolchain](https://releases.linaro.org/components/toolchain/binaries/6.3-2017.05/aarch64-linux-gnu/). | ||
|
|
||
| ### Configuration | ||
|
|
||
| #### rkbin | ||
|
|
||
| In `rkbin/RKBOOT/RK3568MINIALL.ini` update FlashBoot so it points to | ||
| `u-boot-spl.bin` file | ||
|
|
||
| ```diff | ||
| diff --git a/RKBOOT/RK3568MINIALL.ini b/RKBOOT/RK3568MINIALL.ini | ||
| index ef6d071bc5ac..c80d817f4b94 100644 | ||
| --- a/RKBOOT/RK3568MINIALL.ini | ||
| +++ b/RKBOOT/RK3568MINIALL.ini | ||
| @@ -15,7 +15,7 @@ NUM=2 | ||
| LOADER1=FlashData | ||
| LOADER2=FlashBoot | ||
| FlashData=bin/rk35/rk3568_ddr_1560MHz_v1.21.bin | ||
| -FlashBoot=bin/rk35/rk356x_spl_v1.13.bin | ||
| +FlashBoot=../u-boot/spl/u-boot-spl.bin | ||
| [OUTPUT] | ||
| PATH=rk356x_spl_loader_v1.21.113.bin | ||
| [SYSTEM] | ||
| ``` | ||
|
|
||
| #### U-Boot | ||
|
|
||
| Update `CROSS_COMPILE_ARM64` variable inside `make.sh` with correct path to | ||
| Linaro gcc toolchain | ||
|
|
||
| ```diff | ||
| -CROSS_COMPILE_ARM64=../prebuilts/gcc/linux-x86/aarch64/gcc-linaro-6.3.1-2017.05-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- | ||
| +CROSS_COMPILE_ARM64=/opt/toolchains/gcc-linaro-6.3.1-2017.05-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu- | ||
| ``` | ||
|
|
||
| Use rk3568 defconfig | ||
|
|
||
| ```shell | ||
| make rk3568_defconfig | ||
| ``` | ||
|
|
||
| Enable FIT_SIGNATURE and SPL_FIT_SIGNATURE with `make menuconfig`. | ||
| It's needed for building `tools/mkimage` with capability to write public key | ||
| into `u-boot-spl.dtb`. | ||
|
|
||
| ### Building U-Boot | ||
|
|
||
| To build needed binaries just use `./make.sh` script. | ||
| Build should fail near the end because of enabling FIT_SIGNATURE and | ||
| SPL_FIT_SIGNATURE but we will have everything we need to write key hash to OTP. | ||
|
|
||
| ```text | ||
| Failed: external offset 0x1000 overlaps FIT length 0x1200 | ||
| ./tools/mkimage Can't add hashes to FIT blob: -22 | ||
| ``` | ||
|
|
||
| You should now have `./spl/u-boot-spl.dtb` and `./u-boot.itb` files. | ||
| Now it's time to add public key to u-boot-spl.dtb | ||
|
|
||
| ```shell | ||
| tools/mkimage -F -k ../keys -K spl/u-boot-spl.dtb -r u-boot.itb | ||
| FIT description: FIT Image with ATF/OP-TEE/U-Boot/MCU | ||
| Created: Fri Apr 12 13:02:03 2024 | ||
| Image 0 (uboot) | ||
| Description: U-Boot | ||
| Created: Fri Apr 12 13:02:03 2024 | ||
| Type: Standalone Program | ||
| Compression: gzip compressed | ||
| Data Size: 590701 Bytes = 576.86 KiB = 0.56 MiB | ||
| Architecture: AArch64 | ||
| Load Address: 0x00a00000 | ||
| Entry Point: unavailable | ||
| Hash algo: sha256 | ||
| Hash value: 646283aaf9152fb852230b29261f97645526b24ae8e1bff3204dd1cac1cb7117 | ||
| Image 1 (atf-1) | ||
| Description: ARM Trusted Firmware | ||
| Created: Fri Apr 12 13:02:03 2024 | ||
| Type: Firmware | ||
| Compression: gzip compressed | ||
| Data Size: 57097 Bytes = 55.76 KiB = 0.05 MiB | ||
| Architecture: AArch64 | ||
| Load Address: 0x00040000 | ||
| Hash algo: sha256 | ||
| Hash value: 6b7aa1822c907c53c1dbd8f6afe1f25c62592f940fd853892ed3b1a64afabbc0 | ||
| (...) | ||
| Default Configuration: 'conf' | ||
| Configuration 0 (conf) | ||
| Description: rk3568-evb | ||
| Kernel: unavailable | ||
| Firmware: atf-1 | ||
| FDT: fdt | ||
| Loadables: uboot | ||
| atf-2 | ||
| atf-3 | ||
| atf-4 | ||
| atf-5 | ||
| atf-6 | ||
| optee | ||
| ``` | ||
|
|
||
| To verify that public key was indeed inserted into dtb file you can use: | ||
|
|
||
| ```shell | ||
| fdtget -p spl/u-boot-spl.dtb /signature/key-dev | ||
| required | ||
| algo | ||
| rsa,np | ||
| rsa,c | ||
| rsa,r-squared | ||
| rsa,modulus | ||
| rsa,exponent-BN | ||
| rsa,exponent | ||
| rsa,n0-inverse | ||
| rsa,num-bits | ||
| key-name-hint | ||
| ``` | ||
|
|
||
| ## Summary | ||
|
|
||
| Summary of the post. | ||
|
|
||
| OPTIONAL ending (may be based on post content): | ||
|
|
||
| Unlock the full potential of your hardware and secure your firmware with the | ||
| experts at 3mdeb! If you're looking to boost your product's performance and | ||
| protect it from potential security threats, our team is here to help. | ||
| [Schedule a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) | ||
| or drop us an email at `contact<at>3mdeb<dot>com` to start unlocking the hidden | ||
| benefits of your hardware. And if you want to stay up-to-date on all things | ||
| firmware security and optimization, be sure to | ||
| [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). | ||
| Don't let your hardware hold you back, work with 3mdeb to achieve more! |