U-Boot FIT Signature Verification
=================================

Introduction
------------
FIT supports hashing of images so that these hashes can be checked on
loading. This protects against corruption of the image. However it does not
prevent the substitution of one image for another.

The signature feature allows the hash to be signed with a private key such
that it can be verified using a public key later. Provided that the private
key is kept secret and the public key is stored in a non-volatile place,
any image can be verified in this way.

See verified-boot.txt for more general information on verified boot.


Concepts
--------
Some familiarity with public key cryptography is assumed in this section.

The procedure for signing is as follows:

- hash an image in the FIT
- sign the hash with a private key to produce a signature
- store the resulting signature in the FIT

The procedure for verification is:

- read the FIT
- obtain the public key
- extract the signature from the FIT
- hash the image from the FIT
- verify (with the public key) that the extracted signature matches the
  hash

The signing is generally performed by mkimage, as part of making a firmware
image for the device. The verification is normally done in U-Boot on the
device.


Algorithms
----------
In principle any suitable algorithm can be used to sign and verify a hash.
At present only one class of algorithms is supported: SHA1 hashing with RSA.
This works by hashing the image to produce a 20-byte hash.

While it is acceptable to bring in large cryptographic libraries such as
openssl on the host side (e.g. mkimage), it is not desirable for U-Boot.
For the run-time verification side, it is important to keep code and data
size as small as possible.

For this reason the RSA image verification uses pre-processed public keys
which can be used with a very small amount of code - just some extraction
of data from the FDT and exponentiation mod n. Code size impact is a little
under 5KB on Tegra Seaboard, for example.

It is relatively straightforward to add new algorithms if required. If
another RSA variant is needed, then it can be added to the table in
image-sig.c. If another algorithm is needed (such as DSA) then it can be
placed alongside rsa.c, and its functions added to the table in image-sig.c
also.


Creating an RSA key pair and certificate
----------------------------------------
To create a new public/private key pair, size 2048 bits:

$ openssl genpkey -algorithm RSA -out keys/dev.key \
    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537

To create a certificate for this containing the public key:

$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt

If you like you can look at the public key also:

$ openssl rsa -in keys/dev.key -pubout


Device Tree Bindings
--------------------
The following properties are required in the FIT's signature node(s) to
allow the signer to operate. These should be added to the .its file.
Signature nodes sit at the same level as hash nodes and are called
signature-1, signature-2, etc.

- algo: Algorithm name (e.g. "sha1,rsa2048")

- key-name-hint: Name of key to use for signing. The keys will normally be in
  a single directory (parameter -k to mkimage). For a given key <name>, its
  private key is stored in <name>.key and the certificate is stored in
  <name>.crt.

When the image is signed, the following properties are added (mandatory):

- value: The signature data (e.g. 256 bytes for 2048-bit RSA)

When the image is signed, the following properties are optional:

- timestamp: Time when image was signed (standard Unix time_t format)

- signer-name: Name of the signer (e.g. "mkimage")

- signer-version: Version string of the signer (e.g. "2013.01")

- comment: Additional information about the signer or image

- padding: The padding algorithm; it may be pkcs-1.5 or pss. If no value
  is provided, pkcs-1.5 is assumed.

For config bindings (see Signed Configurations below), the following
additional properties are optional:

- sign-images: A list of images to sign, each being a property of the conf
  node that contains them. The default is "kernel,fdt" which means that these
  two images will be looked up in the config and signed if present.

For config bindings, these properties are added by the signer:

- hashed-nodes: A list of nodes which were hashed by the signer. Each is
  a string - the full path to node. A typical value might be:

    hashed-nodes = "/", "/configurations/conf-1", "/images/kernel",
        "/images/kernel/hash-1", "/images/fdt-1",
        "/images/fdt-1/hash-1";

- hashed-strings: The start and size of the string region of the FIT that
  was hashed

Example: See sign-images.its for an example image tree source file and
sign-configs.its for config signing.


Public Key Storage
------------------
In order to verify a signed image we need to have a trusted public key.
This cannot be stored in the signed image, since it would be easy to alter.
For this implementation we choose to store the public key in U-Boot's
control FDT (using CONFIG_OF_CONTROL).

Public keys should be stored as sub-nodes in a /signature node. Required
properties are:

- algo: Algorithm name (e.g. "sha1,rsa2048")

Optional properties are:

- key-name-hint: Name of key used for signing. This is only a hint since it
  is possible for the name to be changed. Verification can proceed by checking
  all available signing keys until one matches.

- required: If present this indicates that the key must be verified for the
  image / configuration to be considered valid. Only required keys are
  normally verified by the FIT image booting algorithm. Valid values are
  "image" to force verification of all images, and "conf" to force verification
  of the selected configuration (which then relies on hashes in the images to
  verify those).

Each signing algorithm has its own additional properties.

For RSA the following are mandatory:

- rsa,num-bits: Number of key bits (e.g. 2048)
- rsa,modulus: Modulus (N) as a big-endian multi-word integer
- rsa,exponent: Public exponent (E) as a 64 bit unsigned integer
- rsa,r-squared: (2^num-bits)^2 as a big-endian multi-word integer
- rsa,n0-inverse: -1 / modulus[0] mod 2^32
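
How the pre-processed properties above reduce verification to "exponentiation mod n" with very little code, shown as an added example (not U-Boot's rsa.c and not part of the original document): it derives rsa,r-squared and rsa,n0-inverse for a modulus and uses them in a word-serial Montgomery exponentiation. The function names and the demo modulus are assumptions made for the example, and rsa,r-squared is stored here reduced mod N so that it fits in num-bits.

```python
# Added example: derive and exercise the pre-processed RSA key properties.
WORD = 32                      # the multi-word properties use 32-bit words
MASK = (1 << WORD) - 1


def to_words(x, num_bits):
    """Big-endian list of 32-bit words, the layout of the multi-word properties."""
    count = num_bits // WORD
    return [(x >> (WORD * i)) & MASK for i in reversed(range(count))]


def from_words(words):
    x = 0
    for w in words:
        x = (x << WORD) | w
    return x


def key_properties(n, e, num_bits):
    """Build the rsa,* properties for an odd modulus n of num_bits bits."""
    if n % 2 == 0 or n >> num_bits or num_bits % WORD:
        raise ValueError("need an odd modulus that fits in num_bits (multiple of 32)")
    r = 1 << num_bits
    return {
        "rsa,num-bits": num_bits,
        "rsa,modulus": to_words(n, num_bits),
        "rsa,exponent": e,
        # Reduced mod n in this example so it fits in the same number of words.
        "rsa,r-squared": to_words((r * r) % n, num_bits),
        # -1 / (least significant 32-bit word of the modulus) mod 2^32.
        "rsa,n0-inverse": (-pow(n & MASK, -1, 1 << WORD)) & MASK,
    }


def mont_mul(a, b, n, n0_inverse, nwords):
    """Word-serial Montgomery product: a * b * R^-1 mod n, R = 2^(32*nwords)."""
    t = 0
    for i in range(nwords):
        t += ((a >> (WORD * i)) & MASK) * b
        m = ((t & MASK) * n0_inverse) & MASK   # makes the low word of t + m*n zero
        t = (t + m * n) >> WORD                # exact shift, no division by n
    return t - n if t >= n else t


def verify_exponentiation(sig, props):
    """Compute sig^e mod n from the stored properties only."""
    n = from_words(props["rsa,modulus"])
    rr = from_words(props["rsa,r-squared"])
    n0i = props["rsa,n0-inverse"]
    nwords = props["rsa,num-bits"] // WORD
    if not 0 <= sig < n:
        raise ValueError("signature value must be smaller than the modulus")
    base = mont_mul(sig, rr, n, n0i, nwords)   # sig * R mod n (Montgomery form)
    acc = mont_mul(1, rr, n, n0i, nwords)      # R mod n, i.e. 1 in Montgomery form
    for bit in bin(props["rsa,exponent"])[2:]:
        acc = mont_mul(acc, acc, n, n0i, nwords)
        if bit == "1":
            acc = mont_mul(acc, base, n, n0i, nwords)
    return mont_mul(acc, 1, n, n0i, nwords)    # convert back out of Montgomery form


# Constructed odd 256-bit number used only to exercise the arithmetic; not a real key.
DEMO_N = (2**127 - 1) * (2**128 + 51)
DEMO_PROPS = key_properties(DEMO_N, 65537, 256)
DEMO_SIG = int.from_bytes(b"constructed signature value", "big")

if __name__ == "__main__":
    print(hex(DEMO_PROPS["rsa,n0-inverse"]))
    print(verify_exponentiation(DEMO_SIG, DEMO_PROPS) == pow(DEMO_SIG, 65537, DEMO_N))
```

The result of the exponentiation is what a verifier then compares against the padded hash of the image.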


Signed Configurations
---------------------
While signing images is useful, it does not provide complete protection
against several types of attack. For example, it is possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).

As an example, consider this FIT:

/ {
    images {
        kernel-1 {
            data = <data for kernel1>;
            signature-1 {
                algo = "sha1,rsa2048";
                value = <...kernel signature 1...>;
            };
        };
        kernel-2 {
            data = <data for kernel2>;
            signature-1 {
                algo = "sha1,rsa2048";
                value = <...kernel signature 2...>;
            };
        };
        fdt-1 {
            data = <data for fdt1>;
            signature-1 {
                algo = "sha1,rsa2048";
                value = <...fdt signature 1...>;
            };
        };
        fdt-2 {
            data = <data for fdt2>;
            signature-1 {
                algo = "sha1,rsa2048";
                value = <...fdt signature 2...>;
            };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
        };
        conf-2 {
            kernel = "kernel-2";
            fdt = "fdt-2";
        };
    };
};

Since both kernels are signed it is easy for an attacker to add a new
configuration 3 with kernel 1 and fdt 2:

    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
        };
        conf-2 {
            kernel = "kernel-2";
            fdt = "fdt-2";
        };
        conf-3 {
            kernel = "kernel-1";
            fdt = "fdt-2";
        };
    };

With signed images, nothing protects against this. Whether it gains an
advantage for the attacker is debatable, but it is not secure.

To solve this problem, we support signed configurations. In this case it
is the configurations that are signed, not the image. Each image has its
own hash, and we include the hash in the configuration signature.

So the above example is adjusted to look like this:

/ {
    images {
        kernel-1 {
            data = <data for kernel1>;
            hash-1 {
                algo = "sha1";
                value = <...kernel hash 1...>;
            };
        };
        kernel-2 {
            data = <data for kernel2>;
            hash-1 {
                algo = "sha1";
                value = <...kernel hash 2...>;
            };
        };
        fdt-1 {
            data = <data for fdt1>;
            hash-1 {
                algo = "sha1";
                value = <...fdt hash 1...>;
            };
        };
        fdt-2 {
            data = <data for fdt2>;
            hash-1 {
                algo = "sha1";
                value = <...fdt hash 2...>;
            };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha1,rsa2048";
                value = <...conf 1 signature...>;
            };
        };
        conf-2 {
            kernel = "kernel-2";
            fdt = "fdt-2";
            signature-1 {
                algo = "sha1,rsa2048";
                value = <...conf 2 signature...>;
            };
        };
    };
};


You can see that we have added hashes for all images (since they are no
longer signed), and a signature to each configuration. In the above example,
mkimage will sign configurations/conf-1, the kernel and fdt that are
pointed to by the configuration (/images/kernel-1, /images/kernel-1/hash-1,
/images/fdt-1, /images/fdt-1/hash-1) and the root structure of the image
(so that it isn't possible to add or remove root nodes). The signature is
written into /configurations/conf-1/signature-1/value. It can easily be
verified later even if the FIT has been signed with other keys in the
meantime.
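
The difference between the two layouts above, as an added example that is not part of the original document: a simplified model in which a Python dict stands in for the FIT and HMAC-SHA256 stands in for the RSA signature so that it runs with the standard library only. The hypothetical conf_region() approximates the hashed-nodes list (configuration node plus the hash nodes of the images it names); all names and payloads are constructed.

```python
import copy
import hashlib
import hmac

# Constructed demo secret; HMAC-SHA256 is a stand-in for RSA sign/verify.
DEMO_KEY = b"constructed-demo-key"
IMAGES = {"kernel-1": b"kernel one", "kernel-2": b"kernel two",
          "fdt-1": b"fdt one", "fdt-2": b"fdt two"}     # constructed payloads
CONFS = {"conf-1": {"kernel": "kernel-1", "fdt": "fdt-1"},
         "conf-2": {"kernel": "kernel-2", "fdt": "fdt-2"}}


def sign(data):
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()


def check(data, signature):
    return hmac.compare_digest(sign(data), signature)


def conf_region(fit, name):
    """Simplified hashed-nodes region: the conf node plus each image's hash."""
    conf = fit["configurations"][name]
    parts = [name]
    for prop in ("kernel", "fdt"):           # default sign-images = "kernel,fdt"
        parts += [conf[prop], fit["images"][conf[prop]]["hash-1"]]
    return "\0".join(parts).encode()


def build_fit(signed_configs):
    """Build either the signed-images layout or the signed-configurations one."""
    fit = {"images": {}, "configurations": copy.deepcopy(CONFS)}
    for name, data in IMAGES.items():
        node = {"data": data}
        if signed_configs:
            node["hash-1"] = hashlib.sha1(data).hexdigest()
        else:
            node["signature-1"] = sign(data)
        fit["images"][name] = node
    if signed_configs:
        for name, conf in fit["configurations"].items():
            conf["signature-1"] = sign(conf_region(fit, name))
    return fit


def verify(fit, name, signed_configs):
    conf = fit["configurations"][name]
    images = [fit["images"][conf[p]] for p in ("kernel", "fdt")]
    if not signed_configs:
        # Signed images: each image is checked alone, the pairing is not covered.
        return all(check(img["data"], img["signature-1"]) for img in images)
    # Signed configuration: the signature covers the pairing and the image hashes.
    if not check(conf_region(fit, name), conf.get("signature-1", "")):
        return False
    return all(hashlib.sha1(img["data"]).hexdigest() == img["hash-1"]
               for img in images)


def add_conf3(fit):
    """The mix-and-match case above: kernel-1 with fdt-2, reusing conf-1's signature."""
    conf3 = {"kernel": "kernel-1", "fdt": "fdt-2"}
    if "signature-1" in fit["configurations"]["conf-1"]:
        conf3["signature-1"] = fit["configurations"]["conf-1"]["signature-1"]
    fit["configurations"]["conf-3"] = conf3
    return fit


def tamper(fit, image, data, fix_hash=False):
    """Replace an image payload, optionally recomputing its (unsigned) hash node."""
    node = fit["images"][image]
    node["data"] = data
    if fix_hash and "hash-1" in node:
        node["hash-1"] = hashlib.sha1(data).hexdigest()
    return fit


if __name__ == "__main__":
    print("signed images, conf-3 accepted:", verify(add_conf3(build_fit(False)), "conf-3", False))
    print("signed configs, conf-3 accepted:", verify(add_conf3(build_fit(True)), "conf-3", True))
```

With signed configurations, a changed payload fails the hash check, and a recomputed hash fails the signature check because the hash node is inside the signed region.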


Verification
------------
FITs are verified when loaded. After the configuration is selected a list
of required images is produced. If there are 'required' public keys, then
each image must be verified against those keys. This means that every image
that might be used by the target needs to be signed with 'required' keys.

This happens automatically as part of a bootm command when FITs are used.


Enabling FIT Verification
-------------------------
In addition to the options to enable FIT itself, the following CONFIGs must
be enabled:

CONFIG_FIT_SIGNATURE - enable signing and verification in FITs
CONFIG_RSA - enable RSA algorithm for signing

WARNING: When relying on signed FIT images with a required signature check,
the legacy image format is disabled by default, by not defining
CONFIG_IMAGE_FORMAT_LEGACY.

Testing
-------
An easy way to test signing and verification is to use the test script
provided in test/vboot/vboot_test.sh. This uses sandbox (a special version
of U-Boot which runs under Linux) to show the operation of a 'bootm'
command loading and verifying images.

A sample run is shown below:

$ make O=sandbox sandbox_config
$ make O=sandbox
$ O=sandbox ./test/vboot/vboot_test.sh
Simple Verified Boot Test
=========================

Please see doc/uImage.FIT/verified-boot.txt for more information

/home/hs/ids/u-boot/sandbox/tools/mkimage -D -I dts -O dtb -p 2000
Build keys
do sha1 test
Build FIT with signed images
Test Verified Boot Run: unsigned signatures:: OK
Sign images
Test Verified Boot Run: signed images: OK
Build FIT with signed configuration
Test Verified Boot Run: unsigned config: OK
Sign images
Test Verified Boot Run: signed config: OK
check signed config on the host
Signature check OK
OK
Test Verified Boot Run: signed config: OK
Test Verified Boot Run: signed config with bad hash: OK
do sha256 test
Build FIT with signed images
Test Verified Boot Run: unsigned signatures:: OK
Sign images
Test Verified Boot Run: signed images: OK
Build FIT with signed configuration
Test Verified Boot Run: unsigned config: OK
Sign images
Test Verified Boot Run: signed config: OK
check signed config on the host
Signature check OK
OK
Test Verified Boot Run: signed config: OK
Test Verified Boot Run: signed config with bad hash: OK

Test passed


Hardware Signing with PKCS#11
-----------------------------

Securely managing private signing keys can be challenging, especially when the
keys are stored on the file system of a computer that is connected to the
Internet. If an attacker is able to steal the key, they can sign malicious FIT
images which will appear genuine to your devices.

An alternative solution is to keep your signing key securely stored on a
hardware device like a smartcard, USB token or Hardware Security Module (HSM)
and have it perform the signing. PKCS#11 is a standard for interfacing with
these crypto devices.

Requirements:
    Smartcard/USB token/HSM which can work with the pkcs11 engine
    openssl
    libp11 (provides pkcs11 engine)
    p11-kit (recommended to simplify setup)
    opensc (for smartcards and smartcard like USB devices)
    gnutls (recommended for key generation, p11tool)

The following examples use the Nitrokey Pro. Instructions for other devices may vary.

Notes on pkcs11 engine setup:

Make sure p11-kit and opensc are installed and that p11-kit is set up to use
opensc. /usr/share/p11-kit/modules/opensc.module should be present on your
system.


Generating Keys On the Nitrokey:

$ gpg --card-edit

Reader ...........: Nitrokey Nitrokey Pro (xxxxxxxx0000000000000000) 00 00
Application ID ...: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: xxxxxxxx
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

Please note that the factory settings of the PINs are
  PIN = '123456' Admin PIN = '12345678'
You should change them using the command --change-pin

What keysize do you want for the Signature key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Note: There is no guarantee that the card supports the requested size.
      If the key generation does not succeed, please check the
      documentation of your card to see what sizes are allowed.
What keysize do you want for the Encryption key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
What keysize do you want for the Authentication key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
Please specify how long the key should be valid.
  0 = key does not expire
  <n> = key expires in n days
  <n>w = key expires in n weeks
  <n>m = key expires in n months
  <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: John Doe
Email address: john.doe@email.com
Comment:
You selected this USER-ID:
    "John Doe <john.doe@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o


Using p11tool to get the token URL:

Depending on system configuration, gpg-agent may need to be killed first.

$ p11tool --provider /usr/lib/opensc-pkcs11.so --list-tokens
Token 0:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29
Label: OpenPGP card (User PIN (sig))
Type: Hardware token
Manufacturer: ZeitControl
Model: PKCS#15 emulated
Serial: 000xxxxxxxxx
Module: (null)


Token 1:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%29
Label: OpenPGP card (User PIN)
Type: Hardware token
Manufacturer: ZeitControl
Model: PKCS#15 emulated
Serial: 000xxxxxxxxx
Module: (null)

Use the portion of the signature token URL after "pkcs11:" as the keydir argument (-k) to mkimage below.


Use the URL of the token to list the private keys:

$ p11tool --login --provider /usr/lib/opensc-pkcs11.so --list-privkeys \
"pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29"
Token 'OpenPGP card (User PIN (sig))' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29;id=%01;object=Signature%20key;type=private
Type: Private key
Label: Signature key
Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 01

Use the label, in this case "Signature key" as the key-name-hint in your FIT.

Create the fitImage:

$ ./tools/mkimage -f fit-image.its fitImage


Sign the fitImage with the hardware key:

$ ./tools/mkimage -F -k \
"model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29" \
-K u-boot.dtb -N pkcs11 -r fitImage


Future Work
-----------
- Roll-back protection using a TPM is done using the tpm command. This can
  be scripted, but we might consider a default way of doing this, built into
  bootm.


Possible Future Work
--------------------
- Add support for other RSA/SHA variants, such as rsa4096,sha512.
- Other algorithms besides RSA
- More sandbox tests for failure modes
- Passwords for keys/certificates
- Perhaps implement OAEP
- Enhance bootm to permit scripted signature verification (so that a script
  can verify an image but not actually boot it)


Simon Glass
sjg@chromium.org
1-1-13