[U-Boot,v3,3/5] docs: Document verified-boot for sunxi a64

Add verified-boot documentation for sunxi a64 platform.

Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
---
Changes for v3:
- Create separate document file
Changes for v2:
- New patch

 doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 193 insertions(+)
 create mode 100644 doc/README.sunxi

Hi,

On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote:
> Add verified-boot documentation for sunxi a64 platform.
> 
> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
> ---
> Changes for v3:
> - Create separate document file
> Changes for v2:
> - New patch
> 
>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 193 insertions(+)
>  create mode 100644 doc/README.sunxi
> 
> diff --git a/doc/README.sunxi b/doc/README.sunxi
> new file mode 100644
> index 0000000..ef4f735
> --- /dev/null
> +++ b/doc/README.sunxi
> @@ -0,0 +1,193 @@
> +#
> +# Copyright (C) 2017 Amarula Solutions
> +#
> +# SPDX-License-Identifier:	GPL-2.0+
> +#
> +
> +U-Boot on SunXi
> +==============
> +
> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform. 
> +
> +	1. Verified Boot
> +
> +1. Verified Boot
> +================
> +
> +U-Boot supports an image verification method called "Verified Boot".
> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> +You will find details documents in the doc/uImage.FIT directory.
> +
> +Here, we take Orangepi Win board for example, but it should work for any
> +other boards including 32 bit SoCs.
> +
> +1. Generate RSA key to sign
> +
> +  $ mkdir keys
> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> +
> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
> +but need to match to the "key-name-hint" property described below.

I really think that the very first thing you must talk about in that
documentation is that it will not protect the SPL itself and that this
is not a secure setup.

Maxime

Hi Jagan,

On 13/12/2017 07:03, Jagan Teki wrote:
> Add verified-boot documentation for sunxi a64 platform.
> 
> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
> ---
> Changes for v3:
> - Create separate document file
> Changes for v2:
> - New patch
> 
>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 193 insertions(+)
>  create mode 100644 doc/README.sunxi
> 
> diff --git a/doc/README.sunxi b/doc/README.sunxi
> new file mode 100644
> index 0000000..ef4f735
> --- /dev/null
> +++ b/doc/README.sunxi
> @@ -0,0 +1,193 @@
> +#
> +# Copyright (C) 2017 Amarula Solutions
> +#
> +# SPDX-License-Identifier:	GPL-2.0+
> +#
> +
> +U-Boot on SunXi
> +==============
> +
> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform. 
> +
> +	1. Verified Boot
> +
> +1. Verified Boot
> +================
> +
> +U-Boot supports an image verification method called "Verified Boot".
> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> +You will find details documents in the doc/uImage.FIT directory.
> +
> +Here, we take Orangepi Win board for example, but it should work for any
> +other boards including 32 bit SoCs.
> +
> +1. Generate RSA key to sign
> +
> +  $ mkdir keys
> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> +
> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
> +but need to match to the "key-name-hint" property described below.
> +
> +2. FIT Input
> +
> +---------------------------------------->8----------------------------------------
> +/dts-v1/;
> +/ {
> +	description = "FIT image with single Linux kernel, FDT blob";
> +	#address-cells = <1>;
> +
> +	images {
> +		kernel@0 {
> +			description = "ARM64 Linux kernel";
> +			data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
> +			type = "kernel";
> +			arch = "arm64";
> +			os = "linux";
> +			compression = "gzip";
> +			load = <0x50080000>;
> +			entry = <0x50080000>;
> +			hash@1 {
> +				algo = "sha256";
> +			};
> +		};
> +
> +		fdt@0 {
> +			description = "Orangepi Win/Win+ Devicetree blob";
> +			data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
> +			type = "flat_dt";
> +			arch = "arm64";
> +			compression = "none";
> +			hash@1 {
> +				algo = "sha256";
> +			};
> +		};
> +	};
> +
> +	configurations {
> +		default = "conf@0";
> +
> +		conf@0 {
> +			description = "Boot Linux kernel, FDT blob";
> +			kernel = "kernel@0";
> +			fdt = "fdt@0";
> +			signature@0 {
> +				algo = "sha256,rsa2048";
> +				key-name-hint = "dev";
> +				sign-images = "kernel", "fdt";
> +			};
> +		};
> +	};
> +};
> +---------------------------------------->8----------------------------------------
> +
> +You need to change the two '/incbin/' lines, depending on the location of
> +your kernel image and devicetree blob.  The "load" and "entry" properties also
> +need to be adjusted if you want to change the physical placement of the kernel.
> +
> +The "key-name-hint" must specify the key name you have created in the step 1.
> +
> +The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
> +
> +3. Compile U-Boot with FIT and signature enabled
> +
> +To use the Verified Boot, you need to enable the following two options:
> +  CONFIG_FIT
> +  CONFIG_FIT_SIGNATURE
> +
> +  $ make orangepi_win_defconfig
> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
> +
> +4. FIT Output
> +
> +After building U-Boot, you will see tools/mkimage.  With this tool, you can
> +create an image tree blob as follows:
> +
> +  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
> +
> +The -k option must specify the key directory you have created in step 1.
> +
> +A file "fitImage" will be created.  This includes kernel, DTB,
> +hash data for each of the three, and signature data.
> +
> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
> +
> +5. Compile Verified U-Boot
> +
> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
> +U-Boot.
> +
> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
> +
> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
> +
> +6. Flash the image
> +
> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
> +board.
> +
> +7. Boot verified kernel
> +
> +Load the fitImage to memory and run the following from the U-Boot command line.
> +
> +  > bootm <addr>
> +
> +Here, <addr> is the base address of the fitImage.
> +
> +If it is successful, you will see messages like follows:
> +
> +---------------------------------------->8----------------------------------------
> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
> +16321738 bytes read in 1049 ms (14.8 MiB/s)
> +=> bootm $kernel_addr_r
> +## Loading kernel from FIT Image at 40080000 ...
> +   Using 'conf@0' configuration
> +   Verifying Hash Integrity ... OK
> +   Trying 'kernel@0' kernel subimage
> +     Description:  ARM64 Linux kernel
> +     Type:         Kernel Image
> +     Compression:  gzip compressed
> +     Data Start:   0x400800e4
> +     Data Size:    6884659 Bytes = 6.6 MiB
> +     Architecture: AArch64
> +     OS:           Linux
> +     Load Address: 0x50080000
> +     Entry Point:  0x50080000
> +     Hash algo:    sha256
> +     Hash value:   6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
> +   Verifying Hash Integrity ... sha256+ OK
> +## Loading fdt from FIT Image at 40080000 ...
> +   Using 'conf@0' configuration
> +   Trying 'fdt@0' fdt subimage
> +     Description:  Orangepi Win/Win+ Devicetree blob
> +     Type:         Flat Device Tree
> +     Compression:  uncompressed
> +     Data Start:   0x40710f24
> +     Data Size:    9032 Bytes = 8.8 KiB
> +     Architecture: AArch64
> +     Hash algo:    sha256
> +     Hash value:   ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
> +   Verifying Hash Integrity ... sha256+ OK
> +   Booting using the fdt blob at 0x40710f24
> +   Uncompressing Kernel Image ... OK
> +   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
> +
> +Starting kernel ...
> +---------------------------------------->8----------------------------------------
> +
> +Please pay attention to the lines that start with "Verifying Hash Integrity".
> +
> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
> +passed.
> +
> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
> +for kernel and DTB.
> +
> +If they are not displayed, the Verified Boot is not working.
> +
> +--
> +Jagan Teki <jagan@amarulasolutions.com>
> +13 Dec 2017
> 

What's specific to sunxi boards in this README?

We already have an extensive documentation in doc/uImage.FIT/. Could a
few parts of your README make it to this documentation instead if it
isn't already there?

Thanks,
Quentin

On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard
<maxime.ripard@free-electrons.com> wrote:
> Hi,
>
> On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote:
>> Add verified-boot documentation for sunxi a64 platform.
>>
>> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
>> ---
>> Changes for v3:
>> - Create separate document file
>> Changes for v2:
>> - New patch
>>
>>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 193 insertions(+)
>>  create mode 100644 doc/README.sunxi
>>
>> diff --git a/doc/README.sunxi b/doc/README.sunxi
>> new file mode 100644
>> index 0000000..ef4f735
>> --- /dev/null
>> +++ b/doc/README.sunxi
>> @@ -0,0 +1,193 @@
>> +#
>> +# Copyright (C) 2017 Amarula Solutions
>> +#
>> +# SPDX-License-Identifier:   GPL-2.0+
>> +#
>> +
>> +U-Boot on SunXi
>> +==============
>> +
>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
>> +
>> +     1. Verified Boot
>> +
>> +1. Verified Boot
>> +================
>> +
>> +U-Boot supports an image verification method called "Verified Boot".
>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
>> +You will find details documents in the doc/uImage.FIT directory.
>> +
>> +Here, we take Orangepi Win board for example, but it should work for any
>> +other boards including 32 bit SoCs.
>> +
>> +1. Generate RSA key to sign
>> +
>> +  $ mkdir keys
>> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
>> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
>> +
>> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
>> +but need to match to the "key-name-hint" property described below.
>
> I really think that the very first thing you must talk about in that
> documentation is that it will not protect the SPL itself and that this
> is not a secure setup.

Based on my experience with U-boot, verified-boot here doesn't relate
to protect SPL or U-Boot. it's generally for kernel and followed
stages. I don't think we can think here too-much. some reference
doc/README.uniphier

You're true if we protect boot stages, then it becomes secure
boot(from BROM) like HABv4 in i.MX6, but verified boot in U-Boot is
different.

thanks!

On Wed, Dec 13, 2017 at 9:29 PM, Quentin Schulz
<quentin.schulz@free-electrons.com> wrote:
> Hi Jagan,
>
> On 13/12/2017 07:03, Jagan Teki wrote:
>> Add verified-boot documentation for sunxi a64 platform.
>>
>> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
>> ---
>> Changes for v3:
>> - Create separate document file
>> Changes for v2:
>> - New patch
>>
>>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 193 insertions(+)
>>  create mode 100644 doc/README.sunxi
>>
>> diff --git a/doc/README.sunxi b/doc/README.sunxi
>> new file mode 100644
>> index 0000000..ef4f735
>> --- /dev/null
>> +++ b/doc/README.sunxi
>> @@ -0,0 +1,193 @@
>> +#
>> +# Copyright (C) 2017 Amarula Solutions
>> +#
>> +# SPDX-License-Identifier:   GPL-2.0+
>> +#
>> +
>> +U-Boot on SunXi
>> +==============
>> +
>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
>> +
>> +     1. Verified Boot
>> +
>> +1. Verified Boot
>> +================
>> +
>> +U-Boot supports an image verification method called "Verified Boot".
>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
>> +You will find details documents in the doc/uImage.FIT directory.
>> +
>> +Here, we take Orangepi Win board for example, but it should work for any
>> +other boards including 32 bit SoCs.
>> +
>> +1. Generate RSA key to sign
>> +
>> +  $ mkdir keys
>> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
>> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
>> +
>> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
>> +but need to match to the "key-name-hint" property described below.
>> +
>> +2. FIT Input
>> +
>> +---------------------------------------->8----------------------------------------
>> +/dts-v1/;
>> +/ {
>> +     description = "FIT image with single Linux kernel, FDT blob";
>> +     #address-cells = <1>;
>> +
>> +     images {
>> +             kernel@0 {
>> +                     description = "ARM64 Linux kernel";
>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
>> +                     type = "kernel";
>> +                     arch = "arm64";
>> +                     os = "linux";
>> +                     compression = "gzip";
>> +                     load = <0x50080000>;
>> +                     entry = <0x50080000>;
>> +                     hash@1 {
>> +                             algo = "sha256";
>> +                     };
>> +             };
>> +
>> +             fdt@0 {
>> +                     description = "Orangepi Win/Win+ Devicetree blob";
>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
>> +                     type = "flat_dt";
>> +                     arch = "arm64";
>> +                     compression = "none";
>> +                     hash@1 {
>> +                             algo = "sha256";
>> +                     };
>> +             };
>> +     };
>> +
>> +     configurations {
>> +             default = "conf@0";
>> +
>> +             conf@0 {
>> +                     description = "Boot Linux kernel, FDT blob";
>> +                     kernel = "kernel@0";
>> +                     fdt = "fdt@0";
>> +                     signature@0 {
>> +                             algo = "sha256,rsa2048";
>> +                             key-name-hint = "dev";
>> +                             sign-images = "kernel", "fdt";
>> +                     };
>> +             };
>> +     };
>> +};
>> +---------------------------------------->8----------------------------------------
>> +
>> +You need to change the two '/incbin/' lines, depending on the location of
>> +your kernel image and devicetree blob.  The "load" and "entry" properties also
>> +need to be adjusted if you want to change the physical placement of the kernel.
>> +
>> +The "key-name-hint" must specify the key name you have created in the step 1.
>> +
>> +The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
>> +
>> +3. Compile U-Boot with FIT and signature enabled
>> +
>> +To use the Verified Boot, you need to enable the following two options:
>> +  CONFIG_FIT
>> +  CONFIG_FIT_SIGNATURE
>> +
>> +  $ make orangepi_win_defconfig
>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>> +
>> +4. FIT Output
>> +
>> +After building U-Boot, you will see tools/mkimage.  With this tool, you can
>> +create an image tree blob as follows:
>> +
>> +  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
>> +
>> +The -k option must specify the key directory you have created in step 1.
>> +
>> +A file "fitImage" will be created.  This includes kernel, DTB,
>> +hash data for each of the three, and signature data.
>> +
>> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
>> +
>> +5. Compile Verified U-Boot
>> +
>> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
>> +U-Boot.
>> +
>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>> +
>> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
>> +
>> +6. Flash the image
>> +
>> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
>> +board.
>> +
>> +7. Boot verified kernel
>> +
>> +Load the fitImage to memory and run the following from the U-Boot command line.
>> +
>> +  > bootm <addr>
>> +
>> +Here, <addr> is the base address of the fitImage.
>> +
>> +If it is successful, you will see messages like follows:
>> +
>> +---------------------------------------->8----------------------------------------
>> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
>> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
>> +16321738 bytes read in 1049 ms (14.8 MiB/s)
>> +=> bootm $kernel_addr_r
>> +## Loading kernel from FIT Image at 40080000 ...
>> +   Using 'conf@0' configuration
>> +   Verifying Hash Integrity ... OK
>> +   Trying 'kernel@0' kernel subimage
>> +     Description:  ARM64 Linux kernel
>> +     Type:         Kernel Image
>> +     Compression:  gzip compressed
>> +     Data Start:   0x400800e4
>> +     Data Size:    6884659 Bytes = 6.6 MiB
>> +     Architecture: AArch64
>> +     OS:           Linux
>> +     Load Address: 0x50080000
>> +     Entry Point:  0x50080000
>> +     Hash algo:    sha256
>> +     Hash value:   6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
>> +   Verifying Hash Integrity ... sha256+ OK
>> +## Loading fdt from FIT Image at 40080000 ...
>> +   Using 'conf@0' configuration
>> +   Trying 'fdt@0' fdt subimage
>> +     Description:  Orangepi Win/Win+ Devicetree blob
>> +     Type:         Flat Device Tree
>> +     Compression:  uncompressed
>> +     Data Start:   0x40710f24
>> +     Data Size:    9032 Bytes = 8.8 KiB
>> +     Architecture: AArch64
>> +     Hash algo:    sha256
>> +     Hash value:   ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
>> +   Verifying Hash Integrity ... sha256+ OK
>> +   Booting using the fdt blob at 0x40710f24
>> +   Uncompressing Kernel Image ... OK
>> +   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
>> +
>> +Starting kernel ...
>> +---------------------------------------->8----------------------------------------
>> +
>> +Please pay attention to the lines that start with "Verifying Hash Integrity".
>> +
>> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
>> +passed.
>> +
>> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
>> +for kernel and DTB.
>> +
>> +If they are not displayed, the Verified Boot is not working.
>> +
>> +--
>> +Jagan Teki <jagan@amarulasolutions.com>
>> +13 Dec 2017
>>
>
> What's specific to sunxi boards in this README?

it not board specific, it's generic sunxi platform README.

>
> We already have an extensive documentation in doc/uImage.FIT/. Could a
> few parts of your README make it to this documentation instead if it
> isn't already there?

Since we've plenty of sunxi boards, showing readme with specific
feature in single board with all details does make more sense rather
than pointing out existing docs. It would be very beneficial for new
user to try with detailed info.

thanks!

Hi,

On 13/12/17 16:16, Jagan Teki wrote:
> On Wed, Dec 13, 2017 at 9:29 PM, Quentin Schulz
> <quentin.schulz@free-electrons.com> wrote:
>> Hi Jagan,
>>
>> On 13/12/2017 07:03, Jagan Teki wrote:
>>> Add verified-boot documentation for sunxi a64 platform.
>>>
>>> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
>>> ---
>>> Changes for v3:
>>> - Create separate document file
>>> Changes for v2:
>>> - New patch
>>>
>>>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>  1 file changed, 193 insertions(+)
>>>  create mode 100644 doc/README.sunxi
>>>
>>> diff --git a/doc/README.sunxi b/doc/README.sunxi
>>> new file mode 100644
>>> index 0000000..ef4f735
>>> --- /dev/null
>>> +++ b/doc/README.sunxi
>>> @@ -0,0 +1,193 @@
>>> +#
>>> +# Copyright (C) 2017 Amarula Solutions
>>> +#
>>> +# SPDX-License-Identifier:   GPL-2.0+
>>> +#
>>> +
>>> +U-Boot on SunXi
>>> +==============
>>> +
>>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
>>> +
>>> +     1. Verified Boot
>>> +
>>> +1. Verified Boot
>>> +================
>>> +
>>> +U-Boot supports an image verification method called "Verified Boot".
>>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
>>> +You will find details documents in the doc/uImage.FIT directory.
>>> +
>>> +Here, we take Orangepi Win board for example, but it should work for any
>>> +other boards including 32 bit SoCs.
>>> +
>>> +1. Generate RSA key to sign
>>> +
>>> +  $ mkdir keys
>>> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
>>> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>>> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
>>> +
>>> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
>>> +but need to match to the "key-name-hint" property described below.
>>> +
>>> +2. FIT Input
>>> +
>>> +---------------------------------------->8----------------------------------------
>>> +/dts-v1/;
>>> +/ {
>>> +     description = "FIT image with single Linux kernel, FDT blob";
>>> +     #address-cells = <1>;
>>> +
>>> +     images {
>>> +             kernel@0 {
>>> +                     description = "ARM64 Linux kernel";
>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
>>> +                     type = "kernel";
>>> +                     arch = "arm64";
>>> +                     os = "linux";
>>> +                     compression = "gzip";
>>> +                     load = <0x50080000>;
>>> +                     entry = <0x50080000>;
>>> +                     hash@1 {
>>> +                             algo = "sha256";
>>> +                     };
>>> +             };
>>> +
>>> +             fdt@0 {
>>> +                     description = "Orangepi Win/Win+ Devicetree blob";
>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
>>> +                     type = "flat_dt";
>>> +                     arch = "arm64";
>>> +                     compression = "none";
>>> +                     hash@1 {
>>> +                             algo = "sha256";
>>> +                     };
>>> +             };
>>> +     };
>>> +
>>> +     configurations {
>>> +             default = "conf@0";
>>> +
>>> +             conf@0 {
>>> +                     description = "Boot Linux kernel, FDT blob";
>>> +                     kernel = "kernel@0";
>>> +                     fdt = "fdt@0";
>>> +                     signature@0 {
>>> +                             algo = "sha256,rsa2048";
>>> +                             key-name-hint = "dev";
>>> +                             sign-images = "kernel", "fdt";
>>> +                     };
>>> +             };
>>> +     };
>>> +};
>>> +---------------------------------------->8----------------------------------------
>>> +
>>> +You need to change the two '/incbin/' lines, depending on the location of
>>> +your kernel image and devicetree blob.  The "load" and "entry" properties also
>>> +need to be adjusted if you want to change the physical placement of the kernel.
>>> +
>>> +The "key-name-hint" must specify the key name you have created in the step 1.
>>> +
>>> +The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
>>> +
>>> +3. Compile U-Boot with FIT and signature enabled
>>> +
>>> +To use the Verified Boot, you need to enable the following two options:
>>> +  CONFIG_FIT
>>> +  CONFIG_FIT_SIGNATURE
>>> +
>>> +  $ make orangepi_win_defconfig
>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>>> +
>>> +4. FIT Output
>>> +
>>> +After building U-Boot, you will see tools/mkimage.  With this tool, you can
>>> +create an image tree blob as follows:
>>> +
>>> +  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
>>> +
>>> +The -k option must specify the key directory you have created in step 1.
>>> +
>>> +A file "fitImage" will be created.  This includes kernel, DTB,
>>> +hash data for each of the three, and signature data.
>>> +
>>> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
>>> +
>>> +5. Compile Verified U-Boot
>>> +
>>> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
>>> +U-Boot.
>>> +
>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>>> +
>>> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
>>> +
>>> +6. Flash the image
>>> +
>>> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
>>> +board.
>>> +
>>> +7. Boot verified kernel
>>> +
>>> +Load the fitImage to memory and run the following from the U-Boot command line.
>>> +
>>> +  > bootm <addr>
>>> +
>>> +Here, <addr> is the base address of the fitImage.
>>> +
>>> +If it is successful, you will see messages like follows:
>>> +
>>> +---------------------------------------->8----------------------------------------
>>> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
>>> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
>>> +16321738 bytes read in 1049 ms (14.8 MiB/s)
>>> +=> bootm $kernel_addr_r
>>> +## Loading kernel from FIT Image at 40080000 ...
>>> +   Using 'conf@0' configuration
>>> +   Verifying Hash Integrity ... OK
>>> +   Trying 'kernel@0' kernel subimage
>>> +     Description:  ARM64 Linux kernel
>>> +     Type:         Kernel Image
>>> +     Compression:  gzip compressed
>>> +     Data Start:   0x400800e4
>>> +     Data Size:    6884659 Bytes = 6.6 MiB
>>> +     Architecture: AArch64
>>> +     OS:           Linux
>>> +     Load Address: 0x50080000
>>> +     Entry Point:  0x50080000
>>> +     Hash algo:    sha256
>>> +     Hash value:   6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
>>> +   Verifying Hash Integrity ... sha256+ OK
>>> +## Loading fdt from FIT Image at 40080000 ...
>>> +   Using 'conf@0' configuration
>>> +   Trying 'fdt@0' fdt subimage
>>> +     Description:  Orangepi Win/Win+ Devicetree blob
>>> +     Type:         Flat Device Tree
>>> +     Compression:  uncompressed
>>> +     Data Start:   0x40710f24
>>> +     Data Size:    9032 Bytes = 8.8 KiB
>>> +     Architecture: AArch64
>>> +     Hash algo:    sha256
>>> +     Hash value:   ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
>>> +   Verifying Hash Integrity ... sha256+ OK
>>> +   Booting using the fdt blob at 0x40710f24
>>> +   Uncompressing Kernel Image ... OK
>>> +   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
>>> +
>>> +Starting kernel ...
>>> +---------------------------------------->8----------------------------------------
>>> +
>>> +Please pay attention to the lines that start with "Verifying Hash Integrity".
>>> +
>>> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
>>> +passed.
>>> +
>>> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
>>> +for kernel and DTB.
>>> +
>>> +If they are not displayed, the Verified Boot is not working.
>>> +
>>> +--
>>> +Jagan Teki <jagan@amarulasolutions.com>
>>> +13 Dec 2017
>>>
>>
>> What's specific to sunxi boards in this README?
> 
> it not board specific, it's generic sunxi platform README.

I guess Quentin's point was that those instructions are generic to every
U-Boot platform. There is nothing sunxi specific in there.
docs/uImage.FIT is definitely the place for this doc to go.

>> We already have an extensive documentation in doc/uImage.FIT/. Could a
>> few parts of your README make it to this documentation instead if it
>> isn't already there?
> 
> Since we've plenty of sunxi boards, showing readme with specific
> feature in single board with all details does make more sense rather
> than pointing out existing docs. It would be very beneficial for new
> user to try with detailed info.

I don't really get what you are after.
Please check doc/uImage.FIT/verified-boot.txt and see if you can extend
this file. As you pointed out yourself this is verified boot, a U-Boot
feature, which is totally architecture, platform and board agnostic.

Cheers,
Andre

On Wed, Dec 13, 2017 at 9:55 PM, Andre Przywara <andre.przywara@arm.com> wrote:
> Hi,
>
> On 13/12/17 16:16, Jagan Teki wrote:
>> On Wed, Dec 13, 2017 at 9:29 PM, Quentin Schulz
>> <quentin.schulz@free-electrons.com> wrote:
>>> Hi Jagan,
>>>
>>> On 13/12/2017 07:03, Jagan Teki wrote:
>>>> Add verified-boot documentation for sunxi a64 platform.
>>>>
>>>> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
>>>> ---
>>>> Changes for v3:
>>>> - Create separate document file
>>>> Changes for v2:
>>>> - New patch
>>>>
>>>>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>  1 file changed, 193 insertions(+)
>>>>  create mode 100644 doc/README.sunxi
>>>>
>>>> diff --git a/doc/README.sunxi b/doc/README.sunxi
>>>> new file mode 100644
>>>> index 0000000..ef4f735
>>>> --- /dev/null
>>>> +++ b/doc/README.sunxi
>>>> @@ -0,0 +1,193 @@
>>>> +#
>>>> +# Copyright (C) 2017 Amarula Solutions
>>>> +#
>>>> +# SPDX-License-Identifier:   GPL-2.0+
>>>> +#
>>>> +
>>>> +U-Boot on SunXi
>>>> +==============
>>>> +
>>>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
>>>> +
>>>> +     1. Verified Boot
>>>> +
>>>> +1. Verified Boot
>>>> +================
>>>> +
>>>> +U-Boot supports an image verification method called "Verified Boot".
>>>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
>>>> +You will find details documents in the doc/uImage.FIT directory.
>>>> +
>>>> +Here, we take Orangepi Win board for example, but it should work for any
>>>> +other boards including 32 bit SoCs.
>>>> +
>>>> +1. Generate RSA key to sign
>>>> +
>>>> +  $ mkdir keys
>>>> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
>>>> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>>>> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
>>>> +
>>>> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
>>>> +but need to match to the "key-name-hint" property described below.
>>>> +
>>>> +2. FIT Input
>>>> +
>>>> +---------------------------------------->8----------------------------------------
>>>> +/dts-v1/;
>>>> +/ {
>>>> +     description = "FIT image with single Linux kernel, FDT blob";
>>>> +     #address-cells = <1>;
>>>> +
>>>> +     images {
>>>> +             kernel@0 {
>>>> +                     description = "ARM64 Linux kernel";
>>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
>>>> +                     type = "kernel";
>>>> +                     arch = "arm64";
>>>> +                     os = "linux";
>>>> +                     compression = "gzip";
>>>> +                     load = <0x50080000>;
>>>> +                     entry = <0x50080000>;
>>>> +                     hash@1 {
>>>> +                             algo = "sha256";
>>>> +                     };
>>>> +             };
>>>> +
>>>> +             fdt@0 {
>>>> +                     description = "Orangepi Win/Win+ Devicetree blob";
>>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
>>>> +                     type = "flat_dt";
>>>> +                     arch = "arm64";
>>>> +                     compression = "none";
>>>> +                     hash@1 {
>>>> +                             algo = "sha256";
>>>> +                     };
>>>> +             };
>>>> +     };
>>>> +
>>>> +     configurations {
>>>> +             default = "conf@0";
>>>> +
>>>> +             conf@0 {
>>>> +                     description = "Boot Linux kernel, FDT blob";
>>>> +                     kernel = "kernel@0";
>>>> +                     fdt = "fdt@0";
>>>> +                     signature@0 {
>>>> +                             algo = "sha256,rsa2048";
>>>> +                             key-name-hint = "dev";
>>>> +                             sign-images = "kernel", "fdt";
>>>> +                     };
>>>> +             };
>>>> +     };
>>>> +};
>>>> +---------------------------------------->8----------------------------------------
>>>> +
>>>> +You need to change the two '/incbin/' lines, depending on the location of
>>>> +your kernel image and devicetree blob.  The "load" and "entry" properties also
>>>> +need to be adjusted if you want to change the physical placement of the kernel.
>>>> +
>>>> +The "key-name-hint" must specify the key name you have created in the step 1.
>>>> +
>>>> +The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
>>>> +
>>>> +3. Compile U-Boot with FIT and signature enabled
>>>> +
>>>> +To use the Verified Boot, you need to enable the following two options:
>>>> +  CONFIG_FIT
>>>> +  CONFIG_FIT_SIGNATURE
>>>> +
>>>> +  $ make orangepi_win_defconfig
>>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>>>> +
>>>> +4. FIT Output
>>>> +
>>>> +After building U-Boot, you will see tools/mkimage.  With this tool, you can
>>>> +create an image tree blob as follows:
>>>> +
>>>> +  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
>>>> +
>>>> +The -k option must specify the key directory you have created in step 1.
>>>> +
>>>> +A file "fitImage" will be created.  This includes kernel, DTB,
>>>> +hash data for each of the three, and signature data.
>>>> +
>>>> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
>>>> +
>>>> +5. Compile Verified U-Boot
>>>> +
>>>> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
>>>> +U-Boot.
>>>> +
>>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>>>> +
>>>> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
>>>> +
>>>> +6. Flash the image
>>>> +
>>>> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
>>>> +board.
>>>> +
>>>> +7. Boot verified kernel
>>>> +
>>>> +Load the fitImage to memory and run the following from the U-Boot command line.
>>>> +
>>>> +  > bootm <addr>
>>>> +
>>>> +Here, <addr> is the base address of the fitImage.
>>>> +
>>>> +If it is successful, you will see messages like follows:
>>>> +
>>>> +---------------------------------------->8----------------------------------------
>>>> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
>>>> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
>>>> +16321738 bytes read in 1049 ms (14.8 MiB/s)
>>>> +=> bootm $kernel_addr_r
>>>> +## Loading kernel from FIT Image at 40080000 ...
>>>> +   Using 'conf@0' configuration
>>>> +   Verifying Hash Integrity ... OK
>>>> +   Trying 'kernel@0' kernel subimage
>>>> +     Description:  ARM64 Linux kernel
>>>> +     Type:         Kernel Image
>>>> +     Compression:  gzip compressed
>>>> +     Data Start:   0x400800e4
>>>> +     Data Size:    6884659 Bytes = 6.6 MiB
>>>> +     Architecture: AArch64
>>>> +     OS:           Linux
>>>> +     Load Address: 0x50080000
>>>> +     Entry Point:  0x50080000
>>>> +     Hash algo:    sha256
>>>> +     Hash value:   6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
>>>> +   Verifying Hash Integrity ... sha256+ OK
>>>> +## Loading fdt from FIT Image at 40080000 ...
>>>> +   Using 'conf@0' configuration
>>>> +   Trying 'fdt@0' fdt subimage
>>>> +     Description:  Orangepi Win/Win+ Devicetree blob
>>>> +     Type:         Flat Device Tree
>>>> +     Compression:  uncompressed
>>>> +     Data Start:   0x40710f24
>>>> +     Data Size:    9032 Bytes = 8.8 KiB
>>>> +     Architecture: AArch64
>>>> +     Hash algo:    sha256
>>>> +     Hash value:   ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
>>>> +   Verifying Hash Integrity ... sha256+ OK
>>>> +   Booting using the fdt blob at 0x40710f24
>>>> +   Uncompressing Kernel Image ... OK
>>>> +   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
>>>> +
>>>> +Starting kernel ...
>>>> +---------------------------------------->8----------------------------------------
>>>> +
>>>> +Please pay attention to the lines that start with "Verifying Hash Integrity".
>>>> +
>>>> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
>>>> +passed.
>>>> +
>>>> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
>>>> +for kernel and DTB.
>>>> +
>>>> +If they are not displayed, the Verified Boot is not working.
>>>> +
>>>> +--
>>>> +Jagan Teki <jagan@amarulasolutions.com>
>>>> +13 Dec 2017
>>>>
>>>
>>> What's specific to sunxi boards in this README?
>>
>> it not board specific, it's generic sunxi platform README.
>
> I guess Quentin's point was that those instructions are generic to every
> U-Boot platform. There is nothing sunxi specific in there.
> docs/uImage.FIT is definitely the place for this doc to go.

Yeah, I understand instructions are generic for all platforms but what
I'm trying to show how these generic things are applying or verified
on sunxi like what other platforms does. (like README.unipher)
wouldn't be beneficial to show these details on sunxi?

thanks!

Hi,

On 13/12/17 16:35, Jagan Teki wrote:
> On Wed, Dec 13, 2017 at 9:55 PM, Andre Przywara <andre.przywara@arm.com> wrote:
>> Hi,
>>
>> On 13/12/17 16:16, Jagan Teki wrote:
>>> On Wed, Dec 13, 2017 at 9:29 PM, Quentin Schulz
>>> <quentin.schulz@free-electrons.com> wrote:
>>>> Hi Jagan,
>>>>
>>>> On 13/12/2017 07:03, Jagan Teki wrote:
>>>>> Add verified-boot documentation for sunxi a64 platform.
>>>>>
>>>>> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
>>>>> ---
>>>>> Changes for v3:
>>>>> - Create separate document file
>>>>> Changes for v2:
>>>>> - New patch
>>>>>
>>>>>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>>>  1 file changed, 193 insertions(+)
>>>>>  create mode 100644 doc/README.sunxi
>>>>>
>>>>> diff --git a/doc/README.sunxi b/doc/README.sunxi
>>>>> new file mode 100644
>>>>> index 0000000..ef4f735
>>>>> --- /dev/null
>>>>> +++ b/doc/README.sunxi
>>>>> @@ -0,0 +1,193 @@
>>>>> +#
>>>>> +# Copyright (C) 2017 Amarula Solutions
>>>>> +#
>>>>> +# SPDX-License-Identifier:   GPL-2.0+
>>>>> +#
>>>>> +
>>>>> +U-Boot on SunXi
>>>>> +==============
>>>>> +
>>>>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
>>>>> +
>>>>> +     1. Verified Boot
>>>>> +
>>>>> +1. Verified Boot
>>>>> +================
>>>>> +
>>>>> +U-Boot supports an image verification method called "Verified Boot".
>>>>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
>>>>> +You will find details documents in the doc/uImage.FIT directory.
>>>>> +
>>>>> +Here, we take Orangepi Win board for example, but it should work for any
>>>>> +other boards including 32 bit SoCs.
>>>>> +
>>>>> +1. Generate RSA key to sign
>>>>> +
>>>>> +  $ mkdir keys
>>>>> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
>>>>> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>>>>> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
>>>>> +
>>>>> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
>>>>> +but need to match to the "key-name-hint" property described below.
>>>>> +
>>>>> +2. FIT Input
>>>>> +
>>>>> +---------------------------------------->8----------------------------------------
>>>>> +/dts-v1/;
>>>>> +/ {
>>>>> +     description = "FIT image with single Linux kernel, FDT blob";
>>>>> +     #address-cells = <1>;
>>>>> +
>>>>> +     images {
>>>>> +             kernel@0 {
>>>>> +                     description = "ARM64 Linux kernel";
>>>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
>>>>> +                     type = "kernel";
>>>>> +                     arch = "arm64";
>>>>> +                     os = "linux";
>>>>> +                     compression = "gzip";
>>>>> +                     load = <0x50080000>;
>>>>> +                     entry = <0x50080000>;
>>>>> +                     hash@1 {
>>>>> +                             algo = "sha256";
>>>>> +                     };
>>>>> +             };
>>>>> +
>>>>> +             fdt@0 {
>>>>> +                     description = "Orangepi Win/Win+ Devicetree blob";
>>>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
>>>>> +                     type = "flat_dt";
>>>>> +                     arch = "arm64";
>>>>> +                     compression = "none";
>>>>> +                     hash@1 {
>>>>> +                             algo = "sha256";
>>>>> +                     };
>>>>> +             };
>>>>> +     };
>>>>> +
>>>>> +     configurations {
>>>>> +             default = "conf@0";
>>>>> +
>>>>> +             conf@0 {
>>>>> +                     description = "Boot Linux kernel, FDT blob";
>>>>> +                     kernel = "kernel@0";
>>>>> +                     fdt = "fdt@0";
>>>>> +                     signature@0 {
>>>>> +                             algo = "sha256,rsa2048";
>>>>> +                             key-name-hint = "dev";
>>>>> +                             sign-images = "kernel", "fdt";
>>>>> +                     };
>>>>> +             };
>>>>> +     };
>>>>> +};
>>>>> +---------------------------------------->8----------------------------------------
>>>>> +
>>>>> +You need to change the two '/incbin/' lines, depending on the location of
>>>>> +your kernel image and devicetree blob.  The "load" and "entry" properties also
>>>>> +need to be adjusted if you want to change the physical placement of the kernel.
>>>>> +
>>>>> +The "key-name-hint" must specify the key name you have created in the step 1.
>>>>> +
>>>>> +The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
>>>>> +
>>>>> +3. Compile U-Boot with FIT and signature enabled
>>>>> +
>>>>> +To use the Verified Boot, you need to enable the following two options:
>>>>> +  CONFIG_FIT
>>>>> +  CONFIG_FIT_SIGNATURE
>>>>> +
>>>>> +  $ make orangepi_win_defconfig
>>>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>>>>> +
>>>>> +4. FIT Output
>>>>> +
>>>>> +After building U-Boot, you will see tools/mkimage.  With this tool, you can
>>>>> +create an image tree blob as follows:
>>>>> +
>>>>> +  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
>>>>> +
>>>>> +The -k option must specify the key directory you have created in step 1.
>>>>> +
>>>>> +A file "fitImage" will be created.  This includes kernel, DTB,
>>>>> +hash data for each of the three, and signature data.
>>>>> +
>>>>> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
>>>>> +
>>>>> +5. Compile Verified U-Boot
>>>>> +
>>>>> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
>>>>> +U-Boot.
>>>>> +
>>>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
>>>>> +
>>>>> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
>>>>> +
>>>>> +6. Flash the image
>>>>> +
>>>>> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
>>>>> +board.
>>>>> +
>>>>> +7. Boot verified kernel
>>>>> +
>>>>> +Load the fitImage to memory and run the following from the U-Boot command line.
>>>>> +
>>>>> +  > bootm <addr>
>>>>> +
>>>>> +Here, <addr> is the base address of the fitImage.
>>>>> +
>>>>> +If it is successful, you will see messages like follows:
>>>>> +
>>>>> +---------------------------------------->8----------------------------------------
>>>>> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
>>>>> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
>>>>> +16321738 bytes read in 1049 ms (14.8 MiB/s)
>>>>> +=> bootm $kernel_addr_r
>>>>> +## Loading kernel from FIT Image at 40080000 ...
>>>>> +   Using 'conf@0' configuration
>>>>> +   Verifying Hash Integrity ... OK
>>>>> +   Trying 'kernel@0' kernel subimage
>>>>> +     Description:  ARM64 Linux kernel
>>>>> +     Type:         Kernel Image
>>>>> +     Compression:  gzip compressed
>>>>> +     Data Start:   0x400800e4
>>>>> +     Data Size:    6884659 Bytes = 6.6 MiB
>>>>> +     Architecture: AArch64
>>>>> +     OS:           Linux
>>>>> +     Load Address: 0x50080000
>>>>> +     Entry Point:  0x50080000
>>>>> +     Hash algo:    sha256
>>>>> +     Hash value:   6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
>>>>> +   Verifying Hash Integrity ... sha256+ OK
>>>>> +## Loading fdt from FIT Image at 40080000 ...
>>>>> +   Using 'conf@0' configuration
>>>>> +   Trying 'fdt@0' fdt subimage
>>>>> +     Description:  Orangepi Win/Win+ Devicetree blob
>>>>> +     Type:         Flat Device Tree
>>>>> +     Compression:  uncompressed
>>>>> +     Data Start:   0x40710f24
>>>>> +     Data Size:    9032 Bytes = 8.8 KiB
>>>>> +     Architecture: AArch64
>>>>> +     Hash algo:    sha256
>>>>> +     Hash value:   ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
>>>>> +   Verifying Hash Integrity ... sha256+ OK
>>>>> +   Booting using the fdt blob at 0x40710f24
>>>>> +   Uncompressing Kernel Image ... OK
>>>>> +   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
>>>>> +
>>>>> +Starting kernel ...
>>>>> +---------------------------------------->8----------------------------------------
>>>>> +
>>>>> +Please pay attention to the lines that start with "Verifying Hash Integrity".
>>>>> +
>>>>> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
>>>>> +passed.
>>>>> +
>>>>> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
>>>>> +for kernel and DTB.
>>>>> +
>>>>> +If they are not displayed, the Verified Boot is not working.
>>>>> +
>>>>> +--
>>>>> +Jagan Teki <jagan@amarulasolutions.com>
>>>>> +13 Dec 2017
>>>>>
>>>>
>>>> What's specific to sunxi boards in this README?
>>>
>>> it not board specific, it's generic sunxi platform README.
>>
>> I guess Quentin's point was that those instructions are generic to every
>> U-Boot platform. There is nothing sunxi specific in there.
>> docs/uImage.FIT is definitely the place for this doc to go.
> 
> Yeah, I understand instructions are generic for all platforms but what
> I'm trying to show how these generic things are applying or verified
> on sunxi like what other platforms does. (like README.unipher)
> wouldn't be beneficial to show these details on sunxi?

A single line like: "Verified boot like described in
doc/uImage.FIT/verified works on sunxi boards." would be sufficient for
that.

So looking closer I see that you copied and modified that part from
README.uniphier - where I consider this misplaced as well. I would
recommend to instead move that verified boot part out of that file, and
add it to doc/uImage.FIT/verified-boot.txt under an example section.
Then you can point from both the sunxi and uniphier documentation to
that generic documentation.

Duplicating the documentation definitely does not make sense to me.
If you want to spoon-feed beginners with step-by-step instructions, feel
free to add a page to the linux-sunxi wiki with all those details.

Cheers,
Andre.

On Wed, Dec 13, 2017 at 04:47:29PM +0000, Andre Przywara wrote:
> Hi,
> 
> On 13/12/17 16:35, Jagan Teki wrote:
> > On Wed, Dec 13, 2017 at 9:55 PM, Andre Przywara <andre.przywara@arm.com> wrote:
> >> Hi,
> >>
> >> On 13/12/17 16:16, Jagan Teki wrote:
> >>> On Wed, Dec 13, 2017 at 9:29 PM, Quentin Schulz
> >>> <quentin.schulz@free-electrons.com> wrote:
> >>>> Hi Jagan,
> >>>>
> >>>> On 13/12/2017 07:03, Jagan Teki wrote:
> >>>>> Add verified-boot documentation for sunxi a64 platform.
> >>>>>
> >>>>> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
> >>>>> ---
> >>>>> Changes for v3:
> >>>>> - Create separate document file
> >>>>> Changes for v2:
> >>>>> - New patch
> >>>>>
> >>>>>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>>>>  1 file changed, 193 insertions(+)
> >>>>>  create mode 100644 doc/README.sunxi
> >>>>>
> >>>>> diff --git a/doc/README.sunxi b/doc/README.sunxi
> >>>>> new file mode 100644
> >>>>> index 0000000..ef4f735
> >>>>> --- /dev/null
> >>>>> +++ b/doc/README.sunxi
> >>>>> @@ -0,0 +1,193 @@
> >>>>> +#
> >>>>> +# Copyright (C) 2017 Amarula Solutions
> >>>>> +#
> >>>>> +# SPDX-License-Identifier:   GPL-2.0+
> >>>>> +#
> >>>>> +
> >>>>> +U-Boot on SunXi
> >>>>> +==============
> >>>>> +
> >>>>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
> >>>>> +
> >>>>> +     1. Verified Boot
> >>>>> +
> >>>>> +1. Verified Boot
> >>>>> +================
> >>>>> +
> >>>>> +U-Boot supports an image verification method called "Verified Boot".
> >>>>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> >>>>> +You will find details documents in the doc/uImage.FIT directory.
> >>>>> +
> >>>>> +Here, we take Orangepi Win board for example, but it should work for any
> >>>>> +other boards including 32 bit SoCs.
> >>>>> +
> >>>>> +1. Generate RSA key to sign
> >>>>> +
> >>>>> +  $ mkdir keys
> >>>>> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
> >>>>> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> >>>>> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> >>>>> +
> >>>>> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
> >>>>> +but need to match to the "key-name-hint" property described below.
> >>>>> +
> >>>>> +2. FIT Input
> >>>>> +
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +/dts-v1/;
> >>>>> +/ {
> >>>>> +     description = "FIT image with single Linux kernel, FDT blob";
> >>>>> +     #address-cells = <1>;
> >>>>> +
> >>>>> +     images {
> >>>>> +             kernel@0 {
> >>>>> +                     description = "ARM64 Linux kernel";
> >>>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
> >>>>> +                     type = "kernel";
> >>>>> +                     arch = "arm64";
> >>>>> +                     os = "linux";
> >>>>> +                     compression = "gzip";
> >>>>> +                     load = <0x50080000>;
> >>>>> +                     entry = <0x50080000>;
> >>>>> +                     hash@1 {
> >>>>> +                             algo = "sha256";
> >>>>> +                     };
> >>>>> +             };
> >>>>> +
> >>>>> +             fdt@0 {
> >>>>> +                     description = "Orangepi Win/Win+ Devicetree blob";
> >>>>> +                     data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
> >>>>> +                     type = "flat_dt";
> >>>>> +                     arch = "arm64";
> >>>>> +                     compression = "none";
> >>>>> +                     hash@1 {
> >>>>> +                             algo = "sha256";
> >>>>> +                     };
> >>>>> +             };
> >>>>> +     };
> >>>>> +
> >>>>> +     configurations {
> >>>>> +             default = "conf@0";
> >>>>> +
> >>>>> +             conf@0 {
> >>>>> +                     description = "Boot Linux kernel, FDT blob";
> >>>>> +                     kernel = "kernel@0";
> >>>>> +                     fdt = "fdt@0";
> >>>>> +                     signature@0 {
> >>>>> +                             algo = "sha256,rsa2048";
> >>>>> +                             key-name-hint = "dev";
> >>>>> +                             sign-images = "kernel", "fdt";
> >>>>> +                     };
> >>>>> +             };
> >>>>> +     };
> >>>>> +};
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +
> >>>>> +You need to change the two '/incbin/' lines, depending on the location of
> >>>>> +your kernel image and devicetree blob.  The "load" and "entry" properties also
> >>>>> +need to be adjusted if you want to change the physical placement of the kernel.
> >>>>> +
> >>>>> +The "key-name-hint" must specify the key name you have created in the step 1.
> >>>>> +
> >>>>> +The FIT file name is arbitrary.  Let's say you saved it into "fit.its".
> >>>>> +
> >>>>> +3. Compile U-Boot with FIT and signature enabled
> >>>>> +
> >>>>> +To use the Verified Boot, you need to enable the following two options:
> >>>>> +  CONFIG_FIT
> >>>>> +  CONFIG_FIT_SIGNATURE
> >>>>> +
> >>>>> +  $ make orangepi_win_defconfig
> >>>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
> >>>>> +
> >>>>> +4. FIT Output
> >>>>> +
> >>>>> +After building U-Boot, you will see tools/mkimage.  With this tool, you can
> >>>>> +create an image tree blob as follows:
> >>>>> +
> >>>>> +  $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
> >>>>> +
> >>>>> +The -k option must specify the key directory you have created in step 1.
> >>>>> +
> >>>>> +A file "fitImage" will be created.  This includes kernel, DTB,
> >>>>> +hash data for each of the three, and signature data.
> >>>>> +
> >>>>> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
> >>>>> +
> >>>>> +5. Compile Verified U-Boot
> >>>>> +
> >>>>> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
> >>>>> +U-Boot.
> >>>>> +
> >>>>> +  $ make CROSS_COMPILE=aarch64-linux-gnu-
> >>>>> +
> >>>>> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
> >>>>> +
> >>>>> +6. Flash the image
> >>>>> +
> >>>>> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
> >>>>> +board.
> >>>>> +
> >>>>> +7. Boot verified kernel
> >>>>> +
> >>>>> +Load the fitImage to memory and run the following from the U-Boot command line.
> >>>>> +
> >>>>> +  > bootm <addr>
> >>>>> +
> >>>>> +Here, <addr> is the base address of the fitImage.
> >>>>> +
> >>>>> +If it is successful, you will see messages like follows:
> >>>>> +
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
> >>>>> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
> >>>>> +16321738 bytes read in 1049 ms (14.8 MiB/s)
> >>>>> +=> bootm $kernel_addr_r
> >>>>> +## Loading kernel from FIT Image at 40080000 ...
> >>>>> +   Using 'conf@0' configuration
> >>>>> +   Verifying Hash Integrity ... OK
> >>>>> +   Trying 'kernel@0' kernel subimage
> >>>>> +     Description:  ARM64 Linux kernel
> >>>>> +     Type:         Kernel Image
> >>>>> +     Compression:  gzip compressed
> >>>>> +     Data Start:   0x400800e4
> >>>>> +     Data Size:    6884659 Bytes = 6.6 MiB
> >>>>> +     Architecture: AArch64
> >>>>> +     OS:           Linux
> >>>>> +     Load Address: 0x50080000
> >>>>> +     Entry Point:  0x50080000
> >>>>> +     Hash algo:    sha256
> >>>>> +     Hash value:   6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
> >>>>> +   Verifying Hash Integrity ... sha256+ OK
> >>>>> +## Loading fdt from FIT Image at 40080000 ...
> >>>>> +   Using 'conf@0' configuration
> >>>>> +   Trying 'fdt@0' fdt subimage
> >>>>> +     Description:  Orangepi Win/Win+ Devicetree blob
> >>>>> +     Type:         Flat Device Tree
> >>>>> +     Compression:  uncompressed
> >>>>> +     Data Start:   0x40710f24
> >>>>> +     Data Size:    9032 Bytes = 8.8 KiB
> >>>>> +     Architecture: AArch64
> >>>>> +     Hash algo:    sha256
> >>>>> +     Hash value:   ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
> >>>>> +   Verifying Hash Integrity ... sha256+ OK
> >>>>> +   Booting using the fdt blob at 0x40710f24
> >>>>> +   Uncompressing Kernel Image ... OK
> >>>>> +   Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
> >>>>> +
> >>>>> +Starting kernel ...
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +
> >>>>> +Please pay attention to the lines that start with "Verifying Hash Integrity".
> >>>>> +
> >>>>> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
> >>>>> +passed.
> >>>>> +
> >>>>> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
> >>>>> +for kernel and DTB.
> >>>>> +
> >>>>> +If they are not displayed, the Verified Boot is not working.
> >>>>> +
> >>>>> +--
> >>>>> +Jagan Teki <jagan@amarulasolutions.com>
> >>>>> +13 Dec 2017
> >>>>>
> >>>>
> >>>> What's specific to sunxi boards in this README?
> >>>
> >>> it not board specific, it's generic sunxi platform README.
> >>
> >> I guess Quentin's point was that those instructions are generic to every
> >> U-Boot platform. There is nothing sunxi specific in there.
> >> docs/uImage.FIT is definitely the place for this doc to go.
> > 
> > Yeah, I understand instructions are generic for all platforms but what
> > I'm trying to show how these generic things are applying or verified
> > on sunxi like what other platforms does. (like README.unipher)
> > wouldn't be beneficial to show these details on sunxi?
> 
> A single line like: "Verified boot like described in
> doc/uImage.FIT/verified works on sunxi boards." would be sufficient for
> that.
> 
> So looking closer I see that you copied and modified that part from
> README.uniphier - where I consider this misplaced as well. I would
> recommend to instead move that verified boot part out of that file, and
> add it to doc/uImage.FIT/verified-boot.txt under an example section.
> Then you can point from both the sunxi and uniphier documentation to
> that generic documentation.
> 
> Duplicating the documentation definitely does not make sense to me.
> If you want to spoon-feed beginners with step-by-step instructions, feel
> free to add a page to the linux-sunxi wiki with all those details.

Agreed, thanks Andre!

On Wed, Dec 13, 2017 at 09:41:35PM +0530, Jagan Teki wrote:
> On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard
> <maxime.ripard@free-electrons.com> wrote:
> > Hi,
> >
> > On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote:
> >> Add verified-boot documentation for sunxi a64 platform.
> >>
> >> Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
> >> ---
> >> Changes for v3:
> >> - Create separate document file
> >> Changes for v2:
> >> - New patch
> >>
> >>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>  1 file changed, 193 insertions(+)
> >>  create mode 100644 doc/README.sunxi
> >>
> >> diff --git a/doc/README.sunxi b/doc/README.sunxi
> >> new file mode 100644
> >> index 0000000..ef4f735
> >> --- /dev/null
> >> +++ b/doc/README.sunxi
> >> @@ -0,0 +1,193 @@
> >> +#
> >> +# Copyright (C) 2017 Amarula Solutions
> >> +#
> >> +# SPDX-License-Identifier:   GPL-2.0+
> >> +#
> >> +
> >> +U-Boot on SunXi
> >> +==============
> >> +
> >> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
> >> +
> >> +     1. Verified Boot
> >> +
> >> +1. Verified Boot
> >> +================
> >> +
> >> +U-Boot supports an image verification method called "Verified Boot".
> >> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> >> +You will find details documents in the doc/uImage.FIT directory.
> >> +
> >> +Here, we take Orangepi Win board for example, but it should work for any
> >> +other boards including 32 bit SoCs.
> >> +
> >> +1. Generate RSA key to sign
> >> +
> >> +  $ mkdir keys
> >> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
> >> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> >> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> >> +
> >> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
> >> +but need to match to the "key-name-hint" property described below.
> >
> > I really think that the very first thing you must talk about in that
> > documentation is that it will not protect the SPL itself and that this
> > is not a secure setup.
> 
> Based on my experience with U-boot, verified-boot here doesn't relate
> to protect SPL or U-Boot. it's generally for kernel and followed
> stages. I don't think we can think here too-much. some reference
> doc/README.uniphier

Except that when you read verified boot, it also comes with the
assumption that you're actually protected against something.

In this particular case, you're protected against exactly
nothing. Anyone could come up, replace the bootloader to remove the
signature check, and you're doomed. It's trivial to do, and you're not
mentionning it anywhere.

Maxime