https://wiki.dh-electronics.com/api.php?action=feedcontributions&feedformat=atom&user=DkiernerWiki-DB - User contributions [en]2026-04-27T19:41:57ZUser contributionsMediaWiki 1.45.3https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3658DHCOM STM32MP15 Secure Boot2022-03-22T12:24:39Z<p>Dkierner: Undo revision 3657 by Dkierner (talk)</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
* swig<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<br />
==== Add STM32CubeProrammer binaries to user environment ====<br />
<syntaxhighlight lang="shell"><br />
export PATH=${PATH}:~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin<br />
</syntaxhighlight><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_stm32mp1_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without errors, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> per TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3657DHCOM STM32MP15 Secure Boot2022-03-22T12:01:40Z<p>Dkierner: Add separate out directory for the STM32_MP_SigningTool_CLI instruction /* Sign U-Boot SPL with STM32MP_SigningTool_CLI */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
* swig<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<br />
==== Add STM32CubeProrammer binaries to user environment ====<br />
<syntaxhighlight lang="shell"><br />
export PATH=${PATH}:~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin<br />
</syntaxhighlight><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_stm32mp1_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without errors, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
mkdir out<br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output out/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> per TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3656DHCOM STM32MP15 Secure Boot2022-03-22T11:55:09Z<p>Dkierner: Add instruction for adding the STM32CubeProgrammer tools to the user PATH-variable /* Tutorial: Secure boot from BootROM to Linux with basic boot */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
* swig<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<br />
==== Add STM32CubeProrammer binaries to user environment ====<br />
<syntaxhighlight lang="shell"><br />
export PATH=${PATH}:~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin<br />
</syntaxhighlight><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_stm32mp1_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without errors, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> per TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3655DHCOM STM32MP15 Secure Boot2022-03-22T11:20:39Z<p>Dkierner: Fix plural in /* Run the build script build_signed_uboot.sh */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
* swig<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_stm32mp1_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without errors, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> per TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3654DHCOM STM32MP15 Secure Boot2022-03-22T11:18:37Z<p>Dkierner: Add swig to required debian packages /* System requirements and needed tools */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
* swig<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_stm32mp1_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> per TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3653DHCOM STM32MP15 Secure Boot2022-03-22T11:12:33Z<p>Dkierner: Fix branch name in "git clone" command /* Checkout source code for Verified Boot */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_stm32mp1_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> per TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3652DHCOM STM32MP15 Secure Boot2022-03-22T10:52:45Z<p>Dkierner: Fix prepositions in /* Program publicKeyhash.bin into OTP with stm32key command */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> per TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3651DHCOM STM32MP15 Secure Boot2022-03-22T10:49:47Z<p>Dkierner: Fix plural of SoC /* Write U-Boot SPL and U-Boot to your boot media */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoCs.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3650DHCOM STM32MP15 Secure Boot2022-03-22T10:39:45Z<p>Dkierner: Replace example password with a reminder to use a secure password /* Sign U-Boot SPL with STM32MP_SigningTool_CLI */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password <a secure password> --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3649DHCOM STM32MP15 Secure Boot2022-03-22T10:36:11Z<p>Dkierner: Replace example password with a reminder to use a secure password /* Generate key pair with STM32MP_KeyGen_CLI */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password <a secure password><br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3648DHCOM STM32MP15 Secure Boot2022-03-22T10:31:47Z<p>Dkierner: Reword /* Generate key pair with STM32MP_KeyGen_CLI */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoCs only support one key pair for authenticating images through the BootROM.<br />
To generate a ECDSA key pair for the STM32MP Secure Boot use the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" />:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3647DHCOM STM32MP15 Secure Boot2022-03-22T10:23:27Z<p>Dkierner: Fix contact info /* Run the build script build_signed_uboot.sh */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with [mailto:info@dh-electronics.com us] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3646DHCOM STM32MP15 Secure Boot2022-03-22T10:19:12Z<p>Dkierner: Fix preposition in /* Checkout source code for Verified Boot */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> in my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3645DHCOM STM32MP15 Secure Boot2022-03-22T10:04:59Z<p>Dkierner: Correct full stop to colon in: /* Run the build script build_signed_uboot.sh */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> of my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix:<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3644DHCOM STM32MP15 Secure Boot2022-03-22T09:53:35Z<p>Dkierner: Fix links to /* Verified Boot */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#Verified Boot|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> of my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix.<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3643DHCOM STM32MP15 Secure Boot2022-03-22T09:34:20Z<p>Dkierner: Shorten title of /* What does Secure Boot mean? */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== Secure Boot ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#What is meant by Verified Boot?|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#What is meant by Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> of my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix.<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3642DHCOM STM32MP15 Secure Boot2022-03-22T09:29:14Z<p>Dkierner: Improve wording of /* What is meant by Verified Boot? */ including title</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== What does Secure Boot mean? ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#What is meant by Verified Boot?|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#What is meant by Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== Verified Boot ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes care the signature creation for the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> of my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix.<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3641DHCOM STM32MP15 Secure Boot2022-03-22T09:08:52Z<p>Dkierner: Add TF-A and OP-TEE to section /* Abbreviations */</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| OP-TEE || Open Portable Trusted Execution Environment<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|-<br />
| TF-A || Trusted Firmware A<br />
|}<br />
<br />
=== What does Secure Boot mean? ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#What is meant by Verified Boot?|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#What is meant by Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== What is meant by Verified Boot? ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes over the creation of the signatures in the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with the included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> of my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix.<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3640DHCOM STM32MP15 Secure Boot2022-03-22T09:06:33Z<p>Dkierner: Improve wording and correct grammar issue in section /* What is meant by Secure Boot with basic/trusted boot? */ including headline</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|}<br />
<br />
=== What does Secure Boot mean? ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== Basic and trusted boot in the context of Secure Boot ===<br />
<br />
When booting Linux on the STM32MP1 SoC with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#What is meant by Verified Boot?|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#What is meant by Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== What is meant by Verified Boot? ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes over the creation of the signatures in the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with the included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> of my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix.<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkiernerhttps://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot&diff=3639DHCOM STM32MP15 Secure Boot2022-03-22T09:00:50Z<p>Dkierner: Improve wording of section "What is meant by Secure Boot?" including headline</p>
<hr />
<div><!--<br />
https://wiki.dh-electronics.com/index.php?title=DHCOM_STM32MP15_Secure_Boot<br />
--><br />
<br />
<!--http://automaten-karl.de/blog/?p=74--><br />
<!--https://www.mediawiki.org/wiki/Template:TOC--><br />
<!--https://www.mediawiki.org/wiki/Manual:$wgAllowUserCss--><br />
<!--https://www.mediawiki.org/wiki/Manual:CSS--><br />
<div class="toclimit-3">__TOC__</div><br />
<br />
== Introduction ==<br />
<br />
=== Abbreviations ===<br />
<!--TODO: Check for non listed/used abbreviation--><br />
{| class="wikitable sortable"<br />
|-<br />
! Abbreviation !! Description<br />
|-<br />
| BSI || Bundesamt für Sicherheit in der Informationstechnik<br />
|-<br />
| CoM || Computer on module<br />
|-<br />
| FIT || Flattened Image Tree<br />
|-<br />
| FSBL || Fist Stage Bootloader (TF-A or U-Boot SPL)<br />
|-<br />
| OTP || One Time Programmable (eFuses)<br />
|-<br />
| PKH || Public Key Hash<br />
|-<br />
| ROM || Read-Only Memory<br />
|-<br />
| RSA || Rivest, Shamir und Adleman (asynchronous encryption)<br />
|-<br />
| SHA || Secure Hash Algorithm<br />
|-<br />
| SoC || System on chip<br />
|-<br />
| SoM || System on module<br />
|-<br />
| SSBL || Second Stage Bootloader (U-Boot)<br />
|}<br />
<br />
=== What does Secure Boot mean? ===<br />
<br />
The term Secure Boot originally comes from the UEFI specification<ref name="UEFI specification" /> and describes a secure boot process in which only signed software is loaded and executed during the boot process.<br />
<br />
Secure Boot is a necessary cornerstone for enforcing security mechanisms in a trusted computing environment.<br />
Enforcing the execution of signed software only during the boot process, as long as the chain of trust is secure, can guarantee that said software is free from tampering, as any manipulation will invalidate the software's signature and prevent the software from being executed.<br />
<br />
[[File:Secure Boot Generic en.png|600px|Secure Boot Generic]]<br />
<br />
The figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]] shows an example of a secure boot process that leads to a reset in the event of an error in the signature check. Each stage uses the certificate and signature to check the origin and integrity of the next stage. On success, the next stage is executed, and in the event of an error, this always leads to a defined error state. In the simplest case, the certificates are integrated into the binary image of the previous stage.<br />
<br />
Program code and certificate need to be trustworthy and therefore protected against tampering in each stage, otherwise the secure boot chain can be compromised. Except for the first stage, all binary images are protected against third-party tampering by the signature. As this is practically impossible for the first stage, manipulation protection has to be enforced by hardware measures to make said stage immutable, with the first stage's program code and the verification certificate for the second stage being stored in read-only memory (ROM).<br />
<br />
=== What is meant by Secure Boot with basic/trusted boot? ===<br />
<br />
When booting Linux on the STM32MP1 SoC's with U-Boot SPL and U-Boot only, STM speaks of "Basic Boot"<ref name="Basic Boot" />.<br />
However, if Linux is booted with a combination of TF-A, U-Boot and OP-TEE, STM refers to this as "Trusted Boot"<ref name="Trusted Boot" />.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Boot chain !! Description<br />
|-<br />
| Basic boot || BootROM -> U-Boot SPL -> U-Boot -> Linux<br />
|-<br />
| Trusted boot || BootROM -> TF-A -> U-Boot + OP-TEE -> Linux<br />
|}<br />
<br />
== Secure Boot in Basic Boot with BootROM authentication and Verified Boot ==<br />
<br />
This Secure Boot implementation does use the the BootROM integrated image authentication to authenticate the U-Boot SPL as FSBL.<br />
Authentication of U-Boot as SSBL by the U-Boot SPL and authentication of the Linux kernel, Device Tree and ramdisk by U-Boot is done using the open source implementation [[#What is meant by Verified Boot?|Verified Boot]].<br />
<!--The authentication of U-Boot as an SSBL image and the Linux kernel, Device Tree and ramdisk is done by the open source [[#What is meant by Verified Boot?|Verified Boot]] implementation of U-Boot itself.--><br />
This also means that everything from U-Boot SPL onwards is platform independent, as we do not rely on hardware specific implementations.<br />
<br />
=== What is meant by Verified Boot? ===<br />
<br />
Developers of Google's Chromium project worked out a concept for the Verified Boot called Secure Boot mechanism on the basis of the boot loader "Das U-Boot".<br />
They use the existing infrastructure of the FIT images and for the system configuration at runtime via a Device Tree.<br />
The description language for the FIT images was extended by an additional signature node and the Device Tree of the platform was used to store the certificate(s) for the authentication of the images.<br />
The signature node can be used to sign individual subimages as well as combinations of individual subimages in the FIT image.<br />
The tool <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> takes over the creation of the signatures in the FIT images and the addition of the certificate in a Device Tree.<br />
<br />
With Verified Boot, the Device Tree with the included public key is integrated into the program image of the stage, which accomplishes the authentication and is thus very similar to the general procedure shown in figure [[Media:Secure Boot Generic en.png|Secure Boot Generic]].<br />
The number of public keys that can be integrated is theoretically unlimited, but they must be distinguishable by name.<br />
<br />
==== Technical details of Verified Boot ====<br />
<br />
{| class="wikitable"<br />
|-<br />
| '''Name'''<br />
| Verified Boot<br />
|-<br />
| '''Implementierung'''<br />
| Software (Open Source)<br />
|-<br />
| '''Hash algorithms'''<br />
|<br />
* SHA1 (deprecated)<ref name="BSI TR-02102" /><br />
* SHA256<br />
* SHA384<br />
* SHA512<br />
|-<br />
| '''Crypto algorithms<br />
|<br />
* RSA2048 (deprecated as of 2024)<ref name="BSI TR-02102" /><br />
* RSA4096<br />
<!--TODO: Mention ECDSA limitations--><br />
* ECDSA256 (currently limited to U-Boot SPL)<br />
|-<br />
| '''Number of key pairs'''<br />
| unlimited<br />
|-<br />
|}<br />
<br />
==== In-depth references for Verified Boot ====<br />
<!--TODO: Use <references group="XYZ"><ref group="A" name="O">ABCDEF</ref></references>--><br />
<br />
===== Flatten Image Tree =====<br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT U-Boot Documentation: doc/uImage.FIT]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/d5934ad7 U-Boot Commit d5934ad7: "new uImage: Add dual format uImage support framework"]<br />
* ...<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3310c549 U-Boot Commit d5934ad7: "new uImage: Add new uImage format documentation and examples"]<br />
<br />
===== Verified Boot =====<br />
<!--<references group="Verified Boot">--><br />
* [https://source.denx.de/u-boot/u-boot/tree/master/doc/uImage.FIT/signature.txt U-Boot Documentation: doc/uImage.FIT/signature.txt]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/3e569a6b U-Boot Commit 3e569a6b: "image: Add signing infrastructure"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/56518e71 U-Boot Commit 56518e71: "image: Support signing of images"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/4d098529 U-Boot Commit 4d098529: "image: Add support for signing of FIT configurations"]<br />
<br />
===== ECDSA signature verification =====<br />
<br />
<div style="color:red">TODO: Mention ECDSA limitations</div><br />
Note: This has currently some limitations!<br />
<br />
<!--<references group="Verified Boot ECDSA">--><br />
* [https://source.denx.de/u-boot/u-boot/-/commit/928a8be7 U-Boot Commit 928a8be7: "lib: ecdsa: Implement UCLASS_ECDSA verification on target"]<br />
* [https://source.denx.de/u-boot/u-boot/-/commit/ee870859 U-Boot Commit ee870859: "arm: stm32mp1: Implement ECDSA signature verification"]<br />
<br />
=== Tutorial: Secure boot from BootROM to Linux with basic boot ===<br />
<br />
==== System requirements and needed tools ====<br />
<br />
The following table lists all requirements to create the key pairs and build the signed images with embedded public keys.<br />
<br />
{| class="wikitable"<br />
|-<br />
! Category !! Description<br />
|-<br />
| '''Host operating system''' ||<br />
* Linux (Debian 9, Ubuntu 18.04 or higher prefered)<br />
|-<br />
| '''Debian packages''' ||<br />
* bison<br />
* device-tree-compiler<br />
* flex<br />
* gcc-arm-linux-gnueabihf (>= gcc 6)<br />
* git<br />
* make<br />
* openssl<br />
|-<br />
| '''STM32 Tools''' ||<br />
* [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer]<br />
** STM32MP_KeyGen_CLI<br />
** STM32MP_SigningTool_CLI<br />
|}<br />
<br />
<div style="color:red">TODO: Should we give host setup instructions?</div><br />
<!--<br />
'''Install debian packages:'''<br />
<syntaxhighlight lang="shell"><br />
sudo apt-get install bison device-tree-compiler flex gcc-arm-linux-gnueabihf git make openssl<br />
</syntaxhighlight><br />
<br />
'''Download and install STM32CubeProgrammer:''' [https://www.st.com/en/development-tools/stm32cubeprog.html STM32CubeProgrammer].<br />
--><br />
<br />
==== Intended use of the four generated key pairs ====<br />
<br />
We've decided to create and use as few certificates as reasonable to ensure a high level of security.<br />
Therefore, we chose a separate key pair for each boot stage and also a separate key pair for image and configuration nodes.<br />
If you're confused about the difference between image and configuration nodes, head over to [[#Flatten Image Tree|Flatten Image Tree]] to refresh your knowledge.<br />
The exact purpose of the four key pairs generated for Verified Boot is described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File name !! Intended use<br />
|-<br />
| '''fsbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot SPL (U-Boot, Device Tree, firmware)<br />
|-<br />
| '''fsbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot SPL (U-Boot + Device Tree + firmware)<br />
|-<br />
| '''ssbl-img''' || Authenticate image nodes of FIT images loaded by U-Boot (Kernel, Device Tree, InitRamFS)<br />
|-<br />
| '''ssbl-cfg''' || Authenticate config nodes of FIT images loaded by U-Boot (Kernel + Device Tree + InitRamFS)<br />
|-<br />
|}<br />
<br />
==== Created/Modified files in the U-Boot source for Verified Boot ====<br />
<br />
The created or modified files to build U-Boot with Verified Boot on STM32MP15 are described in the following table.<br />
<br />
{| class="wikitable"<br />
|-<br />
! File<br />
! Description<br />
|-<br />
| build_signed_uboot.sh<br />
| Shell script that automates the creation of key pairs, the modification of FIT source files and Device Tree's and building of U-Boot SPL and U-Boot.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/u-boot-dhco?.its<br />
| FIT source files with defined U-Boot image and Device Tree's for DHSOM platforms.<br />
|-<br />
| board/dhelectronics/dh_stm32mp1/linux-dhcom.its<br />
| Dummy FIT source file with defined dummy kernel image and dummy Device Tree for DHSOM platforms.<br>To avoid relying on a built kernel image on a fixed path, we created this dummy, since adding the public keys with <syntaxhighlight lang="shell" inline>mkimage</syntaxhighlight> requires a valid FIT source file.<br />
|-<br />
| configs/stm32mp15_dhco?_secure_defconfig<br />
| Example U-Boot defconfig's with enabled <syntaxhighlight lang="shell" inline>CONFIG_FIT_SIGNATURE</syntaxhighlight> and <syntaxhighlight lang="shell" inline>CONFIG_SPL_FIT_SIGNATURE</syntaxhighlight>.<br />
|}<br />
<br />
==== Build Verified Boot enabled U-Boot SPL and U-Boot ====<br />
<br />
To build the U-Boot SPL and U-Boot images, you need to check out the source code and run a build script that automates everything from key generation to image creation and signing.<br />
<br />
===== Checkout source code for Verified Boot =====<br />
<br />
<div style="color:red">TODO: Replace my personal GitLab by a public available repository</div><br />
Checkout the branch <syntaxhighlight lang="shell" inline>v2022.01_dhcom_secure_boot</syntaxhighlight> of my personal GitLab repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
git clone git@dhplgl01:jneuhauser/u-boot.git -b v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
If you already have a cloned U-Boot source code, you can also fetch it into your existing repository with:<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
git remote add jneuhauser git@dhplgl01:jneuhauser/u-boot.git<br />
git fetch jneuhauser<br />
git checkout v2022.01_dhcom_secure_boot<br />
</syntaxhighlight><br />
<br />
===== Run the build script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> =====<br />
<br />
The shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> included in the U-Boot source performs the following steps.<br />
# Prebuild U-Boat SPL and U-Boat to build the required tools and Device Tree's<br />
# Generate the [[#Intended use of the four generated key pairs|four key pairs]] if not already created<br />
# Generate/Modify FIT image source files for Linux (dummy) and U-Boot<br />
# Add public keys to the built Device Tree's used by U-Boot SPL and U-Boot<br />
# Rebuild U-Boot SPL and U-Boot with new Device Tree's containing the public keys<br />
<br />
<br />
The script supports the following environment variables to configure the target architecture, the cross compiler, the defconfig, the key algorithm, the key directory, and a key postfix.<br />
{| class="wikitable sortable"<br />
|-<br />
! Name !! Description !! Default<br />
|-<br />
| ARCH || Target architecture for the U-Boot build || arm<br />
|-<br />
| CROSS_COMPILE || Used cross compiler to build U-Boot || arm-linux-gnueabihf-<br />
|-<br />
| DEFCONFIG || Used defconfig for the U-Boot build || stm32mp15_dhcom_secure_defconfig<br />
|-<br />
| KEY_ALGO || Signature algorithm used for Verified Boot || rsa<br />
|-<br />
| KEY_DIR || Directory where the key pairs are stored || ../keys<br />
|-<br />
| KEY_POSTFIX || Postfix which is appended to the key names || -$(date +%F)<br />
|}<br />
<br />
To perform the steps mentioned above, you just need to run the shell script <syntaxhighlight lang="shell" inline>build_signed_uboot.sh</syntaxhighlight> like below.<br />
In this example, we override the default value for <syntaxhighlight lang="shell" inline>KEY_POSTFIX</syntaxhighlight> with <syntaxhighlight lang="shell" inline>-testing</syntaxhighlight> to append this string to the [[#Intended use of the four generated key pairs|four key file names]].<br />
The script has debug output enabled by default, which should output all the statements in the script itself and the output of the commands used in the script.<br />
If you have any problems with the script, feel free to get in touch with the script author [mailto:jneuhauser@dh-electronics.com Johann Neuhauser] and attach a logfile.<br />
<br />
<syntaxhighlight lang="shell"><br />
cd /path/to/u-boot<br />
KEY_POSTFIX="-testing" ./build_signed_uboot.sh | tee build_signed_uboot.log<br />
</syntaxhighlight><br />
<br />
If this process completes without error, there are two boot loader images in the root directory of the U-Boot source.<br />
{| class="wikitable sortable"<br />
|-<br />
! File name !! Stage !! Description<br />
|-<br />
| u-boot-spl.stm32 || FSBL || U-Boot SPL binary with appended Device Tree and prepended STM32 image header<ref name="STM32 image header" />.<br />
|-<br />
| u-boot.itb || SSBL || U-Boot and Device Tree's contained in a signed FIT image.<br />
|}<br />
<br />
==== Generate key pair and sign U-Boot SPL for BootROM authentication ====<br />
<br />
To sign the U-Boot SPL as SSBL image for authentication with the BootROM we have to use the STM32 tools <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> and <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight>.<br />
<br />
===== Generate key pair with <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight> =====<br />
<br />
All STM32MP15 SoC's only support one key pair for authenticating images through the BootROM.<br />
To generate ECDSA key pairs for the STM32MP Secure Boot we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_KeyGen_CLI</syntaxhighlight><ref name="KeyGen_tool" /> to generate a single key pair.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_KeyGen_CLI --absolute-path "$(pwd)" --password 12345678<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Key Generator v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
AES_256_cbc algorithm is selected for private key encryption<br />
Generating Prime256v1 keys... <br />
Private key PEM file created <br />
Public key PEM file created <br />
public key hash file created <br />
Keys generated successfully.<br />
+ public key: publicKey.pem<br />
+ private key: privateKey.pem<br />
+ public hash key: publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
===== Sign U-Boot SPL with <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight> =====<br />
<br />
To add the public key and the image signature to our built U-Boot SPL binary with STM32 image header, we are using the tool <syntaxhighlight lang="shell" inline>STM32MP_SigningTool_CLI</syntaxhighlight><ref name="Signing_tool" /> to update the existing STM32 image header of <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> with the required details.<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --binary-image /path/to/u-boot/u-boot-spl.stm32 --public-key publicKey.pem --private-key privateKey.pem --password 12345678 --output /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
Prime256v1 curve is selected. <br />
Header version 1 preparation ... <br />
Reading Private Key File... <br />
ECDSA signature generated.<br />
Signature verification: SUCCESS <br />
The Signed image file generated successfully: /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<br />
You can check the STM32 image header details with:<br />
<syntaxhighlight lang="shell"><br />
STM32MP_SigningTool_CLI --dump-header /path/to/u-boot/u-boot-spl.stm32<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
-------------------------------------------------------------------<br />
STM32MP Signing Tool v2.9.0 <br />
-------------------------------------------------------------------<br />
<br />
<br />
Header description:<br />
<br />
Magic: 0x53544d32<br />
Signature: c8 30 a0 62 2d 6d 4e 1b b9 f7 fe 38 27 65 e0 44 f0 f5 9d e6 8a a6 02 cb 74 52 26 9c 1e e9 07 17 <br />
1a c7 da 8e 96 fa 82 d3 b1 dc d5 3a 05 0e 87 83 94 4d 47 ad 17 07 88 0d b5 ae 2e 38 1d 90 22 ad <br />
Checksum: 0xa8ca85<br />
Header version: 0x10000<br />
Size: 0x22dec<br />
Load address: 0x2ffc2500<br />
Entry point: 0x2ffc2500<br />
Image version: 0x0<br />
Option flags: 0x0<br />
ECDSA Algo: 0x1<br />
ECDSA pub key: 3b 71 8e 59 f1 ee 4c a8 4b 72 5f 4a 1c 63 8b 6e b8 01 ec 1a 3f 8c 98 2f d2 1d 77 f9 09 10 8f 04 <br />
30 da 5c 3a 24 53 0d 71 93 f0 a5 d9 c9 a7 27 b4 5f a5 c4 4d 55 8b 7a 25 e3 03 ef ca 87 ff 04 25 <br />
Binary type: 0x0<br />
</syntaxhighlight><br />
The difference to an unsigned STM32 image header is that the values for "Signature" and "ECDSA pub key" are not all zeros and that "Option flags" is 0x0 for enabled signature verification instead of 0x1 for disabled signature verification.<br />
<br />
==== Write U-Boot SPL and U-Boot to your boot media ====<br />
<br />
The first step to verify that the built U-Boot SPL and U-Boot works as expected is to program both images to your boot media.<br />
Depending on the boot configuration, your DHSOM will boot from the module's SPI-NOR flash, from the module's or baseboard's eMMC or from an SD card.<br />
The boot configuration is always defined by the boot pins by default, because the boot pins have no alternative function on the STM32MP15 SoC's.<br />
<br />
<div style="color:red">TODO: How can a user determine the used boot media?</div><br />
<div style="color:red">TODO: How to enforce boot media on Secure Boot enabled devices?</div><br />
<br />
===== Write U-Boot SPL and U-Boot to the SPI-NOR flash of the SoM =====<br />
<br />
The following '''commands for the U-Boot Shell''' calculate some addresses based on the image offsets expected by the BootROM, load the required images from SD card or via TFTP into memory and finally write the prepared memory into the SPI-NOR flash on the SoM.<br />
<br />
Prepare for loading <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> into memory:<br />
<syntaxhighlight lang="shell"><br />
mw.b ${loadaddr} 0xff 0x200000<br />
setexpr fsbl1addr ${loadaddr} + 0x0<br />
setexpr fsbl2addr ${loadaddr} + 0x40000<br />
setexpr ssbl1addr ${loadaddr} + 0x80000<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${fsbl1addr} u-boot-spl.stm32<br />
load mmc 0:4 ${fsbl2addr} u-boot-spl.stm32<br />
load mmc 0:4 ${ssbl1addr} u-boot.itb<br />
</syntaxhighlight><br />
<br />
Load <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> from tftp server:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${fsbl1addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${fsbl2addr} ${serverip}:u-boot-spl.stm32<br />
tftp ${ssbl1addr} ${serverip}:u-boot.itb<br />
</syntaxhighlight><br />
<br />
Check for magic numbers of expected image headers and conditionally program the SPI-NOR flash:<br />
<syntaxhighlight lang="shell"><br />
if itest *${fsbl1addr} == 0x324d5453 && itest *${fsbl2addr} == 0x324d5453 && itest *${ssbl1addr} == 0xedfe0dd0; then<br />
sf probe && sf update ${loadaddr} 0 0x200000<br />
fi<br />
</syntaxhighlight><br />
<br />
===== Write U-Boot SPL and U-Boot to an SD card =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Make on module SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 0<br />
</syntaxhighlight><br />
<br />
Make on baseboard SD card of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 2<br />
</syntaxhighlight><br />
--><br />
<br />
===== Write U-Boot SPL and U-Boot to the eMMC =====<br />
<br />
<div style="color:red">TODO:</div><br />
<!--<br />
Write <syntaxhighlight lang="shell" inline>u-boot-spl.stm32</syntaxhighlight> and <syntaxhighlight lang="shell" inline>u-boot.itb</syntaxhighlight> to eMMC boot hardware partition:<br />
<syntaxhighlight lang="shell"><br />
mmc dev 1 1<br />
mmc write X X X<br />
</syntaxhighlight><br />
<br />
Make eMMC of STM32MP15xx on PDK2 with cmd "ums" available per USB-OTG-Port:<br />
<syntaxhighlight lang="shell"><br />
usb start<br />
ums 0 mmc 1<br />
</syntaxhighlight><br />
--><br />
<br />
==== Enroll, test and enforce BootROM image authentication ====<br />
<br />
To enroll, test and enforce image authentication by the BootROM you need to program the PKH into the OTP of the STM32MP15 SoC.<br />
The <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> file that you created in the [[#Generate key pair with STM32MP_KeyGen_CLI|Generate key pair with STM32MP_KeyGen_CLI]] step contains the PKH in binary format for use with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> U-Boot command.<br />
If the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command does fail or is not available on the target U-Boot, you can also write the PKH manually with the more generic <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command into the OTP.<br />
<br />
===== Program public key hash to eFuses =====<br />
<br />
The following '''commands for the U-Boot Shell''' load the file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into memory and program the contained PKH to the OTP of the STM32MP15 SoC.<br />
The used command <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> writes and locks the words of the OTP automatically without knowing anything about the OTP layout/addresses.<br />
If this fails or the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command is not available, you can also write and lock the OTP with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command <br />
<br />
====== Program <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> into OTP with <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command ====== <br />
<br />
Load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by SD card:<br />
<syntaxhighlight lang="shell"><br />
load mmc 0:4 ${loadaddr} publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Or load <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> by TFTP:<br />
<syntaxhighlight lang="shell"><br />
setenv serverip 10.20.30.1<br />
setenv ipaddr 10.20.30.100<br />
setenv netmask 255.255.255.0<br />
tftp ${loadaddr} ${serverip}:publicKeyhash.bin<br />
</syntaxhighlight><br />
<br />
Show the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight>:<br />
<syntaxhighlight lang="shell"><br />
stm32key read ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
Read KEY at 0xc2000000<br />
OTP value 24: 4e31bbcd<br />
OTP value 25: 51e827dd<br />
OTP value 26: 3511f521<br />
OTP value 27: fd9c11a2<br />
OTP value 28: 5b997b82<br />
OTP value 29: 8150adc5<br />
OTP value 30: a9c68fa9<br />
OTP value 31: 72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the contents of <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> to OTP with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
stm32key fuse ${loadaddr}<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
TODO: Add output<br />
</syntaxhighlight><br />
<br />
====== Program PKH manually into OTP with <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command ======<br />
<br />
Generate fuse command with hexdump from file <syntaxhighlight lang="shell" inline>publicKeyhash.bin</syntaxhighlight> on linux host:<br />
<div style="color:red">Warning: Do not use the example output! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
echo fuse prog -y 0 0x18 $(hexdump -e '/4 "0x"' -e '/1 "%x"' -e '" "' /path/to/publicKeyhash.bin)<br />
</syntaxhighlight><br />
<syntaxhighlight lang="console"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Write the PKH into OTP manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: Do not use the example command! Only use your unique values for programming the PKH in the OTP!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x18 0x4e31bbcd 0x51e827dd 0x3511f521 0xfd9c11a2 0x5b997b82 0x8150adc5 0xa9c68fa9 0x72a3ba74<br />
</syntaxhighlight><br />
<br />
Lock the related OTP words manually with the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<syntaxhighlight lang="shell"><br />
fuse prog -y 0 0x10000018 1 1 1 1 1 1 1 1<br />
</syntaxhighlight><br />
<br />
===== Test BootROM image authentication =====<br />
<br />
To verify the image authentication by the BootROM with the programmed PKH and the programmed signed images, you must reboot your device.<br />
<br />
On the third line of the U-Boot SPL output, check the BootROM authentication status.<br />
The status output should look like this: <syntaxhighlight lang="console" inline>Bootrom authentication: succeeded</syntaxhighlight>.<br />
Note the <syntaxhighlight lang="console" inline>succeeded</syntaxhighlight> status for successful authentication of the U-Boot SPL image by the BootROM.<br />
<br />
The following output shows successful authentication of the U-Boot-SPL image in line 3, as well as successful authentication of the used configuration in line 7 and the U-Boot and Device Tree subimages in lines 8 and 9 of the U-Boot-FIT image.<br />
<syntaxhighlight lang="console" line highlight="3,7-9"><br />
U-Boot SPL 2022.01-00012-g6c5892c90c28 (Feb 16 2022 - 11:11:16 +0100)<br />
Model: STMicroelectronics STM32MP15xx DHCOM Premium Developer Kit (2)<br />
Bootrom authentication: succeeded<br />
Code: SoM:rev=1,ddr3=3 Board:rev=0<br />
RAM: DDR3L 32bits 2x4Gb 533MHz<br />
Trying to boot from SPI<br />
## Checking hash(es) for config config-2 ... sha256,rsa4096:fsbl-cfg-2022-02-16+ OK<br />
## Checking hash(es) for Image uboot ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
## Checking hash(es) for Image fdt-1 ... sha256,rsa4096:fsbl-img-2022-02-16+ sha256+ OK<br />
</syntaxhighlight><br />
<br />
===== Enforce BootROM image authentication =====<br />
<br />
Without any further changes, the BootROM is able to perform authentication of the FSBL image, but unauthenticated images can still be used and executed.<br />
The device is still open, let's see this as a kind of test mode to check if the PKH is set correctly.<br />
<br />
Once the authentication process is confirmed, the device can be closed and the user is forced to use signed images.<br />
<br />
The 6th bit in the 1st word of the OTP is responsible that the BootROM only accepts signed images.<br />
Burning this bit enforces authentication of images by the BootROM and unsigned binaries are no longer supported on the target device.<br />
<br />
To program this bit, the U-Boot Shell can be used with the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command or with the more general <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command.<br />
<br />
With usage of the <syntaxhighlight lang="shell" inline>stm32key</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
stm32key close<br />
</syntaxhighlight><br />
<br />
Or with usage of the <syntaxhighlight lang="shell" inline>fuse</syntaxhighlight> command:<br />
<div style="color:red">Warning: After running the following command, your device will only be able to boot signed images!</div><br />
<syntaxhighlight lang="shell"><br />
fuse prog 0 0x0 0x40<br />
</syntaxhighlight><br />
<br />
== Secure Boot in Trusted Boot with BootROM authentication, TF-A and OP-TEE ==<br />
<br />
<div style="color:red">TODO:</div><br />
# Add support for STM32MP15 DHCOM in <ref name="TF-A" /><br />
# Add support for STM32MP15 DHCOM in <ref name="OP-TEE/optee_os" /><br />
# Create stm32mp15_dhcom_trusted_defconfig???<br />
# Integrate STM32MP15 DHCOM into <ref name="OP-TEE/build" /><br />
<br />
== References ==<br />
<br />
<references><br />
<ref name="UEFI specification">[http://www.uefi.org/specifications http://www.uefi.org/specifications]</ref><br />
<ref name="Basic Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_basic_defconfig U-Boot Source stm32mp15_basic_defconfig]</ref><br />
<ref name="Trusted Boot">[https://source.denx.de/u-boot/u-boot/-/blob/master/configs/stm32mp15_trusted_defconfig U-Boot Source stm32mp15_trusted_defconfig]</ref><br />
<ref name="BSI TR-02102">[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf BSI - Technische Richtlinie, "Kryptographische Algorithmen und Schlüssellängen", BSI TR-02102-1]</ref><br />
<ref name="STM32 image header">[https://wiki.st.com/stm32mpu/wiki/STM32_header_for_binary_files STM32 header for binary files]</ref><br />
<ref name="KeyGen_tool">[https://wiki.st.com/stm32mpu/wiki/KeyGen_tool STM32MP KeyGen tool]</ref><br />
<ref name="Signing_tool">[https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32MP Signing tool]</ref><br />
<ref name="TF-A">[https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/ Trusted Firmware-A (TF-A)]</ref><br />
<ref name="OP-TEE/optee_os">[https://github.com/OP-TEE/optee_os OP-TEE Trusted OS]</ref><br />
<ref name="OP-TEE/build">[https://github.com/OP-TEE/build Makefiles to use OP-TEE on various platforms]</ref><br />
</references></div>Dkierner