Enabling Secure Boot on ODROID M1 #593
Conversation
m-iwanicki
force-pushed
the
odroid-m1-rk3568-secure-boot
branch
from
e53252b
to
af72329
Compare
m-iwanicki
changed the title
There was a problem hiding this comment.
@m-iwanicki are we considering this blog post ready for review?
|
@m-iwanicki please cherry pick c670c52 and 0ab8b78, it should help with SEO fails |
@TomaszAIR Done, but some links still fail. |
There was a problem hiding this comment.
@m-iwanicki I left a review, basically it is nice that everything worked but this blog post needs some edits and definitely a plan for itself. Right now it is hard to read, please let me know if I could help more.
| Enabling Secure Mode is based on storing the hash of the public key in | ||
| the OTP memory and enabling verification of the pre-loader’s signature. | ||
| After correctly executing this step, the RK3568B SoC will check if the hash | ||
| of the public key that is contained in the booted image matches the hash |
There was a problem hiding this comment.
@m-iwanicki it does that? Does it not check if the signature was signed with priv key which public key is saved in OTP? https://archive.fosdem.org/2023/schedule/event/arm_secure_boot_2/attachments/slides/5852/export/events/attachments/arm_secure_boot_2/slides/5852/Overview_of_Secure_Boot_in_Arm_based_SoCs_2nd_Edition.pdf; slide 6 and 18
There was a problem hiding this comment.
Also, some diagram here explaining what is happening would be nice
There was a problem hiding this comment.
Changed in 9605d08, rewrote it a little and added a diagram.
Even on your slide (18) there is information that it only saves hash to OTP/EFUSE.
There was a problem hiding this comment.
@TomaszAIR And I'm not sure if I can use/store this diagram from Rockchip. I took it from Rockchip Secure Boot Application Note_v1.2_20160202.pdf that's inside this zip. There are also interesting diagrams in Rockchip Secure Boot Application Note.
Or should I make one myself?
There was a problem hiding this comment.
@m-iwanicki Since the linked document is classified as "Publicity," it indicates that it is likely meant to be shared publicly, but this doesn't always automatically grant permission for unrestricted use. What we can do is:
- Create our own simple diagram
- Add the annotation with the source
There was a problem hiding this comment.
@m-iwanicki, have you addressed this?
There was a problem hiding this comment.
@artur-rs Should I embed link inside diagram or is using  enough? Though it's probably not good from accessibility point.
There was a problem hiding this comment.
@m-iwanicki, you can as well add the link into MD comment below the image.
There was a problem hiding this comment.
I guess you are right. Just checked to make sure that comments are also added in html page.
| ### U-Boot configuration | ||
|
|
||
| To build U-Boot I used `odroid-m1-rk3568_defconfig` configuration. The only | ||
| change I needed to make to this configuration was changing |
There was a problem hiding this comment.
@m-iwanicki we now what is happening here? Can we explain?
There was a problem hiding this comment.
I didn't debug this too deeply so I can't say much more than what's can be glanced from error itself which is it tries to allocate more memory than it's allowed. Maybe it needs to load whole FIT image before verifying/calculating hashes/signatures and with added signature it's too big.
|
@m-iwanicki @TomaszAIR we can resolve SEO fails on the |
|
@m-iwanicki, I am currently reviewing this PR, could you meanwhile rebase it on the latest |
How to write key hash to OTP, changes needed to U-Boot to verify signature, how to sign loader. Signed-off-by: Michał Iwanicki <[email protected]>
Add requested changes Signed-off-by: Michał Iwanicki <[email protected]>
Signed-off-by: Michał Iwanicki <[email protected]>
Signed-off-by: Michał Iwanicki <[email protected]>
Signed-off-by: Michał Iwanicki <[email protected]>
Signed-off-by: Michał Iwanicki <[email protected]>
Signed-off-by: Michał Iwanicki <[email protected]>
m-iwanicki
force-pushed
the
odroid-m1-rk3568-secure-boot
branch
from
d5f3c23
to
a35e823
Compare
|
@DaniilKl rebased on current develop |
Signed-off-by: Michał Iwanicki <[email protected]>
There was a problem hiding this comment.
@m-iwanicki, I really was trying not to argue about the form of the blog post or the way language is being used. Here are my recommendations for future:
- Pay attention to perfect tenses, these (especially past or future) are not needed in technical articles, almost everything can be explained using simple tenses. The perfects only complicate the situation.
- Pay attention to articles and use some tools to check them if you are not sure.
- Pay attention to readability. Sometimes (when an article is too big) it is not enough to write an intro with a sum up, reader will forget it somewhere in the half of the article and will get lost. First thing you can do here: add an intro and sum up into every chapter, so the reader will be able to connect everything in line while reading.
Actually, have you checked this blog post with e.g. Grammarly?
| contained in rkbin repository can't handle loaders generated with new idb | ||
| header. | ||
|
|
||
| I used newest commits available in those repositories. |
There was a problem hiding this comment.
"newest" is a relative version, could you use absolute versioning?
There was a problem hiding this comment.
I do, check links. newest (at the time of writing) is explanation why those commits in particular.
| return -EINVAL; | ||
| ``` | ||
|
|
||
| To generate RSA keys and certificate I decided to use `openssl` command. |
There was a problem hiding this comment.
| To generate RSA keys and certificate I decided to use `openssl` command. | |
| To generate RSA keys and certificate I decided to use `openssl` tool. |
| python3-setuptools python3-pyelftools swig libssl-dev device-tree-compiler python2 bc | ||
| ``` | ||
|
|
||
| To build Rockchip U-Boot I also needed cross-compiler. By default `make.sh` |
There was a problem hiding this comment.
Could you specify more precisely the make.sh you are referring to?
| openssl rsa -in keys/dev.key -pubout -out keys/dev.pubkey | ||
| openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt | ||
| ``` | ||
|
|
There was a problem hiding this comment.
You can add here a sentence where the keys will be used, so the reader will note this and will be able to track progress more easily. This will improve navigation and readability of your blog post.
|
|
||
| In `rkbin/RKBOOT/RK3568MINIALL.ini` I had to update FlashBoot so it points to | ||
| `u-boot-spl.bin` file. Later this `.ini` file will be used by `boot_merger` tool | ||
| to create `rk356x_spl_loader_v1.21.113.bin` file which will contain U-Boot SPL. |
There was a problem hiding this comment.
You have described the .ini file. But what is the rk356x_spl_loader_v1.21.113.bin file used for? Maybe you could mention that this is the loader, that loads the keys.
| ## What's next | ||
|
|
||
| While I managed enable Secure Boot on Odroid it would be good to more | ||
| thoroughly test its security and capability. |
There was a problem hiding this comment.
| thoroughly test its security and capability. | |
| thoroughly test its security and capabilities. |
| While I managed enable Secure Boot on Odroid it would be good to more | ||
| thoroughly test its security and capability. | ||
| Some of the questions that I would like to find answers for are whether there | ||
| really isn't way to overwrite key hash and if it's possible to store more than |
There was a problem hiding this comment.
| really isn't way to overwrite key hash and if it's possible to store more than | |
| really isn't any way to overwrite the hash stoored in OTP and if it's possible to store more than |
| one. OTP has 8k bits of memory based on RK3568 datasheet while hashes are only | ||
| 256 bits in size so theoretically we could store 32 different hashes. | ||
|
|
||
| Good next step would be to transfer capability of writing hash to OTP from |
There was a problem hiding this comment.
| Good next step would be to transfer capability of writing hash to OTP from | |
| Good next step would be to mainstream capability of writing hash to OTP from |
|
|
||
| Good next step would be to transfer capability of writing hash to OTP from | ||
| Rockchip U-Boot to mainline U-Boot which would simplify whole implementation | ||
| quite a bit. |
There was a problem hiding this comment.
| quite a bit. | |
| a lot. |
There was a problem hiding this comment.
Why not quite a lot?
There was a problem hiding this comment.
Not perfect picture for a blog post, too complicated and needs additional explanation. I have not understood it fully yet.
Tried to but it went poorly. Currently I'm using |
That is the main point, and Grammarly should provide improvements if used correctly.
Please provide more details about the issues. |
Maybe it can be configured (custom rules/words?) and used e.g. from cli? |
Why do you assume those are false positives?
Everyone who writes public-facing text should try to make it as high-quality as possible. If that means copying to a tool that improves that, then why not do that? Is copying to another window at the end of writing that much overhead?
True. But that is not the goal of that tool, and AFAIK, it deals quite well with markdown syntax not showing markdown
Code blocks should not be copied for editorial corrections, so that is unnecessary.
We use the premium version with certain guarantees. I don't know what the precise issue is. We ask to use Grammarly with text we plan to make public, e.g., blog posts.
You can always ignore some suggestions if you know better.
It can be configured and trained but has no support for cli. Also, I don't like the lack of integration with Vim/vim. Still, it is much better than wasting the time of a reviewer correcting articles or improving sentence quality if you can delegate that to the machine. We pay for that service, so I would ask you to use it for public text. If you have some better alternatives, we should consider those. |
No description provided.