Discussion:
Enabling secure boot on the USB armory
오지수
2016-09-28 05:10:22 UTC
Hello

I'm currently trying to boot Genode 15.02 on the USB Armory.

[1] provides a tutorial on secure boot on the USB Armory.

But [1] only handles the Linux zImage.

Is it possible to generate a signed U-Boot for a Genode image?

[1] https://github.com/inversepath/usbarmory/wiki/Secure-boot
Stefan Kalkowski
2016-09-28 06:59:51 UTC
Hi,

Post by 오지수
> Hello
> I'm currently trying to boot Genode 15.02 on the USB Armory.
> [1] provides a tutorial on secure boot on the USB Armory.
> But [1] only handles the Linux zImage.
> Is it possible to generate a signed U-Boot for a Genode image?

From my naive understanding, you can follow the same approach as
described in the tutorial, although you have to exchange the uImage of
the Linux kernel with the one produced by the Genode run-tool.
But this would leave out verification of the Linux root-filesystem as it
is used in our current USB armory example. In contrast to our example,
the original USB armory Linux images used by the tutorial embed a
file-system within the Linux image. Thereby the file-system gets
signed, and verified too when booting.

But I have to admit, I only skimmed through the tutorial, and never did
secure booting of Genode on the USB armory myself. Thereby, it is
probably a good idea to ask the people from Inversepath before fusing
your device. They really went through the process of secure booting the
USB armory, and they patched U-boot accordingly. There is a
corresponding discussion group here:

https://groups.google.com/forum/#!forum/usbarmory

When you successfully boot a Genode image securely, I would be glad if
you find the time to provide a rough how-to to all of us.

Btw. is there a reason for you to use this old release of Genode,
instead of the current release 16.08?

Regards
Stefan
Post by 오지수
> [1] https://github.com/inversepath/usbarmory/wiki/Secure-boot
_______________________________________________
genode-main mailing list
https://lists.sourceforge.net/lists/listinfo/genode-main
--
Stefan Kalkowski
Genode Labs

https://github.com/skalk · http://genode.org/

오지수
2016-09-28 09:08:52 UTC
Thank you for your reply.

I use release 15.02 only because I used it last year.

There is no special reason.


Martin Stein
2016-10-05 13:46:47 UTC
Hi 오지수,

Post by 오지수
> Hello
> I'm currently trying to boot Genode 15.02 on the USB Armory.

If you just want to boot Genode without the need for secure booting, have
you tried article [1]?

Post by 오지수
> [1] provides a tutorial on secure boot on the USB Armory.
> But [1] only handles the Linux zImage.
> Is it possible to generate a signed U-Boot for a Genode image?

The current mainline Genode toolchain doesn't support creation of
verified U-Boot images. As far as I know, nobody tried to secure-boot
Genode on the USB Armory yet. Thus, I can't give you any approved
information on how to add support. I had a quick look at the tutorial:

"... The U-Boot compilation (with Verified Boot and HAB support)
requires a precompiled zImage Linux kernel image source tree path ..."

This makes me wonder whether the Verified Boot/HAB tools support kernels
other than Linux at all. For this question it might be better to ask the
imx53 community [2] / manuals [3] or at the USB Armory forum [4].

[1] https://github.com/inversepath/usbarmory/wiki/Genode-OS
[2] https://community.nxp.com/
[3] http://cache.nxp.com/files/32bit/doc/app_note/AN4581.pdf
[4] https://groups.google.com/forum/#!forum/usbarmory
