Secure boot questions


bau...@gmail.com

Mar 26, 2017, 12:51:43 AM
to USB armory
Hello list,

I've had my Armory for a few weeks and think it's great. I am particularly interested in using the security controller - which requires enabling secure boot.

I've done all the steps so far, and tested a few times with various different changes made to verify that my procedure works. All is well (I haven't fused anything yet), but verified boot seems to be working.

I have noticed, however, that even when not applying the patch to turn off the U-Boot CLI (0003-Disable-CLI.patch) I can't seem to get into the U-Boot CLI to actually carry out the fusing / closed security config steps. I've tried holding down any key, etc., it just zooms by without any delay. I also tried putting a uenv.txt with uenvcmd=hab_status in /boot which I naively thought would work (just to see the output) but it does not.

It seems that as soon as I turn on verified booting I can't get into the CLI again to actually fuse anything, and I would really like to be able to see the output of hab_status after fusing the SRK before turning on closed security.

Thanks!

-Justin

Andrej Rosano

Mar 27, 2017, 9:19:27 AM
to bau...@gmail.com, USB armory
Hi Justin,

On 2017-03-25, bau...@gmail.com wrote:
> Hello list,
>
> I've had my Armory for a few weeks and think it's great. I am particularly
> interested in using the security controller - which requires enabling
> secure boot.
>
> I've done all the steps so far, and tested a few times with various
> different changes made to verify that my procedure works. All is well (I
> haven't fused anything yet), but verified boot seems to be working
>
> I have noticed, however, that even when not applying the patch to turn off
> the u-boot CLI (0003-Disable-CLI.patch) I can't seem to get into the UBoot
> CLI to actually carry out the fusing / closed security config steps. I've
> tried holding down any key, etc, it just zooms by without any delay. I also
> tried putting a uenv.txt with uenvcmd=hab_status in /boot which I naively
> thought would work (just to see the output) but it does not.

This is because of the

#define CONFIG_BOOTDELAY -2

present in the second patch. You can modify this variable to something
greater than 0 or move away /boot/usbarmory.itb to drop U-Boot into its prompt.

Cheers,
Andrej

>
> It seems that as soon as I turn on verified booting I can't get into the
> CLI again to actually fuse anything, and I would really like to be able to
> see the output of hab_status after fusing the SRK before turning on closed
> security.
>
> Thanks!
>
> -Justin
>
> --
> You received this message because you are subscribed to the Google Groups "USB armory" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to usbarmory+...@googlegroups.com.
> To post to this group, send email to usba...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/usbarmory/fb6e27f1-fc73-466b-a20f-35f22399a789%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


--
Andrej Rosano
Hardware Security | Inverse Path | F-Secure
www.inversepath.com | www.f-secure.com
5BB8 574E 68E8 D841 E18F D5E9 CEAD E0CF 0193 9B21

bau...@gmail.com

Mar 28, 2017, 2:06:40 PM
to USB armory, bau...@gmail.com, and...@inversepath.com

> This is because of the
>
> #define CONFIG_BOOTDELAY -2
>
> present in the second patch. You can modify this variable to something
> greater than 0 or move away /boot/usbarmory.itb to drop U-Boot into its prompt.
>
> Cheers,
> Andrej



Hi Andrej,

Thanks a lot for that - I have spent a lot more time looking at u-boot code over the last few days, I missed this entirely. Should have been more obvious. :/

Now I have a followup question - has anyone tried 4096-bit SRK keys with secure boot? This is supposed to work according to the HAB4 API documentation. I have tried using the NXP tools and the CAAM engine (some Googling suggested using CAAM is a requirement to make 4096-bit keys work) - both by using the NXP tools and by modifying usbarmory_csftool a bit (so it adds a Set Default Engine command).

With the NXP tools I get:

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x40 0x33 0x2d 0xc0 0x00
        0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
        0x00 0x00 0x08 0x88
  
STS = HAB_FAILURE (0x33)
RSN = HAB_OVR_STORAGE (0x2D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

no matter what engine I specify. Is it the case that I should expect ENG to never match what is actually set in the CSF? It always says ANY for all the errors.

With the patch I made to the usbarmory CSF tool, I get a different error:

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x40 0x33 0x1b 0xc0 0x00
        0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
        0x00 0x00 0x00 0x88
  
STS = HAB_FAILURE (0x33)
RSN = HAB_UNS_KEY (0x1B)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
  
My CSF is as follows. I tried to set CAAM everywhere it was an option, it makes no difference for the errors I get.

[Header]
  Version = 4.0
    Hash Algorithm = sha256
  Engine Configuration = 0
  Certificate Format = X509
  Signature Format = CMS
  Engine = CAAM
  Engine Configuration = 0

[Set Engine]
  Hash Algorithm = SHA256
  Engine = CAAM
  Engine Configuration = 0

# Install the SRK table, this should match the fused sha256
[Install SRK]
  File = "../sb_keys/SRK_1_2_3_4_table.bin"
  Source Index = 0

# Install the certificate used to verify the CSF signature
[Install CSFK]
  File = "../sb_keys/CSF_1_crt.pem"

[Authenticate CSF]
  Engine = CAAM

# Install the certificate used to verify the U-Boot signature
[Install Key]
  Verification Index = 0
  Target Index = 2
  File = "/srv/usbarmory/sb_keys/IMG_1_crt.pem"

[Authenticate Data]
  Verification Index = 2
  # Copy here the three hex values given by u-boot mkimage tool
  # HAB Blocks:   777ff400 00000000 00049c00
  Blocks = 0x777FF400 0x0 0x5bc00 "../u-boot-2016.05/u-boot-dtb.imx"
  Engine = CAAM
  Engine Configuration = 0
 
If the answer is simply "why did you do this, use 2048-bit" I will do that for the next ones in the future, but this *is* supposed to work. :P


Thanks,

-Justin

p.s. as an aside the addition to csftool looks like:

class SetDefaultEngine < BitStruct
  unsigned :tag,       8, :default => HAB_CMD_SET
  unsigned :len,       16, :default => 64
  unsigned :itm,       8, :default => HAB_VAR_CFG_ITM_ENG
  unsigned :type,      8, :default => 0
  unsigned :alg,       8, :default => HAB_ALG_ANY
  unsigned :eng,       8, :default => HAB_ENG_CAAM
  unsigned :cfg,       8, :default => 0
end

...which I believe is correct, because I don't get INV_COMMAND.
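The two "event data" dumps above are the raw HAB event records that U-Boot's hab_status prints; the STS/RSN/CTX/ENG lines are the ROM's own decoding of bytes 4 to 7, and the remaining bytes carry the header of the CSF command that was rejected. The following decoder is an added example, not code from the thread or from usbarmory_csftool: it parses such a dump back into named fields so the failing command can be identified without reading the bytes by hand. The status, reason, context and engine values named in the thread are used as-is; the other code values (command tags, key protocols, hash algorithms, extra reasons and engines) are taken from the HAB4 API reference and are assumptions on my part, not something the thread states.

```ruby
# Added example (not from the thread or usbarmory_csftool): decode a HAB event record.
# Code values not quoted in the thread come from the HAB4 API reference (assumption).
HAB_TAG_EVT = 0xdb

HAB_STS = { 0xf0 => "HAB_SUCCESS", 0x69 => "HAB_WARNING", 0x33 => "HAB_FAILURE" }
HAB_RSN = {
  0x00 => "HAB_RSN_ANY",         0x03 => "HAB_UNS_COMMAND", 0x06 => "HAB_INV_COMMAND",
  0x18 => "HAB_INV_SIGNATURE",   0x1b => "HAB_UNS_KEY",     0x1d => "HAB_INV_KEY",
  0x21 => "HAB_INV_CERTIFICATE", 0x2d => "HAB_OVR_STORAGE", 0x30 => "HAB_ENG_FAIL",
}
HAB_CTX = { 0x00 => "HAB_CTX_ANY", 0xc0 => "HAB_CTX_COMMAND", 0xcf => "HAB_CTX_CSF",
            0xdb => "HAB_CTX_AUT_DAT", 0xe1 => "HAB_CTX_ENTRY", 0xee => "HAB_CTX_EXIT" }
HAB_ENG = { 0x00 => "HAB_ENG_ANY", 0x06 => "HAB_ENG_SAHARA", 0x1d => "HAB_ENG_CAAM", 0xff => "HAB_ENG_SW" }
HAB_CMD = { 0xb1 => "HAB_CMD_SET", 0xbe => "HAB_CMD_INS_KEY", 0xca => "HAB_CMD_AUT_DAT" }
HAB_PCL = { 0x03 => "HAB_PCL_SRK", 0x09 => "HAB_PCL_X509", 0xc5 => "HAB_PCL_CMS" }
HAB_ALG = { 0x00 => "HAB_ALG_ANY", 0x11 => "HAB_ALG_SHA1", 0x17 => "HAB_ALG_SHA256" }

def hab_name(table, code)
  table.fetch(code, format("unknown (0x%02x)", code))
end

# Turn the "0xdb 0x00 0x14 ..." lines printed under "event data:" into a byte array.
# Pasting the whole hab_status block is fine: bytes past the record length are ignored.
def hex_dump_to_bytes(text)
  text.scan(/0x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }
end

# Every HAB command starts with tag (1 byte), big-endian length (2 bytes) and one
# parameter byte. For Install Key the bytes are flg, pcl, alg, src, tgt and the
# 32-bit big-endian address of the key data, which is what both dumps above contain.
def parse_hab_command(bytes)
  tag = bytes[0]
  cmd = { tag: hab_name(HAB_CMD, tag), len: (bytes[1] << 8) | bytes[2] }
  if tag == 0xbe && bytes.size >= 12
    cmd.merge!(
      flg: bytes[3],
      pcl: hab_name(HAB_PCL, bytes[4]),
      alg: hab_name(HAB_ALG, bytes[5]),
      src: bytes[6],
      tgt: bytes[7],
      key_dat: bytes[8, 4].inject(0) { |acc, b| (acc << 8) | b },
    )
  end
  cmd
end

# Event record: tag 0xdb, big-endian length, version byte (0x40 -> "4.0", the same
# version the CSF header declares), then STS, RSN, CTX, ENG and the context data.
def parse_hab_event(bytes)
  raise ArgumentError, "not a HAB event record" unless bytes.size >= 8 && bytes[0] == HAB_TAG_EVT
  len = (bytes[1] << 8) | bytes[2]
  raise ArgumentError, "truncated record: have #{bytes.size} bytes, header says #{len}" if bytes.size < len
  ev = {
    len: len,
    version: "#{bytes[3] >> 4}.#{bytes[3] & 0xf}",
    sts: hab_name(HAB_STS, bytes[4]),
    rsn: hab_name(HAB_RSN, bytes[5]),
    ctx: hab_name(HAB_CTX, bytes[6]),
    eng: hab_name(HAB_ENG, bytes[7]),
  }
  data = bytes[8...len]
  # In a command context the data field is the header of the command that failed.
  ev[:command] = parse_hab_command(data) if bytes[6] == 0xc0 && data.size >= 4
  ev
end

# The two dumps posted in the thread, copied from the hab_status output above.
EVENT_OVR_STORAGE = <<~DUMP
  0xdb 0x00 0x14 0x40 0x33 0x2d 0xc0 0x00
  0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
  0x00 0x00 0x08 0x88
DUMP
EVENT_UNS_KEY = <<~DUMP
  0xdb 0x00 0x14 0x40 0x33 0x1b 0xc0 0x00
  0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
  0x00 0x00 0x00 0x88
DUMP

if __FILE__ == $0
  [EVENT_OVR_STORAGE, EVENT_UNS_KEY].each do |dump|
    ev = parse_hab_event(hex_dump_to_bytes(dump))
    puts "STS=#{ev[:sts]} RSN=#{ev[:rsn]} CTX=#{ev[:ctx]} ENG=#{ev[:eng]} (HAB #{ev[:version]})"
    puts "  rejected command: #{ev[:command].inspect}" if ev[:command]
  end
end
```

Run it as a script to decode the two dumps, or call parse_hab_event(hex_dump_to_bytes(text)) on a dump of your own. Both records decode to an Install Key command (tag 0xbe): the first with protocol X509 and target index 1, the second with protocol SRK and hash algorithm SHA256, so the decoded command header tells you which [Install ...] section of the CSF the ROM stopped at, which the STS/RSN lines alone do not.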

Andrej Rosano

Mar 29, 2017, 4:25:04 AM
to bau...@gmail.com, USB armory
On 2017-03-28, bau...@gmail.com wrote:
>
>
> > This is because of the
> >
> > #define CONFIG_BOOTDELAY -2
> >
> > present in the second patch. You can modify this variable to something
> > greater than 0 or move away /boot/usbarmory.itb to drop U-Boot into its
> > prompt.
> >
> > Cheers,
> > Andrej
> >
> >
> >
> Hi Andrej,
>
> Thanks a lot for that - I have spent a lot more time looking at u-boot code
> over the last few days, I missed this entirely. Should have been more
> obvious. :/
>
> Now I have a followup question - has anyone tried 4096-bit SRK keys with
> secure boot? This is supposed to work according to the HAB4 API
> documentation. I have tried using the NXP tools and the CAAM engine (some
> Googling suggested using CAAM is a requirement to make 4096-bit keys work)
> - both by using the NXP tools and by modifying usbarmory_csftool a bit (so
> it adds a Set Default Engine command).

I did not try 4096 bit keys, but if the CAAM is a requirement, then USB armory
can not use them as it has no CAAM. The crypto engine embedded in the USB
armory's SoC (i.MX53) is SAHARA, while CAAM is present in the i.MX6 family.

Andrej

volkan.h...@gmail.com

Mar 26, 2018, 3:23:56 AM
to USB armory
I have several questions in order to better understand the secure boot process.
1. We generate a PKI tree with a CA, 4 SRKs, and a CSF and IMG for each SRK. So the CA is used to certify the SRK public keys, and the SRK is used to certify the CSF and IMG public keys. Is it correct?
2. When I use this GitHub page https://github.com/inversepath/usbarmory/wiki/Secure-boot#setting-up-the-secure-boot-pki-infrastructure, it does not provide the CA. How can I generate the CA?
3. Why do we generate 4 SRKs if we only use SRK1?
4. Where are the public keys stored? I think they are stored in the CSF.bin generated using this guide: https://github.com/inversepath/usbarmory/wiki/Secure-boot#prepare-the-csf-file
5. The public key used to verify the signed kernel is stored in usbarmory.itb. Is it correct?
6. Can we use RSA keys of 4096 bits for the PKI tree and for the kernel signature? How?
7. If the kernel is signed, does it mean that I cannot change the kernel configuration or cannot run binaries if I don't sign them? What is not allowed in a signed kernel even if the signature verification was successful?

Sorry for the number of questions, but I really need to understand the full process.
Thank you in advance.

Andrej Rosano

Mar 27, 2018, 3:27:38 AM
to volkan.h...@gmail.com, USB armory
Hi Volkan,

On 2018-03-26, volkan.h...@gmail.com wrote:
> I have several questions in order to better understand the secure boot
> process.
> 1. We generate a PKI tree with a CA, 4 SRKs, and a CSF and IMG for each SRK. So
> the CA is used to certify the SRK public keys, and the SRK is used to certify
> the CSF and IMG public keys. Is it correct?
> 2. When I use this GitHub page
> https://github.com/inversepath/usbarmory/wiki/Secure-boot#setting-up-the-secure-boot-pki-infrastructure,
> it does not provide the CA. How can I generate the CA?

The root of the chain is the 4 SRK public keys; the CA used to generate them
is not used in later verifications. In fact [1] does not even generate a CA:
each SRK is a CA by itself.

> 3. Why do we generate 4 SRK if we only use SRK1 ?

The i.MX53 gives you the opportunity to use 4 different SRKs. If required
you can also revoke at some point those SRKs individually. You can revoke
all but the last SRK, otherwise the system would remain unbootable.

> 4. Where are the public keys stored? I think they are stored in the
> CSF.bin generated using this guide:
> https://github.com/inversepath/usbarmory/wiki/Secure-boot#prepare-the-csf-file

Correct.

> 5. The public key used to verify the signed kernel is stored in
> usbarmory.itb. Is it correct?

The public key used for kernel verification is embedded in the U-Boot image.
This one is not related to the SRKs of the i.MX53. Please check the U-Boot
documentation regarding "verified boot".

> 6. Can we use RSA keys of 4096 bits for the PKI tree and for the kernel
> signature? How?

Yes, if you are using [1] you can pass "KEY_LENGTH=4096", as documented in [2].


> 7. If the kernel is signed, does it mean that I cannot change the kernel
> configuration or cannot run binaries if I don't sign them? What is not
> allowed in a signed kernel even if the signature verification was
> successful?

When verified boot is enforced you can not boot a non-signed kernel.
The binaries are not verified.

Cheers,
Andrej

[1] https://github.com/inversepath/usbarmory/blob/master/software/secure_boot/Makefile-pki
[2] https://github.com/inversepath/usbarmory/wiki/Secure-boot

>
> Sorry for the number of questions but I really need to understand the full
> process.
> Thank you in advance.
>
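The answer above describes the shape of the tree that [1] builds: no separate CA, each of the 4 SRKs is a self-signed CA, and the CSF and IMG certificates hang directly under their SRK, with KEY_LENGTH selecting the RSA size. The following is an added example, not the Makefile's own openssl invocations and not part of the thread: it builds that tree with Ruby's OpenSSL binding and checks which root each leaf chains to, which makes the "each SRK is a CA by itself" point concrete. Subject names, serial numbers and validity periods are assumptions; the i.MX53 only ever sees the SRK table hash and the certificates in the CSF, not these PEM objects.

```ruby
# Added example (not from the thread or the usbarmory Makefile-pki): the SRK/CSF/IMG
# certificate tree built in Ruby. Subjects, serials and lifetimes are assumptions.
require "openssl"

SRK_COUNT = 4            # the i.MX53 fuses the hash of a table of up to four SRKs
DEFAULT_KEY_LENGTH = 2048

# Issue an X.509 v3 certificate for `key`, signed by `issuer_key`. A nil issuer
# certificate yields a self-signed CA, which is exactly what an SRK is here.
def build_cert(cn, key, issuer, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 10 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign, cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# One SRK with its two leaves: the SRK signs the CSF and IMG certificates directly,
# there is no CA above it that takes part in verification.
def build_srk(index, key_length)
  srk_key = OpenSSL::PKey::RSA.generate(key_length)
  srk = build_cert("SRK#{index}", srk_key, nil, srk_key, ca: true, serial: index)
  csf_key = OpenSSL::PKey::RSA.generate(key_length)
  img_key = OpenSSL::PKey::RSA.generate(key_length)
  {
    srk: srk, srk_key: srk_key,
    csf: build_cert("CSF#{index}", csf_key, srk, srk_key, ca: false, serial: 100 + index),
    csf_key: csf_key,
    img: build_cert("IMG#{index}", img_key, srk, srk_key, ca: false, serial: 200 + index),
    img_key: img_key,
  }
end

# The whole tree: SRK_COUNT independent roots, mirroring "KEY_LENGTH=4096" for [1].
def build_pki_tree(key_length: DEFAULT_KEY_LENGTH, srk_count: SRK_COUNT)
  (1..srk_count).map { |i| build_srk(i, key_length) }
end

# Does `leaf` chain to `root` alone? A CSF certificate issued under SRK1 is
# meaningless under SRK2, which is what makes per-SRK revocation possible.
def verifies_against?(leaf, root)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf)
end

def key_bits(cert)
  cert.public_key.n.num_bits
end

if __FILE__ == $0
  tree = build_pki_tree(key_length: Integer(ENV.fetch("KEY_LENGTH", DEFAULT_KEY_LENGTH)))
  tree.each_with_index do |t, i|
    other = tree[(i + 1) % tree.size]
    puts "SRK#{i + 1} (#{key_bits(t[:srk])}-bit): CSF#{i + 1} verifies under SRK#{i + 1}=" \
         "#{verifies_against?(t[:csf], t[:srk])}, under another SRK=#{verifies_against?(t[:csf], other[:srk])}"
  end
end
```

Run with KEY_LENGTH=4096 to see the larger keys; generation takes a few seconds per key. The store in verifies_against? holds exactly one SRK, matching how only the SRKs (through the fused table hash) act as trust anchors on the device, and the private halves never leave the signing host.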


Volkan Herekoglu

Mar 29, 2018, 4:45:41 AM
to USB armory

Hi Andrej,

Thank you very much.

Can you give an example where the 4 SRKs could be used (or needed)?
I don't really understand the purpose of having 4 SRKs, because I think that one SRK is sufficient to certify all CSF and IMG public keys.

Best regards,
Volkan

volkan.h...@gmail.com

Apr 3, 2018, 4:50:06 AM
to USB armory


Hello everybody,

I have followed this GitHub page: https://github.com/inversepath/usbarmory/wiki/Secure-boot

Once I have u-boot-signed.imx and usbarmory.itb I don't know how I can flash the image to the target microSD card. I saw this command:

sudo dd if=u-boot-signed.imx of=/dev/sdX bs=512 seek=2 conv=fsync

But I also need to use usbarmory.itb. How and when should I use usbarmory.itb? Could you describe the steps for flashing the image to the microSD card once we have u-boot-signed.imx and usbarmory.itb?

Thank you in advance.

Andrea Barisani

Apr 3, 2018, 5:02:21 AM
to volkan.h...@gmail.com, USB armory
The page you link mentions:

usbarmory.itb: image tree blob file containing the kernel, to be copied under /boot on the target microSD card (replaces zImage/uImage).

Cheers
