Quick reminder / refresher

nsk ksn

Dec 13, 2025, 11:25:45 PM
to USB armory
I need a bit of a refresher. I am trying to remember how I acquired the armory-boot.sec to begin with.
I set my into mxs_dcp: Trusted State detected a couple of years ago.
I remember following all the steps in secure boot to create the hab keys. I burned the fuses.
I updated my linux distro a couple of days ago and all I needed to do was run
signify -S -s ~/hab_keys/armory-boot.sec -m armory-boot.conf -x armory-boot.conf.sig
it asks for the .sec file's password and done.
Made sure the sha256 match, and everything is working hunky-dory.
I have all this stuff backed up just in case. So at this point it's all routine.

If I were to lose the .sec file (but still have the hab files) how could I create a new one?
Also, is this the proper way to secure the system? I have a mild feeling that I'm not doing this properly. Is the password asked by signify the same used during the creation of the hab keys?

Do I not need to sign the linux image itself for it to be "accepted"?
Signing the .conf is essentially just saying 'ok if the hash in here matches the image's hash, we're good to go'
So all the trust falls on the .conf and its corresponding .sig?

Btw I absolutely love this tiny beast. Are there any plans for an upgraded unit in the future?

Thanks so much for all your hard work,
nsk

Andrea Barisani

Dec 16, 2025, 9:05:59 AM
to USB armory
Hello,


You can always recreate the key pair as long as you update the bootloader with one that embeds the public key, then the bootloader needs to be signed with HAB.

Personally I create a throwaway set of keys each time I update the bootloader, or its configuration, showing that holding on to armory-boot.sec is only relevant if you want to just update armory-boot.conf and re-sign it without ever updating the bootloader binary.

I hope this helps.

Cheers

Carlos Gruberman

Dec 16, 2025, 10:23:35 PM
to USB armory
See this is what's throwing me off. So I did a dist-upgrade. I don't think my installation is done correctly (or rather fully secure). I have linux installed in the emmc and I use the uSD as an encrypted volume. I also have interlock installed on the same uSD when I just want to access the encrypted volume without loading linux. I suspect just signing the armory-boot.conf is allowing me to see the "mxs_dcp: Trusted State" in dmesg. Since I have SDP disabled (as recommended in the instructions), I use a separate uSD (with armory_ums) to load the emmc. Mounting the emmc just shows the linux file system, and no armory-boot image.

I know I used crucible to burn the fuses properly, because armory_ums had to be built and signed using HAB. Otherwise it won't boot.

I hope I'm being clear enough, and why I am having a bit of trouble wrapping my head around all this.

Carlos Gruberman

Dec 17, 2025, 12:09:31 AM
to USB armory
Ok, after rereading the whole process. In order for me to properly set up armory-boot in emmc and linux in emmc, should I make two partitions. One for armory-boot pointing (setting the BOOT and START) to where the linux partition is located?

Andrea Barisani

Dec 17, 2025, 5:42:29 AM
to USB armory
The trusted state is not related to armory-boot verification of the Linux kernel.

The trusted state is all about HAB being enabled, HAB authenticates armory-boot, armory-boot authenticates the Linux kernel.

Having armory-boot authenticating the Linux kernel without HAB enabled is not useful, either there is a full chain of trust or there isn't.

There is no need for two partitions to have armory-boot, on the eMMC, booting Linux from the eMMC, you can follow https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#flashing-imx-native-images to flash it once signed.

Carlos Gruberman

Dec 17, 2025, 10:02:36 PM
to USB armory

"The trusted state is all about HAB being enabled, HAB authenticates armory-boot, armory-boot authenticates the Linux kernel."
Perfect, thanks!
It's been so long since I've gone through the whole process, that I completely forgot how this worked. I was looking for the actual armory-boot file in the partitions.
It's actually written in the first bytes with "sudo dd if=image.imx of=$TARGET_DEV bs=512 seek=2"
The same .sec used in the 'make imx_signed armory-boot...' must be used to sign the armory-boot.config.
What threw me off was the following in the Flashing raw disk images section.
"Raw disk images are meant to fill the entire boot media"

I just successfully created a uSD linux installation from scratch. I just didn't want to touch the emmc, because I had lots done in that installation.
In short, you dd the debian.raw image, then dd armory-boot-signed.imx, sign the armory-boot.conf.
Did I understand all this correctly?

Andrea Barisani

6:18 AM (7 hours ago)
to USB armory
Yes, the mention of raw images filling the disk refers to the Linux one, the bootloader comes afterwards to just overwrite the first sections.
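
The layering discussed in the last two messages (raw disk image first, then the bootloader written with bs=512 seek=2), as an added example that is not part of the thread or of the USB armory project's code. Scratch files with constructed contents stand in for $TARGET_DEV and the real images, and the function names are hypothetical; it checks that the bytes from sector 2 onward equal the bootloader image and that the first two sectors are left untouched.

```shell
#!/bin/sh
# Added example: disk.raw and boot.imx are constructed test data, not real images.
set -eu

# Write image $2 into target $1 at sector 2, as in the thread's dd command.
# conv=notrunc is only needed because the target here is a regular file.
flash_bootloader() {
    dd if="$2" of="$1" bs=512 seek=2 conv=notrunc 2>/dev/null
}

# Succeeds when the bytes of target $1 starting at sector 2 equal image $2.
bootloader_matches() {
    size=$(($(wc -c < "$2")))
    dd if="$1" bs=512 skip=2 2>/dev/null | head -c "$size" | cmp -s - "$2"
}

# Succeeds when the first two sectors (partition table area) of $1 and $2 agree.
header_matches() {
    a=$(head -c 1024 "$1" | sha256sum)
    b=$(head -c 1024 "$2" | sha256sum)
    [ "$a" = "$b" ]
}

demo() {
    dir=$(mktemp -d)
    # Constructed "raw disk image": 64 KiB of a fixed byte.
    head -c 65536 /dev/zero | tr '\0' 'D' > "$dir/disk.raw"
    # Constructed "signed bootloader": 3000 bytes, deliberately not sector aligned.
    head -c 3000 /dev/zero | tr '\0' 'B' > "$dir/boot.imx"
    cp "$dir/disk.raw" "$dir/target"                  # step 1: raw disk image
    flash_bootloader "$dir/target" "$dir/boot.imx"    # step 2: bootloader on top
    rc=0
    bootloader_matches "$dir/target" "$dir/boot.imx" || rc=1
    header_matches "$dir/target" "$dir/disk.raw" || rc=1
    # The overall size of the media must not change.
    [ "$(($(wc -c < "$dir/target")))" -eq 65536 ] || rc=1
    rm -rf "$dir"
    return "$rc"
}

demo && echo "bootloader region verified, partition table area intact"
```

On real media, bootloader_matches can be pointed at the block device and the signed .imx to confirm that what is on disk is the image that was built and signed.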