Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 1 | .. SPDX-License-Identifier: GPL-2.0+ |
| 2 | |
| 3 | U-Boot FIT Signature Verification |
| 4 | ================================= |
| 5 | |
| 6 | Introduction |
| 7 | ------------ |
| 8 | |
| 9 | FIT supports hashing of images so that these hashes can be checked on |
| 10 | loading. This protects against corruption of the image. However it does not |
| 11 | prevent the substitution of one image for another. |
| 12 | |
| 13 | The signature feature allows the hash to be signed with a private key such |
| 14 | that it can be verified using a public key later. Provided that the private |
| 15 | key is kept secret and the public key is stored in a non-volatile place, |
| 16 | any image can be verified in this way. |
| 17 | |
| 18 | See verified-boot.txt for more general information on verified boot. |
| 19 | |
| 20 | |
| 21 | Concepts |
| 22 | -------- |
| 23 | |
| 24 | Some familiarity with public key cryptography is assumed in this section. |
| 25 | |
| 26 | The procedure for signing is as follows: |
| 27 | |
| 28 | - hash an image in the FIT |
| 29 | - sign the hash with a private key to produce a signature |
| 30 | - store the resulting signature in the FIT |
| 31 | |
| 32 | The procedure for verification is: |
| 33 | |
| 34 | - read the FIT |
| 35 | - obtain the public key |
| 36 | - extract the signature from the FIT |
| 37 | - hash the image from the FIT |
| 38 | - verify (with the public key) that the extracted signature matches the |
| 39 | hash |
| 40 | |
| 41 | The signing is generally performed by mkimage, as part of making a firmware |
| 42 | image for the device. The verification is normally done in U-Boot on the |
| 43 | device. |
| 44 | |
| 45 | |
| 46 | Algorithms |
| 47 | ---------- |
| 48 | In principle any suitable algorithm can be used to sign and verify a hash. |
| 49 | U-Boot supports a few hashing and verification algorithms. See below for |
| 50 | details. |
| 51 | |
| 52 | While it is acceptable to bring in large cryptographic libraries such as |
| 53 | openssl on the host side (e.g. mkimage), it is not desirable for U-Boot. |
| 54 | For the run-time verification side, it is important to keep code and data |
| 55 | size as small as possible. |
| 56 | |
| 57 | For this reason the RSA image verification uses pre-processed public keys |
| 58 | which can be used with a very small amount of code - just some extraction |
| 59 | of data from the FDT and exponentiation mod n. Code size impact is a little |
| 60 | under 5KB on Tegra Seaboard, for example. |
| 61 | |
| 62 | It is relatively straightforward to add new algorithms if required. If |
| 63 | another RSA variant is needed, then it can be added with the |
| 64 | U_BOOT_CRYPTO_ALGO() macro. If another algorithm is needed (such as DSA) then |
| 65 | it can be placed in a directory alongside lib/rsa/, and its functions added |
| 66 | using U_BOOT_CRYPTO_ALGO(). |
| 67 | |
| 68 | |
| 69 | Creating an RSA key pair and certificate |
| 70 | ---------------------------------------- |
| 71 | To create a new public/private key pair, size 2048 bits:: |
| 72 | |
| 73 | $ openssl genpkey -algorithm RSA -out keys/dev.key \ |
| 74 | -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 |
| 75 | |
| 76 | To create a certificate for this containing the public key:: |
| 77 | |
| 78 | $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt |
| 79 | |
| 80 | If you like you can look at the public key also:: |
| 81 | |
| 82 | $ openssl rsa -in keys/dev.key -pubout |
| 83 | |
| 84 | |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 85 | Public Key Storage |
| 86 | ------------------ |
| 87 | In order to verify an image that has been signed with a public key we need to |
| 88 | have a trusted public key. This cannot be stored in the signed image, since |
| 89 | it would be easy to alter. For this implementation we choose to store the |
| 90 | public key in U-Boot's control FDT (using CONFIG_OF_CONTROL). |
| 91 | |
| 92 | Public keys should be stored as sub-nodes in a /signature node. Required |
| 93 | properties are: |
| 94 | |
| 95 | algo |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 96 | Algorithm name (e.g. "sha256,rsa2048" or "sha512,ecdsa256") |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 97 | |
| 98 | Optional properties are: |
| 99 | |
| 100 | key-name-hint |
| 101 | Name of key used for signing. This is only a hint since it |
| 102 | is possible for the name to be changed. Verification can proceed by checking |
| 103 | all available signing keys until one matches. |
| 104 | |
| 105 | required |
| 106 | If present this indicates that the key must be verified for the |
| 107 | image / configuration to be considered valid. Only required keys are |
| 108 | normally verified by the FIT image booting algorithm. Valid values are |
| 109 | "image" to force verification of all images, and "conf" to force verification |
| 110 | of the selected configuration (which then relies on hashes in the images to |
| 111 | verify those). |
| 112 | |
| 113 | Each signing algorithm has its own additional properties. |
| 114 | |
| 115 | For RSA the following are mandatory: |
| 116 | |
| 117 | rsa,num-bits |
| 118 | Number of key bits (e.g. 2048) |
| 119 | |
| 120 | rsa,modulus |
| 121 | Modulus (N) as a big-endian multi-word integer |
| 122 | |
| 123 | rsa,exponent |
| 124 | Public exponent (E) as a 64 bit unsigned integer |
| 125 | |
| 126 | rsa,r-squared |
| 127 | (2^num-bits)^2 as a big-endian multi-word integer |
| 128 | |
| 129 | rsa,n0-inverse |
| 130 | -1 / modulus[0] mod 2^32 |
| 131 | |
| 132 | For ECDSA the following are mandatory: |
| 133 | |
| 134 | ecdsa,curve |
| 135 | Name of ECDSA curve (e.g. "prime256v1") |
| 136 | |
| 137 | ecdsa,x-point |
| 138 | Public key X coordinate as a big-endian multi-word integer |
| 139 | |
| 140 | ecdsa,y-point |
| 141 | Public key Y coordinate as a big-endian multi-word integer |
| 142 | |
| 143 | These parameters can be added to a binary device tree using parameter -K of the |
| 144 | mkimage command:: |
| 145 | |
| 146 | tools/mkimage -f fit.its -K control.dtb -k keys -r image.fit |
| 147 | |
| 148 | Here is an example of a generated device tree node:: |
| 149 | |
| 150 | signature { |
| 151 | key-dev { |
| 152 | required = "conf"; |
| 153 | algo = "sha256,rsa2048"; |
| 154 | rsa,r-squared = <0xb76d1acf 0xa1763ca5 0xeb2f126 |
| 155 | 0x742edc80 0xd3f42177 0x9741d9d9 |
| 156 | 0x35bb476e 0xff41c718 0xd3801430 |
| 157 | 0xf22537cb 0xa7e79960 0xae32a043 |
| 158 | 0x7da1427a 0x341d6492 0x3c2762f5 |
| 159 | 0xaac04726 0x5b262d96 0xf984e86d |
| 160 | 0xb99443c7 0x17080c33 0x940f6892 |
| 161 | 0xd57a95d1 0x6ea7b691 0xc5038fa8 |
| 162 | 0x6bb48a6e 0x73f1b1ea 0x37160841 |
| 163 | 0xe05715ce 0xa7c45bbd 0x690d82d5 |
| 164 | 0x99c2454c 0x6ff117b3 0xd830683b |
| 165 | 0x3f81c9cf 0x1ca38a91 0x0c3392e4 |
| 166 | 0xd817c625 0x7b8e9a24 0x175b89ea |
| 167 | 0xad79f3dc 0x4d50d7b4 0x9d4e90f8 |
| 168 | 0xad9e2939 0xc165d6a4 0x0ada7e1b |
| 169 | 0xfb1bf495 0xfc3131c2 0xb8c6e604 |
| 170 | 0xc2761124 0xf63de4a6 0x0e9565f9 |
| 171 | 0xc8e53761 0x7e7a37a5 0xe99dcdae |
| 172 | 0x9aff7e1e 0xbd44b13d 0x6b0e6aa4 |
| 173 | 0x038907e4 0x8e0d6850 0xef51bc20 |
| 174 | 0xf73c94af 0x88bea7b1 0xcbbb1b30 |
| 175 | 0xd024b7f3>; |
| 176 | rsa,modulus = <0xc0711d6cb 0x9e86db7f 0x45986dbe |
| 177 | 0x023f1e8c9 0xe1a4c4d0 0x8a0dfdc9 |
| 178 | 0x023ba0c48 0x06815f6a 0x5caa0654 |
| 179 | 0x07078c4b7 0x3d154853 0x40729023 |
| 180 | 0x0b007c8fe 0x5a3647e5 0x23b41e20 |
| 181 | 0x024720591 0x66915305 0x0e0b29b0 |
| 182 | 0x0de2ad30d 0x8589430f 0xb1590325 |
| 183 | 0x0fb9f5d5e 0x9eba752a 0xd88e6de9 |
| 184 | 0x056b3dcc6 0x9a6b8e61 0x6784f61f |
| 185 | 0x000f39c21 0x5eec6b33 0xd78e4f78 |
| 186 | 0x0921a305f 0xaa2cc27e 0x1ca917af |
| 187 | 0x06e1134f4 0xd48cac77 0x4e914d07 |
| 188 | 0x0f707aa5a 0x0d141f41 0x84677f1d |
| 189 | 0x0ad47a049 0x028aedb6 0xd5536fcf |
| 190 | 0x03fef1e4f 0x133a03d2 0xfd7a750a |
| 191 | 0x0f9159732 0xd207812e 0x6a807375 |
| 192 | 0x06434230d 0xc8e22dad 0x9f29b3d6 |
| 193 | 0x07c44ac2b 0xfa2aad88 0xe2429504 |
| 194 | 0x041febd41 0x85d0d142 0x7b194d65 |
| 195 | 0x06e5d55ea 0x41116961 0xf3181dde |
| 196 | 0x068bf5fbc 0x3dd82047 0x00ee647e |
| 197 | 0x0d7a44ab3>; |
| 198 | rsa,exponent = <0x00 0x10001>; |
| 199 | rsa,n0-inverse = <0xb3928b85>; |
| 200 | rsa,num-bits = <0x800>; |
| 201 | key-name-hint = "dev"; |
| 202 | }; |
| 203 | }; |
| 204 | |
| 205 | |
| 206 | Signed Configurations |
| 207 | --------------------- |
| 208 | While signing images is useful, it does not provide complete protection |
| 209 | against several types of attack. For example, it is possible to create a |
| 210 | FIT with the same signed images, but with the configuration changed such |
| 211 | that a different one is selected (mix and match attack). It is also possible |
| 212 | to substitute a signed image from an older FIT version into a newer FIT |
| 213 | (roll-back attack). |
| 214 | |
| 215 | As an example, consider this FIT:: |
| 216 | |
| 217 | / { |
| 218 | images { |
| 219 | kernel-1 { |
| 220 | data = <data for kernel1> |
| 221 | signature-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 222 | algo = "sha256,rsa2048"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 223 | value = <...kernel signature 1...> |
| 224 | }; |
| 225 | }; |
| 226 | kernel-2 { |
| 227 | data = <data for kernel2> |
| 228 | signature-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 229 | algo = "sha256,rsa2048"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 230 | value = <...kernel signature 2...> |
| 231 | }; |
| 232 | }; |
| 233 | fdt-1 { |
| 234 | data = <data for fdt1>; |
| 235 | signature-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 236 | algo = "sha256,rsa2048"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 237 | value = <...fdt signature 1...> |
| 238 | }; |
| 239 | }; |
| 240 | fdt-2 { |
| 241 | data = <data for fdt2>; |
| 242 | signature-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 243 | algo = "sha256,rsa2048"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 244 | value = <...fdt signature 2...> |
| 245 | }; |
| 246 | }; |
| 247 | }; |
| 248 | configurations { |
| 249 | default = "conf-1"; |
| 250 | conf-1 { |
| 251 | kernel = "kernel-1"; |
| 252 | fdt = "fdt-1"; |
| 253 | }; |
| 254 | conf-2 { |
| 255 | kernel = "kernel-2"; |
| 256 | fdt = "fdt-2"; |
| 257 | }; |
| 258 | }; |
| 259 | }; |
| 260 | |
| 261 | Since both kernels are signed it is easy for an attacker to add a new |
| 262 | configuration 3 with kernel 1 and fdt 2:: |
| 263 | |
| 264 | configurations { |
| 265 | default = "conf-1"; |
| 266 | conf-1 { |
| 267 | kernel = "kernel-1"; |
| 268 | fdt = "fdt-1"; |
| 269 | }; |
| 270 | conf-2 { |
| 271 | kernel = "kernel-2"; |
| 272 | fdt = "fdt-2"; |
| 273 | }; |
| 274 | conf-3 { |
| 275 | kernel = "kernel-1"; |
| 276 | fdt = "fdt-2"; |
| 277 | }; |
| 278 | }; |
| 279 | |
| 280 | With signed images, nothing protects against this. Whether it gains an |
| 281 | advantage for the attacker is debatable, but it is not secure. |
| 282 | |
| 283 | To solve this problem, we support signed configurations. In this case it |
| 284 | is the configurations that are signed, not the image. Each image has its |
| 285 | own hash, and we include the hash in the configuration signature. |
| 286 | |
| 287 | So the above example is adjusted to look like this:: |
| 288 | |
| 289 | / { |
| 290 | images { |
| 291 | kernel-1 { |
| 292 | data = <data for kernel1> |
| 293 | hash-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 294 | algo = "sha256"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 295 | value = <...kernel hash 1...> |
| 296 | }; |
| 297 | }; |
| 298 | kernel-2 { |
| 299 | data = <data for kernel2> |
| 300 | hash-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 301 | algo = "sha256"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 302 | value = <...kernel hash 2...> |
| 303 | }; |
| 304 | }; |
| 305 | fdt-1 { |
| 306 | data = <data for fdt1>; |
| 307 | hash-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 308 | algo = "sha256"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 309 | value = <...fdt hash 1...> |
| 310 | }; |
| 311 | }; |
| 312 | fdt-2 { |
| 313 | data = <data for fdt2>; |
| 314 | hash-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 315 | algo = "sha256"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 316 | value = <...fdt hash 2...> |
| 317 | }; |
| 318 | }; |
| 319 | }; |
| 320 | configurations { |
| 321 | default = "conf-1"; |
| 322 | conf-1 { |
| 323 | kernel = "kernel-1"; |
| 324 | fdt = "fdt-1"; |
| 325 | signature-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 326 | algo = "sha256,rsa2048"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 327 | value = <...conf 1 signature...>; |
| 328 | }; |
| 329 | }; |
| 330 | conf-2 { |
| 331 | kernel = "kernel-2"; |
| 332 | fdt = "fdt-2"; |
| 333 | signature-1 { |
Sean Anderson | 72a09cc | 2023-12-02 14:33:14 -0500 | [diff] [blame] | 334 | algo = "sha256,rsa2048"; |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 335 | value = <...conf 1 signature...>; |
| 336 | }; |
| 337 | }; |
| 338 | }; |
| 339 | }; |
| 340 | |
| 341 | |
| 342 | You can see that we have added hashes for all images (since they are no |
| 343 | longer signed), and a signature to each configuration. In the above example, |
| 344 | mkimage will sign configurations/conf-1, the kernel and fdt that are |
| 345 | pointed to by the configuration (/images/kernel-1, /images/kernel-1/hash-1, |
| 346 | /images/fdt-1, /images/fdt-1/hash-1) and the root structure of the image |
| 347 | (so that it isn't possible to add or remove root nodes). The signature is |
| 348 | written into /configurations/conf-1/signature-1/value. It can easily be |
| 349 | verified later even if the FIT has been signed with other keys in the |
| 350 | meantime. |
| 351 | |
| 352 | |
| 353 | Details |
| 354 | ------- |
| 355 | The signature node contains a property ('hashed-nodes') which lists all the |
| 356 | nodes that the signature was made over. The image is walked in order and each |
| 357 | tag processed as follows: |
| 358 | |
| 359 | DTB_BEGIN_NODE |
| 360 | The tag and the following name are included in the signature |
| 361 | if the node or its parent are present in 'hashed-nodes' |
| 362 | |
| 363 | DTB_END_NODE |
| 364 | The tag is included in the signature if the node or its parent |
| 365 | are present in 'hashed-nodes' |
| 366 | |
| 367 | DTB_PROPERTY |
| 368 | The tag, the length word, the offset in the string table, and |
| 369 | the data are all included if the current node is present in 'hashed-nodes' |
| 370 | and the property name is not 'data'. |
| 371 | |
| 372 | DTB_END |
| 373 | The tag is always included in the signature. |
| 374 | |
| 375 | DTB_NOP |
| 376 | The tag is included in the signature if the current node is present |
| 377 | in 'hashed-nodes' |
| 378 | |
| 379 | In addition, the signature contains a property 'hashed-strings' which contains |
| 380 | the offset and length in the string table of the strings that are to be |
| 381 | included in the signature (this is done last). |
| 382 | |
| 383 | IMPORTANT: To verify the signature outside u-boot, it is vital to not only |
| 384 | calculate the hash of the image and verify the signature with that, but also to |
| 385 | calculate the hashes of the kernel, fdt, and ramdisk images and check those |
| 386 | match the hash values in the corresponding 'hash*' subnodes. |
| 387 | |
| 388 | |
| 389 | Verification |
| 390 | ------------ |
| 391 | FITs are verified when loaded. After the configuration is selected a list |
| 392 | of required images is produced. If there are 'required' public keys, then |
| 393 | each image must be verified against those keys. This means that every image |
| 394 | that might be used by the target needs to be signed with 'required' keys. |
| 395 | |
| 396 | This happens automatically as part of a bootm command when FITs are used. |
| 397 | |
| 398 | For Signed Configurations, the default verification behavior can be changed by |
| 399 | the following optional property in /signature node in U-Boot's control FDT. |
| 400 | |
| 401 | required-mode |
| 402 | Valid values are "any" to allow verified boot to succeed if |
| 403 | the selected configuration is signed by any of the 'required' keys, and "all" |
| 404 | to allow verified boot to succeed if the selected configuration is signed by |
| 405 | all of the 'required' keys. |
| 406 | |
| 407 | This property can be added to a binary device tree using fdtput as shown in |
| 408 | below examples:: |
| 409 | |
| 410 | fdtput -t s control.dtb /signature required-mode any |
| 411 | fdtput -t s control.dtb /signature required-mode all |
| 412 | |
| 413 | |
| 414 | Enabling FIT Verification |
| 415 | ------------------------- |
| 416 | In addition to the options to enable FIT itself, the following CONFIGs must |
| 417 | be enabled: |
| 418 | |
| 419 | CONFIG_FIT_SIGNATURE |
| 420 | enable signing and verification in FITs |
| 421 | |
| 422 | CONFIG_RSA |
| 423 | enable RSA algorithm for signing |
| 424 | |
| 425 | CONFIG_ECDSA |
| 426 | enable ECDSA algorithm for signing |
| 427 | |
| 428 | WARNING: When relying on signed FIT images with required signature check |
| 429 | the legacy image format is default disabled by not defining |
| 430 | CONFIG_LEGACY_IMAGE_FORMAT |
| 431 | |
| 432 | |
| 433 | Testing |
| 434 | ------- |
| 435 | |
| 436 | An easy way to test signing and verification is to use the test script |
| 437 | provided in test/vboot/vboot_test.sh. This uses sandbox (a special version |
| 438 | of U-Boot which runs under Linux) to show the operation of a 'bootm' |
| 439 | command loading and verifying images. |
| 440 | |
| 441 | A sample run is show below:: |
| 442 | |
| 443 | $ make O=sandbox sandbox_config |
| 444 | $ make O=sandbox |
| 445 | $ O=sandbox ./test/vboot/vboot_test.sh |
| 446 | |
| 447 | |
| 448 | Simple Verified Boot Test |
| 449 | ------------------------- |
| 450 | |
| 451 | Please see :doc:`verified-boot` for more information:: |
| 452 | |
| 453 | /home/hs/ids/u-boot/sandbox/tools/mkimage -D -I dts -O dtb -p 2000 |
| 454 | Build keys |
| 455 | do sha1 test |
| 456 | Build FIT with signed images |
| 457 | Test Verified Boot Run: unsigned signatures:: OK |
| 458 | Sign images |
| 459 | Test Verified Boot Run: signed images: OK |
| 460 | Build FIT with signed configuration |
| 461 | Test Verified Boot Run: unsigned config: OK |
| 462 | Sign images |
| 463 | Test Verified Boot Run: signed config: OK |
| 464 | check signed config on the host |
| 465 | Signature check OK |
| 466 | OK |
| 467 | Test Verified Boot Run: signed config: OK |
| 468 | Test Verified Boot Run: signed config with bad hash: OK |
| 469 | do sha256 test |
| 470 | Build FIT with signed images |
| 471 | Test Verified Boot Run: unsigned signatures:: OK |
| 472 | Sign images |
| 473 | Test Verified Boot Run: signed images: OK |
| 474 | Build FIT with signed configuration |
| 475 | Test Verified Boot Run: unsigned config: OK |
| 476 | Sign images |
| 477 | Test Verified Boot Run: signed config: OK |
| 478 | check signed config on the host |
| 479 | Signature check OK |
| 480 | OK |
| 481 | Test Verified Boot Run: signed config: OK |
| 482 | Test Verified Boot Run: signed config with bad hash: OK |
| 483 | |
| 484 | Test passed |
| 485 | |
| 486 | |
| 487 | Software signing: keydir vs keyfile |
| 488 | ----------------------------------- |
| 489 | |
| 490 | In the simplest case, signing is done by giving mkimage the 'keyfile'. This is |
| 491 | the path to a file containing the signing key. |
| 492 | |
| 493 | The alternative is to pass the 'keydir' argument. In this case the filename of |
| 494 | the key is derived from the 'keydir' and the "key-name-hint" property in the |
| 495 | FIT. In this case the "key-name-hint" property is mandatory, and the key must |
| 496 | exist in "<keydir>/<key-name-hint>.<ext>" Here the extension "ext" is |
| 497 | specific to the signing algorithm. |
| 498 | |
| 499 | |
| 500 | Hardware Signing with PKCS#11 or with HSM |
| 501 | ----------------------------------------- |
| 502 | |
| 503 | Securely managing private signing keys can challenging, especially when the |
| 504 | keys are stored on the file system of a computer that is connected to the |
| 505 | Internet. If an attacker is able to steal the key, they can sign malicious FIT |
| 506 | images which will appear genuine to your devices. |
| 507 | |
| 508 | An alternative solution is to keep your signing key securely stored on hardware |
| 509 | device like a smartcard, USB token or Hardware Security Module (HSM) and have |
| 510 | them perform the signing. PKCS#11 is standard for interfacing with these crypto |
| 511 | device. |
| 512 | |
| 513 | Requirements: |
| 514 | - Smartcard/USB token/HSM which can work with some openssl engine |
| 515 | - openssl |
| 516 | |
| 517 | For pkcs11 engine usage: |
| 518 | - libp11 (provides pkcs11 engine) |
| 519 | - p11-kit (recommended to simplify setup) |
| 520 | - opensc (for smartcards and smartcard like USB devices) |
| 521 | - gnutls (recommended for key generation, p11tool) |
| 522 | |
| 523 | For generic HSMs respective openssl engine must be installed and locateable by |
| 524 | openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed |
| 525 | to openssl's default search paths. |
| 526 | |
| 527 | PKCS11 engine support forms "key id" based on "keydir" and with |
| 528 | "key-name-hint". "key-name-hint" is used as "object" name (if not defined in |
| 529 | keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source |
| 530 | is being used for lookup up for the key. |
| 531 | |
| 532 | PKCS11 engine key ids |
| 533 | "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>" |
| 534 | |
| 535 | or, if keydir contains "object=" |
| 536 | "pkcs11:<keydir>;type=<public|private>" |
| 537 | |
| 538 | or |
| 539 | "pkcs11:object=<key-name-hint>;type=<public|private>", |
| 540 | |
| 541 | Generic HSM engine support forms "key id" based on "keydir" and with |
| 542 | "key-name-hint". If "keydir" is specified for mkimage it is used as a prefix in |
| 543 | "key id" and is appended with "key-name-hint". |
| 544 | |
| 545 | Generic engine key ids: |
| 546 | "<keydir><key-name-hint>" |
| 547 | |
| 548 | or |
| 549 | "< key-name-hint>" |
| 550 | |
| 551 | In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN" |
| 552 | can be specified. |
| 553 | |
| 554 | The following examples use the Nitrokey Pro using pkcs11 engine. Instructions |
| 555 | for other devices may vary. |
| 556 | |
| 557 | Notes on pkcs11 engine setup: |
| 558 | |
| 559 | Make sure p11-kit, opensc are installed and that p11-kit is setup to use opensc. |
| 560 | /usr/share/p11-kit/modules/opensc.module should be present on your system. |
| 561 | |
| 562 | |
| 563 | Generating Keys On the Nitrokey:: |
| 564 | |
| 565 | $ gpg --card-edit |
| 566 | |
| 567 | Reader ...........: Nitrokey Nitrokey Pro (xxxxxxxx0000000000000000) 00 00 |
| 568 | Application ID ...: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| 569 | Version ..........: 2.1 |
| 570 | Manufacturer .....: ZeitControl |
| 571 | Serial number ....: xxxxxxxx |
| 572 | Name of cardholder: [not set] |
| 573 | Language prefs ...: de |
| 574 | Sex ..............: unspecified |
| 575 | URL of public key : [not set] |
| 576 | Login data .......: [not set] |
| 577 | Signature PIN ....: forced |
| 578 | Key attributes ...: rsa2048 rsa2048 rsa2048 |
| 579 | Max. PIN lengths .: 32 32 32 |
| 580 | PIN retry counter : 3 0 3 |
| 581 | Signature counter : 0 |
| 582 | Signature key ....: [none] |
| 583 | Encryption key....: [none] |
| 584 | Authentication key: [none] |
| 585 | General key info..: [none] |
| 586 | |
| 587 | gpg/card> generate |
| 588 | Make off-card backup of encryption key? (Y/n) n |
| 589 | |
| 590 | Please note that the factory settings of the PINs are |
| 591 | PIN = '123456' Admin PIN = '12345678' |
| 592 | You should change them using the command --change-pin |
| 593 | |
| 594 | What keysize do you want for the Signature key? (2048) 4096 |
| 595 | The card will now be re-configured to generate a key of 4096 bits |
| 596 | Note: There is no guarantee that the card supports the requested size. |
| 597 | If the key generation does not succeed, please check the |
| 598 | documentation of your card to see what sizes are allowed. |
| 599 | What keysize do you want for the Encryption key? (2048) 4096 |
| 600 | The card will now be re-configured to generate a key of 4096 bits |
| 601 | What keysize do you want for the Authentication key? (2048) 4096 |
| 602 | The card will now be re-configured to generate a key of 4096 bits |
| 603 | Please specify how long the key should be valid. |
| 604 | 0 = key does not expire |
| 605 | <n> = key expires in n days |
| 606 | <n>w = key expires in n weeks |
| 607 | <n>m = key expires in n months |
| 608 | <n>y = key expires in n years |
| 609 | Key is valid for? (0) |
| 610 | Key does not expire at all |
| 611 | Is this correct? (y/N) y |
| 612 | |
| 613 | GnuPG needs to construct a user ID to identify your key. |
| 614 | |
| 615 | Real name: John Doe |
| 616 | Email address: john.doe@email.com |
| 617 | Comment: |
| 618 | You selected this USER-ID: |
| 619 | "John Doe <john.doe@email.com>" |
| 620 | |
| 621 | Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o |
| 622 | |
| 623 | |
| 624 | Using p11tool to get the token URL: |
| 625 | |
| 626 | Depending on system configuration, gpg-agent may need to be killed first:: |
| 627 | |
| 628 | $ p11tool --provider /usr/lib/opensc-pkcs11.so --list-tokens |
| 629 | Token 0: |
| 630 | URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29 |
| 631 | Label: OpenPGP card (User PIN (sig)) |
| 632 | Type: Hardware token |
| 633 | Manufacturer: ZeitControl |
| 634 | Model: PKCS#15 emulated |
| 635 | Serial: 000xxxxxxxxx |
| 636 | Module: (null) |
| 637 | |
| 638 | |
| 639 | Token 1: |
| 640 | URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%29 |
| 641 | Label: OpenPGP card (User PIN) |
| 642 | Type: Hardware token |
| 643 | Manufacturer: ZeitControl |
| 644 | Model: PKCS#15 emulated |
| 645 | Serial: 000xxxxxxxxx |
| 646 | Module: (null) |
| 647 | |
| 648 | Use the portion of the signature token URL after "pkcs11:" as the keydir argument (-k) to mkimage below. |
| 649 | |
| 650 | |
| 651 | Use the URL of the token to list the private keys:: |
| 652 | |
| 653 | $ p11tool --login --provider /usr/lib/opensc-pkcs11.so --list-privkeys \ |
| 654 | "pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29" |
| 655 | Token 'OpenPGP card (User PIN (sig))' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29' requires user PIN |
| 656 | Enter PIN: |
| 657 | Object 0: |
| 658 | URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29;id=%01;object=Signature%20key;type=private |
| 659 | Type: Private key |
| 660 | Label: Signature key |
| 661 | Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; |
| 662 | ID: 01 |
| 663 | |
| 664 | Use the label, in this case "Signature key" as the key-name-hint in your FIT. |
| 665 | |
| 666 | Create the fitImage:: |
| 667 | |
| 668 | $ ./tools/mkimage -f fit-image.its fitImage |
| 669 | |
| 670 | |
| 671 | Sign the fitImage with the hardware key:: |
| 672 | |
| 673 | $ ./tools/mkimage -F -k \ |
Ayoub Zaki | 0f6b715 | 2023-08-26 13:53:29 +0200 | [diff] [blame] | 674 | "pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=000xxxxxxxxx;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29" \ |
Simon Glass | fb8b112 | 2023-06-23 13:22:06 +0100 | [diff] [blame] | 675 | -K u-boot.dtb -N pkcs11 -r fitImage |
| 676 | |
| 677 | |
| 678 | Future Work |
| 679 | ----------- |
| 680 | |
| 681 | - Roll-back protection using a TPM is done using the tpm command. This can |
| 682 | be scripted, but we might consider a default way of doing this, built into |
| 683 | bootm. |
| 684 | |
| 685 | |
| 686 | Possible Future Work |
| 687 | -------------------- |
| 688 | |
| 689 | - More sandbox tests for failure modes |
| 690 | - Passwords for keys/certificates |
| 691 | - Perhaps implement OAEP |
| 692 | - Enhance bootm to permit scripted signature verification (so that a script |
| 693 | can verify an image but not actually boot it) |
| 694 | |
| 695 | |
| 696 | .. sectionauthor:: Simon Glass <sjg@chromium.org>, 1-1-13 |