1*041bca5bSSimon GlassU-Boot Verified Boot 2*041bca5bSSimon Glass==================== 3*041bca5bSSimon Glass 4*041bca5bSSimon GlassIntroduction 5*041bca5bSSimon Glass------------ 6*041bca5bSSimon GlassVerified boot here means the verification of all software loaded into a 7*041bca5bSSimon Glassmachine during the boot process to ensure that it is authorised and correct 8*041bca5bSSimon Glassfor that machine. 9*041bca5bSSimon Glass 10*041bca5bSSimon GlassVerified boot extends from the moment of system reset to as far as you wish 11*041bca5bSSimon Glassinto the boot process. An example might be loading U-Boot from read-only 12*041bca5bSSimon Glassmemory, then loading a signed kernel, then using the kernel's dm-verity 13*041bca5bSSimon Glassdriver to mount a signed root filesystem. 14*041bca5bSSimon Glass 15*041bca5bSSimon GlassA key point is that it is possible to field-upgrade the software on machines 16*041bca5bSSimon Glasswhich use verified boot. Since the machine will only run software that has 17*041bca5bSSimon Glassbeen correctly signed, it is safe to read software from an updatable medium. 18*041bca5bSSimon GlassIt is also possible to add a secondary signed firmware image, in read-write 19*041bca5bSSimon Glassmemory, so that firmware can easily be upgraded in a secure manner. 20*041bca5bSSimon Glass 21*041bca5bSSimon Glass 22*041bca5bSSimon GlassSigning 23*041bca5bSSimon Glass------- 24*041bca5bSSimon GlassVerified boot uses cryptographic algorithms to 'sign' software images. 25*041bca5bSSimon GlassImages are signed using a private key known only to the signer, but can 26*041bca5bSSimon Glassbe verified using a public key. As its name suggests the public key can be 27*041bca5bSSimon Glassmade available without risk to the verification process. The private and 28*041bca5bSSimon Glasspublic keys are mathematically related. For more information on how this 29*041bca5bSSimon Glassworks look up "public key cryptography" and "RSA" (a particular algorithm). 30*041bca5bSSimon Glass 31*041bca5bSSimon GlassThe signing and verification process looks something like this: 32*041bca5bSSimon Glass 33*041bca5bSSimon Glass 34*041bca5bSSimon Glass Signing Verification 35*041bca5bSSimon Glass ======= ============ 36*041bca5bSSimon Glass 37*041bca5bSSimon Glass +--------------+ * 38*041bca5bSSimon Glass | RSA key pair | * +---------------+ 39*041bca5bSSimon Glass | .key .crt | * | Public key in | 40*041bca5bSSimon Glass +--------------+ +------> public key ----->| trusted place | 41*041bca5bSSimon Glass | | * +---------------+ 42*041bca5bSSimon Glass | | * | 43*041bca5bSSimon Glass v | * v 44*041bca5bSSimon Glass +---------+ | * +--------------+ 45*041bca5bSSimon Glass | |----------+ * | | 46*041bca5bSSimon Glass | signer | * | U-Boot | 47*041bca5bSSimon Glass | |----------+ * | signature |--> yes/no 48*041bca5bSSimon Glass +---------+ | * | verification | 49*041bca5bSSimon Glass ^ | * | | 50*041bca5bSSimon Glass | | * +--------------+ 51*041bca5bSSimon Glass | | * ^ 52*041bca5bSSimon Glass +----------+ | * | 53*041bca5bSSimon Glass | Software | +----> signed image -------------+ 54*041bca5bSSimon Glass | image | * 55*041bca5bSSimon Glass +----------+ * 56*041bca5bSSimon Glass 57*041bca5bSSimon Glass 58*041bca5bSSimon GlassThe signature algorithm relies only on the public key to do its work. Using 59*041bca5bSSimon Glassthis key it checks the signature that it finds in the image. If it verifies 60*041bca5bSSimon Glassthen we know that the image is OK. 61*041bca5bSSimon Glass 62*041bca5bSSimon GlassThe public key from the signer allows us to verify and therefore trust 63*041bca5bSSimon Glasssoftware from updatable memory. 64*041bca5bSSimon Glass 65*041bca5bSSimon GlassIt is critical that the public key be secure and cannot be tampered with. 66*041bca5bSSimon GlassIt can be stored in read-only memory, or perhaps protected by other on-chip 67*041bca5bSSimon Glasscrypto provided by some modern SOCs. If the public key can ben changed, then 68*041bca5bSSimon Glassthe verification is worthless. 69*041bca5bSSimon Glass 70*041bca5bSSimon Glass 71*041bca5bSSimon GlassChaining Images 72*041bca5bSSimon Glass--------------- 73*041bca5bSSimon GlassThe above method works for a signer providing images to a run-time U-Boot. 74*041bca5bSSimon GlassIt is also possible to extend this scheme to a second level, like this: 75*041bca5bSSimon Glass 76*041bca5bSSimon Glass1. Master private key is used by the signer to sign a first-stage image. 77*041bca5bSSimon Glass2. Master public key is placed in read-only memory. 78*041bca5bSSimon Glass2. Secondary private key is created and used to sign second-stage images. 79*041bca5bSSimon Glass3. Secondary public key is placed in first stage images 80*041bca5bSSimon Glass4. We use the master public key to verify the first-stage image. We then 81*041bca5bSSimon Glassuse the secondary public key in the first-stage image to verify the second- 82*041bca5bSSimon Glassstate image. 83*041bca5bSSimon Glass5. This chaining process can go on indefinitely. It is recommended to use a 84*041bca5bSSimon Glassdifferent key at each stage, so that a compromise in one place will not 85*041bca5bSSimon Glassaffect the whole change. 86*041bca5bSSimon Glass 87*041bca5bSSimon Glass 88*041bca5bSSimon GlassFlattened Image Tree (FIT) 89*041bca5bSSimon Glass-------------------------- 90*041bca5bSSimon GlassThe FIT format is alreay widely used in U-Boot. It is a flattened device 91*041bca5bSSimon Glasstree (FDT) in a particular format, with images contained within. FITs 92*041bca5bSSimon Glassinclude hashes to verify images, so it is relatively straightforward to 93*041bca5bSSimon Glassadd signatures as well. 94*041bca5bSSimon Glass 95*041bca5bSSimon GlassThe public key can be stored in U-Boot's CONFIG_OF_CONTROL device tree in 96*041bca5bSSimon Glassa standard place. Then when a FIT it loaded it can be verified using that 97*041bca5bSSimon Glasspublic key. Multiple keys and multiple signatures are supported. 98*041bca5bSSimon Glass 99*041bca5bSSimon GlassSee signature.txt for more information. 100*041bca5bSSimon Glass 101*041bca5bSSimon Glass 102*041bca5bSSimon GlassSimon Glass 103*041bca5bSSimon Glasssjg@chromium.org 104*041bca5bSSimon Glass1-1-13 105