Hello
I'm currently trying to boot Genode 15.02 on the USB Armory.
[1] provides a tutorial on secure boot on the USB Armory.
But [1] only handles the Linux zImage.
Is it possible to generate a signed U-Boot for a Genode image?
[1] https://github.com/inversepath/usbarmory/wiki/Secure-boot
Hi,
On 09/28/2016 07:10 AM, 오지수 wrote:
> Hello
> I'm currently trying to boot Genode 15.02 on the USB Armory.
> [1] provides a tutorial on secure boot on the USB Armory.
> But [1] only handles the Linux zImage.
> Is it possible to generate a signed U-Boot for a Genode image?
From my naive understanding, you can follow the same approach as described in the tutorial, although you have to exchange the uImage of the Linux kernel with the one produced by the Genode run-tool. But this would leave out verification of the Linux root-filesystem as it is used in our current USB armory example. In contrast to our example, the original USB armory Linux images used by the tutorial embed a file-system within the Linux' image. Thereby the file-system gets signed, and verified too when booting.
But I have to admit, I only skimmed through the tutorial, and never did secure booting of Genode on the USB armory myself. Thereby, it is probably a good idea to ask the people from Inversepath before fusing your device. They really went through the process of secure booting the USB armory, and they patched U-boot accordingly. There is a corresponding discussion group here:
https://groups.google.com/forum/#!forum/usbarmory
When you successfully boot a Genode image securely, I would be glad if you find the time to provide a rough how-to to all of us.
Btw. is there a reason for you to use this old release of Genode, instead of the current release 16.08?
Regards Stefan
[1] https://github.com/inversepath/usbarmory/wiki/Secure-boot
genode-main mailing list genode-main@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/genode-main
Thank you for your reply.
I use release 15.02 only because I used it last year.
There is no special reason.
Hi 오지수,
On 28.09.2016 at 07:10, 오지수 wrote:
> Hello
> I'm currently trying to boot Genode 15.02 on the USB Armory.

If you just want to boot Genode without the need for secure booting, have you tried article [1]?

> [1] provides a tutorial on secure boot on the USB Armory.
> But [1] only handles the Linux zImage.
> Is it possible to generate a signed U-Boot for a Genode image?
The current mainline Genode toolchain doesn't support creation of verified uBoot images. As far as I know, nobody tried to secure-boot Genode on the USB Armory yet. Thus, I can't give you any approved information on how to add support. I had a quick look at the tutorial:
"... The U-Boot compilation (with Verified Boot and HAB support) requires a precompiled zImage Linux kernel image source tree path ..."
This makes me wonder whether the Verified Boot/HAB tools support kernels other than Linux at all. For this question it might be better to ask the imx53 community [2] / manuals [3] or at the USB Armory forum [4].
[1] https://github.com/inversepath/usbarmory/wiki/Genode-OS
[2] https://community.nxp.com/
[3] http://cache.nxp.com/files/32bit/doc/app_note/AN4581.pdf
[4] https://groups.google.com/forum/#!forum/usbarmory