I wonder if there is support for secure/trusted boot on any Banana Pi board? And how to use it?
You mean file system encryption??
What system do you want to use? Debian or Ubuntu??
No,
I want to enable signed images (RSA/ECC sign & verify): the BootROM verifies the signature of the next bootloader with respect to the ROTPK (public key in the efuse area).
I have downloaded your SDK (BPI-M2P-bsp-master) and it is well organised. There is one folder: AllWinnerH3/BPI-M2P-bsp-master/u-boot-sunxi/sunxi_spl/sbrom. What is this folder?
We want to use the H3 SoC, but there is no proper information on the secure boot sequence and on building the root of trust.
What is this file? AllWinnerH3/BPI-M2P-bsp-master/sunxi-pack/chips/sun8iw7p1/bin/sboot_sun8iw7p1.bin
Is it a signed image of the 'boot0_sdcard.fex' file?
Hi,
I know what you are asking. I've been working on this now, and will be attempting to flip this 'secure_boot' efuse bit on the BananaPi M5 this weekend. So I will explain what I know, in relation to the BPI M5, since I have this board (uses the Amlogic S905X3).
In order to set the Amlogic S905X to do 'secure boot', and to also have the 'build' process create a secure 'uboot' (i.e. a signed/encrypted bootloader.img), you need to do:
- '#define CONFIG_AML_SIGNED_UBOOT 1' -> this is a flag that needs to be set in the config (.h) file for your board. For some boards it's already configured (i.e. 'g12a_skt_v1.h'), but for the BPI M5 this variable is not set. So in 'bananapi_m5_v1.h', I put this #define around line 699.
- 'copy aml-key' -> copy the 'aml-key' folder from 'BPI-S905X3-Android9-master\bootloader\uboot-repo\bl33\board\amlogic\g12a_skt_v1' to the 'BPI-S905X3-Android9-master\bootloader\uboot-repo\bl33\board\amlogic\bananapi_m5_v1' folder (or to the correct board folder of the board you are using)… this 'aml-key' folder will be used by the 'sign.sh' script within the 'stools' folder mentioned above…
  - this folder contains the AES keys/IVs for AES encryption of the final bootloader.img, as well as RSA keys for 'signing' each component (bl2, bl31, bl33, etc.)...
- run 'quick_compile.sh' to kick off the Banana Pi build… if all goes successfully, you can check the 'u-boot.bin.signed.encrypted' in the \bootloader\uboot-repo\build folder. (They didn't handle copying the encrypted uboot in the quick_compile.sh script if signed is enabled)… (see my notes at the bottom to fix this in the quick_compile.sh script)
Some general notes about the signing… the 'signing' process is done by the 'build.sh' script (that corresponds to your board, i.e. '\bootloader\uboot-repo\fip\g12a\build.sh'). It looks for that variable 'CONFIG_AML_SIGNED_UBOOT' to be enabled; if it is, then it does the below…
It calls the 'sign.sh' in the '\bootloader\uboot-repo\fip\stool' folder. This 'sign.sh' ends up calling the appropriate 'amlogic-sign-xxxx.sh' script for your CPU, in this case the 'amlogic-sign-g12a.sh' script. This script does the signing process, and will also spit out the 'efuses' files in the 'bootloader\uboot-repo\build' folder. You will see a 'pattern.secureboot.efuse' file.
*** The file you should read is the 'readme.txt' in the '\bootloader\uboot-repo\fip\stool' folder ***
In order to enforce secure boot, you MUST burn this 'pattern.secureboot.efuse' from within the 'uboot' menu on the bananapi, which you should be able to enter by holding 'SW1' down while the board boots up, and you need a USB cable connected to your host and your board in order for it to halt in uboot when it discovers your USB connection. Normally in this uboot mode, you have to use the amlogic 'update' tool (64-bit Linux binary) to talk to the uboot mode… it is available from most of the public amlogic github repos…
In the 'readme.txt' above, it tells you how to burn the efuses file via the uboot menu…
** note: have to update this to verify which USB port is needed! **
Some notes about the 'keys'… in the efuses is a SHA-256 hash related to the 4 pubkeys in the root0/1/2/3 .pem files. This SHA-256 is written to offset 0x140 in the efuses (you can even dump the efuses using the 'Raxone' usbdl on github). There does appear to be AES keys/IV and an RSA root hash written to these areas on the bananapi M5…
But looking at the file 'aml-user-key.sig' in '\bootloader\uboot-repo\bl33\board\amlogic\bananapi_m5_v1', it's the same sig file that is in other board folders like the 'g12a_skt_v1' folder, which DOES have an 'aml-key' folder with all the supposed keys… but they do NOT match what I see in the fuses, and the RSA hash also does not match…
So hmm… I won't know until I set up a build this weekend with these keys and try it, and also enable the 'secure boot' efuse… but if it doesn't work, then I think these Banana Pi devs must have programmed these boards with a different keyset that they didn't upload to their github??
Below is how you 'RANDOMLY' create these keysets, if you don't already have one… but in our case, since the BPI M5 seems to have fuses set, we cannot use RNG keys…
'key.create.bash' -> this script is in the 'BPI-S905X3-Android9-master\bootloader\uboot-repo\fip\stool' folder. Run this script with 1 parameter, the folder name where to put your keys. Simplest is to just do 'key.create.bash aml-key'. Your RSA/AES keys are now in the 'aml-key' folder.
*** note: *** if you want to keep things simple, and want to make it easy to look at your resulting 'bootloader.img' and decrypt it without knowing which AES keys to use, just pick ONE of the 'aeskey' and 'aesiv' pairs in your 'aml-key' folder, and replace all of the other aeskey & aesiv keys with this one. That way all of your AES keys will be the same.
You can also do this with all the .pem files (RSA keys): you can just take one of them (like root0.pem) and replace all of the other .pem files with this one, so that you use the same RSA keyset for all RSA things...
--------------------------------------------- quick_compile.sh ---------------------------------------------------------------
*** replace the 'compile_uboot()' function below in '\device\bananapi\common\quick_compile.sh' ***

```bash
compile_uboot(){
    echo -e "[./mk $uboot_name --systemroot]"
    ./mk $uboot_name --systemroot;
    # prefer the signed/encrypted image when CONFIG_AML_SIGNED_UBOOT produced one
    if [ -e build/u-boot.bin.signed.encrypted ]; then
        cp build/u-boot.bin.signed.encrypted ../../device/bananapi/$project_path/bootloader.img;
    else
        cp build/u-boot.bin ../../device/bananapi/$project_path/bootloader.img;
    fi
    cp build/u-boot.bin.usb.bl2 ../../device/bananapi/$project_path/upgrade/u-boot.bin.usb.bl2;
    cp build/u-boot.bin.usb.tpl ../../device/bananapi/$project_path/upgrade/u-boot.bin.usb.tpl;
    cp build/u-boot.bin.sd.bin ../../device/bananapi/$project_path/upgrade/u-boot.bin.sd.bin;
}
```
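The chain the first poster asks about (the BootROM checks the next stage's signature against a key whose hash sits in efuse, the same root-hash idea the M5 post describes) as an added shell example, not code from the forum or from Amlogic's stool scripts. The hash-of-key layout, the image format and the PKCS#1 signature are assumptions for illustration; the script needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the forum post: a stand-in for the root-of-trust check
# the thread describes (fused hash of the root public key + signature over the
# next boot stage). Key-hash layout and signature scheme are assumed, not Amlogic's.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

pubkey_hash() {  # $1 = public key PEM; SHA-256 of its DER form is our "efuse" value
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/.*= //'
}

make_key() {  # $1 = name; writes $1.pem and $1.pub.pem (stand-in for key.create.bash)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.pem" 2>/dev/null
    openssl pkey -in "$WORK/$1.pem" -pubout -out "$WORK/$1.pub.pem" 2>/dev/null
}

sign_image() {  # $1 = private key, $2 = image, $3 = signature out (stand-in for sign.sh)
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# What the boot ROM does: the key shipped alongside the image is trusted only if its
# hash equals the fused value; only then is the signature over the image checked.
bootrom_verify() {  # $1 = fused hash, $2 = pubkey PEM, $3 = image, $4 = signature
    [ "$(pubkey_hash "$2")" = "$1" ] || { echo "ROTPK mismatch: key rejected" >&2; return 1; }
    openssl dgst -sha256 -verify "$2" -signature "$4" "$3" >/dev/null 2>&1 \
        || { echo "signature check failed" >&2; return 1; }
}

demo() {  # returns 0 only if all three expectations hold
    make_key root0 && make_key other
    FUSED=$(pubkey_hash "$WORK/root0.pub.pem")   # burned once, like pattern.secureboot.efuse
    printf 'constructed bl2 payload\n' > "$WORK/bl2.bin"   # constructed sample image
    sign_image "$WORK/root0.pem" "$WORK/bl2.bin" "$WORK/bl2.sig"
    # 1. genuine image, genuine key: accepted
    bootrom_verify "$FUSED" "$WORK/root0.pub.pem" "$WORK/bl2.bin" "$WORK/bl2.sig" || return 1
    # 2. image modified after signing: rejected by the signature check
    printf 'x' >> "$WORK/bl2.bin"
    if bootrom_verify "$FUSED" "$WORK/root0.pub.pem" "$WORK/bl2.bin" "$WORK/bl2.sig"; then return 1; fi
    # 3. image re-signed with a key that is not the fused root: rejected before the signature check
    sign_image "$WORK/other.pem" "$WORK/bl2.bin" "$WORK/bl2.sig"
    if bootrom_verify "$FUSED" "$WORK/other.pub.pem" "$WORK/bl2.bin" "$WORK/bl2.sig"; then return 1; fi
    echo "all three checks behaved as expected"
}

demo
```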