Enabling Secure Boot

Hi,

I put this writeup in the BPI-M2+ forum, so figured I would post it here as well, in case anyone was wondering how to get started on a ‘secure-boot’ setup with the BPI-M5…

what I haven’t verified yet is if the ‘keys’ they have in their source for other similar boards are correct for what appears to be already burned into the efuses on this thing… if it’s not, maybe the M5 devs on here can figure out what keys they used??


Hi,

I know what you are asking, I’ve been working on this now, and will be attempting to flip this ‘secure_boot’ efuse bit on the BananaPi M5 this weekend. So I will explain what I know, in relation to the BPI M5, since I have this board (uses the Amlogic S905X3).

In order to set the Amlogic S905x to do ‘secure boot’, and to also have the ‘build’ process create a secure ‘uboot’ (ie signed/encrypted bootloader.img), you need to do:

  1. #define CONFIG_AML_SIGNED_UBOOT 1’ —> this is a flag that needs to be set in the config file (.h) file for your board, for some boards it’s already configured (ie ‘g12a_skt_v1.h’), but for the BPI M5 this variable is not set. So in the ‘bananapi_m5_v1.h’, I put this #define around line 699.

  2. ‘copy aml-key’ —> copy the ‘aml-key’ folder from the ‘BPI-S905X3-Android9-master\bootloader\uboot-repo\bl33\board\amlogic\g12a_skt_v1’ to the ‘BPI-S905X3-Android9-master\bootloader\uboot-repo\bl33\board\amlogic\bananapi_m5_v1’ folder (or to the correct board folder of the board you are using)… this ‘aml-key’ folder will be used by the ‘sign.sh’ script within the ‘stools’ folder mentioned above…

    				   --- this folder contains the aes keys/iv for aes encryption of the final bootloader.img, as well as RSA keys for 'signing' each component (bl2, bl31, bl33,
               			   etc)....
    
  3. run the ‘quick_compile.sh’ to kick off the banana pi build… if all goes successfully, you can check the ‘u-boot.bin.signed.encrypted’ from the \bootloader\uboot-repo\build
    folder. (they didn’t handle copying the encrypted uboot in the quick_compile.sh script if signed is enabled)…

    (see my notes at the bottom to fix this in the quick_compile.sh script)

Some general notes about the signing… the ‘signing’ process is done by the ‘build.sh’ script (that corresponds to your board, ie ‘\bootloader\uboot-repo\fip\g12a\build.sh’). It looks for that variable ‘CONFIG_AML_SIGNED_UBOOT’ to be enabled, if it is, then it does below…

calls the ‘sign.sh’ in the ‘\bootloader\uboot-repo\fip\stool’ folder. This ‘sign.sh’ ends up calling the appropriate ‘amlogic-sign-xxxx.sh’ script for your cpu, in this case the ‘amlogic-sign-g12a.sh’ script. This script does the sigining process, and will also spit out the ‘efuses’ files in the ‘bootloader\uboot-repo\build’ folder. You will see a ‘pattern.secureboot.efuse’ file.

** file you should read is the ‘readme.txt’ in the ‘\bootloader\uboot-repo\fip\stool’ folder ***

in order to enforce secure boot, you MUST burn this ‘pattern.secureboot.efuse’ from within the ‘uboot’ menu on the bananapi, which you should be able to enter by holding ‘SW1’ down while the board boots up, and you need a USB cable connected to your host and your board in order for it to halt in uboot when it discovers your usb connection. Normally in this uboot mode, you have to use the amlogic ‘update’ tool (64-bit linux binary) to talk to the uboot mode… it is available from most of the public amlogic github repos…

in the ‘readme.txt’ above, it tells you how to burn the efuses file via the uboot menu…

** note: have to update this to verify which USB port is needed! **

Some notes about the ‘keys’… in the efuses is a sha-256 hash related to the 4 pubkeys in the root0/1/1/3 .pem files. This sha-256 is written to offset 0x140 in the efuses (you can even dump the efuses using the ‘Raxone’ usbdl on github). There does appear to be AES keys/iv and RSA root hash written to these areas on the bananapi M5…

But looking at the file ‘aml-user-key.sig’ in the ‘\bootloader\uboot-repo\bl33\board\amlogic\bananapi_m5_v1’, it’s the same sig file that is in other board folders like the ‘g12a_skt_v1’ folder, which DOES have an ‘aml-key’ folder with all the supposed keys… but they do NOT match what I see in the fuses, and the rsa hash also does not match…

so hmm… I won’t know until I setup a build this weekend with these keys and try it, and also enable the ‘secure boot’ efuse… but if it doesn’t work, then I think these banana Pi devs must have programmed these boards with a different keyset that they didn’t upload to their github??

below is how you ‘RANDOMLY’ create these keysets, if you don’t already have one… but in our case, since the BPI M5 seems to have fuses set, we cannot use RNG keys…

‘key.create.bash’ —> this script is in the ‘BPI-S905X3-Android9-master\bootloader\uboot-repo\fip\stool’ folder. Run this script with 1 parameter, the folder name where to put your keys. Simplest is to just do ‘key.create.bash aml-key’. Your rsa/aes keys are now in the ‘aml-key’ folder.

					   *** note:  ***  if you want to keep things simple, and want to make it easy to look at your resulting 'bootloader.img' and decrypt it without knowing which aes keys to use, just pick ONE of the 'aeskey' and 'aesiv' paris in your 'aml-key' folder, and replace all of the other aeskey & aesiv keys with this one.  That way all of your aes keys will be the same.
					   
					   You can also do this with the all the .pem files (RSA keys), you can just take one of them (like root0.pem), and replace all of the other .pem files with this one, so that you use the same RSA keyset for all RSA things...

--------------------------------------------- quick_compile.sh --------------------------------------------------------------- *** replace the ‘compile_uboot()’ function below in ‘\device\bananapi\common\quick_compile.sh’ ****

compile_uboot(){
   echo -e "[./mk $uboot_name --systemroot]"
   ./mk $uboot_name --systemroot;

   if [ -e build/u-boot.bin.signed.encrypted ]; then
      cp build/u-boot.bin.signed.encrypted ../../device/bananapi/$project_path/bootloader.img;
   else
      cp build/u-boot.bin ../../device/bananapi/$project_path/bootloader.img;
   fi
   cp build/u-boot.bin.usb.bl2 ../../device/bananapi/$project_path/upgrade/u-boot.bin.usb.bl2;
   cp build/u-boot.bin.usb.tpl ../../device/bananapi/$project_path/upgrade/u-boot.bin.usb.tpl;
   cp build/u-boot.bin.sd.bin ../../device/bananapi/$project_path/upgrade/u-boot.bin.sd.bin;

}