OpenSystemsDevelopment / usbboot

Commit ec8294ffa46931e5b1b322b04ca26863a98a40cb

Authored by Tim Gover
1 parent 4a21a619

secure-boot-example: Update boot.img and docs for cryptsetup example

Inline Side-by-side
Showing 4 changed files with 47 additions and 29 deletions
Readme.md
  View file @ec8294f
... ... @@ -93,6 +93,7 @@ This section describes how to diagnose common `rpiboot` failures for Compute Mod
93 93  
94 94 ### Product Information Portal
95 95 The [Product Information Portal](https://pip.raspberrypi.com/) contains the official documentation for hardware revision changes for Raspberry Pi computers.
  96 +Please check this first to check that the software is up to date.
96 97  
97 98 ### Hardware
98 99 * Inspect the Compute Module pins and connector for signs of damage and verify that the socket is free from debris.
... ... @@ -137,7 +138,7 @@ Secure Boot requires a recent bootloader stable image e.g. the version in this r
137 138 Creating a secure boot system from scratch can be quite complex. The [secure boot tutorial](secure-boot-example/README.md) uses a minimal example OS image to demonstrate how the Raspberry Pi-specific aspects of secure boot work.
138 139  
139 140 ### Host Setup
140   -Secure boot require a 2048 bit RSA asymmetric keypair and the Python `pycrytodomex` module to sign the EEPROM config and boot image.
  141 +Secure boot require a 2048 bit RSA asymmetric keypair and the Python `pycrytodomex` module to sign the bootloader EEPROM config and boot image.
141 142  
142 143 #### Install Python Crypto Support (the pycryptodomex module)
143 144 ```bash
... ... @@ -171,37 +172,27 @@ The `boot.img` file should contain:-
171 172  
172 173  
173 174 ### Disk encryption
174   -Secure-boot loads the `boot.img` from an unencrypted FAT / EFI boot partition and is responsible for
175   -loading the Kernel + initramfs. There is no support in the firmware or ROM for full-disk encryption.
  175 +Secure-boot is responsible for loading the Kernel + initramfs and loads all of the data
  176 +from a single `boot.img` file stored on an unencrypted FAT/EFI partition.
176 177  
177   -If a custom OS image needs to use an encrypted file-system then this would normally be implement
  178 +**There is no support in the ROM or firmware for full-disk encryption.**
  179 +
  180 +If a custom OS image needs to use an encrypted file-system then this would normally be implemented
178 181 via scripts within the initramfs.
179 182  
180 183 Raspberry Pi computers do not have a secure enclave, however, it's possible to store a 256 bit
181 184 [device specific private key](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#device-specific-private-key)
182   -in OTP. The key is accessible to any process with access to `/dev/vcio` (`vcmailbox`) so the
  185 +in OTP. The key is accessible to any process with access to `/dev/vcio` (`vcmailbox`), therefore, the
183 186 secure-boot OS must ensure that access to this interface is restricted.
184 187  
185   -**It's not possible to prevent code kernel code from accessing OTP directly**
  188 +**It is not possible to prevent code running in ARM supervisor mode (e.g. kernel code) from accessing OTP hardware directly**
186 189  
187 190 See also:-
188 191 * [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup)
189 192 * [cryptsetup FAQ](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions)
190 193 * [rpi-otp-private-key](../tools/rpi-otp-private-key)
191 194  
192   -Example script which uses a device-specific private key to create/mount an encrypted file-system.
193   -```bash
194   -export BLK_DEV=/dev/mmcblk0p3
195   -export KEY_FILE=$(mktemp -d)/key.bin
196   -rpi-otp-private-key -b > "${KEY_FILE}"
197   -cryptsetup luksFormat --key-file="${KEY_FILE}" --key-size=256 --type=luks2 ${BLK_DEV}
198   -
199   -cryptsetup luksOpen ${BLK_DEV} encrypted-disk --key-file="${KEY_FILE}"
200   -mkfs /dev/mapper/encrypted-disk
201   -mkdir -p /mnt/application-data
202   -mount /dev/mapper/encrypted-disk /mnt/application-data
203   -rm "${KEY_FILE}"
204   -```
  195 +The [secure boot tutorial](secure-boot-example/README.md) contains a `boot.img` that supports cryptsetup and a simple example.
205 196  
206 197 ### Building `boot.img` using buildroot
207 198  
... ... @@ -278,4 +269,5 @@ openssl rsa -in private.pem -pubout -out public.pem
278 269 ```
279 270  
280 271 #### Copy the secure boot image to the boot partition on the Raspberry Pi.
281   -Copy `boot.img` and `boot.sig` to the chosen boot filesystem. Secure boot images can be loaded from any of the normal boot devices (e.g. SD, USB, Network).
  272 +Copy `boot.img` and `boot.sig` to the boot filesystem.
  273 +Secure boot images can be loaded from any of the normal boot modes (e.g. SD, USB, Network).
... ...
secure-boot-example/README.md
  View file @ec8294f
... ... @@ -16,12 +16,10 @@ This example includes a simple buildroot image for Compute Module 4 in order
16 16 to demonstrate secure boot on a simple but functional OS.
17 17  
18 18 The example does NOT modify the OTP or make other permanent changes to the system;
19   - the code signing can be disabled by reflashing the default bootloader EEPROM.
  19 +the code signing can be disabled by reflashing the default bootloader EEPROM.
20 20  
21   -This tutorial does not cover how to create the `boot.img` file or permanently
22   -require secure boot in OTP. Please see the top level [README](../Readme.md#building) and
23   -[secure-boot-recovery/README](../secure-boot-recovery/README.md) guides for
24   -more information.
  21 +Please see the top level [README](../Readme.md#building) and [secure-boot-recovery/README](../secure-boot-recovery/README.md) guides for
  22 +instructions about how to permanently enable secure-boot by programming OTP.
25 23  
26 24 ### Requirements for running this example
27 25 * A Raspberry Pi Compute Module 4
... ... @@ -121,6 +119,33 @@ load the OS.
121 119  
122 120 This example OS image is minimal Linux ramdisk image. Login as `root` with the empty password.
123 121  
  122 +#### Disk encryption example
  123 +Example script which uses a device-specific private key to create/mount an encrypted file-system.
  124 +
  125 +Generating a 256-bit random key for test purposes.
  126 +```bash
  127 +export KEY_FILE=$(mktemp -d)/key.bin
  128 +openssl rand -hex 32 | xxd -rp > ${KEY_FILE}
  129 +```
  130 +
  131 +Using [rpi-otp-private-key](../tools/rpi-otp-private-key) to extract the device private key (if programmed).
  132 +```bash
  133 +export KEY_FILE=$(mktemp -d)/key.bin
  134 +rpi-otp-private-key -b > "${KEY_FILE}"
  135 +```
  136 +
  137 +Creating an encrypted disk on a specified block device.
  138 +```bash
  139 +export BLK_DEV=/dev/mmcblk0p3
  140 +cryptsetup luksFormat --key-file="${KEY_FILE}" --key-size=256 --type=luks2 ${BLK_DEV}
  141 +
  142 +cryptsetup luksOpen ${BLK_DEV} encrypted-disk --key-file="${KEY_FILE}"
  143 +mkfs /dev/mapper/encrypted-disk
  144 +mkdir -p /mnt/application-data
  145 +mount /dev/mapper/encrypted-disk /mnt/application-data
  146 +rm "${KEY_FILE}"
  147 +```
  148 +
124 149 ### Mount the CM4 SD/EMMC after enabling secure-boot
125 150 Now that `SIGNED_BOOT` is enabled the bootloader will only load images signed with private key generated earlier.
126 151 To boot the Compute Module in mass storage mode a signed version of this code must be generated.
... ... @@ -153,4 +178,5 @@ For example:
153 178 * Power cycle the CM4 IO board.
154 179 * The system should now boot into the OS.
155 180  
156   -The secure-boot example image can be rebuilt and modified using buildroot. See [raspberrypi-signed-boot buildroot](https://github.com/raspberrypi/buildroot/blob/raspberrypi-signed-boot/README.md)
  181 +### Modifying / rebuilding `boot.img`
  182 +The secure-boot example image can be rebuilt and modified using buildroot. See [raspberrypi-signed-boot](https://github.com/raspberrypi/buildroot/blob/raspberrypi-signed-boot/README.md) buildroot configuration.
... ...
secure-boot-example/boot.img
View file @ec8294f
No preview for this file type
secure-boot-example/boot.sig
  View file @ec8294f
1   -eaf0471182874f0b80e6fdfa2c801bd3ea6f7bdc21a807d2c616bad8d88fc417
2   -ts: 1666183916
3   -rsa2048: bbb15b0d7f90c8f022b8fad9766258dadb7a0a0aad5af7daf846cccccf49b8d0bc72ef3fb2551f630786642b7fbe9e3e11328b72bc41698ffc8928bd058b6b37d09cb6d35ecc427be1f4b1a897bcf480b80dc1eb109526f512cad23d2744c8e3538447e45156c6bf3dd5b89401ee9d933b8dcb3d20ada352d18312f42b7bae54131eb0a33449fe2a5cf4bf0b5c7f1f3f94d683e76806465d903156bab19542fe2e96a2d99f1b8d1332962109dd7a0b317add8448fa43beb7ecb1f333303a989d6534ef653e9f1466ce0beac620759fbcc22ad1b622a8dc9bd2c278886b117c038f0f7edfd1b580d44ddfc4303e0c41c9819ffa3afff7361e84a2b964bb2b01cd
  1 +946e19fa1396e99aaee32259deeaeb130396f2fc32b240d0a690bee7e25c5a0a
  2 +ts: 1668104408
  3 +rsa2048: afe8c8a8b150d8d317858c24175a942ca10ee47df9e3f546a0fa1bee9fb0e276036c1ed03151de15b048f782e98800a0c17ccda4a7605be9c8585e88c007fd0803545e138d3b537afc7b85696b330617322605a91fa066ae9cdcbd6946ef14be9f00ef0539dcd490af0a87c91e02c82e6fde122fdf3f904c09a6fd9cfbc5c31f0ab4fd5f5aa584c1c9f7a3d46dc298ad164a86c853eaedc3d8822f9a0102e7d4929579d8c90e000dba5b69ca2d52d18e2a5239d86a178ffd07521821dda626a517c7368ad12d44c42df22e7fe589d5b9cd0f49ecd4367e270f2891043fd313ea0bcfcda28ef87f8e2a0ada7db32ae04d2aa44dc03cf9ce6e83dda339deba8241
... ...