Message ID | 20230828104315.466393-1-tho1.nguyendat@toshiba.co.jp (mailing list archive) |
---|---|
Series | Enable secured boot for BBB |
On 28.08.23 12:43, tho1.nguyendat@toshiba.co.jp wrote:
> From: Tho Nguyen <tho1.nguyendat@toshiba.co.jp>
>
> Hi,
>
> The following patch series enables secured boot for Beaglebone Black, please help me review them and give your feedback.
>
> Nguyen Dat Tho (3):
>   linux/cip-kernel-config: Use latest commit
>   bbb: Enable secured boot
>   u-boot: Add EFI secure boot dependency
>
>  Kconfig                                       |  2 +-
>  recipes-bsp/u-boot/files/secure-boot.cfg.tmpl |  1 +
>  recipes-kernel/linux/cip-kernel-config.inc    |  2 +-
>  wic/bbb-efibootguard-secureboot.wks.in        | 13 +++++++++++++
>  4 files changed, 16 insertions(+), 2 deletions(-)
>  create mode 100644 wic/bbb-efibootguard-secureboot.wks.in
>

Thanks, patch 1 and 3 are already in next (I assume you didn't change them in this round, did you?).

Patch 2 now makes me wonder about more fundamental things: I'm sure we can boot securely via UEFI onward - provided we can store the image keys somewhere. How did you address that? Did you test that you cannot boot a manipulated rootfs? I'm not seeing anything that enables secure storage. What we would need is some secure storage so that we can write the UEFI keys into it.

The alternative would be a static chain with (public) image keys hard-coded into the firmware. But that would be only ok if there is nothing to store securely during runtime (CONFIG_IMAGE_DATA_ENCRYPTION).

Jan

Hi,

> Thanks, patch 1 and 3 are already in next (I assume you didn't change them in this round, did you?).

Yes, I didn't change patch 1 and 3.

> Patch 2 now makes me wonder about more fundamental things: I'm sure we can boot securely via UEFI onward - provided we can store the image keys somewhere. How did you address that? Did you test that you cannot boot a manipulated rootfs? I'm not seeing anything that enables secure storage. What we would need is some secure storage so that we can write the UEFI keys into it.

I have tried to use TPM2 on BBB before, but I got some problems when enabling the TPM device on BBB:

* No TPM device for BBB, so I tried to use TPM9670 (https://wiki.52pi.com/index.php/EP-0149) but it's for Pi, not sure it can work with BBB.
* No device tree configuration for TPM on BBB. I tried to use some examples but they still do not work.

On 29.08.23 04:32, tho1.nguyendat@toshiba.co.jp wrote:
> Hi,
>
>
> Thanks, patch 1 and 3 are already in next (I assume you didn't change
> them in this round, did you?).
>
> Yes, I didn't change patch 1 and 3.
>
> Patch 2 now makes me wonder about more fundamental things: I'm sure we
> can boot securely via UEFI onward - provided we can store the image keys
> somewhere. How did you address that? Did you test that you cannot boot a
> manipulated rootfs? I'm not seeing anything that enables secure storage.
> What we would need is some secure storage so that we can write the UEFI
> keys into it.
>
> I have tried to use TPM2 on BBB before, but I got some problems when
> enabling the TPM device on BBB:
>
>   * No TPM device for BBB, so I tried to use TPM9670
>     (https://wiki.52pi.com/index.php/EP-0149
>     <https://wiki.52pi.com/index.php/EP-0149>) but it's for Pi, not sure
>     it can work with BBB.
>   * No device tree configuration for TPM on BBB. I tried to use some
>     examples but they still do not work.

An alternative might be an fTPM, like we use in [1]. I'm also playing with that on the BeaglePlay, not done yet though. What we need for that is secure storage, possibly via RPMB of the eMMC. Not sure if the BBB had that already.

Jan

[1] https://github.com/siemens/meta-iot2050/

From: Tho Nguyen <tho1.nguyendat@toshiba.co.jp>

Hi,

The following patch series enables secured boot for Beaglebone Black, please help me review them and give your feedback.

Nguyen Dat Tho (3):
  linux/cip-kernel-config: Use latest commit
  bbb: Enable secured boot
  u-boot: Add EFI secure boot dependency

 Kconfig                                       |  2 +-
 recipes-bsp/u-boot/files/secure-boot.cfg.tmpl |  1 +
 recipes-kernel/linux/cip-kernel-config.inc    |  2 +-
 wic/bbb-efibootguard-secureboot.wks.in        | 13 +++++++++++++
 4 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 wic/bbb-efibootguard-secureboot.wks.in