utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
vagrantc has quit [Quit: leaving]
apritzel has quit [Ping timeout: 480 seconds]
Daanct12 has joined #linux-sunxi
palmer_ has left #linux-sunxi [#linux-sunxi]
palmer has joined #linux-sunxi
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
vagrantc has joined #linux-sunxi
Halamix2 has quit [Quit: Gone (and/or ZNC is doing something stupid)]
Halamix2 has joined #linux-sunxi
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
vagrantc has quit [Quit: leaving]
hexdump01 has joined #linux-sunxi
hexdump0815 has quit [Ping timeout: 480 seconds]
JohnDoe_71Rus has joined #linux-sunxi
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
<gamiee>
apritzel: so, it is already ready to use TOC0 for bootloader checking? :o
<gamiee>
(also, does u-boot have some mechanism to check sign of kernel?)
hexdump01 has quit []
hexdump0815 has joined #linux-sunxi
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
<daschaos>
Yes, u-boot supports the check of signed kernels. The easiest way is to use FIT Images, the whole fit image gets signed, so everything in it including DTBs are also signed.
bauen1 has quit [Ping timeout: 480 seconds]
tnovotny has joined #linux-sunxi
warpme has joined #linux-sunxi
bauen1 has joined #linux-sunxi
apritzel has joined #linux-sunxi
warpme has quit []
<apritzel>
gamiee: what do you mean exactly with "bootloader checking"?
<apritzel>
the main usage for TOC0 is to be able to boot anything at all on boards with the secure boot fuse burnt
<apritzel>
and consistency checks are already in place with eGON, albeit using just a very simple checksum
<apritzel>
and as daschaos said: the rest of the boot chain should be validated by U-Boot then
<apritzel>
IIUC we don't support this in the SPL atm, mainly for code size reasons, although this shouldn't be an issue anymore for SoCs like H6 and newer
<apritzel>
and AFAIK nobody has really tried to burn an actual key hash into the eFUSEs, to enable proper SPL signature checks by the BROM
<gamiee>
apritzel: this is exactly what I would like to do, to burn actual key has into eFUSE, so non-signed u-boot will be not possible to run.
warpme has joined #linux-sunxi
<apritzel>
I guess smaeul is the person to talk to in this case
<apritzel>
but this would be only the first step: to verify the SPL is legit. The rest of the firmware (U-Boot proper, TF-A, DTB) would need to be checked by the SPL
<apritzel>
I think U-Boot has all the infrastructure to do that (since we use a FIT image for that as well), but you'd have to enable that in the config
<apritzel>
and then fix the compilation problems that you will most likely see, because that's U-Boot
<gamiee>
I am using H3, so only U-boot proper and kernel needs to be verified. (I am using DTB from u-boot)
<apritzel>
"DTB from U-Boot": very good, as you should! With smaeul's recent patches (sent yesterday) we gain SPL FIT support for 32-bit SoCs as well, so this should be the same category then
<apritzel>
gamiee: it would be great if you could explore that: apply and test his patches, then try to enable FIT signature checking in the SPL
<gamiee>
Sweet! Those are really good news.
<apritzel>
the H3 is unfortunately limited to 32KB SPL, so this might become a bit tight
<gamiee>
Yes, I can try that. Also, will this anyhow collide with Crust?
<gamiee>
(I don't know how Crust is "packed into u-boot)
<apritzel>
it should not, crust on H3 mostly requires SPL FIT: the commit messages explicitly mention that
<gamiee>
Sweeeet.
<apritzel>
so the U-Boot FIT would contain U-Boot proper, the DTB, crust, and IIUC this special eGON blob for CPU suspend/wakeup
<apritzel>
and all of this could be checked by the SPL, which itself is checked by the BROM
<gamiee>
Can FIT have also custom boot.cmd? Or rather I should override the default boot cmd in u-boot?
<gamiee>
This sounds really really good.
<apritzel>
haven't tried that, but FIT should allow to load arbitrary data into arbitrary locations, so that should include a boot script to $scriptaddr
<apritzel>
we use something to that effect with sunxi-fel: you upload a U-Boot script file to the right address, and it gets executed
<gamiee>
hmm, good to know. Will see what will work 😁 but this is amazing. Basically, I can get rid of the /boot partition at all lol :D Everything will be in u-boot SPL and FIT image.
<apritzel>
gamiee: just to avoid confusion: depending on your boot flow, there might be *two* separate FIT images at play here:
<apritzel>
one that contains U-Boot, the DTB, crust and will be loaded by the SPL
<apritzel>
and optionally one that contains the kernel, and maybe an initrd, that will be loaded by U-Boot proper
<apritzel>
of course you can just load the kernel and initrd separately from any media accessible to U-Boot, there is no real need to wrap that up, especially if you have a boot script anyway
<gamiee>
Yeah, actually, this sounds as good idea, because I have more advanced boot flow. u-boot checks if button is pressed, if yes, it will load alternate kernel and rootfs (recovery mode), else it will load main kernel and rootfs on partition.
<gamiee>
But if I want to encrypt partition, I guess I will need initrc... hm
<apritzel>
well, you have to load stuff from somewhere. Whether this is a separate /boot partition or another partition, is just an implementation detail
<apritzel>
U-Boot supports multiple filesystems, so you wouldn't be limited to FAT, if that is your concern
kuba2k2 has joined #linux-sunxi
<gamiee>
Yeah, that should be fine.
dsimic is now known as Guest5538
dsimic has joined #linux-sunxi
Guest5538 has quit [Ping timeout: 480 seconds]
junari has joined #linux-sunxi
junari has quit [Ping timeout: 480 seconds]
bauen1 has quit [Ping timeout: 480 seconds]
JohnDoe_71Rus has quit []
Daanct12 has quit [Quit: WeeChat 4.1.1]
warpme has quit []
kuba2k2 has quit [Ping timeout: 480 seconds]
warpme has joined #linux-sunxi
bauen1 has joined #linux-sunxi
kuba2k2 has joined #linux-sunxi
warpme has quit []
JohnDoe_71Rus has joined #linux-sunxi
bauen1 has quit [Ping timeout: 480 seconds]
kuba2k2 has quit [Ping timeout: 480 seconds]
warpme has joined #linux-sunxi
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
gsz has joined #linux-sunxi
kuba2k2 has joined #linux-sunxi
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
warpme has quit []
gsz has quit [Ping timeout: 480 seconds]
warpme has joined #linux-sunxi
evgeny_boger has joined #linux-sunxi
tnovotny has quit [Remote host closed the connection]
juri__ has joined #linux-sunxi
juri_ has quit [Ping timeout: 480 seconds]
juri_ has joined #linux-sunxi
juri__ has quit [Ping timeout: 480 seconds]
apritzel has quit [Ping timeout: 480 seconds]
kuba2k2 has quit [Ping timeout: 480 seconds]
JohnDoe_71Rus has quit []
colinsane has quit [Ping timeout: 480 seconds]
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
apritzel has joined #linux-sunxi
warpme has quit []
utsweetyfish has quit [Remote host closed the connection]
utsweetyfish has joined #linux-sunxi
<smaeul>
apritzel: yes, there's a different FEL entry address when in secure mode, because (except for D1 and A523) it has to switch to NBROM where the FEL code is.
<smaeul>
I believe it is 0x64, which loads a magic value in r6, which is then checked at the end of that block
<smaeul>
your wiki update looks good
<smaeul>
I'm somewhat surprised that the mkimage TOC0 code continues to work on A523, though I suppose there's no motivation for AW to change their secure boot code
<apritzel>
smaeul: what did you expect? ;-)
<smaeul>
I hope they've at least fixed the stack smashing bug :/
<apritzel>
and while A76 doesn't support AArch32 in EL3 anymore, A55 does, so as long as they stay big.LITTLE, they can play this game (BROM in AA32) for a while
<gamiee>
smaeul: hi! Please, do you have any tools or info about signing u-boot SPL for BROM? I would like to try to get secure booting working on my H3
<smaeul>
I still haven't tried writing a key hash to the eFuse on any device, because I'm not confident in the endianness
<apritzel>
smaeul: isn't that signature checking code visible in the BROM? So you could check that, or somehow try or emulate?
<smaeul>
yeah, true
<gamiee>
Are there hidden parts of BROM?
<smaeul>
no
<smaeul>
you can only access the secure BROM if the secure fuse is burnt, but that's not really "hiding" it
<smaeul>
to answer your specific question about signing U-Boot SPL, apritzel just documented that on the wiki: https://linux-sunxi.org/TOC0#U-Boot.27s_mkimage
<apritzel>
I think gamiee is after signing the FIT image that the SPL loads ...
<apritzel>
I believe this should be generic U-Boot code, but I have never tried that
<smaeul>
1) generate a key, 2) build with CONFIG_SPL_IMAGE_TYPE_SUNXI_TOC0=y, 3) optionally, write the SHA-256 hash of the key to the eFuse
<smaeul>
right, CONFIG_SPL_FIT_SIGNATURE
<apritzel>
plus CONFIG_MAKE_EVERTHING_ELSE_REALLY_TINY_AND_HOPE_FOR_THE_BEST, because there is a hard 32K limit on the H3
<smaeul>
yeah, it might be worth trying to use the crypto engine for code size
<apritzel>
I was thinking the same, but that sounds like a serious challenge
<apritzel>
we need Corentin ....
ftg has joined #linux-sunxi
colinsane has joined #linux-sunxi
bauen1 has joined #linux-sunxi
gnarface__ has joined #linux-sunxi
gnarface has quit [Read error: Connection reset by peer]
gnarface__ has quit []
gnarface has joined #linux-sunxi
ftg has quit [Ping timeout: 480 seconds]
ftg has joined #linux-sunxi
Newbyte has quit [Ping timeout: 480 seconds]
KNULLNoNeAll[m] has quit [Ping timeout: 480 seconds]
Tooniis[m] has quit [Ping timeout: 482 seconds]
cperon has quit [Ping timeout: 480 seconds]
insep has quit [Ping timeout: 480 seconds]
chuang[m] has quit [Ping timeout: 482 seconds]
GrantM11235[m] has quit [Ping timeout: 482 seconds]
aerospace[m] has quit [Ping timeout: 482 seconds]
sajattack[m]1 has quit [Ping timeout: 480 seconds]
exkc has quit [Ping timeout: 480 seconds]
movedon5b2z4xywybidzannet[m] has quit [Ping timeout: 480 seconds]
fraolt has quit [Ping timeout: 480 seconds]
dittid[m] has quit [Ping timeout: 483 seconds]
obbardc has quit [Ping timeout: 480 seconds]
error2[m] has quit [Ping timeout: 480 seconds]
DanielakaCyReVolt[m] has quit [Ping timeout: 480 seconds]