Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Safeguard ALP with NXP Secure Boot

Safeguard ALP with NXP Secure Boot

Secure boot on x86_64 is mostly taken for granted, as it is a mature feature in UEFI. When it comes to aarch64, the Secure Boot implementation can differ on each platform. In this session, we will learn how to safeguard SUSE ALP on NXP platforms with QorIQ Trust Architecture and High Assurance Boot (HABv4).

https://www.youtube.com/watch?v=Vn3KvcU2BdU

Alexandre Vicenzi

April 24, 2024
Tweet

More Decks by Alexandre Vicenzi

Other Decks in Technology

Transcript

  1. Copyright © SUSE — I'm Alex — Applications team –

    SLE BCI – Container Ecosystem — Previously Automotive team About me 2
  2. Copyright © SUSE — Proof of concept — Customer request

    — Not tested in production Disclaimer 3
  3. Copyright © SUSE — Standard developed by PC industry —

    Authenticity – Ensure that the image is from a trusted source — Integrity – Ensure that the image has not been tampered with — Each component of the boot process is digitally signed — Each component of the boot process gets verified – Verification failure aborts the boot process — Secure boot? Trusted boot? Chain of Trust? What is secure boot? 4
  4. Copyright © SUSE — Sign each image — Authenticate each

    image before execution — Boot States with Arm Trusted Firmware (TF-A) – BL1 - Boot ROM – Embedded in the hardware – BL2 - Platform initialization – Initialize DRAM – Validates BL31, BL32 and BL33 – BL31 - Runtime firmware - TF-A – BL32 - Trusted OS - OP-TEE – Optional – BL33 - U-Boot How it works? 5 BL1 Boot ROM BL2 Platform Initialization BL31 TF-A BL32 OP-TEE 1 2 3 4 BL33 U-Boot Kernel 6 5 fip.bin bl2.pbl
  5. Copyright © SUSE — Security – Boot verified and trusted

    images only – Image has not been tampered with — Compliance – Cyber Resilience Act (EU) Why we need it? 6
  6. Copyright © SUSE — Available for the i.MX family –

    High Assurance Boot (HABv4) — Available for QorIQ family – QorIQ Trust Architecture Hardware support 7
  7. Copyright © SUSE — Prepare the image – Build binaries

    – Prepare rootfs – Sign binaries — Setup the board – Steps varies by board and platform – Enable secure boot – Program required keys – It is a one-time operation – Can't be undone – Fuses are physically blown — Flash the image — Power on the board Steps for secure boot on NXP 8
  8. Copyright © SUSE — Many bits need to be signed

    — Signing happens at different stages — NXP Code Signing Tool – NXP software for image signing – Collection of command-line tools — Each NXP platform has its own CST – NXP Code Signing Tool for i.MX High Assurance Boot (HAB) – NXP Code Signing Tool for QorIQ and Layerscape Image signing tool 9
  9. Copyright © SUSE — Generate RSA key pair with CST

    – Super Root Key (SRK) — Prepare binaries – NXP blobs – Kernel, Initramfs, Device Tree (dtb) – ARM Trusted Firmware, U-Boot – U-Boot Boot Script and FIT image — Signing binaries – ARM Trusted Firmware handles it during build time – Requires CST to sign — Generate secure boot headers – CST provides this functionality Building an image 10
  10. Copyright © SUSE — TF-A supports two options for Chain

    of Trust – NXP CSF headers or X 509 certificates — CSF header is embedded into each image – BL31 (TF-A), BL32 (OP-TEE, optional) and BL33 (U-Boot) — Build for LX2160A requires a few items – NXP blobs (Reset Config Word Tree and DDR PHY) – U-Boot and OP-TEE (Optional) – CST and Signing Keys (SRK) – RSA key pair (srk.pri and srk.pub) must be in TF-A root folder Arm Trusted Firmware (TF-A) 11 $ make PLAT=lx2160ardb \ TRUSTED_BOARD_BOOT=1 \ CST_DIR=/cst \ DDR_PHY_BIN_PATH=ddr-phy-binary/lx2160a \ fip_ddr $ make PLAT=lx2160ardb \ TRUSTED_BOARD_BOOT=1 \ CST_DIR=/cst \ BOOT_MODE=sd \ RCW=/rcw/rcw_2200_750_3200_19_5_2.bin \ BL33=/boot/u-boot.bin \ all fip pbl Compile FIP and PBL Compile FIP-DDR fip_ddr can't be mixed with other targets
  11. Copyright © SUSE /dts-v1/; / { description = "FIT Image";

    #address-cells = <1>; images { kernel { description = "Linux kernel image"; data = /incbin/("uImage.bin"); type = "kernel"; arch = "arm64"; os = "linux"; compression = "none"; load = <0x81000000>; entry = <0x81000000>; hash-1 { algo = "sha256"; }; }; fdt { description = "Flattened DTB"; data = /incbin/("uImage.dtb"); type = "flat_dt"; arch = "arm64"; compression = "none"; hash-1 { algo = "sha256"; }; }; ramdisk { description = "Initial ramdisk image"; data = /incbin/("initramfs.img"); type = "ramdisk"; arch = "arm64"; os = "linux"; compression = "gzip"; load = <0x90000000>; entry = <0x90000000>; hash-1 { algo = "sha256"; }; }; }; configurations { default = "standard"; standard { description = "Default boot config"; kernel = "kernel"; ramdisk = "ramdisk"; fdt = "fdt"; }; }; }; Flattened Image Tree (FIT) 12 — FIT uses the Flattened Device Tree (DTB) format — Binaries are embedded inside it – kernel, ramdisk, etc. — Definition is an Image Tree Source (.its) — Binary is an Image Tree Blob (.itb) — Created using U-Boot mkimage tool lx2160a.its Boot Configuration Kernel Image Device Tree Blob Initramfs Image $ mkimage -f lx2160a.its kernel.itb Compile FIT image
  12. Copyright © SUSE setenv bootargs console=ttyAMA0,115200 root=LABEL=ROOT rw rootwait load

    mmc 0:1 ${load_addr} kernel.itb bootm ${load_addr} $ mkimage -A arm64 -O linux -T script -C none -d boot.cmd boot.scr U-Boot Boot Script 13 Kernel Arguments Load FIT into memory Boot from memory Compile boot script boot.cmd — U-Boot-specific script for boot — Standardized method to boot independently of the board used — Script is often named boot.scr or boot.scr.uimg – Can be overwritten by U-Boot settings – Use lx2160ardb_boot.scr for LX2160A — Created using U-Boot mkimage tool
  13. Copyright © SUSE — CST provides helper scripts to create

    secure boot headers — Input files controls file names, keys and other settings — No need to customize input files – But you may need to rename your files — CST creates secure headers for many files – Kernel image, Initramfs, DTB – NXP blobs (MC, DPC, DLP) – U-Boot Boot Script, FIT Image — All headers are concatenated into secboot_hdrs_sdboot.bin Secure Boot Headers 14 $ cst/platforms/lx2160_sd.sh Create secure boot headers
  14. Copyright © SUSE — KIWI can be used to build

    images — User defined scripts to perform many actions – Most ARM images use scripts to write U-Boot or perform partition changes – pre_disk_sync.sh is used to change the root tree contents – Copy files to their proper location – NXP blobs, FIT Image, Secure boot headers, etc – editbootinstall.sh is used only to write binaries into their respective offsets – Each file has its own offset – Offset varies by board and media storage (eMMC, SD, etc) — The private key used to sign needs to be stored in OBS – Can't be hosted on public instances Open Build Service 15
  15. Copyright © SUSE © SUSE LLC. All Rights Reserved. SUSE

    and the SUSE logo are registered trademarks of SUSE LLC in the United States and other countries. All third-party trademarks are the property of their respective owners. For more information, contact SUSE at: +1 800 796 3700 (U.S./Canada) Frankenstrasse 146 90461 Nürnberg www.suse.com Thank you