I have to generate signed files for a secure SKU boot. I am following chapter 15 discussion in the Quark-1000-bsp-build-sw-rel-user-guide.pdf. The steps to follow to achieve the same have been mentioned as:-
Open a new terminal session and use the following commands:
# cd spi-flash-tools
# make asset-signing-tool/sign
After compiling the signing tool, you can sign assets as shown in the following
# path/to/spi-flash-tools/asset-signing-tool/sign –i
-s -x -k
The output for this example is a signed binary file called .signed in
the same directory as the .
To create a separate signature file, pass the –c command line option which creates
.csbh as output in the same directory as the .
To get a full list of command line options, run the signing tool with no option.
I don't have any idea on what to give for and , and the signature file is not getting generated without these 2 parameters. It throws error saying that these 2 parameters are must.
I am thinking of passing the command as follows:-
# /home/.../spi-flash-tools/asset-signing-tool/sign -i bzImage -c -o -s -x
Is this command correct so that the signed output files can be generated?
Thanks in advance. Looking for help in this direction.
SVN means Security Version Number, take a look at the spi-flash-tools/asset-signing-tool/sign.c for more information about the parameters. In there, you will see the restrictions these parameters have. Let's try with this and the suggestion from the BSP: path/to/spi-flash-tools/asset-signing-tool/sign –i -s -x -k
If it works, try with the flags -c -o. For -o I think you may need to set a name as output.
Which BSP version are you using?
I'm using BSP version 1.2 . I looked at the source code sign.c. I found that svn and svn index have been mentioned as 0 each. So, I put 0 for both svn and svn index. That issue is resolved, and it is no more throwing the error for those. But the other obstacle that cropped up is the keyfile. It's throwing error without the keyfile parameter. The following Note has been given about the keyfile in chapter 15 :--
Note: For convenience during development, the software release includes a default Private
Key key.pem file. During development, all assets are signed with the default key that
is stored in the config directory. The default key cannot be used in a production
system; it is not secure due to its inclusion in the release package. Contact your Intel
representative for details.
Is this key.pem the file one which I have to pass as the parameter?? If yes, then Where can I find this key.pem file? I searched in my entire Yocto Build directory including the config directory which has been mentioned, but couldn't find any such file there.
Thanks and Regards,
Hi CMata_Intel ,
I found the file key.pem in the Yocto Build directory. Then I ran the following command :-
/../Board_Support_Package_Sources_for_Intel_Quark_v1.1.0/spi-flash-tools_v1.1.0/asset-signing-tool/sign -c -i /../boot/grub/grub.conf -s 15 -x 15 -k /../Board_Support_Package_Sources_for_Intel_Quark_v1.1.0/meta-clanton_v1.1.0-dirty/yocto_build/tmp/work/i686-linux/openssl-native/1.0.1g-r0/openssl-1.0.1g/demos/sign/key.pem
In the source file sign.c , the svn and svn_index have been mentioned as 1. Still I tried with different svn numbers from 0 to 15. The corresponding .csbh files ,which are being created, don't seem to have the correct signatures for verification with their respective grub.conf, bzImage, core-**intiramfs.cpio.gz, etc. On putting these files with .csbh files , the Grub Error is being thrown which mentions that signatures do not match.
Any idea on how to resolve this??
We are going to run some tests in order to help you with this. You said that you were using the BSP 1.2.0, but in your last reply you were using the BSP 1.1.0, do you have different outcomes with the versions or in both BSPs are you getting the same output?
I have tried with both BSP versions 1.1 as well as 1.2 , and the observation is pretty same for both. Also note that there are other files besides key.pem , viz., cakey.pem, but passing this as a parameter as -k cakey.pem doesn't help. It throws the error that it is not able to read the key file. Whereas there is no such error being thrown on passing -k key.pem . So, I believe that I'm passing the correct file as paramater. I think there's definitely a problem with the SVN and SVN index. It should be more clear from the documentation on what to use. Any inputs from your side on the same?
I have also gone through the following documentation to understand the process of signature verification on Intel Quark, but unfortunately I couldn't get much clearer idea on SVN and SVN Index from this documentation.
Yes, you need to use key.pem (Remember that using this file is not recommended for production builds).
Checking the file you posted above, have you tried with svn 1 and svn index 0? like the example in the file.
For SVNs, "The Secure Boot ROM Code claims the first three SVNs, used for:
SVN0: Key Module
SVN1: Stage 1 Software Applications
SVN2: Fixed Location Recovery Application
SVN15: Firmware Updates and Recovery Assets"
Let me know if trying with ./sign .... –s 1 –x 0 you get improvements.
I tried with ./sign .... -s 1 x 0 just now, and the boot process again failed showing the same Grub Error as with the previously tried combinations.In fact I tried with the following combinations also:- ./sign.../boot/grub/grub.conf -s 5 -x 5
./sign../grub.efi -s 4 -x 4
./sign../core-image-minimal-initramfs.cpio.gz -s 7 -x 7
./sign../bzImage -s 6 -x 6
I have tried to use the above mentioned combinations based on the SVN Index Allocation table posted by you. Please give your input on the same whether those SVN values , which I have used, comply with the ones mentioned in the table.
I'm using a Secure Boot-enabled variant of Intel Quark X1000. That's the reason why I need cryptographically verified files on the SD card.
I will test this but I would like to have your same environment. Let's try with BSP 1.2.0
Which OS are you using?
Which changes are you doing in the image?
Please let me know all the changes and steps you have followed to sign the files in order to replicate your situation.
I'm using the BSP 1.2.0 package available on the Intel download center. I'm following the standard steps for building the Yocto image for Quark as given in the Quark software build user guide chapter 6. I'm doing all this with SD card. There are no changes which I made in the image. Whichever Yocto image you have as of now, you can try doing it with that, because I tried with both 1.1.0 and 1.2.0 and the signature failed. So let me know if it works in your case with any of the BSP versions.
Thanks and Regards,
Have you tried only with the key.pem in yocto_build/tmp/work/i686-linux/openssl-native/1.0.1g-r0/openssl-1.0.1g/demos/sign/key.pem?
I tried with the key.pem file in yocto_build/tmp/work/x86_64-linux/glib-2.0-native/1_2.40.0-r0/glib-2.40.0/gio/tests/cert-tests/key.pem
I was able to boot the board by using the BSP 1.2.0 and the parameters:
-s 0x01 -x 0x00
For example, while using it with grub.conf, I ran:
./sign -i ../../meta-clanton_v1.2.0/yocto_build/tmp/deploy/images/quark/boot/grub/grub.conf -s 0x01 -x 0x00 -k ../../meta-clanton_v1.2.0/yocto_build/tmp/work/x86_64-linux/glib-2.0-native/1_2.40.0-r0/glib-2.40.0/gio/tests/cert-tests/key.pem -c
In the SD card, I'm having the following files:
Try to start from scratch using those parameters and let us know the outcome.
Yes, I have tried with only key.pem file.Yes, I agree that each and every command generates the corresponding .csbh file for each input given. But How do you know that the signed files which have been generated are correct? Which Board did you boot with these files?? If you booted Galileo, then it's obvious that Galileo will boot because it doesn't need any kind of signature. I want you to boot some secure SKU Hardware from Intel with those images which you generated along with the signed files, viz., ADI Engineering Gateway HW based on Intel Quark X1000. If that works, then please let me know .
We are working on this and we are trying to find a way to help you with this. I will contact you as soon as I get more information or new results.
Hi shubham_k ,
We would like to know if you are using a custom board or a Quark based board, if you do, please let us know which one in other to try to replicate your environment.
I am using a Quark based board. That is ADI Engineering White Oak Canyon IoT Gateway, which comes pre-loaded with Windriver Linux with SD card mounted onto it. This is a Secure SKU HW. I'm just trying to boot this board with SD card Yocto Linux image on it.
1) Flash the board with secure SPI firmware.
2) Update the yocto image (assumed that you already created it before) with signature files. (*.csbh)
o full path to your input files. (grub.conf, bzImage, and core-image-minimal-initramfs-clanton.cpio.gz)
o -> 0
o : Please refer to table below and following are examples.
o 5 for grub.conf
o 6 for bzImage
o 7 for core-image-minimal-initramfs-clantan,cpio.gz
For example to configure .csbh for grub.conf :
./asset-signing-tool/sign -i ~/Yocto_1.2/meta-clanton_v1.2.0/yocto_build/tmp/deploy/images/quark/boot/grub/grub.conf -s 0 -x 5 -k ../sysimage/config/key.pem -c
3) Make sure bzImage.csbh , core-image-minimal-initramfs-quark.cpio.gz.csbsh and boot/grub/grub.cbsh are exist inside the directory.
4) Paste all files into USB stick and boot it using DK100. The output will shown like image below.
*Note: Reformat USB drive to FAT or FAT32, if the couldn't couldn't boot up.
If bzImage.csbh , core-image-minimal-initramfs-quark.cpio.gz.csbsh and boot/grub/grub.cbsh not exist in USB stick, the output will shown below image:
Unable to boot SD storage without .csbh files shown in image below.