Community
cancel
Showing results for 
Search instead for 
Did you mean: 
SKuma75
New Contributor I
1,538 Views

Signing Files for secure SKU

Hi Guys,

I have to generate signed files for a secure SKU boot. I am following chapter 15 discussion in the Quark-1000-bsp-build-sw-rel-user-guide.pdf. The steps to follow to achieve the same have been mentioned as:-

Open a new terminal session and use the following commands:

# cd spi-flash-tools

# make asset-signing-tool/sign

After compiling the signing tool, you can sign assets as shown in the following

example:

# path/to/spi-flash-tools/asset-signing-tool/sign –i

-s -x -k

The output for this example is a signed binary file called .signed in

the same directory as the .

To create a separate signature file, pass the –c command line option which creates

.csbh as output in the same directory as the .

To get a full list of command line options, run the signing tool with no option.

 

 

I don't have any idea on what to give for and , and the signature file is not getting generated without these 2 parameters. It throws error saying that these 2 parameters are must.

I am thinking of passing the command as follows:-

# /home/.../spi-flash-tools/asset-signing-tool/sign -i bzImage -c -o -s -x

Is this command correct so that the signed output files can be generated?

Thanks in advance. Looking for help in this direction.

Tags (1)
16 Replies
Carlos_M_Intel
Employee
273 Views

Hi shubham_k

SVN means Security Version Number, take a look at the spi-flash-tools/asset-signing-tool/sign.c for more information about the parameters. In there, you will see the restrictions these parameters have. Let's try with this and the suggestion from the BSP: path/to/spi-flash-tools/asset-signing-tool/sign –i -s -x -k

If it works, try with the flags -c -o. For -o I think you may need to set a name as output.

Which BSP version are you using?

Regards,

Charlie

SKuma75
New Contributor I
273 Views

Hi CMata_Intel,

I'm using BSP version 1.2 . I looked at the source code sign.c. I found that svn and svn index have been mentioned as 0 each. So, I put 0 for both svn and svn index. That issue is resolved, and it is no more throwing the error for those. But the other obstacle that cropped up is the keyfile. It's throwing error without the keyfile parameter. The following Note has been given about the keyfile in chapter 15 :--

Note: For convenience during development, the software release includes a default Private

Key key.pem file. During development, all assets are signed with the default key that

is stored in the config directory. The default key cannot be used in a production

system; it is not secure due to its inclusion in the release package. Contact your Intel

representative for details.

 

Is this key.pem the file one which I have to pass as the parameter?? If yes, then Where can I find this key.pem file? I searched in my entire Yocto Build directory including the config directory which has been mentioned, but couldn't find any such file there.

Thanks and Regards,

Shubham_K

SKuma75
New Contributor I
273 Views

Hi CMata_Intel ,

I found the file key.pem in the Yocto Build directory. Then I ran the following command :-

/../Board_Support_Package_Sources_for_Intel_Quark_v1.1.0/spi-flash-tools_v1.1.0/asset-signing-tool/sign -c -i /../boot/grub/grub.conf -s 15 -x 15 -k /../Board_Support_Package_Sources_for_Intel_Quark_v1.1.0/meta-clanton_v1.1.0-dirty/yocto_build/tmp/work/i686-linux/openssl-native/1.0.1g-r0/openssl-1.0.1g/demos/sign/key.pem

 

In the source file sign.c , the svn and svn_index have been mentioned as 1. Still I tried with different svn numbers from 0 to 15. The corresponding .csbh files ,which are being created, don't seem to have the correct signatures for verification with their respective grub.conf, bzImage, core-**intiramfs.cpio.gz, etc. On putting these files with .csbh files , the Grub Error is being thrown which mentions that signatures do not match.

Any idea on how to resolve this??

Carlos_M_Intel
Employee
273 Views

Hi shubham_k

We are going to run some tests in order to help you with this. You said that you were using the BSP 1.2.0, but in your last reply you were using the BSP 1.1.0, do you have different outcomes with the versions or in both BSPs are you getting the same output?

Regards,

Charlie

SKuma75
New Contributor I
273 Views

Hi CMata_Intel,

I have tried with both BSP versions 1.1 as well as 1.2 , and the observation is pretty same for both. Also note that there are other files besides key.pem , viz., cakey.pem, but passing this as a parameter as -k cakey.pem doesn't help. It throws the error that it is not able to read the key file. Whereas there is no such error being thrown on passing -k key.pem . So, I believe that I'm passing the correct file as paramater. I think there's definitely a problem with the SVN and SVN index. It should be more clear from the documentation on what to use. Any inputs from your side on the same?

I have also gone through the following documentation to understand the process of signature verification on Intel Quark, but unfortunately I couldn't get much clearer idea on SVN and SVN Index from this documentation.

http://www.intel.com/content/dam/www/public/us/en/documents/manuals/quark-x1000-secure-boot-prm.pdf http://www.intel.com/content/dam/www/public/us/en/documents/manuals/quark-x1000-secure-boot-prm.pdf

Carlos_M_Intel
Employee
273 Views

Hi shubham_k

Yes, you need to use key.pem (Remember that using this file is not recommended for production builds).

Checking the file you posted above, have you tried with svn 1 and svn index 0? like the example in the file.

For SVNs, "The Secure Boot ROM Code claims the first three SVNs, used for:

SVN0: Key Module

SVN1: Stage 1 Software Applications

SVN2: Fixed Location Recovery Application

SVN15: Firmware Updates and Recovery Assets"

For SVN_Index:

Let me know if trying with ./sign .... –s 1 –x 0 you get improvements.

Regards,

Charlie

SKuma75
New Contributor I
273 Views

Hi CMata_Intel,

I tried with ./sign .... -s 1 x 0 just now, and the boot process again failed showing the same Grub Error as with the previously tried combinations.In fact I tried with the following combinations also:- ./sign.../boot/grub/grub.conf -s 5 -x 5

./sign../grub.efi -s 4 -x 4

./sign../core-image-minimal-initramfs.cpio.gz -s 7 -x 7

./sign../bzImage -s 6 -x 6

 

I have tried to use the above mentioned combinations based on the SVN Index Allocation table posted by you. Please give your input on the same whether those SVN values , which I have used, comply with the ones mentioned in the table.

I'm using a Secure Boot-enabled variant of Intel Quark X1000. That's the reason why I need cryptographically verified files on the SD card.

Carlos_M_Intel
Employee
273 Views

Hi shubham_k;

I will test this but I would like to have your same environment. Let's try with BSP 1.2.0

Which OS are you using?

Which changes are you doing in the image?

Please let me know all the changes and steps you have followed to sign the files in order to replicate your situation.

Regards,

Charlie

SKuma75
New Contributor I
273 Views

Hi,

I'm using the BSP 1.2.0 package available on the Intel download center. I'm following the standard steps for building the Yocto image for Quark as given in the Quark software build user guide chapter 6. I'm doing all this with SD card. There are no changes which I made in the image. Whichever Yocto image you have as of now, you can try doing it with that, because I tried with both 1.1.0 and 1.2.0 and the signature failed. So let me know if it works in your case with any of the BSP versions.

Thanks and Regards,

Shubham_K

Carlos_M_Intel
Employee
273 Views

Hi shubham_k

Have you tried only with the key.pem in yocto_build/tmp/work/i686-linux/openssl-native/1.0.1g-r0/openssl-1.0.1g/demos/sign/key.pem?

I tried with the key.pem file in yocto_build/tmp/work/x86_64-linux/glib-2.0-native/1_2.40.0-r0/glib-2.40.0/gio/tests/cert-tests/key.pem

I was able to boot the board by using the BSP 1.2.0 and the parameters:

-s 0x01 -x 0x00

 

For example, while using it with grub.conf, I ran:

./sign -i ../../meta-clanton_v1.2.0/yocto_build/tmp/deploy/images/quark/boot/grub/grub.conf -s 0x01 -x 0x00 -k ../../meta-clanton_v1.2.0/yocto_build/tmp/work/x86_64-linux/glib-2.0-native/1_2.40.0-r0/glib-2.40.0/gio/tests/cert-tests/key.pem -c

In the SD card, I'm having the following files:

Try to start from scratch using those parameters and let us know the outcome.

Regards,

Charlie

SKuma75
New Contributor I
273 Views

Hi CMata_Intel

Yes, I have tried with only key.pem file.Yes, I agree that each and every command generates the corresponding .csbh file for each input given. But How do you know that the signed files which have been generated are correct? Which Board did you boot with these files?? If you booted Galileo, then it's obvious that Galileo will boot because it doesn't need any kind of signature. I want you to boot some secure SKU Hardware from Intel with those images which you generated along with the signed files, viz., ADI Engineering Gateway HW based on Intel Quark X1000. If that works, then please let me know .

Thanks,

Shubham_K

Carlos_M_Intel
Employee
273 Views

Hi shubham_k,

We are working on this and we are trying to find a way to help you with this. I will contact you as soon as I get more information or new results.

Regards,

Charlie

Carlos_M_Intel
Employee
273 Views

Hi shubham_k ,

We would like to know if you are using a custom board or a Quark based board, if you do, please let us know which one in other to try to replicate your environment.

Kind Regards,

Charlie

SKuma75
New Contributor I
273 Views

Hi CMata_Intel,

I am using a Quark based board. That is ADI Engineering White Oak Canyon IoT Gateway, which comes pre-loaded with Windriver Linux with SD card mounted onto it. This is a Secure SKU HW. I'm just trying to boot this board with SD card Yocto Linux image on it.

Carlos_M_Intel
Employee
273 Views

Hi shubham_k

Thank you very much, we are working on this and I will let you know as soon as we get the results.

Kind regards,

Charlie

YENGYANG_L_Intel
Employee
273 Views

1) Flash the board with secure SPI firmware.

  • Building the EDKII Firmware – Chapter 4
  • Don't choose experienced users command please use "buildallconfigs.sh" command.
  • Proceed to Chapter 6, to build a small Linux image for SPI Flash.
  • Proceed to Chapter 8, to create a flash image for the board.
  • Because you need a secure flash image you should use files in "sysimage.CP-8M-release-secure" directory, this is for a release build secure SKU.
  • Proceed to Chapter 10, to program a flash image into the board (please choose section 10.2, Programming flash using Linux* run-time system)

2) Update the yocto image (assumed that you already created it before) with signature files. (*.csbh)

  • For the asset-signing-tool/sign –i -s -x -k please refer below:

o full path to your input files. (grub.conf, bzImage, and core-image-minimal-initramfs-clanton.cpio.gz)

o -> 0

o : Please refer to table below and following are examples.

o 5 for grub.conf

o 6 for bzImage

o 7 for core-image-minimal-initramfs-clantan,cpio.gz

o sysimage/config/key.pem.

For example to configure .csbh for grub.conf :

./asset-signing-tool/sign -i ~/Yocto_1.2/meta-clanton_v1.2.0/yocto_build/tmp/deploy/images/quark/boot/grub/grub.conf -s 0 -x 5 -k ../sysimage/config/key.pem -c

3) Make sure bzImage.csbh , core-image-minimal-initramfs-quark.cpio.gz.csbsh and boot/grub/grub.cbsh are exist inside the directory.

4) Paste all files into USB stick and boot it using DK100. The output will shown like image below.

*Note: Reformat USB drive to FAT or FAT32, if the couldn't couldn't boot up.

If bzImage.csbh , core-image-minimal-initramfs-quark.cpio.gz.csbsh and boot/grub/grub.cbsh not exist in USB stick, the output will shown below image:

Unable to boot SD storage without .csbh files shown in image below.

Reply