1 2 Previous Next 16 Replies Latest reply on Dec 18, 2015 1:57 AM by yeng.yangx

    Signing Files for secure SKU

    shubham_k

      Hi Guys,

       

      I have to generate signed files for a secure SKU boot. I am following chapter 15 discussion in the Quark-1000-bsp-build-sw-rel-user-guide.pdf. The steps to follow to achieve the same have been mentioned as:-

       

      Open a new terminal session and use the following commands:

      # cd spi-flash-tools

      # make asset-signing-tool/sign

      After compiling the signing tool, you can sign assets as shown in the following

      example:

      # path/to/spi-flash-tools/asset-signing-tool/sign –i <input file>

      -s <svn> -x <svn index> -k <key file>

      The output for this example is a signed binary file called <input file>.signed in

      the same directory as the <input file>.

      To create a separate signature file, pass the –c command line option which creates

      <input file>.csbh as output in the same directory as the <input file>.

      To get a full list of command line options, run the signing tool with no option.



      I don't have any idea on what to give for <svn> and <svn index>, and the signature file is not getting generated without these 2 parameters. It throws error saying that these 2 parameters are must.

      I am thinking of passing the command  as follows:-

       

      #/home/.../spi-flash-tools/asset-signing-tool/sign -i bzImage -c -o -s <svn> -x <svn index>

       

      Is this command correct so that the signed output files can be generated?

      Thanks in advance. Looking for help in this direction.

        • 1. Re: Signing Files for secure SKU
          CMata_Intel

          Hi shubham_k

           

          SVN means Security Version Number, take a look at the spi-flash-tools/asset-signing-tool/sign.c for more information about the parameters. In there, you will see the restrictions these parameters have. Let’s try with this and the suggestion from the BSP: path/to/spi-flash-tools/asset-signing-tool/sign –i <input file> -s <svn> -x <svn index> -k <key file>

          If it works, try with the flags -c -o. For -o I think you may need to set a name as output.

          Which BSP version are you using?

           

          Regards,

          Charlie

          • 2. Re: Signing Files for secure SKU
            shubham_k

            Hi CMata_Intel,

             

            I'm using BSP version 1.2 . I looked at the source code sign.c. I found that svn and svn index have been mentioned as 0 each. So, I put 0 for both svn and svn index. That issue is resolved, and it is no more throwing the error for those. But the other obstacle that cropped up is the keyfile. It's throwing error without the keyfile parameter.  The following Note has been given about the keyfile in chapter 15 :--

            Note: For convenience during development, the software release includes a default Private

            Key key.pem file. During development, all assets are signed with the default key that

            is stored in the config directory. The default key cannot be used in a production

            system; it is not secure due to its inclusion in the release package. Contact your Intel

            representative for details.


            Is this key.pem the file one which I have to pass as the parameter?? If yes, then Where can I find this key.pem file? I searched in my entire Yocto Build directory including the config directory which has been mentioned, but couldn't find any such file there.

             

            Thanks and Regards,

            Shubham_K

            • 3. Re: Signing Files for secure SKU
              shubham_k

              Hi CMata_Intel ,

               

              I found the file key.pem in the Yocto Build directory. Then I ran the following command :-

               

              /../Board_Support_Package_Sources_for_Intel_Quark_v1.1.0/spi-flash-tools_v1.1.0/asset-signing-tool/sign -c -i  /../boot/grub/grub.conf -s 15 -x 15 -k  /../Board_Support_Package_Sources_for_Intel_Quark_v1.1.0/meta-clanton_v1.1.0-dirty/yocto_build/tmp/work/i686-linux/openssl-native/1.0.1g-r0/openssl-1.0.1g/demos/sign/key.pem


              In the source file sign.c , the svn and svn_index have been mentioned as 1. Still I tried with different svn numbers from 0 to 15. The corresponding .csbh files ,which are being created, don't seem to have the correct signatures for verification with their respective grub.conf, bzImage, core-**intiramfs.cpio.gz, etc. On putting these files with .csbh files , the Grub Error is being thrown which mentions that signatures do not match.

               

              Any idea on how to resolve this??

              • 4. Re: Signing Files for secure SKU
                CMata_Intel

                Hi shubham_k

                 

                We are going to run some tests in order to help you with this. You said that you were using the BSP 1.2.0, but in your last reply you were using the BSP 1.1.0, do you have different outcomes with the versions or in both BSPs are you getting the same output?

                 

                Regards,

                Charlie

                • 5. Re: Signing Files for secure SKU
                  shubham_k

                  Hi CMata_Intel,

                   

                  I have tried with both BSP versions 1.1 as well as 1.2 , and the observation is pretty same for both. Also note that there are other files besides key.pem , viz., cakey.pem, but passing this as a parameter as -k cakey.pem doesn't help. It throws the error that it is not able to read the key file. Whereas there is no such error being thrown on passing -k key.pem . So, I believe that I'm passing the correct file as paramater. I think there's definitely a problem with the SVN and SVN index. It should be more clear from the documentation on what to use.  Any inputs from your side on the same?

                   

                  I have also gone through the following documentation to understand the process of signature verification on Intel Quark, but unfortunately I couldn't get much clearer idea on SVN and SVN Index from this documentation.

                   

                  http://www.intel.com/content/dam/www/public/us/en/documents/manuals/quark-x1000-secure-boot-prm.pdf

                  • 6. Re: Signing Files for secure SKU
                    CMata_Intel

                    Hi shubham_k

                     

                    Yes, you need to use key.pem (Remember that using this file is not recommended for production builds).

                    Checking the file you posted above, have you tried with svn 1 and svn index 0? like the example in the file.

                    For SVNs, “The Secure Boot ROM Code claims the first three SVNs, used for:

                        SVN0: Key Module

                        SVN1: Stage 1 Software Applications

                        SVN2: Fixed Location Recovery Application

                        SVN15: Firmware Updates and Recovery Assets”

                     

                    For SVN_Index:

                    svn_index.JPG

                     

                     

                     

                     

                     

                     

                     

                     

                     

                     

                     

                     

                     

                     

                     

                     

                    Let me know if trying with ./sign ....  –s 1 –x 0 you get improvements.

                     

                    Regards,

                    Charlie

                    • 7. Re: Signing Files for secure SKU
                      shubham_k

                      Hi CMata_Intel,

                       

                      I tried with ./sign .... -s 1 x 0  just now, and the boot process again failed showing the same Grub Error as with the previously tried combinations.In fact I tried with the following combinations also:- ./sign.../boot/grub/grub.conf -s 5 -x 5

                                                    ./sign../grub.efi -s 4 -x 4

                                                    ./sign../core-image-minimal-initramfs.cpio.gz -s 7 -x 7

                                                    ./sign../bzImage -s 6 -x 6


                      I have tried to use the above mentioned combinations based on the SVN Index Allocation  table posted by you. Please give your input on the same whether those SVN values , which I have used, comply with the ones mentioned in the table.

                       

                      I'm using a Secure Boot-enabled variant of Intel Quark X1000. That's the reason why I need cryptographically verified files on the SD card. Screenshot from 2015-10-28 09:35:08.png

                      • 8. Re: Signing Files for secure SKU
                        CMata_Intel

                        Hi shubham_k;

                         

                        I will test this but I would like to have your same environment. Let’s try with BSP 1.2.0

                        Which OS are you using?

                        Which changes are you doing in the image?

                        Please let me know all the changes and steps you have followed to sign the files in order to replicate your situation.

                         

                        Regards,

                        Charlie

                        • 9. Re: Signing Files for secure SKU
                          shubham_k

                          Hi,

                           

                          I'm using the BSP 1.2.0 package available on the Intel download center. I'm following the standard steps for building the Yocto image for Quark as given in the Quark software build user guide chapter 6. I'm doing all this with SD card. There are no changes which I made in the image. Whichever Yocto image you have as of now, you can try doing it with that, because I tried with both 1.1.0 and 1.2.0 and the signature failed. So let me know if it works in your case with any of the BSP versions.

                           

                          Thanks and Regards,

                          Shubham_K

                          • 10. Re: Signing Files for secure SKU
                            CMata_Intel

                            Hi shubham_k

                             

                            Have you tried only with the key.pem in  yocto_build/tmp/work/i686-linux/openssl-native/1.0.1g-r0/openssl-1.0.1g/demos/sign/key.pem?

                             

                            I tried with the key.pem file in yocto_build/tmp/work/x86_64-linux/glib-2.0-native/1_2.40.0-r0/glib-2.40.0/gio/tests/cert-tests/key.pem

                            I was able to boot the board by using the BSP 1.2.0 and the parameters:

                            -s 0x01 -x 0x00


                            For example, while using it with grub.conf, I ran:

                             

                            ./sign -i ../../meta-clanton_v1.2.0/yocto_build/tmp/deploy/images/quark/boot/grub/grub.conf -s 0x01 -x 0x00 -k ../../meta-clanton_v1.2.0/yocto_build/tmp/work/x86_64-linux/glib-2.0-native/1_2.40.0-r0/glib-2.40.0/gio/tests/cert-tests/key.pem -c

                             

                            In the SD card, I’m having the following files:

                                                                                                    SD1.JPG SD2.JPG

                            Try to start from scratch using those parameters and let us know the outcome.

                             

                            Regards,

                            Charlie

                            • 11. Re: Signing Files for secure SKU
                              shubham_k

                              Hi CMata_Intel

                               

                              Yes, I have tried with only key.pem file.Yes, I agree that each and every command generates the corresponding .csbh file for each input given. But How do you know that the signed files which have been generated are correct? Which Board did you boot with these files?? If you booted Galileo, then it's obvious that Galileo will boot because it doesn't need any kind of signature. I want you to boot some secure SKU Hardware from Intel with those images which you generated along with the signed files, viz., ADI Engineering Gateway HW based on Intel Quark X1000. If that works, then please let me know .

                               

                              Thanks,

                              Shubham_K

                              • 12. Re: Signing Files for secure SKU
                                CMata_Intel

                                Hi shubham_k,

                                 

                                We are working on this and we are trying to find a way to help you with this. I will contact you as soon as I get more information or new results.

                                 

                                Regards,

                                Charlie

                                • 13. Re: Signing Files for secure SKU
                                  CMata_Intel

                                  Hi shubham_k ,

                                   

                                  We would like to know if you are using a custom board or a Quark based board, if you do, please let us know which one in other to try to replicate your environment.

                                   

                                  Kind Regards,

                                  Charlie

                                  • 14. Re: Signing Files for secure SKU
                                    shubham_k

                                    Hi CMata_Intel,

                                     

                                    I am using a Quark based board. That is ADI Engineering White Oak Canyon IoT Gateway, which comes pre-loaded with Windriver Linux with SD card mounted onto it. This is a Secure SKU HW. I'm just trying to boot this board with SD card Yocto Linux image on it.

                                    1 2 Previous Next