Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43483 )
Change subject: Documentation/vendorcode/eltan/security.md: Fix bugs in the guide
Documentation/vendorcode/eltan/security.md: Fix bugs in the guide
ELTAN verified boot seems to be using the vboot 2.1 key format, not vboot 1.0. Generating vboot 1.0 keys results in a public key of incorrect size (according to the verified boot implementation in vendorcode), which results in errors during booting.
Fix the cbfstool extraction command to take into account stage files which may have certain sections removed.
Add a note about the endianness of the digest generated by openssl.
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Change-Id: I27cf8e3f8e22876f671092fe4d3265a98564d996
---
M Documentation/vendorcode/eltan/security.md
1 file changed, 8 insertions(+), 2 deletions(-)
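An added illustration of the digest step the guide describes (this is example code, not part of the change or of coreboot's own tooling): hash each extracted item, byte-reverse the digest exactly as the `xxd -p -c1 | tac | xxd -p -r` pipeline does, and concatenate the results in manifest order. The item names and contents are constructed placeholders; in a real build they would be the binaries extracted with `cbfstool ... -m x86 -U`.

```python
import hashlib

# Constructed sample "CBFS items" (placeholders, not real coreboot stages).
# Order matters: it must match the OEM manifest item order.
SAMPLE_ITEMS = [
    ("fallback/romstage", b"\x7fELF romstage placeholder"),
    ("fallback/ramstage", b"\x7fELF ramstage placeholder"),
    ("fallback/payload", b"payload placeholder"),
]


def digest_le(data: bytes, use_sha512: bool = False) -> bytes:
    """Hash one item and byte-reverse the digest.

    `openssl dgst -binary` writes the digest as a big-endian byte string;
    the guide's `xxd -p -c1 | tac | xxd -p -r` pipeline reverses the bytes
    to produce the little-endian form the vendorcode expects. use_sha512
    mirrors VENDORCODE_ELTAN_VBOOT_USE_SHA512 (-sha512 instead of -sha256).
    """
    algo = hashlib.sha512 if use_sha512 else hashlib.sha256
    return algo(data).digest()[::-1]


def build_hash_binary(items, use_sha512: bool = False) -> bytes:
    """Concatenate the little-endian digests of `items` (list of
    (cbfs_name, data)) in order, checking each digest has the expected size."""
    expected = 64 if use_sha512 else 32
    out = bytearray()
    for name, data in items:
        d = digest_le(data, use_sha512)
        if len(d) != expected:
            raise ValueError(f"{name}: unexpected digest size {len(d)}")
        out += d
    return bytes(out)


def verify_item(data: bytes, stored_le_digest: bytes, use_sha512: bool = False) -> bool:
    """What a verifier does at boot: recompute the item's digest in the
    stored (little-endian) form and compare it with the manifest entry."""
    return digest_le(data, use_sha512) == stored_le_digest
```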
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/83/43483/1
diff --git a/Documentation/vendorcode/eltan/security.md b/Documentation/vendorcode/eltan/security.md index 9dd47c0..1c05cd5 100644 --- a/Documentation/vendorcode/eltan/security.md +++ b/Documentation/vendorcode/eltan/security.md @@ -42,7 +42,7 @@ Create private key in RSA2048 format: `openssl genrsa -F4 -out <private_key_file> 2048`
Create public key using private key: -`futility --vb1 create <private_key_file> <public_key_file_without_extension>` +`futility --vb21 create <private_key_file> <public_key_file_without_extension>`
The public key will be included into coreboot and used for verified boot only.
@@ -79,9 +79,15 @@ The total number of items must match `VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS`.
For every part the SHA (SHA-256) must be calculated. First extract the binary from the coreboot -image using: `cbfstool <coreboot_file_name> extract -n <cbfs_name> -f <item_binary_file_name>` +image using: `cbfstool <coreboot_file_name> extract -n <cbfs_name> -f <item_binary_file_name> -m x86 -U` +Note the `-m x86 -U` flags are required for correct extraction of stages. Certain stages are +put in CBFS without certain program sections so extraction process must also remove these sections. + followed by: `openssl dgst -sha256 -binary -out <hash_file_name> <item_binary_file_name>`
+The SHA256 digest will be in big endian so it must be converted to little endian with: +`< <hash_file_name> xxd -p -c1 | tac | xxd -p -r > <hash_file_name_le>` + Replace -sha256 with -sha512 when `VENDORCODE_ELTAN_VBOOT_USE_SHA512` is enabled.
All the hashes must be combined to a hash binary. The hashes need to be placed in the same order as
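Review bot: the `--vb1` to `--vb21` change in the key-creation command is not explained in the document itself; since the commit message says the vendorcode expects the vboot 2.1 key format and a vboot 1.0 key yields a public key of the wrong size, add that one sentence next to the `futility --vb21 create` command so a reader does not fall back to `--vb1` out of habit.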
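Review bot: the inserted `-m x86 -U` note lands between `using: \`cbfstool ...\`` and `followed by: \`openssl ...\``, which splits one sentence in two; move the note after the openssl command, or reword so the `followed by:` step still reads as a continuation. The endianness paragraph introduces `<hash_file_name_le>`, but the next step ("All the hashes must be combined to a hash binary") still speaks only of "the hashes"; state explicitly that the little-endian files are the ones to concatenate. Minor grammar in the new text: "so extraction process must also remove" should read "so the extraction process must also remove".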