New subject: [S] Change in coreboot[master]: Documentation/vendorcode/eltan/security.md: Fix bugs in the guide

15 Jul 2020

Michał Żygowski has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/43483 )
Change subject: Documentation/vendorcode/eltan/security.md: Fix bugs in the guide
......................................................................
Documentation/vendorcode/eltan/security.md: Fix bugs in the guide
ELTAN verified boot seems to be using vboot 2.1 key format not vboot
1.0. Generating vboot 1.0 keys results in public key of incorrect size
(according to the verified boot implementation in vendorcode) which
results in errors during booting.
Fix the cbfstool extraction command to take account for stage file
which may have certain sections removed.
Add note about endianess of digest generated by openssl.
Signed-off-by: Michał Żygowski michal.zygowski@3mdeb.com
Change-Id: I27cf8e3f8e22876f671092fe4d3265a98564d996
---
M Documentation/vendorcode/eltan/security.md
1 file changed, 8 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/83/43483/1

diff --git a/Documentation/vendorcode/eltan/security.md b/Documentation/vendorcode/eltan/security.md
index 9dd47c0..1c05cd5 100644
--- a/Documentation/vendorcode/eltan/security.md
+++ b/Documentation/vendorcode/eltan/security.md
@@ -42,7 +42,7 @@
 Create private key in RSA2048 format: `openssl genrsa -F4 -out <private_key_file> 2048`
Create public key using private key:
-`futility --vb1 create <private_key_file> <public_key_file_without_extension>`
+`futility --vb21 create <private_key_file> <public_key_file_without_extension>`
The public key will be included into coreboot and used for verified boot only.
@@ -79,9 +79,15 @@
 The total number of items must match `VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS`.
For every part the SHA (SHA-256) must be calculated. First extract the binary from the coreboot
-image using: `cbfstool <coreboot_file_name> extract -n <cbfs_name> -f <item_binary_file_name>`
+image using: `cbfstool <coreboot_file_name> extract -n <cbfs_name> -f <item_binary_file_name> -m x86 -U`
+Note the `-m x86 -U` flags are required for correct extraction of stages. Certain stages are
+put in CBFS without certain program sections so extraction process must also remove these sections.
+
 followed by: `openssl dgst -sha256 -binary -out <hash_file_name> <item_binary_file_name>`
+The SHA256 digest will be in big endian so it must be converted to little endian with:
+`< <hash_file_name> xxd -p -c1 | tac | xxd -p -r > <hash_file_name_le>`
+
 Replace -sha256 with -sha512 when `VENDORCODE_ELTAN_VBOOT_USE_SHA512` is enabled.
All the hashes must be combined to a hash binary. The hashes need to be placed in the same order as
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/43483
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I27cf8e3f8e22876f671092fe4d3265a98564d996
Gerrit-Change-Number: 43483
Gerrit-PatchSet: 1
Gerrit-Owner: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-MessageType: newchange



    