
UEFI Secure Boot and DRI for RDK on HiKey - SFO17-401

Session ID: SFO17-401
Session Name: UEFI Secure Boot and DRI for RDK on HiKey - SFO17-401
Speaker: Kalyan Nagabhirava
Track: LHG


★ Session Summary ★
Explains the implementation of Secure Boot and DRI (Disaster Recovery Image) using UEFI/EDK2 on the HiKey board.

The Secure Boot loader verifies and boots the RDK image, which is embedded with a digital signature.

DRI is a UEFI executable that provides an HTTP/HTTPS method to download the RDK image and store it in flash memory.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-401/
Presentation:
Video:
---------------------------------------------------

★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport


UEFI Secure Boot and DRI for RDK on HiKey - SFO17-401

  1. UEFI Secure Boot and DRI
     Kalyan Kumar N
  2. ENGINEERS AND DEVICES WORKING TOGETHER
     Agenda
     ● Introduction
     ● RDK Boot Loader
     ● DRI (Disaster Recovery Image)
     ● RootFS Validation
     ● Build Environment
  3. Introduction
     ● Standardization of the RDK set-top box firmware boot process
       ○ Increase industry awareness of UEFI/EDK2 solutions for set-top boot implementation
     ● Need secure boot with a chain of trust and secure keys
     ● Implement the RDK Bootloader and Disaster Recovery Image (DRI) requirements (use cases) using a well-defined standard.
  4. RDK Boot Loader
     ● The RDK Boot Loader selects the valid Platform Code Image (PCI) from the device's non-volatile memory to load and execute.
     ● Enables secure boot by registering the PK and KEK keys.
     ● LoadImage from the UEFI Boot Services is used to load the kernel image from the boot partition.
     ● Kernel arguments are passed using the LoadOptions of the LoadedImageProtocol.
     ● Installs the FDT blob into the EFI system configuration table.
  5. RDK Boot Loader
     ● The FDT file is read and installed using gFdtTableGuid.
     ● To maintain the chain of trust, the key that validates the Linux kernel can be placed in a partition other than the boot partition.
     ● The key that validates the rootfs can be placed in the boot partition; it is registered to a UEFI variable and exported to the Linux kernel.
  6. RDK DRI
     ● The RDK DRI reference implementation is a UEFI application that resides in flash memory and provides an HTTP download method.
     ● Downloads the PCI image file via Ethernet (USB-to-Ethernet interface) and stores the image in flash memory.
     ● DRI downloads a monolithic image composed of 3 separate components:
       1. Linux kernel
       2. FDT file
       3. Root filesystem
  7. RDK DRI
     ● Linux and rootfs components are separately signed.
     ● Enabled the USB host driver with Ethernet adapter support.
     ● Enabled the HTTP drivers in NetworkPkg.
     ● URL and IP details are given to the HTTP driver.
     ● After downloading, the components are stored in different flash partitions and are validated prior to use.
  8. RootFS validation
     ● After kernel secure boot, RDK requires that the rootfs also be authenticated.
     ● The kernel boots with a temporary initramfs, validates the signed rootfs image, and mounts it.
       Yocto build configuration for creating the initramfs:
         INITRAMFS_IMAGE = "core-image-minimal-initramfs"
         INITRAMFS_FSTYPES = "cpio"
     ● Keys to validate the rootfs are exported to the kernel through UEFI.
  9. RootFS validation
     ● The kernel provides the EFIVAR file system, which enables access to UEFI variables from the kernel.
     ● Sign the rootfs using openssl and generate the sha256 hash file, which is part of the monolithic image and is used to verify the signature.
       Ex: openssl dgst -sha256 -sign "Key.key" -out rootfs.sha256 rootfs.tar.bz2
     ● Once the secure Linux kernel boots with the initramfs, it validates the rootfs, untars it, and mounts it.
  10. Build Environment
     ● EDK2 does not support the HiKey board by default.
     ● OpenPlatformPkg, based on edk2, supports various development boards such as RPI, ARM Juno, etc., including HiKey.
     ● OpenPlatformPkg can be added as an extra package to edk2 to support UEFI on HiKey.
     ● RdkPkg needs to be added to EDK2; it provides an application to access drivers from OpenPlatformPkg and boot the Linux kernel.
  11. Build Environment
     edk2: https://github.com/tianocore/edk2.git
     HiKey UEFI firmware: https://github.com/linaro-home/OpenPlatformPkg.git -b hikey-rdk
     RDK boot loader and DRI: https://github.com/linaro-home/RdkPkg.git
     RDK secure boot build setup script: Build script
  12. Thank You
     #SFO17
     SFO17 keynotes and videos on: connect.linaro.org
     For further information: www.linaro.org
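
The rootfs check described in the RootFS validation slides, as an added shell example (not code from the slides or from RdkPkg): the initramfs reads the verification key from an efivarfs file, skips its 4-byte attribute header, and accepts the archive only if the signature verifies. Assumptions: the UEFI variable holds a PEM public key, and `RootfsKey-PLACEHOLDER-GUID` stands in for a `/sys/firmware/efi/efivars/<Name>-<GUID>` file, since the deck gives neither the variable name nor the key format.

```shell
#!/bin/sh
# Added example, not RdkPkg code. File names below are constructed placeholders.

# An efivarfs file starts with a 4-byte attribute word; the variable data follows.
# Assumption: the data is a PEM-encoded public key.
read_efivar_key() {   # $1 = efivarfs file, $2 = output PEM file
    tail -c +5 "$1" > "$2"
}

# Return 0 only if signature $2 is valid for archive $1 under the key held in
# the UEFI variable file $3. The caller untars and mounts only on 0.
verify_rootfs() {
    vr_key=$(mktemp) || return 2
    read_efivar_key "$3" "$vr_key"
    if openssl dgst -sha256 -verify "$vr_key" -signature "$2" "$1" >/dev/null 2>&1
    then vr_rc=0; else vr_rc=1; fi
    rm -f "$vr_key"
    return "$vr_rc"
}

# Build constructed sample input in directory $1: a throwaway key pair, a
# stand-in archive, its signature, and a file laid out like an efivarfs entry.
make_sample() {
    openssl genrsa -out "$1/Key.key" 2048 2>/dev/null || return 1
    openssl rsa -in "$1/Key.key" -pubout -out "$1/pub.pem" 2>/dev/null || return 1
    printf 'constructed stand-in for rootfs.tar.bz2\n' > "$1/rootfs.tar.bz2"
    # Signing command from the slide: the output is a signature over the
    # SHA-256 digest, not a bare hash.
    openssl dgst -sha256 -sign "$1/Key.key" -out "$1/rootfs.sha256" \
        "$1/rootfs.tar.bz2" || return 1
    # Attributes 0x00000007 (NV | BS | RT), little-endian, then the key.
    { printf '\007\000\000\000'; cat "$1/pub.pem"; } > "$1/RootfsKey-PLACEHOLDER-GUID"
}
```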
