diff options
author | Tom Rini <trini@konsulko.com> | 2019-07-18 11:31:37 -0400 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2019-07-18 11:31:37 -0400 |
commit | 0de815356474912ef5bef9a69f0327a5a93bb2c2 (patch) | |
tree | 92db8fda09396081f58a0c5fb182e72fbc3fdd50 /doc | |
parent | 9a06eb800c1bdc68aa81fcad6d4f404e12dfff33 (diff) | |
parent | bf88d2b023063a0c46d7617a4f6897d5d561662d (diff) |
Merge branch '2019-07-17-master-imports'
- Various FS/disk related fixes with security implications.
- Proper fix for the pci_ep test.
- Assorted bugfixes
- Some MediaTek updates.
- 'env erase' support.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/README.chromium | 12 | ||||
-rw-r--r-- | doc/android/fastboot-protocol.txt (renamed from doc/README.android-fastboot-protocol) | 0 | ||||
-rw-r--r-- | doc/android/fastboot.txt | 4 | ||||
-rw-r--r-- | doc/uImage.FIT/signature.txt | 37 |
4 files changed, 44 insertions, 9 deletions
diff --git a/doc/README.chromium b/doc/README.chromium index 096bc4f1f7..8f67da6c72 100644 --- a/doc/README.chromium +++ b/doc/README.chromium @@ -33,12 +33,18 @@ To obtain: cd u-boot git checkout cros-master + cd .. + git clone https://chromium.googlesource.com/chromiumos/platform/vboot_reference + cd vboot_reference + git checkout 45964294 + # futility: updater: Correct output version for Snow + To build for sandbox: UB=/tmp/b/chromeos_sandbox # U-Boot build directory - CROS=/home/sglass/cosarm # Chromium OS directory - make O=$UB/chromeos_sandbox_defconfig - make O=$UB -j20 -s VBOOT_SOURCE=$CROS/src/platform/vboot_reference \ + cd u-boot + make O=$UB chromeos_sandbox_defconfig + make O=$UB -j20 -s VBOOT_SOURCE=/path/to/vboot_reference \ MAKEFLAGS_VBOOT=DEBUG=1 QUIET=1 Replace sandbox with another supported target. diff --git a/doc/README.android-fastboot-protocol b/doc/android/fastboot-protocol.txt index e9e7166a26..e9e7166a26 100644 --- a/doc/README.android-fastboot-protocol +++ b/doc/android/fastboot-protocol.txt diff --git a/doc/android/fastboot.txt b/doc/android/fastboot.txt index 431191c473..ea0d1da1fd 100644 --- a/doc/android/fastboot.txt +++ b/doc/android/fastboot.txt @@ -5,8 +5,8 @@ Android Fastboot Overview ======== -The protocol that is used over USB and UDP is described in the -``README.android-fastboot-protocol`` file in the same directory. +The protocol that is used over USB and UDP is described in +``doc/android/fastboot-protocol.txt``. The current implementation supports the following standard commands: diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 78b59e7203..c9b1802686 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -388,8 +388,8 @@ Test Verified Boot Run: signed config with bad hash: OK Test passed -Hardware Signing with PKCS#11 ------------------------------ +Hardware Signing with PKCS#11 or with HSM +----------------------------------------- Securely managing private signing keys can challenging, especially when the keys are stored on the file system of a computer that is connected to the @@ -402,14 +402,43 @@ them perform the signing. PKCS#11 is standard for interfacing with these crypto device. Requirements: -Smartcard/USB token/HSM which can work with the pkcs11 engine +Smartcard/USB token/HSM which can work with some openssl engine openssl + +For pkcs11 engine usage: libp11 (provides pkcs11 engine) p11-kit (recommended to simplify setup) opensc (for smartcards and smartcard like USB devices) gnutls (recommended for key generation, p11tool) -The following examples use the Nitrokey Pro. Instructions for other devices may vary. +For generic HSMs respective openssl engine must be installed and locateable by +openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed +to openssl's default search paths. + +PKCS11 engine support forms "key id" based on "keydir" and with +"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if +defined is used to define (prefix for) which PKCS11 source is being used for +lookup up for the key. + +PKCS11 engine key ids: + "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>" +or + "pkcs11:object=<key-name-hint>;type=<public|private>", + +Generic HSM engine support forms "key id" based on "keydir" and with +"key-name-hint". If "keydir" is specified for mkimage it is used as a prefix in +"key id" and is appended with "key-name-hint". + +Generic engine key ids: + "<keydir><key-name-hint>" +or + "<key-name-hint>" + +As mkimage does not at this time support prompting for passwords HSM may need +key preloading wrapper to be used when invoking mkimage. + +The following examples use the Nitrokey Pro using pkcs11 engine. Instructions +for other devices may vary. Notes on pkcs11 engine setup: |