
Verified Boot

U-Boot, a popular bootloader supporting numerous processor architectures, provides a method to generate a single image called a FIT image that can be signed for verification purposes. The kernel, ramdisk, and a modified DTB are contained in this FIT image.

ARTIK provides a chain of trust from BL0 (IROM) to U-Boot (bootloader). You can extend this trust to include the kernel and ramdisk by enabling the “verified boot” feature of U-Boot to additionally verify the FIT image.

The feature uses cryptographic algorithms such as RSA to sign software images. Images are signed with a private key that is known only to the signer, and can be verified with the mathematically related public key.

In the case of ARTIK "s" modules, that public key is stored in bootloader.img and the image is then signed by the CodeSigner. Learn more about Verified Boot here.

This article describes how to enable and test verified boot on the ARTIK 530s/710s. The procedure is manual but can be incorporated as part of a default build recipe.

Setting Up Build Environment

Start with the build environment set up as described previously.

  1. Compile the standard code and make sure the build completes successfully.

  2. Install the U-Boot tools and SSL libraries.

    sudo apt-get install kpartx u-boot-tools libssl-dev

  3. Create a new working directory for verified boot and copy boot.img into it. Adjust the path to match your release directory (. . . .).

    A530s
    cd ${HOME}/artik530s
    mkdir vboot
    cp build-artik/output/images/artik530s/..../boot.img vboot/

    A710s
    cd ${HOME}/artik710s
    mkdir vboot
    cp build-artik/output/images/artik710s/..../boot.img vboot/

Enabling Verified Boot Feature

The indicated paths in this section are under the u-boot-artik directory.

  1. Add the verified boot (VB) configuration options to the noted U-Boot configuration file.

    A530s : configs/artik530_raptor_defconfig

    A710s : configs/artik710_raptor_defconfig

    CONFIG_FIT=y
    # Enable Verified Boot
    CONFIG_FIT_SIGNATURE=y
    CONFIG_RSA=y
    # Debug Verified Boot (optional)
    CONFIG_VERBOSE=y
    CONFIG_FIT_VERBOSE=y

    For the modules to be mounted with integrity checking, the updated initrd-artik scripts/init for the uInitrd additionally require CONFIG_DM_VERITY=y to be set. Refer to the GitHub documentation for details.

  2. To verify a signed image, U-Boot needs a trusted public key, which is stored as a sub-node of a signature node. Add the signature node to the noted dts file.

    A530s : arch/arm/dts/s5p4418-artik530-raptor.dts

    A710s : arch/arm/dts/s5p6818-artik710-raptor.dts

    /dts-v1/;
    #include "s5pxx18-artikxxx-raptor-common.dtsi"
    / {
        signature {
            key-dev {
                required = "conf";
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
    };

  3. Modify the dts Makefile to include the necessary device tree compiler flags.

    In arch/arm/dts/Makefile

    #Add any required device tree compiler flags here
    DTC_FLAGS += -R 4 -p 0x1000

Building U-Boot

Build the modified DTS file and copy the tools and DTB file into the vboot directory. Run these commands from the u-boot-artik directory.

A530s
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- artik530_raptor_defconfig
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- dtbs
cp tools/mkimage ../vboot/
cp tools/fit_check_sign ../vboot/
cp arch/arm/dts/s5p4418-artik530-raptor.dtb ../vboot/

A710s
make ARCH=arm CROSS_COMPILE=aarch64-linux-gnu- artik710_raptor_defconfig
make ARCH=arm CROSS_COMPILE=aarch64-linux-gnu- dtbs
cp tools/mkimage ../vboot/
cp tools/fit_check_sign ../vboot/
cp arch/arm/dts/s5p6818-artik710-raptor.dtb ../vboot/

Creating ITS File

Create an Image Tree Source (ITS) file to describe how you want the kernel, DTB, and ramdisk to be packaged, compressed, and signed. For details, refer to the "Signed Configurations" section in GitHub.

Create the indicated ITS file by copying the file contents provided here.

A530s: vboot/A530s_sign-configs.its

/dts-v1/;

/ {
    description = "ARTIK530 Image with single Linux kernel and FDT blob";
    #address-cells = <1>;

    images {
        kernel@1 {
            description = "Linux kernel";
            data = /incbin/("./zImage");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x91080000>;
            entry = <0x91080000>;
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };

        fdt@1 {
            description = "Flattened Device Tree blob";
            data = /incbin/("./s5p4418-artik530-raptor-rev03.dtb");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            load = <0x9b000000>;
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
        
        ramdisk@1 {
            description = "RAMDISK";
            data = /incbin/("./uInitrd.fit");
            type = "ramdisk";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x9a000000>;
            entry = <0x9a000000>;
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
    };

    configurations {
        default = "conf@1";
        conf@1 {
            description = "Boot Linux kernel with FDT blob";
            kernel = "kernel@1";
            fdt = "fdt@1";
            ramdisk = "ramdisk@1";
        };
    };
};

A530s-1G: vboot/A530s_sign-configs.its

/dts-v1/;

/ {
    description = "Linux kernel and FDT blob for ARTIK-533(530 1G)";
    #address-cells = <1>;

    images {
        kernel {
            description = "Linux kernel for ARTIK-533";
            data = /incbin/("./zImage");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x71080000>;
            entry = <0x71080000>;
            hash {
                algo = "sha1";
            };
            signature {
                required = "image";
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
        ramdisk {
            description = "ramdisk";
            data = /incbin/("./initrd.gz");
            type = "ramdisk";
            arch = "arm";
            os = "linux";
            compression = "gzip";
            load = <0x7a000000>;
            hash {
                algo = "sha1";
            };
            signature {
                required = "image";
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
        fdt-rev00 {
            description = "FDT blob for artik533 rev00";
            data = /incbin/("./s5p4418-artik533-raptor-rev00.dtb");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            load = <0x7b000000>;
            hash {
                algo = "sha1";
            };
            signature {
                required = "image";
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
    };
    configurations {
        default = "rev00";
        rev00 {
            description = "Boot Linux kernel with FDT blob";
            kernel = "kernel";
            ramdisk = "ramdisk";
            fdt = "fdt-rev00";
            signature {
                required = "image";
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "fdt", "kernel", "ramdisk";
            };
        };
    };
};

A710s: vboot/A710s_sign-configs.its

/dts-v1/;

/ {
    description = "ARTIK710S Image with single Linux kernel and FDT blob";
    #address-cells = <1>;

    images {
        kernel@1 {
            description = "Linux kernel";
            data = /incbin/("./Image");
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x40080000>;
            entry = <0x40080000>;
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };

        fdt@1 {
            description = "Flattened Device Tree blob";
            data = /incbin/("./s5p6818-artik710-raptor-rev03.dtb");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            load = <0x4a000000>;
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
        
        ramdisk@1 {
            description = "RAMDISK";
            data = /incbin/("./uInitrd.fit");
            type = "ramdisk";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x49000000>;
            entry = <0x49000000>;
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
            };
        };
    };

    configurations {
        default = "conf@1";
        conf@1 {
            description = "Boot Linux kernel with FDT blob";
            kernel = "kernel@1";
            fdt = "fdt@1";
            ramdisk = "ramdisk@1";
        };
    };
};
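
The A530s and A710s files above put a signature node in every image but none in conf@1, while the A530s-1G file also signs its configuration; in U-Boot's signed-configuration scheme it is the configuration signature that ties one kernel, FDT and ramdisk together as a set. The audit script below is an added example, not part of the original article or of U-Boot: it lists each image and configuration of an ITS file with its signature algo and flags unsigned configurations and SHA-1 based algos. The function names, flag words and the shortened sample file are constructed for illustration.

```shell
#!/bin/sh
# its_audit [FILE]  (reads standard input when FILE is omitted)
# Prints one line per node under /images and /configurations:
#   <group>/<node> <signature algo, or "none"> [flags]
# Flags: UNSIGNED-CONFIG  configuration without a signature node
#        SHA1             signature algo based on SHA-1
# Returns 1 when any flag was raised, 0 otherwise.
its_audit() {
    awk '
    /[{]/ {                                 # line that opens a node
        name = $0
        sub(/[ \t]*[{].*$/, "", name)       # strip the brace
        sub(/^[ \t]+/, "", name)            # strip indentation
        path[++depth] = name                # depth 1 is the root node
        if (depth == 3) {                   # an image or a configuration
            entry[++n] = path[2] "/" name
            algo[n] = "none"
        }
        if (depth == 4 && name ~ /^signature/) insig = 1
        next
    }
    /[}]/ { if (depth == 4) insig = 0; depth--; next }
    insig && /algo[ \t]*=/ { split($0, q, "\""); algo[n] = q[2] }
    END {
        for (i = 1; i <= n; i++) {
            flag = ""
            if (entry[i] ~ /^configurations\// && algo[i] == "none")
                flag = " UNSIGNED-CONFIG"
            if (algo[i] ~ /^sha1,/) flag = flag " SHA1"
            if (flag != "") bad = 1
            print entry[i] " " algo[i] flag
        }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample: the layout of the A530s file, reduced to two images.
sample_its() {
cat <<'EOF'
/dts-v1/;
/ {
    images {
        kernel@1 {
            signature@1 {
                algo = "sha1,rsa2048";
            };
        };
        fdt@1 {
            signature@1 {
                algo = "sha1,rsa2048";
            };
        };
    };
    configurations {
        default = "conf@1";
        conf@1 {
            kernel = "kernel@1";
            fdt = "fdt@1";
        };
    };
};
EOF
}

# With a file argument, audit it; with none, audit the constructed sample.
if [ $# -gt 0 ]; then its_audit "$1"; else sample_its | its_audit || :; fi
```

Run it as `sh its_audit.sh A530s_sign-configs.its` before calling mkimage; an exit status of 1 means at least one line carries a flag.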

Key Pair Generation

Use OpenSSL commands to generate an RSA key and certificate for the firmware build and the kernel binary.

Start in your vboot/ directory.

mkdir keys

openssl genpkey -algorithm RSA -out keys/dev.key -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:3

openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt

The key pair is now available in the keys/ directory.

Note that keys/dev.key contains your private key, so it should be kept secure and secret. Anyone with access to that file will be able to sign any unknown kernel/ramdisk with it.

Building Signed FIT Image

Building U-Boot creates tools to generate and check a monolithic image referred to as a Flattened Image Tree (FIT), a single binary that contains all the images required to boot up a system: kernel, ramdisk, and device tree.

The FIT Image is signed using a private key. The tool embeds the signature within the FIT image, and the corresponding public key within the U-Boot device tree. Since U-Boot is authenticated by Secure Boot, you can trust its public key and use that key to verify the FIT image.

The Device Tree Blob (DTB), also referred to as a flat device tree or device tree binary, is a database that represents hardware components on a given device. U-Boot uses a DTB the same way the kernel does, to probe drivers, and also stores the public key there for kernel image signature verification.

Copy images to vboot

Creating a FIT image requires kernel, dtb, and ramdisk images, which can be extracted from the boot.img that you created and copied earlier.

  1. Go to the vboot/ directory.

  2. Mount the boot image.
    sudo mount -o loop boot.img /mnt

  3. Extract the kernel image.
    cp /mnt/zImage ./

  4. Extract the ramdisk image uInitrd, removing the header – the U-Boot in use does not support FIT and legacy images at the same time.
    dd if=/mnt/uInitrd of=./uInitrd.fit skip=64 bs=1

  5. Extract the dtb.
    A530s
    cp /mnt/s5p4418-artik530-raptor-rev03.dtb ./
    A710s
    cp /mnt/s5p6818-artik710-raptor-rev03.dtb ./

Leave the boot image mounted for now.

Make FIT image

Use the U-Boot tool mkimage to create the FIT image. The tool packages together:
- kernel (zImage)
- DTB
- ramdisk (uInitrd.fit)
into a FIT image according to the sign-configs.its file settings, using the key pair in the keys/ directory that you created earlier.

Make sure you are in the vboot/ directory.

A530s
./mkimage -D "-I dts -O dtb -p 0x1000" -f A530s_sign-configs.its -K s5p4418-artik530-raptor.dtb -k keys -r signed_fit.img

A710s
./mkimage -D "-I dts -O dtb -p 0x1000" -f A710s_sign-configs.its -K s5p6818-artik710-raptor.dtb -k keys -r signed_fit.img

The output file signed_fit.img contains zImage, the .dtb and uInitrd. The .dtb named with -K now contains the public key that U-Boot will use for verification.

Check FIT image signature

Use the U-Boot tool fit_check_sign to check and verify the FIT image.

A530s
./fit_check_sign -k s5p4418-artik530-raptor.dtb -f signed_fit.img

A710s
./fit_check_sign -k s5p6818-artik710-raptor.dtb -f signed_fit.img
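
A passing fit_check_sign run shows only that the untouched image verifies; the complementary check is that a modified copy is rejected. The script below is an added example, not part of the original article: it inverts one byte in a temporary copy of the image and reruns the verifier on that copy. The function name is hypothetical, and the suggested offset 4096 assumes the kernel data starts at offset 0xe8, as in the A530s boot log later on this page.

```shell
#!/bin/sh
# tamper_rejected IMAGE OFFSET VERIFIER [ARGS...]
# (hypothetical helper; VERIFIER ARGS... is run with a file path appended)
# 1. confirms the untouched IMAGE passes the verifier,
# 2. inverts the byte at OFFSET in a temporary copy,
# 3. runs the verifier on the copy.
# Returns 0 when the copy is rejected, 1 when it is accepted, 2 on setup errors.
tamper_rejected() {
    image=$1; offset=$2; shift 2
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 2; }
    size=$(wc -c < "$image" | tr -d ' ')
    [ "$offset" -lt "$size" ] || { echo "offset beyond end of image" >&2; return 2; }
    "$@" "$image" >/dev/null 2>&1 ||
        { echo "original image does not verify" >&2; return 2; }
    copy=$(mktemp) || return 2
    cp "$image" "$copy" || { rm -f "$copy"; return 2; }
    # Read the original byte as decimal, write back its bitwise complement.
    byte=$(dd if="$image" bs=1 skip="$offset" count=1 2>/dev/null |
           od -An -tu1 | tr -d ' \n')
    printf "$(printf '\\%03o' $(( byte ^ 255 )))" |
        dd of="$copy" bs=1 seek="$offset" conv=notrunc 2>/dev/null
    if "$@" "$copy" >/dev/null 2>&1; then rc=1; else rc=0; fi
    rm -f "$copy"
    return "$rc"
}

# A530s form of the check on this page; 4096 (0x1000) lies inside the kernel
# data if it starts at offset 0xe8, as it does in the boot log on this page:
#   sh tamper.sh signed_fit.img 4096 ./fit_check_sign -k s5p4418-artik530-raptor.dtb -f
if [ $# -ge 3 ]; then
    if tamper_rejected "$@"; then
        echo "PASS: modified copy rejected"
    else
        echo "FAIL: status $? (1 = modified copy accepted, 2 = setup error)"
    fi
fi
```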

Updating boot.img

After creating signed_fit.img, boot.img must be updated to replace the unsigned kernel and ramdisk images with the signed FIT image.

This procedure starts in the vboot/ directory and with boot.img still mounted from the previous steps.

A530s
sudo rm /mnt/s5p4418-artik530-raptor-rev03.dtb

A710s
sudo rm /mnt/s5p6818-artik710-raptor-rev03.dtb

For both:
sudo rm /mnt/zImage
sudo rm /mnt/uInitrd
sudo cp signed_fit.img /mnt
sudo sync
sudo umount /mnt

boot.img now contains the signed FIT image in place of the separate unsigned ones.

Rebuilding U-Boot

You'll need to generate a new U-Boot (bootloader) image that includes the updated DTB containing the public key. To do so, it is necessary to add extra flags in the U-Boot build script to build using the prebuilt DT file.

Sequence for A530s

1. Edit build-artik/build_uboot.sh as follows.

Comment out:
# make ARCH=arm EXTRAVERSION="-$BUILD_VERSION" -j$JOBS O=$UBOOT_DIR/output

Replace with:
export UBOOT_SIGN_OPT="EXT_DTB=${HOME}/artik530s/vboot/s5p4418-artik530-raptor.dtb"
make ARCH=arm EXTRAVERSION="-$BUILD_VERSION" ${UBOOT_BUILD_OPT} ${UBOOT_SIGN_OPT} -j$JOBS O=$UBOOT_DIR/output

2. Build U-Boot again, and copy the updated bootloader image to vboot/ in anticipation of flash loading.

3. Go to the build-artik/ directory and run these commands.

./build_uboot.sh -b artik530s
cp output/images/artik530s/bootloader.img ../vboot/
cp output/images/artik530s/UNRELEASED/YYYYMMDD.HHMMSS/partmap_emmc.txt ../vboot/

Sequence for A710s

1. Edit build-artik/build_uboot.sh as follows.

Comment out:
# make ARCH=arm EXTRAVERSION="-$BUILD_VERSION" -j$JOBS O=$UBOOT_DIR/output

Replace with:
export UBOOT_SIGN_OPT="EXT_DTB=${HOME}/artik710s/vboot/s5p6818-artik710-raptor.dtb"
make ARCH=arm EXTRAVERSION="-$BUILD_VERSION" ${UBOOT_BUILD_OPT} ${UBOOT_SIGN_OPT} -j$JOBS O=$UBOOT_DIR/output

2. Unaligned Access Patch – There is an unaligned access issue in the A710 bootloader because DT properties are 4-byte aligned. Therefore, you will need to apply a patch to read the public-exponent property.

Subject: [PATCH] ARM: Avoid unaligned access to DT on 64bit SoC

Because DT properties are 4-byte aligned, the pointer access in this code causes unaligned access.
---
 lib/rsa/rsa-mod-exp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/rsa/rsa-mod-exp.c b/lib/rsa/rsa-mod-exp.c
index 4a6de2b..9f153c6 100644
--- a/lib/rsa/rsa-mod-exp.c
+++ b/lib/rsa/rsa-mod-exp.c
@@ -262,9 +262,11 @@ int rsa_mod_exp_sw(const uint8_t *sig, uint32_t sig_len,
 
 	if (!prop->public_exponent)
 		key.exponent = RSA_DEFAULT_PUBEXP;
-	else
+	else {
+		prop->public_exponent += sizeof(uint32_t);
 		key.exponent =
-			fdt64_to_cpu(*((uint64_t *)(prop->public_exponent)));
+				(uint64_t)fdt32_to_cpu(*((uint32_t *)(prop->public_exponent)));
+	}
 
 	if (!key.len || !prop->modulus || !prop->rr) {
 		debug("%s: Missing RSA key info", __func__);
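
Review bot: In the new else branch, `prop->public_exponent += sizeof(uint32_t);` advances the pointer stored in the caller's `prop` rather than a local copy, so a later call that reuses the same `prop` would read another 4 bytes further into the device tree, and the 32-bit read that follows keeps only the low word of the 64-bit exponent without checking that the high word is zero. Suggest leaving `prop` untouched and copying the 8 bytes into a local uint64_t (for example with memcpy) before calling fdt64_to_cpu, which removes the unaligned access and preserves the full value; if truncation to 32 bits is intended, reject a non-zero high word explicitly and say so in the commit message.
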
---

3. Build U-Boot again, and copy the updated bootloader image to vboot/ in anticipation of flash loading.

4. Go to the build-artik/ directory and run these commands.

./build_uboot.sh -b artik710s
cp build-artik/output/images/artik710s/YYYYMMDD.HHMMSS/fip-nonsecure.img ../vboot/
cp build-artik/output/images/artik710s/YYYYMMDD.HHMMSS/partmap_emmc.txt ../vboot/

Flash Loading and Testing

The updated bootloader and boot image can be flashed to the target board by following the fastboot over USB instructions.

When the setup is ready, reset your ARTIK board and stop autoboot by pressing any key. Then type fastboot 0 at the U-Boot prompt.

U-Boot 2016.01 (Dec 19 2017 - 19:33:47 -0800)
Model: Samsung artik305 raptor board based on Nexell s5p4418
. . .
Hit any key to stop autoboot: 0
artik305# fastboot 0

On the development machine, start in the vboot/ directory and run these commands to flash load the bootloader and boot images.

Sequence for A530s

sudo fastboot flash partmap partmap_emmc.txt
sudo fastboot flash bootloader bootloader.img
sudo fastboot flash boot boot.img

Once the bootloader and boot images have been flashed successfully, reset the board, stop autoboot once again, and run the following commands at the U-Boot prompt.

. . .
Hit any key to stop autoboot: 0
artik530# run gen_addr; run load_args
artik530# ext4load mmc 0:2 0x98000000 signed_fit.img
8433458 bytes read in 569 ms (14.1 MiB/s)
artik530# bootm 0x98000000

## Loading kernel from FIT Image at 98000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x980000e8
     Data Size:    5954424 Bytes = 5.7 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x91080000
     Entry Point:  0x91080000
     Sign algo:    sha1,rsa2048:dev
     Sign value:   4169b42d2724f0ba2cb17a6c333db2ca26a52de6fb5d7601d5c37546e4052a9cd2445f2ec685549384f9ec97d2d5
26814b6da0ec46678656e7a4b3bbf3248bf287338639e5a6bcd2f9b6418a63231922e8973d1fec5c276f1332cfbef443c62e4d199e36b97
701e91883e569c31464e6f37c66be1426c9f37da2e86d25008a21876812212f714a8555fb3b4ce9a1b05c801095f35170b90d031d194a66
adbff615481cf0abf4a0d0a96e98aef2955b429aa25dc56f03ad8d1e95c145e2d0e7dc145f464e7d20708f5486f70a93004fca352881f51
950d232f4725d12113af8a9bb2c8853e4db8c54cda7285a2fe395c1993a581d93a8079fd17a5b092b53031d
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
## Loading ramdisk from FIT Image at 98000000 ...
   Using 'conf@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  RAMDISK
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x985b93dc
     Data Size:    2427923 Bytes = 2.3 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x9a000000
     Entry Point:  0x9a000000
     Sign algo:    sha1,rsa2048:dev
     Sign value:   558935a47337f3347f30e3b31db40de164f7459f5002530f665a5cdb75beeab77280589b45cdbb57d3e35ca3ff92
25e453a6f0ff0744d43b697268552078d8662655cab828924bac954db6df98f2dd09f24a9a041e2a40c2dcab3d91dc050f69c4378029f72
65dbc153d544ade8fc1c87c1dcec3e52304e575a975db7e38c24fd153d60873791559bb303af87285eff46655a5a835143db015612c52cc
d8a5e075d812fe38315dc4f38638eb1f5645da8411341e255b2b81aba554298855a724db18a1bd46144256016fbe20e9930fd8f18b7985a
651f25bb3526ca3687c64f9dc14422642ef1ba6c0c07f44edb41619633e18cad9798769d5af8469c59bdbfc
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Loading ramdisk from 0x985b93dc to 0x9a000000
## Loading fdt from FIT Image at 98000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x985ade94
     Data Size:    45895 Bytes = 44.8 KiB
     Architecture: ARM
     Sign algo:    sha1,rsa2048:dev
     Sign value:   8951ddf17d15a6ce61fb3975a56737ac845db84d35e6cc692420c34ca850eb9f331c1919505f030629326329de7e
226ed6d2462731b864dd8585ea541aecab2c9bb80568ad9d0e5ee2f65f7d71a308cfd3783ab8533e47d80a4ed573f44c9e6a4bbcad9a569
90a527ee43f56a9de40a413338110e08e53ca9a89eb02322c1af0fe89b381d5cb58a2e8fd1291dc7ccaae50528b52af0a1c3e4b7e47dfba
83551e2763c7fc6cea6c9cfa511da6916ce5ce3ab0ae0be9411bae8891e66f7d86a5859e79bfad61fff971c7b82f810657f20a04612ca15
b4bd9455614c9f2c3ce56b9d672803a224c48e481e7f380b79cd95a2048141d92f7e024e2a133293a64f63d
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Loading fdt from 0x985ade94 to 0x9b000000
   Booting using the fdt blob at 0x9b000000
   Loading Kernel Image ... OK
   Loading Ramdisk to ab3e8000, end ab638c13 ... OK
   Using Device Tree in place at 9b000000, end 9b00e346

Starting kernel ...

Sequence for A710s

sudo fastboot flash partmap partmap_emmc.txt
sudo fastboot flash fip-nonsecure fip-nonsecure.img
sudo fastboot flash boot boot.img

Once the bootloader and boot images have been flashed successfully, reset the board, stop autoboot once again, and run the following commands at the U-Boot prompt.

. . .
Hit any key to stop autoboot: 0
artik710# run load_args
artik710# ext4load mmc 0:2 0x46000000 signed_fit.img
16101338 bytes read in 750 ms (20.5 MiB/s)
artik710# bootm 0x46000000

## Loading kernel from FIT Image at 46000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x460000e8
     Data Size:    13623400 Bytes = 13 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x40080000
     Entry Point:  0x40080000
     Sign algo:    sha1,rsa2048:dev
     Sign value:   99e83143c1c14d2ce394fc180ddea30aee45b38e6cdfb0f657c0a8ebb7eaad49017c49ac36634157f98d7cf9fe13763f130a23bc510d4f2568f628260f9d47bce29f54b5f905fa7c41a63234ba8dfd9b059d8876cb6a10643fb9f3f3c9d675bfc3f8b86d9b53108c1ad8c787c36df2310cae509b7554c9b2395a684da746c85586fc2a64a9e4a98a150c2a194e119d51db44fc33ee5a9eca3ce1943fab2099b9e8a96e487f3b22c1fd875ec2d6548d1a9519358d35eb28e253cdc1ec45b06a062ac14c811a6b87ccec297f05bcfaf07bcb42533d63c2aec69320fdb43ae882728723c6a841efb55a85a2184556f34d3c9a31f3ef56ece22c23b2680ad792758e
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
## Loading ramdisk from FIT Image at 46000000 ...
   Using 'conf@1' configuration
   Trying 'ramdisk@1' ramdisk subimage
     Description:  RAMDISK
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x46d0ae2c
     Data Size:    2423496 Bytes = 2.3 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x49000000
     Entry Point:  0x49000000
     Sign algo:    sha1,rsa2048:dev
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Loading ramdisk from 0x46d0ae2c to 0x49000000
## Loading fdt from FIT Image at 46000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x46cfe3a0
     Data Size:    51310 Bytes = 50.1 KiB
     Architecture: AArch64
     Sign algo:    sha1,rsa2048:dev
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Loading fdt from 0x46cfe3a0 to 0x4a000000
   Booting using the fdt blob at 0x4a000000
   Loading Kernel Image ... OK
   reserving fdt memory region: addr=7de00000 size=100000
   Loading Ramdisk to 792e4000, end 79533ac8 ... OK
   Using Device Tree in place at 000000004a000000, end 000000004a00f86d

Starting kernel ...

Completing Chain of Trust

Verified Boot is now enabled and tested. At this point, kernel and ramdisk are verified by the bootloader using the public key that was included in bootloader.img.

To complete the chain of trust, you can also sign bootloader.img using the CodeSigner/KMS service provided by ARTIK to ensure the authenticity of the bootloader. In this way, the chain of trust starting from BL0 (IROM) to U-Boot (bootloader) can be extended to kernel and ramdisk.
