(Adding Joakim)
On Tue, Jan 12, 2016 at 12:08 AM, git git gitfineon@online.de wrote:
Hi,
has anybody tried to activate/implement the Trusted Board Boot (TBB) feature of ARM Trusted Firmware (ATF) on Hikey or any other 96Board, yet?
It would be interesting to get this working but I don't think we've worked on it. Joakim, has anybody in the security WG tried this?
Minimal requirement to run TBB is GENERATE_COT, but it should be possible to only generate these Certificates of Trust (CoT) and add them to your Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with Juno DevBoard and it worked fine. The 96Boards repository does not mention TBB anywhere. But also in Hikey branch it is possible to set the GENERATE_COT flag and the *.crt files get generated.
Hi Amit,
On Tue, Jan 12, 2016 at 12:32:45AM +0530, Amit Kucheria wrote:
(Adding Joakim)
On Tue, Jan 12, 2016 at 12:08 AM, git git gitfineon@online.de wrote:
Hi,
has anybody tried to activate/implement the Trusted Board Boot (TBB) feature of ARM Trusted Firmware (ATF) on Hikey or any other 96Board, yet?
It would be interesting to get this working but I don't think we've worked on it. Joakim, has anybody in the security WG tried this?
I'm afraid not, however we have it on the todo-list; the plan is to deal with it in SWG-112 (Epic, and Stories, 113 to 116).
Minimal requirement to run TBB is GENERATE_COT, but it should be possible to only generate these Certificates of Trust (CoT) and add them to your Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with Juno DevBoard and it worked fine. The 96Boards repository does not mention TBB anywhere.
I think ARM introduced the authenticated framework somewhere after they released v1.1, could it be that simple that 96Boards ARM-TF fork lags behind? The authenticated framework was introduced somewhere here: https://github.com/ARM-software/arm-trusted-firmware/commits/d337aaaf53ef278...
But also in Hikey branch it is possible to set the GENERATE_COT flag and the *.crt files get generated.
Hi,
On Tue, Jan 12, 2016 at 8:03 AM, Joakim Bech joakim.bech@linaro.org wrote:
Hi Amit,
On Tue, Jan 12, 2016 at 12:32:45AM +0530, Amit Kucheria wrote:
(Adding Joakim)
On Tue, Jan 12, 2016 at 12:08 AM, git git gitfineon@online.de wrote:
Hi,
has anybody tried to activate/implement the Trusted Board Boot (TBB) feature of ARM Trusted Firmware (ATF) on Hikey or any other 96Board, yet?
It would be interesting to get this working but I don't think we've worked on it. Joakim, has anybody in the security WG tried this?
I'm afraid not, however we have it on the todo-list; the plan is to deal with it in SWG-112 (Epic, and Stories, 113 to 116).
Minimal requirement to run TBB is GENERATE_COT, but it should be possible to only generate these Certificates of Trust (CoT) and add them to your Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with Juno DevBoard and it worked fine. The 96Boards repository does not mention TBB anywhere.
I think ARM introduced the authenticated framework somewhere after they released v1.1, could it be that simple that 96Boards ARM-TF fork lags behind? The authenticated framework was introduced somewhere here:
https://github.com/ARM-software/arm-trusted-firmware/commits/d337aaaf53ef278...
Above is dated 2015/6/16 Hikey branch forked here: https://github.com/96boards/arm-trusted-firmware/commits/hikey?page=5 https://github.com/96boards/arm-trusted-firmware/commit/68fc81743e8671312a98... dated 2015/2/15, so seems like it is behind. I believe work is ongoing to rebase on something newer, but don't have any more info about it.
hth
But also in Hikey branch it is possible to set the GENERATE_COT flag and the *.crt files get generated.
-- Regards, Joakim B _______________________________________________ Dev mailing list Dev@lists.96boards.org https://lists.96boards.org/mailman/listinfo/dev
Hi Vee, Joakim,
On Tue, Jan 12, 2016 at 09:25:39PM +0900, Victor Chong wrote:
On Tue, Jan 12, 2016 at 8:03 AM, Joakim Bech joakim.bech@linaro.org wrote:
On Tue, Jan 12, 2016 at 12:32:45AM +0530, Amit Kucheria wrote:
On Tue, Jan 12, 2016 at 12:08 AM, git git gitfineon@online.de wrote:
Hi,
has anybody tried to activate/implement the Trusted Board Boot (TBB) feature of ARM Trusted Firmware (ATF) on Hikey or any other 96Board, yet?
It would be interesting to get this working but I don't think we've worked on it. Joakim, has anybody in the security WG tried this?
I'm afraid not, however we have it on the todo-list; the plan is to deal with it in SWG-112 (Epic, and Stories, 113 to 116).
Minimal requirement to run TBB is GENERATE_COT, but it should be possible to only generate these Certificates of Trust (CoT) and add them to your Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with Juno DevBoard and it worked fine. The 96Boards repository does not mention TBB anywhere.
I think ARM introduced the authenticated framework somewhere after they released v1.1, could it be that simple that 96Boards ARM-TF fork lags behind? The authenticated framework was introduced somewhere here:
https://github.com/ARM-software/arm-trusted-firmware/commits/d337aaaf53ef278...
Above is dated 2015/6/16 Hikey branch forked here: https://github.com/96boards/arm-trusted-firmware/commits/hikey?page=5 https://github.com/96boards/arm-trusted-firmware/commit/68fc81743e8671312a98... dated 2015/2/15, so seems like it is behind. I believe work is ongoing to rebase on something newer, but don't have any more info about it.
Just a reminder: I checked the changelog, and ARM-TF for Hikey is based on v1.1; I also see that the code has "TRUSTED_BOARD_BOOT" related configuration. So ARM-TF can actually support trusted boot now, but it has not been enabled yet, right?

New features
------------

* A prototype implementation of Trusted Board Boot has been added. Boot loader images are verified by BL1 and BL2 during the cold boot path. BL1 and BL2 use the PolarSSL SSL library to verify certificates and images. The OpenSSL library is used to create the X.509 certificates. Support has been added to `fip_create` tool to package the certificates in a FIP.

Thanks, Leo Yan
But also in Hikey branch it is possible to set the GENERATE_COT flag and the *.crt files get generated.
-- Regards, Joakim B
Hi,
On Tue, Jan 12, 2016 at 9:35 PM, Leo Yan leo.yan@linaro.org wrote:
Hi Vee, Joakim,
On Tue, Jan 12, 2016 at 09:25:39PM +0900, Victor Chong wrote:
On Tue, Jan 12, 2016 at 8:03 AM, Joakim Bech joakim.bech@linaro.org wrote:
On Tue, Jan 12, 2016 at 12:32:45AM +0530, Amit Kucheria wrote:
On Tue, Jan 12, 2016 at 12:08 AM, git git gitfineon@online.de wrote:
Hi,
has anybody tried to activate/implement the Trusted Board Boot (TBB) feature of ARM Trusted Firmware (ATF) on Hikey or any other 96Board, yet?
It would be interesting to get this working but I don't think we've worked on it. Joakim, has anybody in the security WG tried this?
I'm afraid not, however we have it on the todo-list; the plan is to deal with it in SWG-112 (Epic, and Stories, 113 to 116).
Minimal requirement to run TBB is GENERATE_COT, but it should be possible to only generate these Certificates of Trust (CoT) and add them to your Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with Juno DevBoard and it worked fine. The 96Boards repository does not mention TBB anywhere.
I think ARM introduced the authenticated framework somewhere after they released v1.1, could it be that simple that 96Boards ARM-TF fork lags behind? The authenticated framework was introduced somewhere here:
https://github.com/ARM-software/arm-trusted-firmware/commits/d337aaaf53ef278...
Above is dated 2015/6/16 Hikey branch forked here: https://github.com/96boards/arm-trusted-firmware/commits/hikey?page=5
https://github.com/96boards/arm-trusted-firmware/commit/68fc81743e8671312a98...
dated 2015/2/15, so seems like it is behind. I believe work is ongoing to rebase on something newer, but don't have any more info about it.
Just a reminder: I checked the changelog, and ARM-TF for Hikey is based on v1.1; I also see that the code has "TRUSTED_BOARD_BOOT" related configuration. So ARM-TF can actually support trusted boot now, but it has not been enabled yet, right?
So it looks like the one in Feb is the 'old' implementation and was replaced by a 'new' implementation in June ( https://github.com/ARM-software/arm-trusted-firmware/commit/1779ba6b97fbff87...). Seem to remember the old one was just a first prototype so not sure how well it works or how well tested it is vs the new. Maybe someone from ARM can verify?
Thanks!

New features
------------

* A prototype implementation of Trusted Board Boot has been added. Boot loader images are verified by BL1 and BL2 during the cold boot path. BL1 and BL2 use the PolarSSL SSL library to verify certificates and images. The OpenSSL library is used to create the X.509 certificates. Support has been added to `fip_create` tool to package the certificates in a FIP.

Thanks, Leo Yan
But also in Hikey branch it is possible to set the GENERATE_COT flag and the *.crt files get generated.
-- Regards, Joakim B