A project to create a secure FIT image for the Udoo Neo using Buildroot
- General info
- Screenshots
- Technologies
- Project Setup
- Buildroot Configuration
- Features
- Status
- Inspiration
- Contact
- Links
Buildroot set-up to generate a secure FIT image for the Udoo Neo. The project uses Buildroot's external tree mechanism to allow for easy version control.
- Buildroot - version 2021.02
- RSA Encryption
- OP-TEE
- Udoo Neo
To run this project clone the repo, update the Buildroot submodule, generate the RSA key, then build the project.
$ git clone https://github.com/shanemmattner/udoo_neo_buildroot_secure.git
$ cd udoo_neo_buildroot_secure
$ git submodule update --init --recursive
$ openssl genrsa -out br-external/keys/dev.key 2048
$ openssl req -new -key br-external/keys/dev.key -out br-external/keys/dev.csr
$ make -C buildroot BR2_EXTERNAL=../br-external O=../br-external/
The output 'image.itb' will be in br-external/images:
Here are the steps I did to set-up this project.
First, we add buildroot as a submodule.
$ git submodule add git://git.buildroot.net/buildroot
Now we must make the recommended directory structure for the br2-external tree. This will allow us to version control our Buildroot configuration. In order for Git to register the folders we must create a file within them, this is the reason for 'touch ".../file"'.
$ mkdir br-external
$ mkdir -p "br-external/target_overlay" && touch "br-external/target_overlay/file"
$ mkdir -p "br-external/board/company/boardname/rootfs_overlay/etc" && touch "br-external/board/company/boardname/rootfs_overlay/etc/file"
$ mkdir -p "br-external/board/company/boardname/rootfs_overlay/etc" && touch "br-external/board/company/boardname/rootfs_overlay/etc/file"
$ mkdir -p "br-external/board/company/boardname/patches" && touch "br-external/board/company/boardname/patches/file"
$ mkdir -p "br-external/configs" && touch "br-external/configs/file"
$ mkdir -p "br-external/package/company" && touch "br-external/package/company/file"
$ mkdir -p "br-external/keys" && touch "br-external/keys/file"
Next we creat the external.desc file in /br-external/
$ vim br-external/external.desc
Enter the following and exit:
name: Udoo_Neo
Make a copy of the Udoo Neo defconfig in the external tree
$ cp buildroot/configs/mx6sx_udoo_neo_defconfig br-external/configs/
Make the defconfig and point the output toward the external tree. Then save that defconfig
$ make -C buildroot defconfig BR2_EXTERNAL=../br-external BR2_DEFCONFIG=../br-external/configs/mx6sx_udoo_neo_defconfig O=../br-external/
Make menuconfig and select the options below:
Select these options in the menuconfig
- Build options >> Enable compiler cache >> 'y'
- System configuration >> Root filesystem overlay directories >> 'target_overlay'
- System configuration >> Custom scripts to run after creating filesystem images >> '../post-image-signatures.sh'
- Toolchain >> Toolchain Type >> External toolchain
- Toolchain >> Toolchain Type >> Copy gdb server to the Target >> 'y'
- Target packages >> Security >> optee-client >> 'y'
- Target packages >> Networking applications >> dropbear >> 'y'
- Bootloaders >> U-Boot needs OpenSSL >> 'y'
- Host utilities >> Flattened Image Tree (FIT) support >> 'y'
- Host utilities >> FIT signature verification support >> 'y'
$ cd br-external
$ make menuconfig
Save the defconfig
$ make savedefconfig
Make the image
$cd .. # Move to git root dir
$ make -C buildroot BR2_EXTERNAL=../br-external O=../br-external/
#TODO: Change this to make a FIT format SD card Move files to SD card
$ sudo dd if=output/images/sdcard.img of=/dev/mmcblk0 bs=1M conv=fdatasync status=progress
List of features ready and TODOs for future development
- Verified boot
- OP-TEE Secure
- Awesome feature 3
To-do list:
- Build image using defconfig instead of .config
- Use OP-TEE
in progress
Motivated by an employment screening question.
Project created by Shane Mattner
Readme template created by @flynerdpl
- Buildroot source control
- Buildroot manual - Keep customizations outside of Buildroot
- Buildroot manual - Recommended directory structure
- VerifiedBoot using Buildroot for nitrogen6sx
- Verified Boot – Introduction to U-Boot’s Secure Boot
- U-Boot_verified_RSA_boot_flow_on_arm_target
- Verified U-Boot