github.com/usbarmory/armory-boot@v0.0.0-20240307133412-208c66a380b9/README.md (about) 1 Introduction 2 ============ 3 4 This [TamaGo](https://github.com/usbarmory/tamago) based unikernel 5 acts as a primary boot loader for the [USB armory Mk II](https://github.com/usbarmory/usbarmory/wiki), 6 allowing boot of kernel images (e.g. Linux) from either the eMMC card or an 7 external microSD card. 8 9 This repository also provides a [command line utility](https://github.com/usbarmory/armory-boot#serial-download-protocol-utility) 10 to load imx executables through USB using [SDP](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#serial-download-protocol-sdp). 11 12 Compiling 13 ========= 14 15 Build the [TamaGo compiler](https://github.com/usbarmory/tamago-go) 16 (or use the [latest binary release](https://github.com/usbarmory/tamago-go/releases/latest)): 17 18 ``` 19 wget https://github.com/usbarmory/tamago-go/archive/refs/tags/latest.zip 20 unzip latest.zip 21 cd tamago-go-latest/src && ./all.bash 22 cd ../bin && export TAMAGO=`pwd`/go 23 ``` 24 25 The `BOOT` environment variable must be set to either `uSD` or `eMMC` to 26 configure the bootloader media for `/boot/armory-boot.conf`, as well as kernel 27 images, location. 28 29 The `START` environment variable must be set to the offset of the first valid 30 ext4 partition where `/boot/armory-boot.conf` is located (typically 5242880 for 31 USB armory Mk II default pre-compiled images). 32 33 The `CONSOLE` environment variable may be set to `on` to enable serial 34 logging when a [debug accessory](https://github.com/usbarmory/usbarmory/tree/master/hardware/mark-two-debug-accessory) 35 is connected. 36 37 Build the `armory-boot.imx` application executable: 38 39 ``` 40 git clone https://github.com/usbarmory/armory-boot && cd armory-boot 41 make imx BOOT=uSD START=5242880 42 ``` 43 44 Docker 45 ------ 46 47 For convenience a docker configuration is provided. 48 49 Ensure docker daemon is running and build the `armory-boot` docker image, 50 this needs to be done only the first time: 51 52 ``` 53 docker build --build-arg UID=$UID --build-arg GID=$UID -t armory-boot docker 54 ``` 55 56 You can enter to the container as follows: 57 58 ``` 59 docker run -it --rm -v $PWD:/build armory-boot 60 ``` 61 62 Installing 63 ========== 64 65 The `armory-boot.imx` file can be flashed on the internal eMMC card or an 66 external micro SD card as shown in [these instructions](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#flashing-imx-native-images). 67 68 Configuration 69 ============= 70 71 The bootloader expects a single configuration file to read information on the 72 image and parameters to boot. 73 74 The bootloader is configured via a single configuration file, and can boot either 75 an ARM kernel image or an ELF unikernel (e.g. 76 [tamago-example](https://github.com/usbarmory/tamago-example)). 77 The required elements in the configuration file differ depending on the type of 78 image being loaded, examples for both are given below. 79 80 It is an error specify both unikernel and kernel config parameters in the same 81 configuration file. 82 83 Linux kernel boot 84 ----------------- 85 86 To load a Linux kernel, the bootloader requires that you provide the paths to 87 the kernel image and the Device Tree Blob file, along with their respective 88 SHA256 hashes (only used with configuration signature verification, see _Secure 89 Boot_), as well as the kernel command line. 90 91 An optional initial ramdisk can be passed with the `initrd` parameter. 92 93 Example `/boot/armory-boot.conf` configuration file for loading a Linux kernel: 94 95 ``` 96 { 97 "kernel": [ 98 "/boot/zImage-5.4.51-0-usbarmory", 99 "aceb3514d5ba6ac591a7d5f2cad680e83a9f848d19763563da8024f003e927c7" 100 ], 101 "dtb": [ 102 "/boot/imx6ulz-usbarmory-default-5.4.51-0.dtb", 103 "60d4fe465ef60042293f5723bf4a001d8e75f26e517af2b55e6efaef9c0db1f6" 104 ], 105 "initrd": [ 106 "/boot/initrd.img-5.4.51-0-usbarmory", 107 "64119096fd329e89f062cb5e0fc5b8e66f98081aef987e0bc7a92a05f4452540" 108 ], 109 "cmdline": "console=ttymxc1,115200 root=/dev/mmcblk0p1 rootwait rw" 110 } 111 ``` 112 113 TamaGo unikernel boot 114 --------------------- 115 116 To load a TamaGo unikernel, the bootloader only needs the path to the ELF 117 binary along with its SHA256 hash (only used with configuration signature 118 verification, see _Secure Boot_). 119 120 Example `/boot/armory-boot.conf` configuration file for loading a TamaGo 121 unikernel: 122 123 ``` 124 { 125 "unikernel": [ 126 "/boot/tamago-example", 127 "e6de9214249dd7989b4056372424e84b273ff4e5d2410fa12ac230ddaf22690a" 128 ] 129 } 130 ``` 131 132 Secure Boot 133 =========== 134 135 On secure booted systems the `imx_signed` target should be used instead with the relevant 136 [`HAB_KEYS`](https://github.com/usbarmory/usbarmory/wiki/Secure-boot-(Mk-II)) set. 137 138 Additionally, to maintain the chain of trust, the `PUBLIC_KEY` environment 139 variable must be set with either a [signify](https://man.openbsd.org/signify) 140 or [minisign](https://jedisct1.github.io/minisign/) public key to enable 141 configuration file signature verification. 142 143 Example key generation (signify): 144 145 ``` 146 signify -G -p armory-boot.pub -s armory-boot.sec 147 ``` 148 149 Example key generation (minisign): 150 151 ``` 152 minisign -G -p armory-boot.pub -s armory-boot.sec 153 ``` 154 155 Compilation with embedded key: 156 157 ``` 158 make imx_signed BOOT=uSD START=5242880 PUBLIC_KEY=<last line of armory-boot.pub> HAB_KEYS=<path> 159 ``` 160 161 When `armory-boot` is compiled with the `PUBLIC_KEY` variable, a signature for 162 the configuration file must be created in `/boot/armory-boot.conf.sig` using 163 with the corresponding secret key. 164 165 Example signature generation (signify): 166 167 ``` 168 signify -S -s armory-boot.sec -m armory-boot.conf -x armory-boot.conf.sig 169 ``` 170 171 Example signature generation (minisign): 172 173 ``` 174 minisign -S -s armory-boot.sec -m armory-boot.conf -x armory-boot.conf.sig 175 ``` 176 177 LED status 178 ========== 179 180 The [USB armory Mk II](https://github.com/usbarmory/usbarmory/wiki) LEDs 181 are used, in sequence, as follows: 182 183 | Boot sequence | Blue | White | 184 |---------------------------------|------|-------| 185 | 0. initialization | off | off | 186 | 1. boot media detected | on | off | 187 | 2. kernel verification complete | on | on | 188 | 3. jumping to kernel image | off | off | 189 190 Serial Download Protocol utility 191 ================================ 192 193 The `armory-boot-usb` command line utility allows to load an imx executable 194 through USB using [SDP](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#serial-download-protocol-sdp), 195 useful for testing or initial provisioning purposes. 196 197 You can automatically download, compile and install the utility, under your 198 GOPATH, as follows: 199 200 ``` 201 go install github.com/usbarmory/armory-boot/cmd/armory-boot-usb@latest 202 ``` 203 204 Alternatively you can manually compile it from source: 205 206 ``` 207 git clone https://github.com/usbarmory/armory-boot 208 cd armory-boot && make armory-boot-usb 209 ``` 210 211 The utility can be cross compiled for Windows as follows: 212 213 ``` 214 make armory-boot-usb.exe 215 ``` 216 217 Pre-compiled binaries for Linux and Windows are released 218 [here](https://github.com/usbarmory/armory-boot/releases). 219 220 The utility is meant to be used on devices running in 221 [USB SDP mode](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)): 222 223 ``` 224 sudo armory-boot-usb -i armory-boot.imx 225 found device 15a2:0080 Freescale SemiConductor Inc SE Blank 6ULL 226 parsing armory-boot.imx 227 loading DCD at 0x00910000 (952 bytes) 228 loading imx to 0x9000f400 (2182144 bytes) 229 jumping to 0x9000f400 230 serial download complete 231 ``` 232 233 Authors 234 ======= 235 236 Andrea Barisani 237 andrea.barisani@withsecure.com | andrea@inversepath.com 238 239 License 240 ======= 241 242 armory-boot | https://github.com/usbarmory/armory-boot 243 Copyright (c) WithSecure Corporation 244 245 These source files are distributed under the BSD-style license found in the 246 [LICENSE](https://github.com/usbarmory/armory-boot/blob/master/LICENSE) file.