github.com/usbarmory/armory-boot@v0.0.0-20240307133412-208c66a380b9/README.md (about)

     1  Introduction
     2  ============
     3  
     4  This [TamaGo](https://github.com/usbarmory/tamago) based unikernel
     5  acts as a primary boot loader for the [USB armory Mk II](https://github.com/usbarmory/usbarmory/wiki),
     6  allowing boot of kernel images (e.g. Linux) from either the eMMC card or an
     7  external microSD card.
     8  
     9  This repository also provides a [command line utility](https://github.com/usbarmory/armory-boot#serial-download-protocol-utility)
    10  to load imx executables through USB using [SDP](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#serial-download-protocol-sdp).
    11  
    12  Compiling
    13  =========
    14  
    15  Build the [TamaGo compiler](https://github.com/usbarmory/tamago-go)
    16  (or use the [latest binary release](https://github.com/usbarmory/tamago-go/releases/latest)):
    17  
    18  ```
    19  wget https://github.com/usbarmory/tamago-go/archive/refs/tags/latest.zip
    20  unzip latest.zip
    21  cd tamago-go-latest/src && ./all.bash
    22  cd ../bin && export TAMAGO=`pwd`/go
    23  ```
    24  
    25  The `BOOT` environment variable must be set to either `uSD` or `eMMC` to
    26  configure the bootloader media for `/boot/armory-boot.conf`, as well as kernel
    27  images, location.
    28  
    29  The `START` environment variable must be set to the offset of the first valid
    30  ext4 partition where `/boot/armory-boot.conf` is located (typically 5242880 for
    31  USB armory Mk II default pre-compiled images).
    32  
    33  The `CONSOLE` environment variable may be set to `on` to enable serial
    34  logging when a [debug accessory](https://github.com/usbarmory/usbarmory/tree/master/hardware/mark-two-debug-accessory)
    35  is connected.
    36  
    37  Build the `armory-boot.imx` application executable:
    38  
    39  ```
    40  git clone https://github.com/usbarmory/armory-boot && cd armory-boot
    41  make imx BOOT=uSD START=5242880
    42  ```
    43  
    44  Docker
    45  ------
    46  
    47  For convenience a docker configuration is provided.
    48  
    49  Ensure docker daemon is running and build the `armory-boot` docker image,
    50  this needs to be done only the first time:
    51  
    52  ```
    53  docker build --build-arg UID=$UID --build-arg GID=$UID -t armory-boot docker
    54  ```
    55  
    56  You can enter to the container as follows:
    57  
    58  ```
    59  docker run -it --rm -v $PWD:/build armory-boot
    60  ```
    61  
    62  Installing
    63  ==========
    64  
    65  The `armory-boot.imx` file can be flashed on the internal eMMC card or an
    66  external micro SD card as shown in [these instructions](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#flashing-imx-native-images).
    67  
    68  Configuration
    69  =============
    70  
    71  The bootloader expects a single configuration file to read information on the
    72  image and parameters to boot.
    73  
    74  The bootloader is configured via a single configuration file, and can boot either
    75   an ARM kernel image or an ELF unikernel (e.g.
    76  [tamago-example](https://github.com/usbarmory/tamago-example)).
    77  The required elements in the configuration file differ depending on the type of
    78  image being loaded, examples for both are given below.
    79  
    80  It is an error specify both unikernel and kernel config parameters in the same
    81  configuration file.
    82  
    83  Linux kernel boot
    84  -----------------
    85  
    86  To load a Linux kernel, the bootloader requires that you provide the paths to
    87  the kernel image and the Device Tree Blob file, along with their respective
    88  SHA256 hashes (only used with configuration signature verification, see _Secure
    89  Boot_), as well as the kernel command line.
    90  
    91  An optional initial ramdisk can be passed with the `initrd` parameter.
    92  
    93  Example `/boot/armory-boot.conf` configuration file for loading a Linux kernel:
    94  
    95  ```
    96  {
    97    "kernel": [
    98      "/boot/zImage-5.4.51-0-usbarmory",
    99      "aceb3514d5ba6ac591a7d5f2cad680e83a9f848d19763563da8024f003e927c7"
   100    ],
   101    "dtb": [
   102      "/boot/imx6ulz-usbarmory-default-5.4.51-0.dtb",
   103      "60d4fe465ef60042293f5723bf4a001d8e75f26e517af2b55e6efaef9c0db1f6"
   104    ],
   105    "initrd": [
   106      "/boot/initrd.img-5.4.51-0-usbarmory",
   107      "64119096fd329e89f062cb5e0fc5b8e66f98081aef987e0bc7a92a05f4452540"
   108    ],
   109    "cmdline": "console=ttymxc1,115200 root=/dev/mmcblk0p1 rootwait rw"
   110  }
   111  ```
   112  
   113  TamaGo unikernel boot
   114  ---------------------
   115  
   116  To load a TamaGo unikernel, the bootloader only needs the path to the ELF
   117  binary along with its SHA256 hash (only used with configuration signature
   118  verification, see _Secure Boot_).
   119  
   120  Example `/boot/armory-boot.conf` configuration file for loading a TamaGo
   121  unikernel:
   122  
   123  ```
   124  {
   125    "unikernel": [
   126      "/boot/tamago-example",
   127      "e6de9214249dd7989b4056372424e84b273ff4e5d2410fa12ac230ddaf22690a"
   128    ]
   129  }
   130  ```
   131  
   132  Secure Boot
   133  ===========
   134  
   135  On secure booted systems the `imx_signed` target should be used instead with the relevant
   136  [`HAB_KEYS`](https://github.com/usbarmory/usbarmory/wiki/Secure-boot-(Mk-II)) set.
   137  
   138  Additionally, to maintain the chain of trust, the `PUBLIC_KEY` environment
   139  variable must be set with either a [signify](https://man.openbsd.org/signify)
   140  or [minisign](https://jedisct1.github.io/minisign/) public key to enable
   141  configuration file signature verification.
   142  
   143  Example key generation (signify):
   144  
   145  ```
   146  signify -G -p armory-boot.pub -s armory-boot.sec
   147  ```
   148  
   149  Example key generation (minisign):
   150  
   151  ```
   152  minisign -G -p armory-boot.pub -s armory-boot.sec
   153  ```
   154  
   155  Compilation with embedded key:
   156  
   157  ```
   158  make imx_signed BOOT=uSD START=5242880 PUBLIC_KEY=<last line of armory-boot.pub> HAB_KEYS=<path>
   159  ```
   160  
   161  When `armory-boot` is compiled with the `PUBLIC_KEY` variable, a signature for
   162  the configuration file must be created in `/boot/armory-boot.conf.sig` using
   163  with the corresponding secret key.
   164  
   165  Example signature generation (signify):
   166  
   167  ```
   168  signify -S -s armory-boot.sec -m armory-boot.conf -x armory-boot.conf.sig
   169  ```
   170  
   171  Example signature generation (minisign):
   172  
   173  ```
   174  minisign -S -s armory-boot.sec -m armory-boot.conf -x armory-boot.conf.sig
   175  ```
   176  
   177  LED status
   178  ==========
   179  
   180  The [USB armory Mk II](https://github.com/usbarmory/usbarmory/wiki) LEDs
   181  are used, in sequence, as follows:
   182  
   183  | Boot sequence                   | Blue | White |
   184  |---------------------------------|------|-------|
   185  | 0. initialization               | off  | off   |
   186  | 1. boot media detected          | on   | off   |
   187  | 2. kernel verification complete | on   | on    |
   188  | 3. jumping to kernel image      | off  | off   |
   189  
   190  Serial Download Protocol utility
   191  ================================
   192  
   193  The `armory-boot-usb` command line utility allows to load an imx executable
   194  through USB using [SDP](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)#serial-download-protocol-sdp),
   195  useful for testing or initial provisioning purposes.
   196  
   197  You can automatically download, compile and install the utility, under your
   198  GOPATH, as follows:
   199  
   200  ```
   201  go install github.com/usbarmory/armory-boot/cmd/armory-boot-usb@latest
   202  ```
   203  
   204  Alternatively you can manually compile it from source:
   205  
   206  ```
   207  git clone https://github.com/usbarmory/armory-boot
   208  cd armory-boot && make armory-boot-usb
   209  ```
   210  
   211  The utility can be cross compiled for Windows as follows:
   212  
   213  ```
   214  make armory-boot-usb.exe
   215  ```
   216  
   217  Pre-compiled binaries for Linux and Windows are released
   218  [here](https://github.com/usbarmory/armory-boot/releases).
   219  
   220  The utility is meant to be used on devices running in
   221  [USB SDP mode](https://github.com/usbarmory/usbarmory/wiki/Boot-Modes-(Mk-II)):
   222  
   223  ```
   224  sudo armory-boot-usb -i armory-boot.imx
   225  found device 15a2:0080 Freescale SemiConductor Inc  SE Blank 6ULL
   226  parsing armory-boot.imx
   227  loading DCD at 0x00910000 (952 bytes)
   228  loading imx to 0x9000f400 (2182144 bytes)
   229  jumping to 0x9000f400
   230  serial download complete
   231  ```
   232  
   233  Authors
   234  =======
   235  
   236  Andrea Barisani  
   237  andrea.barisani@withsecure.com | andrea@inversepath.com  
   238  
   239  License
   240  =======
   241  
   242  armory-boot | https://github.com/usbarmory/armory-boot  
   243  Copyright (c) WithSecure Corporation
   244  
   245  These source files are distributed under the BSD-style license found in the
   246  [LICENSE](https://github.com/usbarmory/armory-boot/blob/master/LICENSE) file.