A project to create a secure FIT image for the Udoo Neo using Buildroot
- General info
- Screenshots
- Technologies
- Project Setup
- Buildroot Configuration
- Features
- Status
- Inspiration
- Contact
- Links
Buildroot set-up to generate a secure FIT image for the Udoo Neo. The project uses Buildroot's external tree mechanism to allow for easy version control.
- Buildroot - version 2021.02
- RSA Encryption
- OP-TEE
- Udoo Neo
To run this project, clone the repo, update the Buildroot submodule, generate the RSA key, then build the project.
$ git clone https://github.com/shanemmattner/udoo_neo_buildroot_secure.git
$ cd udoo_neo_buildroot_secure
$ git submodule update --init --recursive
$ openssl genrsa -out br-external/keys/dev.key 2048
$ openssl req -new -key br-external/keys/dev.key -out br-external/keys/dev.csr
$ make -C buildroot BR2_EXTERNAL=../br-external O=../br-external/
The output 'image.itb' will be in br-external/images.
Here are the steps I took to set up this project.
First, we add Buildroot as a submodule.
$ git submodule add git://git.buildroot.net/buildroot
Now we must make the recommended directory structure for the br2-external tree. This will allow us to version control our Buildroot configuration. Git does not track empty directories, so we create a placeholder file in each one; this is the reason for 'touch ".../file"'.
$ mkdir br-external
$ mkdir -p "br-external/target_overlay" && touch "br-external/target_overlay/file"
$ mkdir -p "br-external/board/company/boardname/rootfs_overlay/etc" && touch "br-external/board/company/boardname/rootfs_overlay/etc/file"
$ mkdir -p "br-external/board/company/boardname/patches" && touch "br-external/board/company/boardname/patches/file"
$ mkdir -p "br-external/configs" && touch "br-external/configs/file"
$ mkdir -p "br-external/package/company" && touch "br-external/package/company/file"
$ mkdir -p "br-external/keys" && touch "br-external/keys/file"
Next we create the external.desc file in /br-external/
$ vim br-external/external.desc
Enter the following and exit:
name: Udoo_Neo
Make a copy of the Udoo Neo defconfig in the external tree
$ cp buildroot/configs/mx6sx_udoo_neo_defconfig br-external/configs/
Make the defconfig and point the output toward the external tree. Then save that defconfig
$ make -C buildroot defconfig BR2_EXTERNAL=../br-external BR2_DEFCONFIG=../br-external/configs/mx6sx_udoo_neo_defconfig O=../br-external/
Run menuconfig (commands below the list) and select these options:
- Build options >> Enable compiler cache >> 'y'
- System configuration >> Root filesystem overlay directories >> 'target_overlay'
- System configuration >> Custom scripts to run after creating filesystem images >> '../post-image-signatures.sh'
- Toolchain >> Toolchain Type >> External toolchain
- Toolchain >> Toolchain Type >> Copy gdb server to the Target >> 'y'
- Target packages >> Security >> optee-client >> 'y'
- Target packages >> Networking applications >> dropbear >> 'y'
- Bootloaders >> U-Boot needs OpenSSL >> 'y'
- Host utilities >> Flattened Image Tree (FIT) support >> 'y'
- Host utilities >> FIT signature verification support >> 'y'
$ cd br-external
$ make menuconfig
Save the defconfig
$ make savedefconfig
Make the image
$ cd ..  # Move to git root dir
$ make -C buildroot BR2_EXTERNAL=../br-external O=../br-external/
#TODO: Change this to make a FIT format SD card
Move files to SD card
$ sudo dd if=output/images/sdcard.img of=/dev/mmcblk0 bs=1M conv=fdatasync status=progress
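The menuconfig step above registers a post-image script and enables FIT signature support, but the signing step itself is not shown. The shell functions below are an added example, not the project's post-image-signatures.sh: they generate a FIT source whose configuration is signed and then sign it with mkimage. The input file names, load/entry addresses and key name are assumptions.

```shell
#!/bin/sh
# Added example, not the project's post-image-signatures.sh. Assumptions: file
# names, load/entry addresses, key name; mkimage reads KEY_DIR/<key name>.key.
# gen_its KERNEL DTB KEY_NAME: print a FIT source with a signed configuration.
gen_its() {
    cat <<EOF
/dts-v1/;
/ {
    description = "Signed kernel and FDT for Udoo Neo";
    #address-cells = <1>;
    images {
        kernel-1 {
            data = /incbin/("$1");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x80008000>;  /* assumed address */
            entry = <0x80008000>; /* assumed address */
            hash-1 { algo = "sha256"; };
        };
        fdt-1 {
            data = /incbin/("$2");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            /* config signature covers both image hashes: no mix-and-match */
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "$3";
                sign-images = "fdt", "kernel";
            };
        };
    };
};
EOF
}

# sign_fit ITS KEY_DIR UBOOT_DTB OUT: -K stores the public key in U-Boot's
# control DTB, -r marks that key as required for boot.
sign_fit() { mkimage -f "$1" -k "$2" -K "$3" -r "$4"; }
```

After signing, U-Boot has to be built with the updated control DTB so that the public key is embedded in the bootloader that verifies image.itb.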
List of features ready and TODOs for future development
- Verified boot
- OP-TEE Secure
To-do list:
- Build image using defconfig instead of .config
- Use OP-TEE
in progress
Motivated by an employment screening question.
Project created by Shane Mattner
Readme template created by @flynerdpl
- Buildroot source control
- Buildroot manual - Keep customizations outside of Buildroot
- Buildroot manual - Recommended directory structure
- VerifiedBoot using Buildroot for nitrogen6sx
- Verified Boot – Introduction to U-Boot’s Secure Boot
- U-Boot_verified_RSA_boot_flow_on_arm_target
- Verified U-Boot