
0mniteck/U-Boot


U-Boot RockChip - rk3399 (HARDENING) & rk3588 (TESTING)

Project Goals:

  • Enable vTPM Support
    • Test TPM2_FTPM_TEE
      • Build StandaloneMM
        • Migrate from old branch
      • Build ms-tpm-20-ref
        • OpenSSL: use source includes from current upstream
          • Set OPENSSL_API_COMPAT 10100
        • Update optee_ftpm/sub.mk to support v1.83
      • TPM_PCR_ALLOCATE
      • MEASURED_BOOT
    • Check if new patches fixed problem
  • Remove rkbin dependency from rk3568 & rk3588
    • TF-A/Optee-OS upstreamed initial patches from rockchip
    • U-boot modifications to use u-boot-tpl vs rockchip-tpl
    • Resolve rk3588 issues - Enable TPL in Kconfig
    • Resolve rk3568 issues - SPL_MAX
  • Enable Self Signing of UEFI Secure Boot with Root CA only on a Yubikey
    • Use-once model for next secure boot signing (Reset Yubikey after initial signing)
      • 2025 Q4 signing est. 12/01/2025
        • Debian from trixie ISO shimaa64.efi/bootaa64.efi
        • Ubuntu from 25.10 ISO shimaa64.efi/bootaa64.efi
          • Update autoinstall to Questing release
    • Try higher bit RSA/ECDSA keys to protect against Quantum Attacks
      • 4096 bit Fails on 5.7.1 Yubikey
      • Test 3072 bit RSA
      • Test ECDSA verification
  • Sign FIT images and enable COT (Chain of Trust) in ATF
    • Enable COT
    • Sign rotprivk to replace dev certs
  • Setup Secure Bootflow
    • U-Boot Secure boot with verified FIT -> TF-A -> Default: run bootcmd -> UEFI Secure Boot
      • Protect against untrusted environment variables
      • Restrict to BOOTM
        • Remove BOOTDEV_*
      • Change BOOTCMD to efiload; reset;
      • Enable STACKPROTECTOR
      • DISABLE_CONSOLE
  • Fine tune for reproducibility and ephemerality
    • Always erase & flash from ring-0
    • Generate SBOM at buildtime
      • Scan with Grype
      • Display Results/*.grype.status
        • Stabilize stdout
    • Convert to docker build
      • Integrate threat intelligence using syft/grype
      • Build variants in one branch
      • Add local docker build-cache in .git/Cache for dev rebuilds
      • Target selection
      • Make reproducible debian docker images
        • Sign base images with cosign & verify at buildtime
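The MEASURED_BOOT / TPM_PCR_ALLOCATE goals above and the secure boot flow (verified FIT -> TF-A -> bootcmd -> UEFI Secure Boot) come together in one mechanism: every stage is hashed and extended into a TPM PCR, and a verifier later replays the event log and compares the result with a golden value. The following is an added example, not code from the 0mniteck/U-Boot repository; the stage blobs, the bank list and the PCR index 8 are constructed for the demonstration, and it models only the PCR extend arithmetic, not U-Boot's own TCG event log format.

```python
"""Added example (not part of 0mniteck/U-Boot): measured boot as PCR extends.

Shows why a golden-PCR check catches a modified boot stage, and why an
attestation verifier can replay the event log to reproduce the PCR value.
Stage blobs, bank selection and PCR index are constructed assumptions.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the stages of the README's secure boot flow,
# in measurement order. Real firmware measures the real binaries.
STAGES: List[Tuple[str, bytes]] = [
    ("u-boot.itb", b"u-boot verified fit image (constructed)"),
    ("bl31.elf", b"tf-a bl31 (constructed)"),
    ("bootcmd", b"efiload; reset"),
    ("bootaa64.efi", b"uefi shim payload (constructed)"),
]

# Banks a TPM_PCR_ALLOCATE-style setup would activate (assumption).
BANKS = ("sha256", "sha1")
PCR_INDEX = 8  # constructed choice of PCR


def pcr_extend(pcr: bytes, digest: bytes, algo: str) -> bytes:
    """TPM 2.0 extend operation: PCR_new = H(PCR_old || digest)."""
    return hashlib.new(algo, pcr + digest).digest()


def measure_chain(stages, banks=BANKS, pcr_index=PCR_INDEX):
    """Measure each stage into every active bank.

    Returns (pcrs, log): pcrs maps bank name to the final PCR bytes,
    log is a list of (pcr_index, bank, stage_name, digest_hex) events.
    """
    pcrs: Dict[str, bytes] = {
        b: bytes(hashlib.new(b).digest_size) for b in banks  # PCRs start at zero
    }
    log = []
    for name, blob in stages:
        for b in banks:
            digest = hashlib.new(b, blob).digest()
            pcrs[b] = pcr_extend(pcrs[b], digest, b)
            log.append((pcr_index, b, name, digest.hex()))
    return pcrs, log


def replay_event_log(log, banks=BANKS) -> Dict[str, bytes]:
    """What an attestation verifier does: rebuild the PCRs from the log only."""
    pcrs = {b: bytes(hashlib.new(b).digest_size) for b in banks}
    for _idx, bank, _name, digest_hex in log:
        pcrs[bank] = pcr_extend(pcrs[bank], bytes.fromhex(digest_hex), bank)
    return pcrs


def verify_against_golden(pcrs: Dict[str, bytes], golden: Dict[str, bytes]) -> List[str]:
    """Return the banks whose PCR value differs from the recorded golden value."""
    return sorted(b for b, v in golden.items() if pcrs.get(b) != v)


if __name__ == "__main__":
    golden, log = measure_chain(STAGES)
    for bank, value in golden.items():
        print(f"golden PCR{PCR_INDEX} [{bank}] = {value.hex()}")

    # A changed bootcmd (constructed) moves every later extend, so the final
    # PCR no longer matches; the event log pinpoints which stage changed.
    tampered = list(STAGES)
    tampered[2] = ("bootcmd", b"modified bootcmd (constructed)")
    pcrs, _ = measure_chain(tampered)
    print("mismatching banks:", verify_against_golden(pcrs, golden))
```

The golden values would be recorded once from a build you trust (the reproducible-build goals above make that value stable across rebuilds) and compared by whatever releases a secret or marks the device healthy; the replay function is the check a remote verifier runs on the exported event log before trusting a PCR quote.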

--> BUILD INSTRUCTIONS

--> FLASHING AND INSTALLING --> FLASHING DEMO

--> SIGNING YOUR OWN

--> SER FRAMEWORK (Sovereignty Ephemerality Reproducibility)