Skip to content

0mniteck/U-Boot

Repository files navigation

U-Boot RockChip - rk3399, rk3568, & rk3588

Project Goals

  • Enable TPM Support
    • Check if new patches fixed problem
  • Remove rkbin dependency from rk3568 & rk3588
    • TF-A upstreamed initial patches from rockchip
    • U-boot modifications to use u-boot-tpl vs rockchip-tpl
    • Resolve rk3568 issues - SPL_MAX
  • Enable UEFI Secure Boot with Root CA only on a Yubikey
    • Try higher bit RSA/ECDSA keys to protect against Quantum Attacks
      • 4096 bit Fails on 5.7.1 Yubikey
      • Test 3072 bit RSA
      • Test ECDSA keys
        • Create hybrid scheme fallback and use dbx revocations
  • Setup Secure Bootflow
    • U-Boot Secure boot with verified FIT -> TF-A -> Default: run bootcmd -> UEFI Secure Boot
      • Change default run to efiload
      • Enable stack protection
      • Block dropping down to shell
  • Generate SBOM at buildtime
    • Scan with Grype
  • Fine tune for reproducibility
    • Convert to docker build
      • Build variants in one branch
      • Make reproducable debian docker images

Build Instructions/Usage:

Build:

buildscript.sh
 -c {Clean: yes/no}
 -d {Date: source_date_epoch}
 -r {Release-tag: tagname}
 -t {Test-mode: yes/no}

To build current release run:

sudo su && \
git clone git@github.com:0mniteck/U-Boot.git && \
cd U-Boot && \
./buildscript.sh -r "tagname"

To build for reproducibility run:

sudo su && \
git clone git@github.com:0mniteck/U-Boot.git -b "tagname" && \
cd U-Boot && \
./buildscript.sh -d "$(cat Results/release.sha512sum | grep Epoch | cut -d ' ' -f5)"

Requirements:

  • Debian based OS already running on an ARM64 CPU

  • Any microSD in the /dev/mmcblk1 slot

--> FLASHING

--> SIGNING YOUR OWN