Re[6]: [Etherboot-developers] RFC: Safe booting concept

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello Ken,

Saturday, April 26, 2003, 5:20:16 PM, you wrote:

> Which is why you want a conceptual layer in between to separate out how
> the key is fetched, it may not be with the image, e.g. it may be in a
> smart card. But that can come later.

Just some status report:
I added one Config option (not in CVS, local only) called SAFEBOOTMODE
which currently can only be set to "1" (which means key is prepended
to image). Assuming you have image.nbi and want it transferred to new
"SafeBoot" format (hey, perhaps later someone implements elf block or
nbi part=key support... for now, it's easier this way), go like this:

If you don't have a 512bit key yet:
  openssl genrsa -out rsa.key 512
  chmod 400 rsa.key temp1.txt
Create the checksum:
  dd if=/dev/zero of=md5sum.bin bs=32 count=1
  md5sum < image.nbi | sed s/.$// > mdsum.bin
Encrypt the md5 sum with the private key:
  openssl rsautl -in md5sum.bin -out mdsum.sig -inkey rsa.key -sign -raw
Prepend block to image:
  dd if=/dev/zero of=temp bs=32 count=15
  cat md5sum.sig temp image.nbi > image.snbi
  rm temp md5sum.bin md5sum.sig

MD5 digesting yet works perfect and I hope I'm more than half way
through this ugly public key stuff :-)

I'd like to know which RAM regions I can use safely during etherboot
runs. I cannot use -DRELOCATE at the moment as this crashes my virtual
machine with the lance driver, but one day it probably should work.
Can I just get myself e.g. 0x30000-0x307ff for buffer purposes?

Best regards,
 Anselm Martin Hoffmeister
 Stockholm Projekt Computer-Service
 <an...@ho...>

-- 
Merke: Nicht das OS macht dich zu einem interessanteren Gespraechs-
partner, sondern das, was du darueber weisst. Und die Toleranz macht
dich dann noch zu einem liebenswerten Gespraechspartner.
(Buelent Caliskan in de.org.ccc)