Mender with Zynq UltraScale+ Secure Boot

Hello everybody,

I am looking for a symmetric update tool that supports Zynq UltraScale+ Secure Boot.
Does Mender support Zynq UltraScale+ Secure Boot?

Hi @intern,

Thanks for reaching out! The answer is “yes, no, maybe, depends.”
Generally, Mender stays out of the way for Secure Boot. So if your boot chain is already enabled for that, and uses u-boot or UEFI along the way, then the Mender integration is rather easy. Add the A/B switching code, and you should be good. If there is no u-boot or UEFI in play already, then things become a bit more complicated. How does the boot flow for the UltraScale+ look?

Greets,
Josef

Thanks Josef,

The Zynq UltraScale+ system has Secure Boot support using u-boot.
The document UG1283 explains the details:
https://docs.amd.com/r/2020.2-English/ug1283-bootgen-user-guide/Zynq-7000-SoC-Partition-Attribute-Bits

[Diagram: Boot loader preparation for Secure Boot]

[Diagram: Secure Boot structure]

[Diagram: Boot flow]

Which documents would you recommend for a quick start on integrating u-boot with Secure Boot?

Hi @intern,
I am using a ZynqMP Ultrascale+ with Mender in the PetaLinux flow. It hasn’t been easy, in part due to AMD/Xilinx not following the LTS release flow. However, I was able to get u-boot-xlnx patched for support of Mender.
I settled on supporting PetaLinux 2022.2 for now, which was released with honister-level Yocto support. I forked meta-mender-community and backported the kirkstone branch to honister for keeping up with at least some LTS support (kirkstone is LTS).

All that said, here is a link to my fork, which is a narrow use case and needs further updating for general use, but it does provide a meta-mender-zynqmp layer which works in PetaLinux 2022.2.
mtk-pci/meta-mender-community at honister-xlnx (github.com)

I am interested in adding secureboot support as well, and thank you for posting the interest and the diagrams for further discussion. Perhaps there is an opportunity to collaborate on ZynqMP support?

I did get some feedback directly from the Mender team in the past, and we’ve discussed moving to the pure Yocto flow with AMD-provided layers and such as a better production-ready flow. I have only so much time to support this part of our system, so that has been on hold.

I hope the meta-mender-zynqmp layer helps as a starting place, and let’s see if we can improve at least documentation to indicate where secureboot can be part of the flow.

Kind Regards, Matt

Thank you, Matt, for the comment!

Hi @keenpci,

Great, thanks for the information. Indeed, I am in touch with some of the engineers on the Yocto team at Xilinx/AMD, and their recommendation is always to treat PetaLinux as an onboarding tool, then switch to a pure Yocto build for production and maintenance. My personal take on it is that this definitely needs better communication and process assistance from their end, but it is what it is at the moment.

Concerning the mentioned Secure Boot flows, my understanding is that they all happen well before u-boot kicks in, so Mender by itself is not directly affected. The only immediate action required is building a u-boot with the integration described here: Manual U-Boot integration | Mender documentation
This build obviously needs to be signed in a way that keeps the desired boot trust chain intact. From there on, you should be able to use Mender for root filesystem updates.

A few notes:

  • getting a u-boot based boot flow really secured is extremely tricky, because you need to disable all ways of manual interaction, specifically the u-boot terminal
  • the integration above does not provide means to update u-boot itself or even earlier stages of the boot flow. For those, a customised root filesystem update module which places the files and enrolls them accordingly is required. If you want to go for that, have a look at the Mender Client 4.0, which provides an easy way to create such a module.

Greets,
Josef
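
Added example, not code from Mender, AMD or any of the posters above: a small POSIX shell audit of a U-Boot `.config` that checks two things Josef's reply brings up. First, whether the Kconfig symbols the Mender manual U-Boot integration relies on for boot counting and A/B rollback are enabled; second, whether autoboot can still be interrupted into the u-boot prompt. The symbol list (`CONFIG_BOOTCOUNT_LIMIT`, `CONFIG_BOOTCOUNT_ENV`, `CONFIG_CMD_SETEXPR`, `CONFIG_SYS_REDUNDAND_ENVIRONMENT`) and the interpretation of `CONFIG_BOOTDELAY` / `CONFIG_AUTOBOOT_KEYED` are assumptions taken from U-Boot Kconfig naming; verify them against the Mender documentation and your u-boot-xlnx tree. The two sample config fragments are constructed for the example and are not real board configs.

```shell
#!/bin/sh
# Added example (not Mender's, AMD's or the posters' code).
# Audits a U-Boot .config for (a) the Kconfig symbols the Mender manual
# U-Boot integration relies on for boot counting and A/B switching and
# (b) autoboot settings that keep the interactive u-boot console out of reach.
# Symbol names are assumptions based on U-Boot Kconfig; check them against
# the Mender docs and your u-boot-xlnx tree.

# Value of CONFIG_<sym> in a .config file; empty if unset or "is not set".
cfg_value() {
    sed -n "s/^CONFIG_$2=//p" "$1" | head -n 1
}

# 0 if every symbol the boot-count based A/B flow needs is =y, else 1.
check_mender_symbols() {
    rc=0
    for sym in BOOTCOUNT_LIMIT BOOTCOUNT_ENV CMD_SETEXPR SYS_REDUNDAND_ENVIRONMENT; do
        if [ "$(cfg_value "$1" "$sym")" != "y" ]; then
            echo "MISSING  CONFIG_$sym=y"
            rc=1
        fi
    done
    return $rc
}

# 0 if autoboot cannot be interrupted into the u-boot shell, else 1.
# Assumed semantics: BOOTDELAY=-2 boots immediately with no abort check,
# BOOTDELAY=-1 disables autoboot (always drops to the prompt), BOOTDELAY>=0
# waits and any key aborts unless AUTOBOOT_KEYED restricts that to a stop string.
check_console_locked() {
    delay=$(cfg_value "$1" BOOTDELAY)
    keyed=$(cfg_value "$1" AUTOBOOT_KEYED)
    case "$delay" in
        -2) return 0 ;;
        -1) echo "WEAK     CONFIG_BOOTDELAY=-1 disables autoboot entirely"; return 1 ;;
        "") echo "WEAK     CONFIG_BOOTDELAY unset; default autoboot allows abort"; return 1 ;;
    esac
    if [ "$keyed" = "y" ]; then
        # Abort needs the configured stop string: not an open prompt, though -2 is stricter.
        return 0
    fi
    echo "WEAK     CONFIG_BOOTDELAY=$delay without AUTOBOOT_KEYED: any key opens the console"
    return 1
}

# Overall verdict: 0 only when both checks pass.
audit_uboot_config() {
    ok=0
    check_mender_symbols "$1" || ok=1
    check_console_locked "$1" || ok=1
    return $ok
}

# Constructed sample fragments (not real board configs) to exercise the audit.
# Prints the directory they were written to.
write_samples() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/uboot-audit.XXXXXX")
    cat > "$dir/weak.config" <<'EOF'
CONFIG_BOOTDELAY=3
CONFIG_BOOTCOUNT_LIMIT=y
# CONFIG_BOOTCOUNT_ENV is not set
CONFIG_CMD_SETEXPR=y
EOF
    cat > "$dir/hardened.config" <<'EOF'
CONFIG_BOOTDELAY=-2
CONFIG_BOOTCOUNT_LIMIT=y
CONFIG_BOOTCOUNT_ENV=y
CONFIG_CMD_SETEXPR=y
CONFIG_SYS_REDUNDAND_ENVIRONMENT=y
EOF
    echo "$dir"
}

SAMPLES=$(write_samples)
for f in weak hardened; do
    if audit_uboot_config "$SAMPLES/$f.config"; then
        echo "PASS     $f.config"
    else
        echo "FAIL     $f.config"
    fi
done
```

Run it against the `.config` produced by your u-boot-xlnx build instead of the samples; the weak fragment fails on both the missing `CONFIG_BOOTCOUNT_ENV`/`CONFIG_SYS_REDUNDAND_ENVIRONMENT` symbols and the three-second abortable boot delay, while the hardened fragment passes. The check only covers the Kconfig side; the signed-image and key-enrollment parts of the trust chain are outside what a `.config` can show.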

5 posts were split to a new topic: Mender client local update