FATAL: do_vbutil_kernel: Missing required config file. #26

Open
Marietto2008 opened this issue Oct 28, 2023 · 1 comment

Marietto2008 commented Oct 28, 2023

Hello my friend.

I'm trying to compile Xen on my ARM Chromebook following this tutorial:

https://wiki.xenproject.org/wiki/Xen_ARM_with_Virtualization_Extensions/Chromebook

I had almost reached the end of the tutorial when I got an error message that I'm not able to fix:

# ls (current directory)

exynos5250-snow.dtb  Gringoli  script  xen.bin  xen-chromebook-image  zImage

nano script:

```
/dts-v1/;
/ {
  description = "Chrome OS kernel image with one or more FDT blobs";
  #address-cells = <1>;
  images {
    kernel@1 {
      data = /incbin/("xen.bin");
      type = "kernel";
      arch = "arm";
      os = "linux";
      compression = "none";
      load = <0x80200000>;
      entry = <0x80200000>;
    };
    kernel@2 {
      data = /incbin/("zImage");
      type = "kernel_noload";
      arch = "arm";
      os = "linux";
      compression = "none";
      load = <0>;
      entry = <0>;
    };
    fdt@1 {
      description = "exynos5250-snow.dtb";
      data = /incbin/("exynos5250-snow.dtb");
      type = "flat_dt";
      arch = "arm";
      compression = "none";
      hash@1 {
        algo = "sha1";
      };
    };
  };
  configurations {
    default = "conf@1";
    conf@1 {
      kernel = "kernel@1";
      fdt = "fdt@1";
    };
  };
};
```


```
# mkimage -f script xen-chromebook-image
script:6.15-14.8: Warning (unit_address_vs_reg): /images/kernel@1: node has a unit name, but no reg or ranges property
script:15.15-23.8: Warning (unit_address_vs_reg): /images/kernel@2: node has a unit name, but no reg or ranges property
script:24.12-33.8: Warning (unit_address_vs_reg): /images/fdt@1: node has a unit name, but no reg or ranges property
script:30.15-32.10: Warning (unit_address_vs_reg): /images/fdt@1/hash@1: node has a unit name, but no reg or ranges property
script:37.13-40.8: Warning (unit_address_vs_reg): /configurations/conf@1: node has a unit name, but no reg or ranges property
Image contains unit addresses @, this will break signing
FIT description: Chrome OS kernel image with one or more FDT blobs
Created:         Sat Oct 28 00:29:40 2023
Image 0 (kernel@1)
 Description:  unavailable
 Created:      Sat Oct 28 00:29:40 2023
 Type:         Kernel Image
 Compression:  uncompressed
 Data Size:    868291 Bytes = 847.94 KiB = 0.83 MiB
 Architecture: ARM
 OS:           Linux
 Load Address: 0x80200000
 Entry Point:  0x80200000
Image 1 (kernel@2)
 Description:  unavailable
 Created:      Sat Oct 28 00:29:40 2023
 Type:         Kernel Image (no loading done)
 Compression:  uncompressed
 Data Size:    2424696 Bytes = 2367.87 KiB = 2.31 MiB
Image 2 (fdt@1)
 Description:  exynos5250-snow.dtb
 Created:      Sat Oct 28 00:29:40 2023
 Type:         Flat Device Tree
 Compression:  uncompressed
 Data Size:    26819 Bytes = 26.19 KiB = 0.03 MiB
 Architecture: ARM
 Hash algo:    sha1
 Hash value:   d1c2a89560f84b6fd1e17d9b8edd45fb9bc5e588
Default Configuration: 'conf@1'
Configuration 0 (conf@1)
 Description:  unavailable
 Kernel:       kernel@1
 FDT:          fdt@1
```

On Ubuntu 23.04:

```
# vbutil_kernel --keyblock /usr/share/vboot/devkeys/kernel.keyblock --version 1 --signprivate /usr/share/vboot/devkeys/kernel_data_key.vbprivk --vmlinuz xen-chromebook-image --arch arm --pack signed-xen-chromebook-image
FATAL: do_vbutil_kernel: Missing required config file.
```

PS: I have tried to remove /incbin/ but it didn't work:

```
# mkimage -f script xen-chromebook-image
Error: script:7.15-16 syntax error
FATAL ERROR: Unable to parse input tree
mkimage: Can't open xen-chromebook-image.tmp: No such file or directory
Error: Bad parameters for FIT image type
Usage: mkimage [-T type] -l image
         -l ==> list image header information
         -T ==> parse image file as 'type'
         -q ==> quiet
      mkimage [-x] -A arch -O os -T type -C comp -a addr -e ep -n name -d data_file[:data_file...] image
         -A ==> set architecture to 'arch'
         -O ==> set operating system to 'os'
         -T ==> set image type to 'type'
         -C ==> set compression type 'comp'
         -a ==> set load address to 'addr' (hex)
         -e ==> set entry point to 'ep' (hex)
         -n ==> set image name to 'name'
         -R ==> set second image name to 'name'
         -d ==> use image data from 'datafile'
         -x ==> set XIP (execute in place)
         -s ==> create an image with no data
         -v ==> verbose
      mkimage [-D dtc_options] [-f fit-image.its|-f auto|-F] [-b <dtb> [-b <dtb>]] [-E] [-B size] [-i <ramdisk.cpio.gz>] fit-image
          <dtb> file is used with -f auto, it may occur multiple times.
         -D => set all options for device tree compiler
         -f => input filename for FIT source
         -i => input filename for ramdisk file
         -E => place data outside of the FIT structure
         -B => align size in hex for FIT structure and header
         -b => append the device tree binary to the FIT
         -t => update the timestamp in the FIT
Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine]
         -k => set directory containing private keys
         -K => write public keys to this .dtb file
         -g => set key name hint
         -G => use this signing key (in lieu of -k)
         -c => add comment in signature node
         -F => re-sign existing FIT image
         -p => place external data at a static position
         -r => mark keys used as 'required' in dtb
         -N => openssl engine to use for signing
         -o => algorithm to use for signing
      mkimage -V ==> print version information and exit
Use '-T list' to see a list of available image types
Long options are available; read the man page for details
```

It seems that the validation is enough to bypass the bootloader protection. So, by signing the kernel files, I may stop using the Virtual Open Systems patched u-boot and I can use another bootloader, like yours.

@quarkscript3

Well, kernel signing should be like this:

```
mkimage -D "-I dts -O dtb -p 2048" -f 'path to kernel.its' 'path to vmlinux.uimg'
dd if=/dev/zero of=bootloader.bin bs=512 count=1
echo 'console=tty0 init=/sbin/init root=PARTUUID=%U/PARTNROFF=1 rootwait rw noinitrd ' > cmdline
vbutil_kernel \
  --pack kernel_image \
  --version 1 \
  --vmlinuz 'path to vmlinux.uimg' \
  --arch arm \
  --keyblock 'path to kernel.keyblock' \
  --signprivate 'path to kernel_data_key.vbprivk' \
  --config 'path to cmdline' \
  --bootloader 'path to bootloader.bin'
```

and kernel.its should contain the correct path to the dtb specified there.
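
A preflight check for the argument list used in the reply above, added here as an example (it is not code from this issue or from the vboot tools): it reports which options of that command are absent or point at an unusable file, such as the `--config` file whose absence produces the FATAL message. The function name `check_vbutil_args` and the choice to treat every option in the reply's command as required are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for a `vbutil_kernel --pack` argument list.
# The option set is copied from the command in the reply above (assumption:
# all of them are treated as required); it is not taken from vbutil_kernel's
# own documentation.
REQUIRED_FILE_OPTS="--vmlinuz --keyblock --signprivate --config --bootloader"
REQUIRED_VALUE_OPTS="--pack --version --arch"

# check_vbutil_args ARGS... : prints one line per problem to stdout and
# returns 0 when the list is complete, 1 otherwise.
check_vbutil_args() {
    problems=0
    for opt in $REQUIRED_FILE_OPTS $REQUIRED_VALUE_OPTS; do
        value=""; found=0; prev=""
        # Find the argument that directly follows this option.
        for arg in "$@"; do
            if [ "$prev" = "$opt" ]; then value=$arg; found=1; fi
            prev=$arg
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $opt"; problems=1; continue
        fi
        case "$value" in
            --*) echo "no value: $opt"; problems=1; continue ;;
        esac
        case " $REQUIRED_FILE_OPTS " in
            *" $opt "*)
                # Input files must be regular and non-empty; a path split by
                # a stray space shows up here as a directory or missing file.
                if [ ! -f "$value" ] || [ ! -s "$value" ]; then
                    echo "bad file for $opt: $value"; problems=1
                fi ;;
        esac
    done
    return "$problems"
}
```

Call it with the same arguments intended for `vbutil_kernel` and run the real command only when it returns 0.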
