How to create a secure boot enabled USB flash - bootloader

I want to create an Ubuntu bootable USB flash drive and install my apps on it, then pass the USB drive to any other person. They should run Ubuntu from the USB flash drive and run my applications from it, so that nobody could change Ubuntu's kernel modules or my application's modules, and I want to prevent Ubuntu from booting if one of those modules was changed.
I think I have two options to achieve my purpose: first, UEFI bootloader programming that checks the hashes of the USB contents through my customized bootloader; second, using the Secure Boot feature of UEFI.
I prefer the second option because I think Secure Boot does everything I want and it is much easier than the first option, but I couldn't find any tutorial for creating a Secure Boot enabled USB flash drive (with only my keys).
I would appreciate it if you could provide a step-by-step tutorial for clearing the default keys, enrolling my keys, enabling Secure Boot for the flash disk, and everything else I will need.
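The question has no answer on this page. As an added example that is not part of the original thread, the Python script below covers two things the key-enrollment procedure depends on: checking from Linux whether the firmware is actually enforcing Secure Boot (the SecureBoot and SetupMode variables under /sys/firmware/efi/efivars; SetupMode is the state in which a cleared PK lets you enroll your own keys), and building and parsing EFI_SIGNATURE_LIST blobs, the data format the PK, KEK and db variables hold and the one that the efitools utility cert-to-efi-sig-list produces. The GUIDs are the ones defined in the UEFI specification; the certificate bytes, digests and owner GUID (SAMPLE_OWNER) are constructed placeholders, and the efivarfs paths are only read when the script is run on a UEFI-booted Linux machine.

```python
"""Inspect Secure Boot state and build/parse EFI_SIGNATURE_LIST (ESL) blobs.

Added example, not from the thread. Signing the bootloader and kernel
(sbsign) and producing/enrolling the .auth files (sign-efi-sig-list,
efi-updatevar) are done with the sbsigntool/efitools utilities; this
script only deals with the data formats those tools read and write.
"""
import os
import struct
import uuid
from typing import Dict, List, Tuple

# GUIDs defined by the UEFI specification.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")          # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

EFIVARS = "/sys/firmware/efi/efivars"
# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")

# Constructed sample values (not real keys): an owner GUID and a fake "DER certificate".
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xAA" * 16


def efivar_payload(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with 4 bytes of attributes; drop them."""
    if len(raw) < 4:
        raise ValueError("truncated efivarfs record")
    return raw[4:]


def secure_boot_enforcing(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """True only when SecureBoot == 1 and SetupMode == 0.

    SetupMode == 1 means no PK is enrolled: the firmware accepts new keys but
    verifies nothing. That is the state you need while enrolling your own keys
    and never the state in which the USB stick should be handed to someone else.
    """
    sb = efivar_payload(secureboot_raw)
    sm = efivar_payload(setupmode_raw)
    return bool(sb) and bool(sm) and sb[0] == 1 and sm[0] == 0


def read_secure_boot_state() -> Dict[str, int]:
    """Read the live SecureBoot/SetupMode variables on a UEFI-booted Linux system."""
    state = {}
    for name in ("SecureBoot", "SetupMode"):
        path = os.path.join(EFIVARS, f"{name}-{EFI_GLOBAL_VARIABLE}")
        with open(path, "rb") as fh:
            state[name] = efivar_payload(fh.read())[0]
    return state


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """One EFI_SIGNATURE_LIST holding a single X.509 (DER) certificate."""
    sig_size = 16 + len(der_cert)          # SignatureOwner GUID + SignatureData
    list_size = ESL_HEADER.size + sig_size
    return (ESL_HEADER.pack(EFI_CERT_X509.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + der_cert)


def build_sha256_esl(hashes: List[bytes], owner: uuid.UUID) -> bytes:
    """One EFI_SIGNATURE_LIST of SHA-256 entries (the hash-allowlist form of db).

    Firmware matches these against the Authenticode hash of the PE image,
    not against the plain SHA-256 of the file on disk.
    """
    if any(len(h) != 32 for h in hashes):
        raise ValueError("SHA-256 digests must be 32 bytes")
    sig_size = 16 + 32
    list_size = ESL_HEADER.size + sig_size * len(hashes)
    body = b"".join(owner.bytes_le + h for h in hashes)
    return ESL_HEADER.pack(EFI_CERT_SHA256.bytes_le, list_size, 0, sig_size) + body


def parse_esl(blob: bytes) -> List[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs (e.g. the db payload).

    Returns (signature type, owner, data) per entry and rejects malformed sizes.
    """
    entries = []
    off = 0
    while off < len(blob):
        if off + ESL_HEADER.size > len(blob):
            raise ValueError("truncated signature list header")
        stype, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        end = off + list_size
        if list_size < ESL_HEADER.size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed signature list")
        sig_type = uuid.UUID(bytes_le=stype)
        pos = off + ESL_HEADER.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def esl_summary(blob: bytes) -> List[str]:
    """One human-readable line per entry, for inspecting a db/KEK/PK dump."""
    names = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}
    return [f"{names.get(t, t)} owner={o} {len(d)} bytes" for t, o, d in parse_esl(blob)]


if __name__ == "__main__":
    esl = build_x509_esl(SAMPLE_CERT, SAMPLE_OWNER) + build_sha256_esl([b"\x01" * 32], SAMPLE_OWNER)
    for line in esl_summary(esl):
        print(line)
    try:
        print("live state:", read_secure_boot_state())
    except OSError:
        print("efivarfs not available (not Linux or not booted via UEFI)")
```

Run it on the target after enrollment to confirm SecureBoot is 1 and SetupMode is 0 before the stick leaves your hands; the same parser applied to the db variable payload shows exactly which certificates and hashes the firmware will accept, which is how you verify that the vendor keys were really cleared and only yours remain.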

Related

Can USB-OTG be used for U-Boot and Linux consoles?

I have a custom i.MX6Q-based board with working U-Boot and Linux (Ubuntu) setups. The micro and board have support for USB-OTG and one serial port; currently, the serial port serves the console for both U-Boot and Linux. However, we may need to use the serial port for another purpose, but we don't want to lose the console for U-Boot and Linux. Is it possible to use the USB-OTG port for the system console for both U-Boot and Linux?
I've done some research and found a couple of promising articles here and here, though the second article says this tidbit:
Unfortunately it won't work as system console as the gadget driver is loaded as a module, but we can use it for serial console.
I'm not sure I understand this, but it sounds like the method won't meet my needs, which is to use USB-OTG for both U-Boot and Linux system consoles. I did try these methods, but without luck, which may mean that U-Boot and Linux aren't built properly for the desired functionality.
So here are my questions:
Can this work for U-Boot?
Can this work for Linux?
Am I insane for contemplating this path?
For either, any guidance (e.g. tutorials, examples, etc.) would be greatly appreciated.
Thanks!
Can this work for U-Boot?
Yes, at least since U-Boot version 2008.10, the README file has stated:
Define the below if you wish to use the USB console.
CONFIG_USB_DEVICE
Define this to build a UDC device
CONFIG_USB_TTY
Define this to have a tty type of device available to
talk to the UDC device
CFG_CONSOLE_IS_IN_ENV
Define this if you want stdin, stdout &/or stderr to
be set to usbtty.
Note that these configuration symbols are not accessible using the menuconfig, and must be enabled in a configuration file.
Currently at least five boards use this U-Boot capability, based on the occurrence of CONFIG_USB_TTY in files in include/configs/, for example include/configs/ti_omap4_common.h.
This USB configuration requires non-default definitions for the stdin and stdout environment variables. Refer to the README documentation for the details.
Can this work for Linux?
Yes, Linux (at least since version 4.5) can have a serial console on a USB connection, either a USB-to-serial adapter on a host port or a USB serial gadget on a device port (using CDC/ACM).
For instance, in drivers/usb/gadget/Kconfig there's the selection:
config U_SERIAL_CONSOLE
bool "Serial gadget console support"
depends on USB_G_SERIAL
help
It supports the serial gadget can be used as a console.
In the Linux 5.7.8 kernel only two boards have default configurations that use this capability, for example see arch/arm/configs/aspeed_g4_defconfig.
Besides a proper configuration to build the necessary drivers, a serial-gadget console requires (1) the kernel parameter specification (e.g. console=ttyGS0,...), and (2) a login session initiated by a getty command (e.g. in the inittab file).
Am I insane for contemplating this path?
No comment.
Beware that, should you encounter a kernel boot issue, the Linux serial-gadget console supports neither the earlycon nor the earlyprintk capability.
Personally I prefer to use a serial link that is persistent regardless of the target board's state. That ensures the terminal emulator program does not complain about lost connections.
Addendum
Unfortunately this Linux console on a USB serial gadget does not display boot messages generated by the kernel (before the login prompt), even if all drivers are statically linked into the kernel image.
Although the syslog has messages like
console [ttyGS0] enabled
g_serial gadget: g_serial ready
...
gs_open: ttyGS0 ((ptrval),(ptrval))
before the salient Freeing unused kernel memory message, the host side does not receive any console messages until userspace is active.
This shortcoming is also reported in this guide: https://linux-sunxi.org/USB_Gadget/Serial

Diagnostics Tool for embedded device

I have an embedded system running Linux, with many peripheral devices connected.
There are some storage devices connected too. Currently, we do not have any diagnostics tool to check the state of devices on the system.
What I want to do with this diagnostics tool is something like:
After connecting to my embedded system either via USB or the network port, I want to be able to browse storage media (in read-only mode), and maybe later in the future extend this to check the status of other devices running.
With this question, I am seeking guidance from experienced people who have faced a similar problem and successfully implemented a solution.
I am not looking for a solution but a likely approach.
Thanks
One approach is this (it totally depends on your embedded board):
If your board supports booting from USB, you can modify your bootloader code to boot a Linux initrd image from the USB if a USB drive is plugged into your board, otherwise follow the normal booting procedure.
You can write a C diagnostic utility to check the status of the different peripherals and generate the report on the USB disk.
Create a Linux initrd image for your board with a modified rcS file to mount the USB in Linux and start the utility during boot-up; copy the utility into the bin folder of your root filesystem.
Now when you power on your board with the USB connected, your testing software will boot and test the peripherals; otherwise your normal software will boot.
Hope this helps!
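As an added example that is not the answer's own C utility, here is the report-generating step of that approach written in Python for an embedded Linux target: it parses a /proc/mounts snapshot, lists every mounted block device, flags any device other than the report destination that is not mounted read-only (a diagnostics image that can write to the media it inspects can also corrupt it), and writes a JSON report to the USB disk. The mount point /mnt/usb and the SAMPLE_MOUNTS lines are constructed assumptions; on the board the script reads the live /proc/mounts.

```python
"""Storage diagnostics for an embedded Linux target.

Added example (not the answer's own utility). Everything except the report
destination is expected to be mounted read-only; anything else is reported.
"""
import json
import os
import time
from typing import Dict, List

# Constructed /proc/mounts snapshot used for the stand-alone run and the tests.
SAMPLE_MOUNTS = """proc /proc proc rw,nosuid 0 0
/dev/mmcblk0p2 / ext4 ro,relatime 0 0
/dev/sda1 /mnt/usb vfat rw,relatime 0 0
/dev/mmcblk0p3 /data ext4 rw,relatime 0 0
"""
REPORT_DIR = "/mnt/usb"   # assumed mount point of the diagnostics USB disk


def parse_mounts(text: str) -> List[Dict[str, object]]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        mounts.append({
            "device": device,
            "mountpoint": mountpoint.replace("\\040", " "),  # kernel escapes spaces as \040
            "fstype": fstype,
            "options": options.split(","),
        })
    return mounts


def storage_findings(mounts: List[Dict[str, object]], report_mountpoint: str) -> List[Dict[str, object]]:
    """One finding per mounted block device; warn when it is writable."""
    findings = []
    for m in mounts:
        if not str(m["device"]).startswith("/dev/"):
            continue  # proc, sysfs, tmpfs and friends are not storage media
        read_only = "ro" in m["options"]
        is_report_target = m["mountpoint"] == report_mountpoint
        findings.append({
            "device": m["device"],
            "mountpoint": m["mountpoint"],
            "fstype": m["fstype"],
            "read_only": read_only,
            "status": "ok" if (read_only or is_report_target) else "WARN: mounted read-write",
        })
    return findings


def build_report(mounts_text: str, report_mountpoint: str, hostname: str) -> Dict[str, object]:
    """Assemble the report; all_read_only is the single pass/fail flag."""
    findings = storage_findings(parse_mounts(mounts_text), report_mountpoint)
    return {
        "host": hostname,
        "generated": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "storage": findings,
        "all_read_only": all(f["status"] == "ok" for f in findings),
    }


def write_report(report: Dict[str, object], directory: str) -> str:
    """Write the report as JSON onto the USB disk and return its path."""
    path = os.path.join(directory, "diag-%s.json" % report["host"])
    with open(path, "w") as fh:
        json.dump(report, fh, indent=2)
    return path


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
        hostname = os.uname().nodename
    except OSError:
        mounts_text, hostname = SAMPLE_MOUNTS, "sample-board"
    report = build_report(mounts_text, REPORT_DIR, hostname)
    print(json.dumps(report, indent=2))
    if os.path.isdir(REPORT_DIR):
        print("written to", write_report(report, REPORT_DIR))
```

In the rcS flow from the answer, mount the media under test with `-o ro` before starting the utility; the report then doubles as evidence that the diagnostics run itself could not have modified the device.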

Releasing Mac App Store application that requires 3rd party drivers

Does anyone have any experience with application deployment through the Mac App Store with 3rd party drivers? I have an application that is used to manage an external device through the USB port. It requires some drivers to be installed with it. Any ideas how to deploy such an application through the Mac App Store so I don't have to bother the user with any confusing messages about drivers? Is there any way to deploy such a driver? Is there any way to load drivers only in userspace (sandbox)?
It's a virtual com port driver.
As far as I'm aware, you can use the user space I/O Kit framework from Mac App Store apps. So if your device can be driven entirely via that, go ahead. USB devices are usually good candidates for user space drivers, but it heavily depends on how the device will be used. If only your app is going to be accessing the device, you stand a very good chance. If you're intending to make it available to multiple applications, e.g. by creating a /dev node, you'll need to drop to the kernel.
You can't ship kernel extensions (kexts) with apps via the Mac App Store.
I don't know what the status is regarding MAS apps which require a specific device and kext to work, without shipping the kext together with the app. If the kext is optional, I suspect they'll allow it.

Writing Windows 7 UEFI entry to NVRAM

I am currently working on a script to image multiple lab machines I am in charge of with Windows 7; unfortunately they are UEFI Dell machines which work in a silly way. On the machine I created the image with, in the Dell setup utility there was a UEFI entry in the boot menu for Windows which loaded the /boot/Microsoft/bootx64.efi file or some such equivalent. When I image the machines everything goes fine, except when I boot them I get the good old 'No Bootable device found' error, and when I go into the Dell setup utility there are no Windows entries. I can manually add an entry that points to this UEFI partition and the boot file, which will then boot fine and weirdly, on boot, add another entry to the NVRAM that points to the same file under the typical name 'Windows Boot Manager' or something. I have been trying to find some way to add this NVRAM entry without having to go into the Dell setup manually, since I am imaging a large number of machines and this would just complicate the process. I originally tried just chainloading a GRUB bootloader after the imaging had finished to detect the Windows installation and boot it, which would theoretically add the entry to NVRAM itself and stop me from having two entries or having to interact with the machine myself. I also haven't been able to find any information on directly adding an entry to the NVRAM on the Linux side that would do the same thing I accomplish through the Dell setup utility. Anyone have any experience with this?
Thanks
The operation of the Boot Manager is defined in the UEFI Specification, Chapter 3.
If you can write a UEFI application and boot to a UEFI shell and run your application, you can use the Runtime Service for setting a variable to create a BootOption and add that BootOption's number to the BootOrder. This is what the MS bootloader is doing when it detects that there is no BootOption defined for Windows, and this is why there is a new entry in the list after you boot to Windows.
Not sure what your default boot order is for your platform, but it may be possible to boot to a USB key with a UEFI shell by default, as this is a common configuration of defaults due to manufacturing requirements.
Check out the projects on tianocore on sourceforge to get a better idea of what would be involved in doing what you wanted to do.

How can I trigger the boot process of a bootable CD after normal boot?

I have been fooling around with different versions of multiboot software, trying to create a USB pin with my favorite PC tools and a folder with ISOs to boot after a normal boot into DOS (or something).
But a lot of ISOs don't work correctly, or at all (i.e. Windows boot CDs etc.), so I got a new idea:
Would it be possible to create a bootable MS-DOS USB pin, and then, after having booted, trigger the normal booting sequence of a CD-ROM from the DOS prompt?
Like this:
Turn on PC.
Hit key to get boot sequence menu (in my case F12).
Select "Boot from USB".
Let the USB boot into DOS (... or whatever else could be used for this purpose?).
From DOS prompt start "some program/script" to trigger a bootable CD in the normal optical drive, as if it had been triggered directly from the BIOS boot sequence menu.
(if this was possible, I would then proceed to add a menu with the option to start virtual CD-drive software and mount ISO files to my USB pin)
Thanks for any advice and/or ideas and thoughts!
Theoretically, you can use Int13h/AH=4Ch to start a CD-ROM boot from code running under the BIOS. However, I seem to remember reading that most BIOS implementations don't actually implement this part of the El Torito standard. (That was a long time ago, so perhaps you won't have this problem on a modern BIOS, although I wouldn't count on it.)
It is important to note that (in my experience) this is unlikely to work once you've booted an operating system. DOS doesn't change the CPU mode (provided you don't install any extended memory drivers) but it does change the system context in other ways - for example, IIRC, it hooks several of the BIOS interrupts. As a result once DOS is running you can't overwrite it (in order to boot another OS from a CD) without things falling over.
So, in order to make this work (a) you have to run your code in the bare BIOS, with no operating system present; and (b) you need a BIOS that implements the boot function properly. The first part is just a matter of getting the hang of bare assembly and the BIOS functions, but the second part is pretty much out of your control.
