Generate persistent ssh key for Xilinx MPSoC Linux (XLNX)

Here is some background information and methodology on how to store SSH keys on persistent storage, and modify init scripts such that the petalinux image does not generate a new key on each boot:

This sequence of steps describes how to use the flash MTD partition for persistent storage. The use case being considered is to load a previously generated RSA key and prevent dropbear from generating a new one (the dropbear init script needs to be modified for doing this).

The Dropbear SSH server is included by default in Petalinux, and is built automatically into the rootfs. Upon boot up, the dropbear init script (named dropbear) is placed and executes from the /etc/init.d directory:

  • This script has a function gen_keys(), which is responsible for generating the RSA key.
  • If a key already exists at /etc/dropbear, the gen_keys() function first deletes this key, and then generates a new one.
    Although not recommended by Xilinx officially, there might be some use cases where this functionality is not desired. For example, when a user wants to avoid having new keys generated upon reboot, and instead loads them from persistent storage.

In such cases, a custom recipe named dropbear can be added to the Petalinux project, with a custom init script that suppresses the call to gen_keys(). When the image is built and run from the board, the new dropbear init script will run and not create new keys at /etc/dropbear. The user can then copy over a previously generated key into this location from persistent storage.

This methodology can be dvivded into two parts:

  1. Generate a RSA key (on the board or laptop) and store it in the persistent storage (QSPI Flash) on the FPGA.
  2. Boot up with the modified dropbear init script, mount the QSPI Flash device on a JFFS partition, and copy over the previously stored key into /etc/dropbear.

Part 1:

  1. Build a normal Petalinux project and use those images to boot into the board. Default kernel config settings should include ZynqMP GQSPI as well as MTD block device support.
  2. From the Linux terminal, issue dmesg | grep spi and verify that four MTD partitions were created. Follow this by cat /proc/mtd to view the partitions. We will use the ‘spare’ MTD partition /dev/mtd3 for persistent storage.
  3. Erase /dev/mtd3 partition using flash_eraseall -j /dev/mtd3.
  4. Create a mount point for the flash partition: mkdir /mnt/flash_mtd3.
  5. Mount flash partition as JFFS2 file system: mount -t jffs2 /dev/mtdblock3 /mnt/flash_mtd3. (Note that /dev/mtdblock3 is used rather than /dev/mtd3)
  6. Copy Dropbear RSA key to flash partition: cp /etc/dropbear/dropbear_rsa_host_key /mnt/flash_mtd3
  7. Verify the copied key exists on the flash partition: ls /mnt/flash_mtd3.
  8. Unmount flash partition: umount /mnt/flash_mtd3.
  9. The Dropbear RSA key now resides in the persistent flash storage and can be accessed on successive boots
  10. The existing Dropbear init script can be modified and used in Part 2. Copy the script (/etc/init.d/dropbear) over to your host machine.

Part 2:

  1. Go back to your Petalinux project, and add a folder named ‘dropbear’ to <plnx_proj_root>/project-spec/meta-user/recipes-core/. Within this folder, build the following structure:
1
2
3
4
├── dropbear
│ ├── dropbear_%.bbappend
│ └── files
│ └── dropbear.initd
  1. The dropbear init script in the ‘files’ folder above is the one you have copied over from Part 1, and modified by modifying the gen_keys().
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
gen_keys() {
mkdir -p /mnt/qspi_mtd3
mount -t jffs2 /dev/mtdblock3 /mnt/qspi_mtd3

if [ -f "/mnt/qspi_mtd3/dropbear_rsa_host_key" ]; then
mkdir -p $DROPBEAR_RSAKEY_DIR
cp /mnt/qspi_mtd3/dropbear_rsa_host_key $DROPBEAR_RSAKEY
else
if [ -f "$DROPBEAR_RSAKEY" -a ! -s "$DROPBEAR_RSAKEY" ]; then
rm $DROPBEAR_RSAKEY || true
fi
if [ ! -f "$DROPBEAR_RSAKEY" ]; then
mkdir -p ${DROPBEAR_RSAKEY%/*}
dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS
fi
cp $DROPBEAR_RSAKEY /mnt/qspi_mtd3
fi
umount /mnt/qspi_mtd3
}
  1. Create dropbear_%.bbappend as follows:
1
2
3
4
5
6
7
8
9
10
11
# The dropbear_%.bbappend looks like this:
# Dropbear: suppress gen_keys.
SRC_URI_append = " \
file://dropbear.initd \
"
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"

# Overwrite the dropbear configuration with my configuration.
do_install_append() {
install -m 0755 ${WORKDIR}/dropbear.initd ${D}${sysconfdir}/init.d/dropbear
}
  1. Add the line SIGGEN_UNLOCKED_RECIPES_append = "dropbear" to <plnx_proj_root>/project-spec/meta-user/conf/petalinuxbsp.conf.
  2. Clean the Petalinux project and re-build: petalinux-build -x mrproper and petalinux-build.
  3. Boot with the generated images. Observe that the key generation message is not displayed, and no key will exist at /etc/dropbear.
  4. Mount flash partition containing original key: mount -t jffs2 /dev/mtdblock3 /mnt/flash_mtd3
  5. Copy key into default location: cp /mnt/flash_mtd3/dropbear_rsa_host_key /etc/dropbear