[U-Boot] [PATCH v3 03/12] image: Add RSA support for image signing

Tom Rini trini at ti.com
Thu Jun 27 17:48:00 CEST 2013


On Thu, Jun 27, 2013 at 08:45:34AM -0700, Simon Glass wrote:
> Hi Tom,
> 
> On Thu, Jun 27, 2013 at 5:50 AM, Tom Rini <trini at ti.com> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 06/27/2013 02:44 AM, Simon Glass wrote:
> > > Hi Masahiro,
> > >
> > > On Wed, Jun 26, 2013 at 9:08 PM, Masahiro Yamada
> > > <yamada.m at jp.panasonic.com <mailto:yamada.m at jp.panasonic.com>>
> > > wrote:
> > >
> > > Hello, Simon.
> > >
> > >
> > > When compiling the master branch, I got an error while a
> > > tools/mkimage build.
> > >
> > >
> > > u-boot/lib/rsa/rsa-sign.c:26:25: fatal error: openssl/rsa.h: No
> > > such file or directory
> > >
> > >
> > > I think this erorr is caused by commit 19c402a.
> > >
> > >
> > > I searched and installed the necessary package and I could resolve
> > > this error.
> > >
> > > $ apt-file search openssl/rsa.h libssl-dev:
> > > /usr/include/openssl/rsa.h $ sudo apt-get install libssl-dev
> > >
> > >
> > > Let me ask a question.
> > >
> > > Going forward do we always need the openssl development package
> > > for creating mkimage tool? Or is it possible to disable RSA feature
> > > by some CONFIG option?
> > >
> > >
> > > This is to support verified boot using FIT. Yes it would be
> > > possible to make it an option. I had it that way for a while, but
> > > then I worried that it would create two versions of mkimage, one
> > > of which is incapable of signing images. That means that mkimage
> > > would need to be built for a board with verified boot enabled in
> > > order to get full functionality.
> > >
> > > Perhaps another way would be to check for the header and (if not
> > > present), silently build without signing support?
> >
> > Hurk, dang it.. Yes, I think we need to build and go with an error
> > message on attempted use.  Skimming the code, we can't rely on
> > CONFIG_FIT_SIGNATURE being inherited from the config, on the host
> > side, yes?
> >
> 
> Yes I can make this check CONFIG_FIT_SIGNATURE - as mentioned I had it that
> way originally but worred about creating different versions of mkimage.
> 
> There is actually code there for this which we can use:
> 
> #ifdef CONFIG_FIT_SIGNATURE
> fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c
> <comment>] [-r]\n"
> "          -k => set directory containing private keys\n"
> "          -K => write public keys to this .dtb file\n"
> "          -c => add comment in signature node\n"
> "          -F => re-sign existing FIT image\n"
> "          -r => mark keys used as 'required' in dtb\n");
> #else
> fprintf(stderr, "Signing / verified boot not supported
> (CONFIG_FIT_SIGNATURE undefined)\n");
> #endif
> 
> Let me know if this is the preferred option and I will prepare a patch.

The Makefile fragments I saw implied we couldn't use this approach on
the host.  But if we can, lets.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20130627/b1dfbf7f/attachment.pgp>


More information about the U-Boot mailing list