[U-Boot] Hi Simon, there may be a problem with FIT image signature verification, can you check this problem?

Duxiaoqiang duxiaoqiang at huawei.com
Tue Oct 21 04:52:01 CEST 2014


Hi Simon & All,

These days I tested verified U-Boot on ARM Foundation, and I found a problem when I tested like this:

1) Generate a FIT image and signature blob file like: mkimage -D "-I dts -O dtb -p 2000" -F kernel.its -k keys -K fvp.dtb -r signed_image.fit

2) Compile U-Boot like:

   Step 1: make distclean

   Step 2: make DEVICE_TREE=foundation all. After this step a u-boot-dtb.bin file was generated, but the public key was not contained in it.

   Normally I should use the blob file fvp.dtb, which contains the public key, to compile U-Boot like: make EXT_DTB=<path>/fvp.dtb.

   In my test case I omitted this last step and just used step 2's result to test.

3) Package the firmware together with U-Boot

4) Boot the system on Foundation



Since signed_image.fit contains the signature information but U-Boot contains no public key information, when U-Boot loaded the image an error message like ": No signature node found: " occurred; this result was normal.

But the system did not stop after this error message; it kept going and booted the system successfully in the end!

I checked the U-Boot source code and found the problem in the function fit_config_verify_required_sigs.

Please note the marked part (the return 0; line).



int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
				    const void *sig_blob)
{
	int noffset;
	int sig_node;

	/* Work out what we need to verify */
	sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
	if (sig_node < 0) {
		debug("%s: No signature node found: %s\n", __func__,
		      fdt_strerror(sig_node));
		return 0;   --> Since a mismatch exists between U-Boot and the image, the system should return an error code. Return 0 means the result was OK.
	}
	.........



After I modified return 0 to return -1, the result seems OK.



Please check this problem and confirm whether I should submit a patch or someone else will modify it.



Sincerely.

Jason
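The policy question raised above, as an added example that is not part of the mail or of U-Boot's own code: the control FDT's /signature node and the FIT configuration are reduced to constructed structs (real U-Boot walks a flattened device tree with libfdt and runs the RSA check per key), and the two verifier variants differ only in what they return when no /signature node exists at all. The fail-closed variant returns -EPERM where the mail used -1; the struct names, key names and scenarios are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 4

/* One key node under /signature in the control FDT (hypothetical model). */
struct ctrl_key {
	const char *name;      /* e.g. "key-dev" */
	const char *required;  /* "conf" when this key must verify the config, NULL otherwise */
};

/* The part of the control FDT that matters here (hypothetical model). */
struct ctrl_fdt {
	int has_sig_node;      /* does /signature exist at all? */
	struct ctrl_key keys[MAX_KEYS];
	int nkeys;
};

/* A FIT configuration, reduced to the key names its signature verifies against. */
struct fit_conf {
	const char *verifies_with[MAX_KEYS];
	int nsigs;
};

/* Stand-in for the per-key signature check: 0 on success, -1 on failure. */
static int check_sig_with_key(const struct fit_conf *conf, const char *key_name)
{
	for (int i = 0; i < conf->nsigs; i++)
		if (strcmp(conf->verifies_with[i], key_name) == 0)
			return 0;
	return -1;
}

/* Shared loop: every key marked required = "conf" must verify the configuration. */
static int verify_required_keys(const struct ctrl_fdt *fdt, const struct fit_conf *conf)
{
	for (int i = 0; i < fdt->nkeys; i++) {
		const struct ctrl_key *k = &fdt->keys[i];
		if (!k->required || strcmp(k->required, "conf") != 0)
			continue;  /* optional key: its result does not gate the boot */
		if (check_sig_with_key(conf, k->name) != 0) {
			printf("required key %s did not verify\n", k->name);
			return -EPERM;
		}
	}
	return 0;
}

/* Behaviour the mail points at: no /signature node means nothing is required. */
int verify_required_sigs_fail_open(const struct ctrl_fdt *fdt, const struct fit_conf *conf)
{
	if (!fdt->has_sig_node) {
		printf("fail-open: no signature node found, allowing boot\n");
		return 0;
	}
	return verify_required_keys(fdt, conf);
}

/* Fail-closed variant: a verifier that carries no keys refuses instead of accepting. */
int verify_required_sigs_fail_closed(const struct ctrl_fdt *fdt, const struct fit_conf *conf)
{
	if (!fdt->has_sig_node) {
		printf("fail-closed: no signature node found, refusing boot\n");
		return -EPERM;
	}
	return verify_required_keys(fdt, conf);
}

/* Constructed scenarios (not taken from the mail). */
const struct ctrl_fdt fdt_without_keys = { 0, { { NULL, NULL } }, 0 };
const struct ctrl_fdt fdt_with_required_key = { 1, { { "key-dev", "conf" } }, 1 };
const struct ctrl_fdt fdt_with_optional_key = { 1, { { "key-dev", NULL } }, 1 };
const struct fit_conf conf_signed_by_dev = { { "key-dev" }, 1 };
const struct fit_conf conf_unsigned = { { NULL }, 0 };

int main(void)
{
	printf("no keys, signed image:  open=%d closed=%d\n",
	       verify_required_sigs_fail_open(&fdt_without_keys, &conf_signed_by_dev),
	       verify_required_sigs_fail_closed(&fdt_without_keys, &conf_signed_by_dev));
	printf("required key, good sig: open=%d closed=%d\n",
	       verify_required_sigs_fail_open(&fdt_with_required_key, &conf_signed_by_dev),
	       verify_required_sigs_fail_closed(&fdt_with_required_key, &conf_signed_by_dev));
	printf("required key, unsigned: open=%d closed=%d\n",
	       verify_required_sigs_fail_open(&fdt_with_required_key, &conf_unsigned),
	       verify_required_sigs_fail_closed(&fdt_with_required_key, &conf_unsigned));
	return 0;
}
```

The first scenario is the one the mail describes: U-Boot built without EXT_DTB=fvp.dtb carries no /signature node, so the fail-open variant accepts the signed image without checking anything, while the fail-closed variant refuses. The other scenarios show that both variants agree once keys are present: a key marked required gates the boot, and a key without the required property does not. Either way, the build step that embeds the public key into the control FDT is what gives "required" any meaning.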
