[U-Boot] FIT image signing

Aaron Williams Aaron.Williams at caviumnetworks.com
Tue Jul 25 23:54:15 UTC 2017 

Hi all,

I am trying to enable support for booting signed FIT images but I'm not sure 
how I go about setting up the public keys. The documentation under uImage.fit 
does not seem to cover how to go about setting up the keys for U-Boot to 
verify the image.

I can sign the .fit image without any issues but so far I have not been able 
to put the keys in the device tree which gets passed to U-Boot.

In our case we're using AARCH64 and the device tree is passed to U-Boot from 
the ATF layer. At our lowest layer we use something called the BDK which 
performs low-level initialization and builds the proper device tree. The 
device tree is eventually passed as a parameter to U-Boot when the ATF starts 
U-Boot.

Since the device tree is stored in RAM and is not particularly secure we plan 
to add a call to the ATF to obtain the public key.

I'm thinking the best way to do this would be to have another version of 
rsa_verify which uses a separate function than rsa_verify_with_keynode so that 
the properties are obtained elsewhere.

In the meantime I am trying to use the device tree but it's not entirely clear 
what data needs to be placed into the board device tree for this. The 
documentation under doc/uImage.FIT is clear about what needs to go into the 
.its files to generate the FIT image and I have no problem with that. There is 
no documentation discussing how the keys are stored in the device tree or what 
fields are used there. I did find some reference to it in 
beaglebone_vboot.txt, however.

Is mkimage supposed to be able to add these fields to the device tree? If so, 
I'm not sure how to do that.

Also, I came across what appears to be a bug in mkimage when signing images. 
In tools/image-host.c in fit_image_add_verification_data if 
fit_image_process_sig or fit_image_process_hash returns -ENOSPC then -1 is 
returned which causes mkimage to fail. Instead shouldn't -ENOSPC be returned 
so that mkimage can resize the image and allow it to proceed?

Cheers,

-Aaron

-- 
Aaron Williams
Senior Software Engineer
Cavium, Inc.
(408) 943-7198	(510) 789-8988 (cell)

More information about the U-Boot mailing list