[U-Boot] Need some help with verified u-boot (Signature verification failed)
Rayees Shamsuddin
Rayees.Shamsuddin at intusurg.com
Mon Jun 10 19:13:23 UTC 2019
Hi,
I am trying to get verified u-boot working on a Tegra TX2 board. I get an error while trying to verify the signature. I am not quite sure how to proceed forward to resolve this. Any help would be appreciated.
U-boot version:
U-Boot 2016.07-dirty (Jun 07 2019 - 10:46:18 -0700)
aarch64-linux-gnu-gcc (Linaro GCC 7.4-2019.02) 7.4.1 20181213 [linaro-7.4-2019.02 revision 56ec6f6b99cc167ff0c2f8e1a2eed33b1edc85d4]
GNU ld (Linaro_Binutils-2019.02) 2.28.2.20170706
This is the verification error I got:
Tegra186 (P2771-0000-500) # load mmc 0:1 0x80000000 boot/fitImage_Tegra
34393994 bytes read in 867 ms (37.8 MiB/s)
Tegra186 (P2771-0000-500) # bootm 0x80000000
## Loading kernel from FIT Image at 80000000 ...
Using 'conf@1' configuration
Verifying Hash Integrity ... sha256,rsa4096:tx2_key- Failed to verify required signature 'key-tx2_key'
Bad Data Hash
ERROR: can't get kernel image!
I realize that there may be some issues with the load address of the image - not sure if that is why the error "can't get kernel image!" happens. But I am trying to resolve the signature error first.
Using fit_check_sign
There is a tool called fit_check_sign to check if the signature is fine. I got the following results when I ran the tool:
sudo ../sources/u-boot/tools/fit_check_sign -f fitImage_Tegra -k tegra186-p2771-0000-500_pubkey.dtb
Verifying Hash Integrity ... sha256,rsa4096:tx2_key+
## Loading kernel from FIT Image at 7fd7974db000 ...
Using 'conf@1' configuration
Verifying Hash Integrity ...
sha256,rsa4096:tx2_key+
OK
Trying 'kernel@1' kernel subimage
Description: Linux kernel
Created: Mon Jun 10 10:27:57 2019
Type: Kernel Image
Compression: uncompressed
Data Size: 34048008 Bytes = 33250.01 kB = 32.47 MB
Architecture: AArch64
OS: Linux
Load Address: 0x80400000
Entry Point: 0x80400000
Hash algo: sha256
Hash value: 1ab04b15e67dad84c467cd354acb791cd5089ece37491d1771270e4f37af5f13
Verifying Hash Integrity ...
sha256+
OK
Loading Kernel Image ... Image too large: increase CONFIG_SYS_BOOTM_LEN
Must RESET board to recover
## Loading fdt from FIT Image at 7fd7974db000 ...
Using 'conf@1' configuration
Trying 'fdt@1' fdt subimage
Description: DTB for Tegra TX2
Created: Mon Jun 10 10:27:57 2019
Type: Flat Device Tree
Compression: uncompressed
Data Size: 344105 Bytes = 336.04 kB = 0.33 MB
Architecture: AArch64
Hash algo: sha256
Hash value: e8fbc4d332c0c1d957a77a57576191dfea0e1151193cedc671aecfb415d2782a
Verifying Hash Integrity ...
sha256+
OK
Loading Flat Device Tree ... OK
## Loading ramdisk from FIT Image at 7fd7974db000 ...
Using 'conf@1' configuration
Could not find subimage node
Signature check Bad (error 1)
Steps I used to create the fitImage
Generate a new key-pair using openssl
mkdir keys
openssl genrsa -F4 -out keys/tx2_key.key 4096 (Use 2048 instead of 4096 if boot time is unacceptable)
openssl req -batch -new -x509 -key keys/tx2_key.key -out keys/tx2_key.crt
sudo ../sources/u-boot/tools/mkimage -f fitImage_Tegra.its -K tegra186-p2771-0000-500_pubkey.dtb -k keys -r fitImage_Tegra
This will create the fitimage:
FIT description: fitImage for Tegra
Created: Thu Jun 6 13:11:36 2019
Image 0 (kernel@1)
Description: Linux kernel
Created: Thu Jun 6 13:11:36 2019
Type: Kernel Image
Compression: uncompressed
Data Size: 34048008 Bytes = 33250.01 kB = 32.47 MB
Architecture: AArch64
OS: Linux
Load Address: 0x80000000
Entry Point: 0x80000000
Hash algo: sha256
Hash value: 1ab04b15e67dad84c467cd354acb791cd5089ece37491d1771270e4f37af5f13
Image 1 (fdt@1)
Description: DTB for Tegra TX2
Created: Thu Jun 6 13:11:36 2019
Type: Flat Device Tree
Compression: uncompressed
Data Size: 344105 Bytes = 336.04 kB = 0.33 MB
Architecture: AArch64
Hash algo: sha256
Hash value: e8fbc4d332c0c1d957a77a57576191dfea0e1151193cedc671aecfb415d2782a
Default Configuration: 'conf@1'
Configuration 0 (conf@1)
Description: Boot Linux kernel and FDT
Kernel: kernel@1
FDT: fdt@1
Then I rebuild u-boot from source to incorporate the public key into its dtb.
make EXT_DTB=../../fit/tegra186-p2771-0000-500_pubkey.dtb
Thanks a lot for your help
Rayees Shamsuddin
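
Added example, not part of the original post and not U-Boot code: mkimage -K stores the public key under a /signature/key-<name> node of the dtb, and the post shows verification passing against the -K dtb on the host while failing on the board. The sketch below parses two dtb files and compares that node, so the -K dtb can be checked against the dtb that actually ended up in the U-Boot build; the function names are this example's own, the property names are the ones mkimage writes, and the two file paths are supplied by the reader.

```python
import hashlib
import struct
import sys
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # FDT structure tokens

def signature_keys(blob):
    """Return {node: {property: raw bytes}} for every /signature/<node> in a dtb."""
    if len(blob) < 40 or blob[:4] != b"\xd0\x0d\xfe\xed":
        raise ValueError("not a flattened device tree")
    off_struct, off_strings = struct.unpack_from(">2I", blob, 8)
    pos, path, keys = off_struct, [], {}
    while True:
        (token,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if token == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            path.append(blob[pos:end].decode())
            pos = (end + 4) & ~3  # skip name and NUL, padded to 4 bytes
        elif token == END_NODE:
            path.pop()
        elif token == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            start = off_strings + nameoff
            name = blob[start:blob.index(b"\0", start)].decode()
            if len(path) == 3 and path[:2] == ["", "signature"]:
                keys.setdefault(path[2], {})[name] = blob[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3  # header + value, padded to 4 bytes
        elif token == END:
            return keys
        elif token != NOP:
            raise ValueError("bad FDT token %#x" % token)

def summarize(blob):
    """Reduce each key node to the fields worth comparing between two dtbs."""
    out = {}
    for node, p in signature_keys(blob).items():
        out[node] = {k: p.get(k, b"").rstrip(b"\0").decode()
                     for k in ("algo", "required", "key-name-hint")}
        out[node]["num-bits"] = int.from_bytes(p.get("rsa,num-bits", b""), "big")
        out[node]["modulus-sha256"] = hashlib.sha256(p.get("rsa,modulus", b"")).hexdigest()
    return out

def compare(blob_a, blob_b):  # False for a node means missing or different
    a, b = summarize(blob_a), summarize(blob_b)
    return {n: a.get(n) == b.get(n) for n in sorted(set(a) | set(b))}

if __name__ == "__main__":  # argv: dtb passed to mkimage -K, dtb from the U-Boot build
    blobs = [open(p, "rb").read() for p in sys.argv[1:3]]
    print(compare(*blobs))
```

A node reported as False is either absent from one of the two files or carries a different algorithm, required setting, key size or modulus.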