[U-Boot] Need some help with verified u-boot (Signature verification failed)

Rayees Shamsuddin Rayees.Shamsuddin at intusurg.com
Mon Jun 10 19:13:23 UTC 2019


Hi,

I am trying to get verified u-boot working on a Tegra TX2 board. I get an error while trying to verify the signature. I am not quite sure how to proceed forward to resolve this. Any help would be appreciated.

U-boot version:
U-Boot 2016.07-dirty (Jun 07 2019 - 10:46:18 -0700)
aarch64-linux-gnu-gcc (Linaro GCC 7.4-2019.02) 7.4.1 20181213 [linaro-7.4-2019.02 revision 56ec6f6b99cc167ff0c2f8e1a2eed33b1edc85d4]
GNU ld (Linaro_Binutils-2019.02) 2.28.2.20170706

This is the verification error I got:


Tegra186 (P2771-0000-500) # load mmc 0:1 0x80000000 boot/fitImage_Tegra
34393994 bytes read in 867 ms (37.8 MiB/s)
Tegra186 (P2771-0000-500) # bootm 0x80000000
## Loading kernel from FIT Image at 80000000 ...
Using 'conf@1' configuration
Verifying Hash Integrity ... sha256,rsa4096:tx2_key- Failed to verify required signature 'key-tx2_key'
Bad Data Hash
ERROR: can't get kernel image!

I realize that there may be some issues with the load address of the image - not sure if that is why the error "can't get kernel image!" happens. But I am trying to resolve the signature error first.

Using fit_check_sign
There is a tool called fit_check_sign to check if the signature is fine. I got the following results when I ran the tool:
sudo ../sources/u-boot/tools/fit_check_sign -f fitImage_Tegra -k tegra186-p2771-0000-500_pubkey.dtb

Verifying Hash Integrity ... sha256,rsa4096:tx2_key+
## Loading kernel from FIT Image at 7fd7974db000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ...
sha256,rsa4096:tx2_key+
OK

   Trying 'kernel@1' kernel subimage
     Description:  Linux kernel
     Created:      Mon Jun 10 10:27:57 2019
     Type:         Kernel Image
     Compression:  uncompressed
     Data Size:    34048008 Bytes = 33250.01 kB = 32.47 MB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x80400000
     Entry Point:  0x80400000
     Hash algo:    sha256
     Hash value:   1ab04b15e67dad84c467cd354acb791cd5089ece37491d1771270e4f37af5f13
   Verifying Hash Integrity ...
sha256+
OK

   Loading Kernel Image ... Image too large: increase CONFIG_SYS_BOOTM_LEN
Must RESET board to recover
## Loading fdt from FIT Image at 7fd7974db000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  DTB for Tegra TX2
     Created:      Mon Jun 10 10:27:57 2019
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Size:    344105 Bytes = 336.04 kB = 0.33 MB
     Architecture: AArch64
     Hash algo:    sha256
     Hash value:   e8fbc4d332c0c1d957a77a57576191dfea0e1151193cedc671aecfb415d2782a
   Verifying Hash Integrity ...
sha256+
OK

   Loading Flat Device Tree ... OK

## Loading ramdisk from FIT Image at 7fd7974db000 ...
   Using 'conf@1' configuration
Could not find subimage node

Signature check Bad (error 1)

Steps I used to create the fitImage

Generate a new key-pair using openssl
mkdir keys
openssl genrsa -F4 -out keys/tx2_key.key 4096   # Use 2048 instead of 4096 if boot time is unacceptable
openssl req -batch -new -x509 -key keys/tx2_key.key -out keys/tx2_key.crt

sudo ../sources/u-boot/tools/mkimage -f fitImage_Tegra.its -K tegra186-p2771-0000-500_pubkey.dtb -k keys -r fitImage_Tegra
This will create the fitimage:
FIT description: fitImage for Tegra
Created:         Thu Jun  6 13:11:36 2019
 Image 0 (kernel@1)
  Description:  Linux kernel
  Created:      Thu Jun  6 13:11:36 2019
  Type:         Kernel Image
  Compression:  uncompressed
  Data Size:    34048008 Bytes = 33250.01 kB = 32.47 MB
  Architecture: AArch64
  OS:           Linux
  Load Address: 0x80000000
  Entry Point:  0x80000000
  Hash algo:    sha256
  Hash value:   1ab04b15e67dad84c467cd354acb791cd5089ece37491d1771270e4f37af5f13
 Image 1 (fdt@1)
  Description:  DTB for Tegra TX2
  Created:      Thu Jun  6 13:11:36 2019
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    344105 Bytes = 336.04 kB = 0.33 MB
  Architecture: AArch64
  Hash algo:    sha256
  Hash value:   e8fbc4d332c0c1d957a77a57576191dfea0e1151193cedc671aecfb415d2782a
 Default Configuration: 'conf@1'
 Configuration 0 (conf@1)
  Description:  Boot Linux kernel and FDT
  Kernel:       kernel@1
  FDT:          fdt@1

Then I rebuild u-boot from source to incorporate the public key into its dtb.
make EXT_DTB=../../fit/tegra186-p2771-0000-500_pubkey.dtb


Thanks a lot for your help

Rayees Shamsuddin
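
As an added example (not part of the original post and not U-Boot code), the following parses a flattened device tree and reports, for each key node under /signature, its required scope and a SHA-256 fingerprint of rsa,modulus, so that the DTB passed to mkimage -K can be compared with the control DTB inside the U-Boot binary that actually runs on the board. It assumes the /signature/key-<name> layout with required and rsa,modulus properties that mkimage -K writes; the function names and the sample DTB are constructed for illustration.

```python
import hashlib, struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def signature_keys(dtb: bytes) -> dict:
    """Walk the DTB structure block; return raw props of each /signature child."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, path, keys = off_struct, [], {}
    while True:
        (token,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if token == BEGIN_NODE:        # NUL-terminated name, padded to 4 bytes
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3
        elif token == END_NODE:
            path.pop()
        elif token == PROP:            # u32 length, u32 name offset, padded value
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            value, s = dtb[pos + 8:pos + 8 + length], off_strings + nameoff
            pos = (pos + 8 + length + 3) & ~3
            if len(path) == 3 and path[1] == "signature":
                name = dtb[s:dtb.index(b"\0", s)].decode()
                keys.setdefault(path[2], {})[name] = value
        elif token == END:
            return keys
        elif token != NOP:
            raise ValueError(f"unexpected FDT token {token:#x}")

def fingerprints(dtb: bytes) -> dict:
    """Map each key node to (required scope, SHA-256 of its rsa,modulus)."""
    return {n: (p.get("required", b"").rstrip(b"\0").decode(),
                hashlib.sha256(p.get("rsa,modulus", b"")).hexdigest())
            for n, p in signature_keys(dtb).items()}

def sample_dtb(modulus: bytes) -> bytes:
    """Constructed input (dummy modulus): header, empty reserve map, one key node."""
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    tok = lambda t: struct.pack(">I", t)
    node = lambda name, inner: tok(BEGIN_NODE) + pad(name + b"\0") + inner + tok(END_NODE)
    strings = body = b""
    for name, val in ((b"required", b"conf\0"), (b"rsa,modulus", modulus)):
        body += struct.pack(">3I", PROP, len(val), len(strings)) + pad(val)
        strings += name + b"\0"
    st = node(b"", node(b"signature", node(b"key-tx2_key", body))) + tok(END)
    return struct.pack(">10I", FDT_MAGIC, 56 + len(st) + len(strings), 56, 56 + len(st),
                       40, 17, 16, 0, len(strings), len(st)) + b"\0" * 16 + st + strings
```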


