[U-Boot] Confusion about "u-boot/doc/uImage.FIT/signature.txt"

Simon Glass sjg at chromium.org
Wed Oct 30 01:49:48 UTC 2019


Hi Lang,


On Tue, 22 Oct 2019 at 20:23, Lang Yu <yulang at hesaitech.com> wrote:
>
> Hi, sjg,
>
>
>
> I'm YuLang, a software engineer at Hesai Tech. I really appreciate your contribution to secure boot. But I'm confused by your explanation of signatures with FIT images in "u-boot/doc/uImage.FIT/signature.txt", as follows:
>
>
> / {
>     images {
>         kernel@1 {
>             data = <data for kernel1>
>             hash@1 {
>                 algo = "sha1";
>                 value = <...kernel hash 1...>
>             };
>         };
>         kernel@2 {
>             data = <data for kernel2>
>             hash@1 {
>                 algo = "sha1";
>                 value = <...kernel hash 2...>
>             };
>         };
>         fdt@1 {
>             data = <data for fdt1>;
>             hash@1 {
>                 algo = "sha1";
>                 value = <...fdt hash 1...>
>             };
>         };
>         fdt@2 {
>             data = <data for fdt2>;
>             hash@1 {
>                 algo = "sha1";
>                 value = <...fdt hash 2...>
>             };
>         };
>     };
>     configurations {
>         default = "conf@1";
>         conf@1 {
>             kernel = "kernel@1";
>             fdt = "fdt@1";
>             signature@1 {
>                 algo = "sha1,rsa2048";
>                 value = <...conf 1 signature...>;
>             };
>         };
>         conf@2 {
>             kernel = "kernel@2";
>             fdt = "fdt@2";
>             signature@1 {
>                 algo = "sha1,rsa2048";
>                 value = <...conf 1 signature...>;
>             };
>         };
>     };
> };
>
>
> You can see that we have added hashes for all images (since they are no
> longer signed), and a signature to each configuration. In the above example,
> mkimage will sign configurations/conf@1, the kernel and fdt that are
> pointed to by the configuration (/images/kernel@1, /images/kernel@1/hash@1,
> /images/fdt@1, /images/fdt@1/hash@1) and the root structure of the image
> (so that it isn't possible to add or remove root nodes). The signature is
> written into /configurations/conf@1/signature@1/value. It can easily be
> verified later even if the FIT has been signed with other keys in the
> meantime.
>
>
>
> But what does a signature to each configuration really mean?
>
>
> 1. rsa2048-privatekey(sha1(kernel data + fdt data))
>
>
> 2. rsa2048-privatekey(sha1(kernel hash+kernel hash))
>
>
> 3....
>
>
> Could you give a clear explanation? Many thanks


This is explained in signature.txt, just above the 'verification' heading:

> In the above example,
> mkimage will sign configurations/conf-1, the kernel and fdt that are
> pointed to by the configuration (/images/kernel-1, /images/kernel-1/hash-1,
> /images/fdt-1, /images/fdt-1/hash-1) and the root structure of the image
> (so that it isn't possible to add or remove root nodes). The signature is
> written into /configurations/conf-1/signature-1/value. It can easily be
> verified later even if the FIT has been signed with other keys in the
> meantime.

Regards,
Simon
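
The node coverage quoted from signature.txt above, as an added example that is not part of this thread or of U-Boot/mkimage: a simplified Python model of which nodes feed the configuration digest. The dict layout and function names are hypothetical, the RSA step is replaced by comparing digests, and it assumes (as in U-Boot's implementation) that each image's `data` property is left out of the signed region and is covered through its hash node instead.

```python
import hashlib

def image(data):
    # Image node: raw data plus a hash-1 subnode, as in the FIT above.
    return {"data": data,
            "hash-1": {"algo": "sha1", "value": hashlib.sha1(data).hexdigest()}}

def make_fit():
    # Constructed FIT modelled as nested dicts (not a real device tree blob).
    return {
        "images": {"kernel-1": image(b"kernel one"), "kernel-2": image(b"kernel two"),
                   "fdt-1": image(b"fdt one"), "fdt-2": image(b"fdt two")},
        "configurations": {"conf-1": {"kernel": "kernel-1", "fdt": "fdt-1"},
                           "conf-2": {"kernel": "kernel-2", "fdt": "fdt-2"}},
    }

def covered_nodes(fit, conf):
    # Node list from signature.txt: root, the configuration, its images and their hashes.
    c = fit["configurations"][conf]
    nodes = ["/", "/configurations/" + conf]
    for img in (c["kernel"], c["fdt"]):
        nodes += ["/images/" + img, "/images/" + img + "/hash-1"]
    return nodes

def conf_digest(fit, conf):
    # sha1 over each covered node's path and properties; the 'data' property is
    # skipped (assumption stated in the lead-in), child nodes contribute names only.
    h = hashlib.sha1()
    for path in covered_nodes(fit, conf):
        node = fit
        for part in filter(None, path.split("/")):
            node = node[part]
        h.update(path.encode())
        for name in sorted(node):
            if name == "data":
                continue
            val = node[name]
            h.update((name if isinstance(val, dict) else name + "=" + val + ";").encode())
    return h.hexdigest()

def verify(fit, conf, signed_digest):
    # signed_digest stands in for the digest recovered from the RSA signature.
    if conf_digest(fit, conf) != signed_digest:
        return "bad signature"
    c = fit["configurations"][conf]
    for img in (c["kernel"], c["fdt"]):
        node = fit["images"][img]
        if hashlib.sha1(node["data"]).hexdigest() != node["hash-1"]["value"]:
            return "bad hash: " + img
    return "ok"
```

In this model, changing image data alone fails the hash check, while changing the hash value or re-pointing conf-1 at fdt-2 fails the signature check; edits to kernel-2 leave conf-1 valid.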

