Booting an ELF image from a FIT image with Verified Boot
Turner, Ben
ben.turner at roke.co.uk
Tue Apr 28 10:59:38 CEST 2020
Hi,
I have been trying to work out how to achieve booting an ELF image after I have successfully verified the signature using verified boot.
I have successfully managed to boot the ELF image on its own using the bootelf command from the U-Boot command line, and I have also managed to get a normal Linux kernel and DTB verified and booted using a FIT image. I have not, however, managed to get my ELF image to boot from a FIT image.
My .its file is as follows:
/dts-v1/;
/ {
    description = "My image";
    #address-cells = <0x1>;
    images {
        app@1 {
            description = "My app";
            data = /incbin/("uImage");
            type = "kernel";
            os = "linux";
            arch = "arm";
            compression = "none";
            load = <0x42000000>;
            entry = <0x42000000>;
            signature {
                algo = "sha1,rsa4096";
                key-name-hint = "my-key";
            };
        };
    };
    configurations {
        default = "conf@1";
        conf@1 {
            kernel = "app@1";
        };
    };
};
This created a FIT image without complaining; however, when I attempt to boot this, U-Boot complains: "Could not find configuration node".
After some trial and error, and converting the ELF image to a uImage, it seems that U-Boot doesn't like it if there is not a DTB included when the FIT image is created:
/dts-v1/;
/ {
    description = "My image";
    #address-cells = <0x1>;
    images {
        app@1 {
            description = "My app";
            data = /incbin/("uImage");
            type = "kernel";
            os = "linux";
            arch = "arm";
            compression = "none";
            load = <0x42000000>;
            entry = <0x42000000>;
            signature {
                algo = "sha1,rsa4096";
                key-name-hint = "my-key";
            };
        };
        fdt@1 {
            description = "My DTB";
            data = /incbin/("device.dtb");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            signature {
                algo = "sha1,rsa4096";
                key-name-hint = "my-key";
            };
        };
    };
    configurations {
        default = "conf@1";
        conf@1 {
            kernel = "app@1";
            fdt = "fdt@1";
        };
    };
};
This file generates an image that does not produce an error. It states that it has been successfully verified and is "Starting kernel..."; however, I get no further output to the terminal after that point (unlike when booting the image on its own). I am unsure if this is just because the image is not being run, or if I have missed some setting which means the output is not being directed correctly and so is not displaying.
My concern about this second file is also that my ELF image requires no DTB file. It has all the information it needs in order to operate on the device (the DTB is baked into the ELF). So I don't understand why I need to provide a DTB in order to make U-Boot happy - especially when the documentation states that the `fdt` field in the configuration is optional?
I have tried several iterations of various different image types (kernel, standalone etc) as well as different os types (linux, qnx etc) and nothing seems to work.
What am I doing wrong?
Thanks,
Ben Turner
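Added example (not part of the original post, and not U-Boot code): a small offline check of an .its source that confirms the default configuration and its kernel/fdt references resolve to real nodes, and reports which nodes carry a signature and whether it uses sha1. U-Boot's FIT signature documentation also describes signing the configuration node so that the combination of images is covered, which is why an unsigned configuration is reported. The parser handles only the node/property subset used in the post; parse and audit are names invented for this sketch, and the sample is constructed from the second .its above.

```python
import re

# Constructed sample: the second .its from the post, reduced to the nodes and
# properties that the checks below look at.
ITS = '''/dts-v1/;
/ {
    images {
        app@1 { signature { algo = "sha1,rsa4096"; key-name-hint = "my-key"; }; };
        fdt@1 { signature { algo = "sha1,rsa4096"; key-name-hint = "my-key"; }; };
    };
    configurations {
        default = "conf@1";
        conf@1 { kernel = "app@1"; fdt = "fdt@1"; };
    };
};'''

TOKEN = re.compile(r'([\w@#,/-]+)\s*\{|([\w#,-]+)\s*=\s*([^;]*);|\};')

def parse(src):
    """Parse the node/property subset of DTS used by .its files into nested dicts."""
    stack = [{}]
    for m in TOKEN.finditer(src):
        if m.group(1):                      # "name {" opens a child node
            stack.append(stack[-1].setdefault(m.group(1), {}))
        elif m.group(2):                    # "key = value;" is a property
            stack[-1][m.group(2)] = m.group(3).strip().strip('"')
        else:                               # "};" closes the current node
            stack.pop()
    return stack[0]["/"]

def audit(fit):
    """Findings on dangling references, unsigned nodes and sha1 signatures."""
    images, confs = fit.get("images", {}), fit.get("configurations", {})
    nodes = {k: v for k, v in confs.items() if isinstance(v, dict)}
    out = []
    if confs.get("default") not in nodes:
        out.append(f"default {confs.get('default')!r} names no configuration node")
    for name, conf in nodes.items():
        out += [f"{name}: {k} {conf[k]!r} names no image node"
                for k in ("kernel", "fdt") if k in conf and conf[k] not in images]
        if not any(k.startswith("signature") for k in conf):
            out.append(f"{name}: configuration is not signed")
    for name, img in images.items():
        algos = [v.get("algo", "") for k, v in img.items() if k.startswith("signature")]
        if not algos:
            out.append(f"{name}: image has no signature node")
        out += [f"{name}: signature hash is sha1" for a in algos if a.startswith("sha1")]
    return out
```

Calling audit(parse(ITS)) on the sample reports the unsigned configuration and the two sha1 signatures; it checks the source only and says nothing about how U-Boot boots the resulting image.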