verified boot changes since 2020.04
Rasmus Villemoes
rasmus.villemoes at prevas.dk
Mon Oct 5 16:10:22 CEST 2020
Hi,

I'm trying to keep our board in sync with upstream, but when trying to
port it to v2020.10-rc4, the kernel verification fails:

    ## Loading kernel from FIT Image at 03000000 ...
    Using 'conf-def.dtb' configuration
    Verifying Hash Integrity ... sha1,rsa2048:dev- error!
    Verification failed for '<NULL>' hash node in 'conf-def.dtb' config node
    Failed to verify required signature 'key-dev'
    Bad Data Hash
    ERROR: can't get kernel image!

Our current board code is based on v2020.04 where everything works as
expected.

I have checked that U-Boot's .dtb has identical /signature nodes between
the two versions, both from within U-Boot with 'fdt print /signature'
and using fdtdump:

    => fdt print /signature
    signature {
        key-dev {
            required = "conf";
            algo = "sha1,rsa2048";
            rsa,r-squared = ...
            rsa,modulus = ...
            rsa,exponent = ...
            rsa,n0-inverse = ...
            rsa,num-bits = <0x00000800>;
            key-name-hint = "dev";
        };
    };

(except that apparently the new version of U-Boot no longer abbreviates
the r-squared and modulus values to an "* address [length]" format).

I wanted to try using tools/fit_check_sign as a quick way to bisect
this, unfortunately the v2020.10-rc4 version (also) says that the kernel
image is correctly signed.

Does anyone have a crystal ball that says what might have changed to
cause this? The board in question is based on mpc8309, i.e. big-endian
powerpc.

Thanks,
Rasmus