verified boot changes since 2020.04
Simon Glass
sjg at chromium.org
Mon Oct 12 05:34:46 CEST 2020

Hi Rasmus,

On Mon, 5 Oct 2020 at 08:10, Rasmus Villemoes
<rasmus.villemoes at prevas.dk> wrote:
>
> Hi,
>
> I'm trying to keep our board in sync with upstream, but when trying to
> port it to v2020.10-rc4, the kernel verification fails:
>
> ## Loading kernel from FIT Image at 03000000 ...
> Using 'conf-def.dtb' configuration
> Verifying Hash Integrity ... sha1,rsa2048:dev- error!
> Verification failed for '<NULL>' hash node in 'conf-def.dtb' config node
> Failed to verify required signature 'key-dev'
> Bad Data Hash
> ERROR: can't get kernel image!
>
> Our current board code is based on v2020.04 where everything works as
> expected.
>
> I have checked that U-Boot's .dtb has identical /signature nodes between
> the two versions, both from within U-Boot with 'fdt print /signature'
> and using fdtdump:
>
> => fdt print /signature
> signature {
>     key-dev {
>         required = "conf";
>         algo = "sha1,rsa2048";
>         rsa,r-squared = ...
>         rsa,modulus = ...
>         rsa,exponent = ...
>         rsa,n0-inverse = ...
>         rsa,num-bits = <0x00000800>;
>         key-name-hint = "dev";
>     };
> };
>
> (except that apparently the new version of U-Boot no longer abbreviates
> the r-squared and modulus values to an "* address [length]" format).
>
> I wanted to try using tools/fit_check_sign as a quick way to bisect
> this, unfortunately the v2020.10-rc4 version (also) says that the kernel
> image is correctly signed.
>
> Does anyone have a crystal ball that says what might have changed to
> cause this? The board in question is based on mpc8309, i.e. big-endian
> powerpc.

It seems that big endian was broken and you have sent a patch, thank you.

- Simon