SPL FIT configuration signature verification

Andrii Voloshyn a.voloshyn at d.mobilunity.com
Mon Sep 14 08:44:31 CEST 2020


Hi Reuben,

    Thanks for your reply. 
So, in your 'its' file for second stage u-boot, do you define signature in images section as follows:

    images {
        uboot {
            description = "U-Boot Secondary";
           signature {
            };
        };

        configurations {
        };
   };

or in configuration section (signed configuration feature), as follows?:

    images {
        uboot {
            description = "U-Boot Secondary";
        };

        config-1 {
            description = "";
            loadables = "uboot";
            signature {
                    algo = "";
                    key-name-hint = "";
                    sign-images =  "loadables";
            };
   };

When I define signatures in images section, SPL U-Boot checks signatures of the second stage u-boot as expected, on the other hand, when configuration is signed it doesn't check it.
Microsoft added their own patch a couple of years ago to fix this (https://github.com/neilsh-msft/u-boot.ms-iot/commit/6ea7fab742eadddf4982695f3cbafeda079e4134), but it is not
in the mainline. I am wondering if this has been fixed in the mainline since then, or I need to patch u-boot similar way Microsoft did?

Cheers,
Andy

---- On Mon, 14 Sep 2020 01:01:46 +0300 Reuben Dowle <reuben.dowle at 4rf.com> wrote ----

 > 
 > Yes, it is possible to do this. The SPL will check its own DTB to check which signatures are required.
 >  
 >  When the FIT that the SPL will load is created with mkimage, you also pass the SPL's dtb file, which will be patched to include the required signatures.
 >  
 >  I am not sure if the config system has ability to specify this. My build process separates the signing from the normal uboot build (so that I can keep the private keys more secure), so I am manually calling mkimage. The command I am using to generate my second stage signed u-boot FIT file which is loaded by SPL:
 >  
 >  mkimage -f uboot.its -K u-boot-spl.dtb -k keys -r u-boot.fit
 >  
 >  The updated u-boot-spl.dtb needs to be available for the SPL to load at startup - often by appending this dtb to the end of the SPL binary. In my case I do this:
 >  cat u-boot-spl-nodtb.bin u-boot-spl-pad.bin u-boot-spl.dtb > u-boot-spl.bin
 >  
 >  
 >  Reuben Dowle
 >  Software Architect
 >  Phone:
 >  
 >  Fax:
 >  E-Mail:
 >  Website:
 >  +64 4 499 6000
 >  
 >  +64 4 473 4447
 >  reuben.dowle at 4rf.com
 >  Https://www.4rf.com
 >  
 > 
 > 
 >   
 > 
 > 
 > -----Original Message-----
 >  From: U-Boot <u-boot-bounces at lists.denx.de> On Behalf Of Andrii Voloshyn
 >  Sent: Saturday, 12 September 2020 12:18 am
 >  To: u-boot <u-boot at lists.denx.de>
 >  Subject: SPL FIT configuration signature verification
 >  
 >  Hi there,
 >  
 >         Is it possible to make SPL U-Boot to verify signature located in configuration section of FIT image, and do not continue in case the signature is missing or doesn't match?
 >  Asking because I couldn't find any configuration option for that, and I have FIT image with signature but SPL U-boot doesn't check it at all, it only checks signatures for images if present.
 >  
 >  Thanks
 >  
 >  Cheers,
 >  Andy
 >  
 > 
 > The information in this email communication (inclusive of attachments) is confidential to 4RF Limited and the intended recipient(s). If you are not the intended recipient(s), please note that any use, disclosure, distribution or copying of this information or any part thereof is strictly prohibited and that the author accepts no liability for the consequences of any action taken on the basis of the information provided. If you have received this email in error, please notify the sender immediately by return email and then delete all instances of this email from your system. 4RF Limited will not accept responsibility for any consequences associated with the use of this email (including, but not limited to, damages sustained as a result of any viruses and/or any action or lack of action taken in reliance on it).


More information about the U-Boot mailing list