Allow FIT Image Signature Verification to use RSA Public Key specified in DER Format

Harshvardhan Patel harshvardhan1621 at gmail.com
Fri Nov 5 17:17:17 CET 2021 

Hi All,

I have been able to get the FIT Image Signature verification running on a
Raspberry Pi 4 Model B by following the documentation here:
https://source.denx.de/u-boot/u-boot/-/blob/master/doc/uImage.FIT/beaglebone_vboot.txt.
The public key, as the doc states, is stored in the Control FDT. The
signature algorithm I'm using is RSA 2048 with SHA256. I am aware the
following step:
$ mkimage -f sign.its -K bcm2711-rpi-4-pubkey.dtb -k keys -r image.fit
Will store the Public key information in the DTB as different components
split up into:

rsa,r-squaredrsa,modulusrsa,n0-inversersa,num-bits

However, I was wondering if I can directly use a certificate generated
in the following steps for FIT Image verification:

$ openssl genrsa -F4 -out keys/dev.key 2048$ openssl req -batch -new
-x509 -key keys/dev.key -out keys/dev.crt

When reading through the code, it seems that the structure
"image_sign_info" (defined in include/image.h) would allow for Public key
to be specified in DER format:

const void *key;                /* Pointer to public key in DER */

So I did the following steps to convert the dev.crt Certificate to DER format:

$ openssl x509 -in ./keys/dev.crt -out dev.der -outform DER

Then I took the Hexdump of dev.der (Public Key in DER Format):

$ xxd -g 1 -u dev.der | cut -c -57  # Hexdump of the public key in DER format

And applied the following diff:

diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 83f7564101..3e60dc6b50 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -499,7 +499,11 @@ int rsa_verify_hash(struct image_sign_info *info,
 {
        int ret = -EACCES;

-       if (CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) {
+       // Der Format Public Key
+       char pub_key_der[] = {0x30, 0x82, .... 0x2F}; #
<-------------- Hardcoded the DER Pub Key here
+
+       info->key = pub_key_der;
+       if (CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY)) {
                /* don't rely on fdt properties */
                ret = rsa_verify_with_pkey(info, hash, sig, sig_len);
However, on applying the above changes, the rsa_verify_with_pkey
function fails with error code -74.

While I am aware that the above is probably not the best way to go
about enabling FIT signature verification using a Pub Key in DER
format, it will be very helpful if I can receive pointers on how to
achieve this.

Please let me know if there is some other way in which I should be
passing my Public Key in DER format for FIT Image Signature
Verification.

More information about the U-Boot mailing list