[PATCH 00/16] tools: Add support for signing devicetree blobs
François Ozog
francois.ozog at linaro.org
Fri Nov 12 20:49:11 CET 2021
Hi Simon
On Fri 12 Nov 2021 at 20:36, Simon Glass <sjg at chromium.org> wrote:
> At present mkimage supports signing FITs, the standard U-Boot image type.
>
> Various people are opposed to using FIT since:
>
Just to be sure: I am not one of those.
>
> a) it requires adding support for FIT into other bootloaders, notably
> UEFI
Whatever happens to FIT is entirely orthogonal to the U-Boot UEFI subsystem.
FIT can evolve; U-Boot UEFI does not have to change.
>
> b) it requires packaging a kernel in this standard U-Boot format, meaning
> that distros must run 'mkimage' and deal with the kernel and initrd
> being inside a FIT
>
> The kernel and initrd can be dealt with in other ways. But without FIT,
> we have no standard way of signing and grouping FDT files. Instead we must
> include them in the distro as separate files.
>
> In particular, some sort of mechanism for verifying FDT files is needed.
> One option would be to tack a signature on before or after the file,
> processing it accordingly. But due to the nature of the FDT binary format,
> it is possible to embed a signature inside the FDT itself, which is very
> convenient.
>
> This series provides a tool, fdt_sign, which can add a signature to an
> FDT. The signature can be checked later, preventing any change to the FDT,
> other than in permitted nodes (e.g. /chosen).
>
> This series also provides a fdt_check_sign tool, used to check signatures.
>
> Both of these tools are stand-alone and do not require mkimage or FIT.
>
> As with FIT signing, multiple signatures are possible, but in this case
> that requires that fit_sign be called once for each signature. To make the
> check fail if a signature does not match, it should be marked as
> 'required' using the -r flag to fdt_sign.
>
> Run-time support for checking FDT signatures could be added to U-Boot
> fairly easily, but needs further discussion as the correct plumbing needs
> to be determined.
>
> For now there is absolutely no configurability in the signature mechanism.
> It would of course be possible to adjust which nodes are signed, as is
> done for FIT, but that needs further discussion also. The omission of the
> /chosen node is implemented in h_exclude_nodes() like this:
>
>	if (type == FDT_IS_NODE) {
>		/* Ignore the chosen node as well as /signature and subnodes */
>		if (!strcmp("/chosen", data) || !strncmp("/signature", data, 10))
>			return 0;
>	}
>
> Man pages are provided with example usage of the tools. Use this to view
> them:
>
> man -l doc/fdt_check_sign.1
>
> This series also includes various clean-ups noticed along the way, as well
> as refactoring to avoid code duplication with the new tools. The last four
> patches are the new code.
>
> This series is available at u-boot-dm/fdt-sign-working:
>
> https://source.denx.de/u-boot/custodians/u-boot-dm/-/tree/fdt-sign-working
>
> Simon Glass (16):
> rsa: Add debugging for failure cases
> fit_check_sign: Update help to mention the key is in a dtb
> tools: Move copyfile() into a common file
> tools: Avoid leaving extra data at the end of copied files
> tools: Improve comments in signing functions
> tools: Drop unused name in image-host
> tools: Avoid confusion between keys and signatures
> tools: Tidy up argument order in fit_config_check_sig()
> tools: Pass the key blob around
> image: Return destination node for add_verify_data() method
> tools: Pass public-key node through to caller
> tools: mkimage: Show where signatures/keys are written
> tools: Add a new tool to sign FDT blobs
> tools: Add a new tool to check FDT-blob signatures
> test: Add a test for FDT signing
> tools: Add man pages for fdt_sign and fdt_check_sign
>
>  MAINTAINERS                      |   7 +
>  boot/image-fit-sig.c             | 151 +++++++++----
>  boot/image-fit.c                 |  12 +-
>  common/spl/spl_fit.c             |   3 +-
>  doc/fdt_check_sign.1             |  74 +++++++
>  doc/fdt_sign.1                   | 111 ++++++++++
>  include/image.h                  |  80 ++++++-
>  include/u-boot/ecdsa.h           |   5 +-
>  include/u-boot/rsa.h             |   5 +-
>  lib/ecdsa/ecdsa-libcrypto.c      |   4 +-
>  lib/rsa/rsa-sign.c               |   5 +-
>  lib/rsa/rsa-verify.c             |  13 +-
>  test/py/tests/test_fdt_sign.py   |  83 ++++++++
>  test/py/tests/test_vboot.py      |  21 +-
>  test/py/tests/vboot/sign-fdt.dts |  23 ++
>  test/py/tests/vboot_comm.py      |  22 ++
>  tools/Makefile                   |  10 +-
>  tools/fdt-host.c                 | 353 +++++++++++++++++++++++++++++++
>  tools/fdt_check_sign.c           |  85 ++++++++
>  tools/fdt_host.h                 |  46 ++++
>  tools/fdt_sign.c                 | 210 ++++++++++++++++++
>  tools/fit_check_sign.c           |   4 +-
>  tools/fit_common.c               |  69 ++++++
>  tools/fit_common.h               |  23 ++
>  tools/fit_image.c                |  59 +-----
>  tools/image-fdt-sig.c            | 254 ++++++++++++++++++++++
>  tools/image-host.c               | 155 +++++++++++---
>  tools/imagetool.h                |   4 +
>  tools/mkimage.c                  |   4 +
>  29 files changed, 1714 insertions(+), 181 deletions(-)
> create mode 100644 doc/fdt_check_sign.1
> create mode 100644 doc/fdt_sign.1
> create mode 100644 test/py/tests/test_fdt_sign.py
> create mode 100644 test/py/tests/vboot/sign-fdt.dts
> create mode 100644 test/py/tests/vboot_comm.py
> create mode 100644 tools/fdt-host.c
> create mode 100644 tools/fdt_check_sign.c
> create mode 100644 tools/fdt_sign.c
> create mode 100644 tools/image-fdt-sig.c
>
> --
> 2.34.0.rc1.387.gb447b232ab-goog
>
> --
François-Frédéric Ozog | *Director Business Development*
T: +33.67221.6485
francois.ozog at linaro.org | Skype: ffozog
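A worked model of the node-exclusion rule quoted from the cover letter above, added here and not part of Simon's series or of U-Boot's code: build_dtb() and signed_digest() are my own names, the tree layout and property values are constructed, and the SHA-256 digest is a simplified stand-in for what fdt_sign actually hashes and signs. It walks a real flattened-devicetree structure block and shows that changes under /chosen or /signature leave the signed digest untouched while a change to any other node alters it.

```python
import hashlib, struct

FDT_MAGIC, FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 0xD00DFEED, 1, 2, 3, 4, 9
_pad4 = lambda b: b + b"\0" * (-len(b) % 4)  # structure-block records are 4-byte aligned

def build_dtb(tree):  # tree = (name, {prop: bytes}, [children]); constructed input, not a board DTB
    strings, blk = bytearray(), bytearray()
    def emit(node):
        name, props, kids = node
        blk.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for pname, val in props.items():
            blk.extend(struct.pack(">III", FDT_PROP, len(val), len(strings)) + _pad4(val))
            strings.extend(pname.encode() + b"\0")
        for kid in kids:
            emit(kid)
        blk.extend(struct.pack(">I", FDT_END_NODE))
    emit(tree)
    blk.extend(struct.pack(">I", FDT_END))
    off_struct, off_strings = 56, 56 + len(blk)  # 40-byte header + empty 16-byte memory-reservation map
    hdr = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct, off_strings,
                      40, 17, 16, 0, len(strings), len(blk))
    return hdr + b"\0" * 16 + bytes(blk) + bytes(strings)

def signed_digest(dtb, excluded=("/chosen", "/signature")):
    """SHA-256 over the structure block, leaving out the excluded nodes and their subtrees."""
    magic, _, off_struct, off_strings, _, _, _, _, size_str, size_struct = struct.unpack_from(">10I", dtb)
    assert magic == FDT_MAGIC, "not a flattened devicetree blob"
    strings = dtb[off_strings:off_strings + size_str]
    h, pos, end, path, skip = hashlib.sha256(), off_struct, off_struct + size_struct, [], None
    while pos < end:
        tok, pos = struct.unpack_from(">I", dtb, pos)[0], pos + 4
        if tok == FDT_BEGIN_NODE:
            nul = dtb.index(b"\0", pos)
            path.append(dtb[pos:nul].decode())
            pos = (nul + 4) & ~3  # step over the NUL and pad to the next 4-byte boundary
            full = "/" + "/".join(p for p in path if p)
            if skip is None and any(full == e or full.startswith(e + "/") for e in excluded):
                skip = len(path)  # this node and everything beneath it stays out of the hash
            if skip is None:
                h.update(b"N" + full.encode() + b"\0")
        elif tok == FDT_END_NODE:
            if skip == len(path):  # leaving the excluded node: resume hashing
                skip = None
            path.pop()
        elif tok == FDT_PROP:  # FDT_NOP and FDT_END carry nothing to hash
            plen, noff = struct.unpack_from(">II", dtb, pos)
            val, pos = dtb[pos + 8:pos + 8 + plen], (pos + 8 + plen + 3) & ~3
            if skip is None:  # hash property name (from the strings block), length and value
                h.update(b"P" + strings[noff:strings.index(b"\0", noff)] + b"\0" + struct.pack(">I", plen) + val)
    return h.hexdigest()
```

signed_digest() also accepts a DTB produced by dtc, so the same comparison can be made on a real blob before and after editing its /chosen node.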