Problem with U-boot | Configuration Signature not being checked while booting

Moiz Imtiaz moizimtiaz1 at gmail.com
Thu Sep 9 22:21:01 CEST 2021 

Hope you are doing well and everything is going good at your end. I am
using Raspi 4B and Compute Model 4 and trying to configure U-boot with
Verified boot support, *but while booting the signing of the configuration
is not being checked*. I am using the latest master branch from GitHub.
<https://github.com/u-boot/u-boot>

We have checked the signature verification via the *"fit_check_sign"
*utility that
comes with u-boot and it does verify the configuration of the signature so,
I am sure that the image is signed properly and the Control FDT is good as
well.

[image: fit_check_sign.png]

but while booting, it doesn't check the signature of the configuration. It
should be showing "*Verifying Hash Integrity ... sha1,rsa2048:dev+ OK*"
[image: image.png]

*I believe that maybe I am not adding Control FDT in the U-boot binary
properly.* Following is the command that I am using to add control FDT to
U-boot.

$ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
I have also tried
$ make DEV_TREE_BIN=bcm2711-rpi-4-b-pubkey.dtb -j8

The bytes size of the u-boot.bin and u-boot-nodtb.bin after using both the
above commands is the same.

Attached is the FIT source file,  rpi_4_defconfig and the control FDT file.
Also, the following has been added in configs/rpi_4_defconfig.

CONFIG_OF_CONTROL=y
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
CONFIG_RSA=y

*Can you please help me with how to add Control FDT to the U-boot.bin
binary or what can be the reason that it isn't checking the signature of
the configuration while booting? Any kind of help would be really
appreciated.*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpi_4_defconfig
Type: application/octet-stream
Size: 1613 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210910/d1f018cd/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.its
Type: application/octet-stream
Size: 1153 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210910/d1f018cd/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bcm2711-rpi-4-b-pubkey.dtb
Type: application/octet-stream
Size: 50114 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210910/d1f018cd/attachment-0002.obj>

More information about the U-Boot mailing list