Problem with U-boot | Configuration Signature not being checked while booting
Simon Glass
sjg at chromium.org
Fri Sep 10 06:37:14 CEST 2021
+Tom Rini
Hi Moiz,
On Thu, 9 Sept 2021 at 14:21, Moiz Imtiaz <moizimtiaz1 at gmail.com> wrote:
>
> Hope you are doing well and everything is going good at your end. I am using Raspi 4B and Compute Model 4 and trying to configure U-boot with Verified boot support, but while booting the signing of the configuration is not being checked. I am using the latest master branch from GitHub.
>
> We have checked the signature verification via the "fit_check_sign" utility that comes with u-boot and it does verify the configuration of the signature so, I am sure that the image is signed properly and the Control FDT is good as well.
>
>
>
> but while booting, it doesn't check the signature of the configuration. It should be showing "Verifying Hash Integrity ... sha1,rsa2048:dev+ OK"
>
>
> I believe that maybe I am not adding Control FDT in the U-boot binary properly. Following is the command that I am using to add control FDT to U-boot.
>
> $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
> I have also tried
> $ make DEV_TREE_BIN=bcm2711-rpi-4-b-pubkey.dtb -j8
>
> The bytes size of the u-boot.bin and u-boot-nodtb.bin after using both the above commands is the same.
>
> Attached is the FIT source file, rpi_4_defconfig and the control FDT file. Also, the following has been added in configs/rpi_4_defconfig.
>
> CONFIG_OF_CONTROL=y
> CONFIG_FIT=y
> CONFIG_FIT_SIGNATURE=y
> CONFIG_RSA=y
>
> Can you please help me with how to add Control FDT to the U-boot.bin binary or what can be the reason that it isn't checking the signature of the configuration while booting? Any kind of help would be really appreciated.
There is an example of this flow in the sandbox vboot test. There is
also an example for Beaglebone Black in
doc/uImage.FIT/beaglebone_vboot.txt
I wonder if rpi is not using the devicetree compiled with U-Boot, but
instead one provided by the earlier-stage firmware? Can you check that
the required 'signature' node is present? You can use the 'fdt'
command in U-Boot to look at it.
Looking at rpi_4 it uses CONFIG_OF_BOARD which means it has its own
special way of getting the devicetree into U-Boot. The older boards
use CONFIG_OF_EMBED which is actually not even allowed in production
boards....
Also you may need the -r argument to mkimage to mark the key as required.
Regards,
Simon
More information about the U-Boot
mailing list