Problem with U-boot | Configuration Signature not being checked while booting

Moiz Imtiaz moizimtiaz1 at gmail.com
Sat Sep 11 20:19:05 CEST 2021


Hi Simon,

Thanks for the reply. I already followed the steps mentioned in
"doc/uImage.FIT/beaglebone_vboot.txt".

> I wonder if rpi is not using the devicetree compiled with U-Boot, but
> instead one provided by the earlier-stage firmware?

Not sure, but it seems like this is the case. I checked and there isn't any
dtb or dts for the rpi4 (bcm2711-rpi-4-b) in arch/arm/dts in U-Boot. I tried to
add the dtb and the other dts/dtsi files
<https://github.com/raspberrypi/linux/tree/rpi-5.10.y/arch/arm64/boot/dts/broadcom>
from the Raspberry Pi Linux tree and compile them with CONFIG_OF_SEPARATE and
CONFIG_OF_EMBED (one at a time), *but then U-Boot itself wouldn't even boot and
would just give a blank screen*. I wonder why there isn't any device tree in
the U-Boot repo for the RPI4. Is the U-Boot control FDT not supported on the
RPI4?

And if I use CONFIG_OF_BOARD (the default rpi_4 configuration), it takes us
back to the initial problem: the signature not being checked.

> Can you check that the required 'signature' node is present? You can use
> the 'fdt' command in U-Boot to look at it.

I tried "fdt checksign" but it didn't return anything. Screenshot inlined;
image.itb is the FIT image. If I am doing it wrong, or some other commands
need to be executed, please let me know.

[image: image.png]

Just for reference, I am inlining the steps I followed:
1. Clone the master branch of U-Boot.
2. Add FIT, RSA & SIGNATURE support to rpi_4_defconfig.
3. Build for the 64-bit architecture (CROSS_COMPILE=aarch64-linux-gnu-).
4. Build U-Boot:
   $ make -j8
5. Copy the device tree to make a clone to which the public key will be
appended:
   $ cp bcm2711-rpi-4-b.dtb bcm2711-rpi-4-b-pubkey.dtb
6. Generate the keys, make the .its file and sign it with the following
commands:
   $ mkdir keys
   $ openssl genrsa -F4 -out keys/dev.key 2048
   $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
   $ mkimage -f image.its -K bcm2711-rpi-4-b-pubkey.dtb -k keys -r image.itb
7. Rebuild U-Boot with the control FDT (bcm2711-rpi-4-b-pubkey.dtb):
   $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
8. Copy u-boot.bin and image.itb to the boot partition.

But since I had CONFIG_OF_BOARD set, I am assuming it didn't add the control
FDT into u-boot.bin, as the byte size of both binaries (u-boot.bin &
u-boot-nodtb.bin) was the same. I tried to concatenate them with cat, but
while booting, U-Boot still didn't read the control FDT.

Can anyone please help with enabling verified boot (signature check)
support for the Raspberry Pi 4? It's a very mainstream board and support for
it would be great to have. I am willing to contribute whatever I can.

Best,
Moiz Imtiaz

On Fri, Sep 10, 2021 at 9:37 AM Simon Glass <sjg at chromium.org> wrote:

> +Tom Rini
>
> Hi Moiz,
>
> On Thu, 9 Sept 2021 at 14:21, Moiz Imtiaz <moizimtiaz1 at gmail.com> wrote:
> >
> > Hope you are doing well and everything is going well at your end. I am
> using a Raspi 4B and Compute Module 4 and trying to configure U-Boot with
> verified boot support, but while booting, the signature of the configuration
> is not being checked. I am using the latest master branch from GitHub.
> >
> > We have checked the signature verification via the "fit_check_sign"
> utility that comes with U-Boot and it does verify the signature of the
> configuration, so I am sure that the image is signed properly and the
> control FDT is good as well.
> >
> >
> >
> > But while booting, it doesn't check the signature of the configuration.
> It should show "Verifying Hash Integrity ... sha1,rsa2048:dev+ OK".
> >
> >
> > I believe that maybe I am not adding the control FDT to the U-Boot binary
> properly. Following is the command that I am using to add the control FDT to
> U-Boot.
> >
> > $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
> > I have also tried
> > $ make DEV_TREE_BIN=bcm2711-rpi-4-b-pubkey.dtb -j8
> >
> > The byte size of u-boot.bin and u-boot-nodtb.bin after using both of
> the above commands is the same.
> >
> > Attached are the FIT source file, rpi_4_defconfig and the control FDT
> file. Also, the following has been added in configs/rpi_4_defconfig.
> >
> > CONFIG_OF_CONTROL=y
> > CONFIG_FIT=y
> > CONFIG_FIT_SIGNATURE=y
> > CONFIG_RSA=y
> >
> > Can you please help me with how to add the control FDT to the u-boot.bin
> binary, or with what the reason can be that it isn't checking the signature
> of the configuration while booting? Any kind of help would be really
> appreciated.
>
> There is an example of this flow in the sandbox vboot test. There is
> also an example for Beaglebone Black in
> doc/uImage.FIT/beaglebone_vboot.txt
>
> I wonder if rpi is not using the devicetree compiled with U-Boot, but
> instead one provided by the earlier-stage firmware? Can you check that
> the required 'signature' node is present? You can use the 'fdt'
> command in U-Boot to look at it.
>
> Looking at rpi_4 it uses CONFIG_OF_BOARD which means it has its own
> special way of getting the devicetree into U-Boot. The older boards
> use CONFIG_OF_EMBED which is actually not even allowed in production
> boards....
>
> Also you may need the -r argument to mkimage to mark the key as required.
>
> Regards,
> Simon
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 15099 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210911/0d59e849/attachment.png>
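As an added example that is not part of this thread and not U-Boot's own code: the two things the thread turns on (whether a control FDT was appended to u-boot.bin at all, and whether that FDT carries the /signature node with a key marked required) can both be checked on the host before flashing. In the tree the thread discusses, u-boot.bin is u-boot-nodtb.bin with the control DTB appended only when CONFIG_OF_SEPARATE is selected, which is why identical sizes for the two files mean no DTB was embedded. The Python below scans an image for an FDT, parses it with a minimal flattened-device-tree reader and reports what /signature says. The function names and the fixtures (a byte string standing in for u-boot-nodtb.bin, and two DTBs built in code standing in for bcm2711-rpi-4-b.dtb and the bcm2711-rpi-4-b-pubkey.dtb that mkimage -K writes) are assumptions for illustration; real DTBs come from dtc and mkimage.

```python
"""Added example, not U-Boot code: locate the control FDT appended to a U-Boot
image and report whether its /signature node marks a key as required."""
import struct

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9

def parse_fdt(blob):
    """Decode a flattened device tree into {node_path: {prop_name: raw_bytes}}."""
    (magic, totalsize, off_struct, off_strings, _, _, _, _,
     size_strings, size_struct) = struct.unpack_from(">10I", blob, 0)
    if magic != FDT_MAGIC or totalsize > len(blob):
        raise ValueError("not a complete FDT blob")
    strings = blob[off_strings:off_strings + size_strings]
    nodes, path, pos, end = {}, [], off_struct, off_struct + size_struct
    while pos < end:
        (tag,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tag == BEGIN_NODE:  # NUL-terminated node name, padded to 4 bytes
            nul = blob.index(b"\0", pos)
            path.append(blob[pos:nul].decode())
            pos = (nul + 4) & ~3
            nodes["/" + "/".join(p for p in path if p)] = {}
        elif tag == END_NODE:
            path.pop()
        elif tag == PROP:  # u32 value length, u32 name offset, value, padding
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            name = strings[nameoff:strings.index(b"\0", nameoff)].decode()
            nodes["/" + "/".join(p for p in path if p)][name] = blob[pos:pos + length]
            pos = (pos + length + 3) & ~3
        elif tag == END:
            break
        elif tag != NOP:
            raise ValueError("bad FDT token 0x%x" % tag)
    return nodes

def find_control_fdt(image):
    """Return (offset, dtb) of the first parseable FDT inside image, else None."""
    pos = image.find(struct.pack(">I", FDT_MAGIC))
    while pos != -1:
        try:
            blob = image[pos:pos + struct.unpack_from(">I", image, pos + 4)[0]]
            parse_fdt(blob)
            return pos, blob
        except (ValueError, IndexError, struct.error):  # magic was a false positive
            pos = image.find(struct.pack(">I", FDT_MAGIC), pos + 1)
    return None

def signature_status(nodes):
    """Keys under /signature and whether one has required = "conf" (mkimage -r)."""
    keys = {}
    for path, props in nodes.items():
        if path.startswith("/signature/") and path.count("/") == 2:
            keys[path.rsplit("/", 1)[1]] = {
                k: props.get(k, b"").rstrip(b"\0").decode() for k in ("algo", "required")}
    return {"present": "/signature" in nodes, "keys": keys,
            "required_conf": any(k["required"] == "conf" for k in keys.values())}

def build_fdt(root):
    """Encode a nested dict (bytes = property, dict = child) into a DTB; fixture only."""
    strings, body, offs = bytearray(), bytearray(), {}
    def pad(b):
        return b + b"\0" * (-len(b) % 4)
    def emit(name, contents):
        body.extend(struct.pack(">I", BEGIN_NODE) + pad(name.encode() + b"\0"))
        for k, v in contents.items():  # properties must precede child nodes
            if not isinstance(v, dict):
                if k not in offs:
                    offs[k] = len(strings)
                    strings.extend(k.encode() + b"\0")
                body.extend(struct.pack(">III", PROP, len(v), offs[k]) + pad(v))
        for k, v in contents.items():
            if isinstance(v, dict):
                emit(k, v)
        body.extend(struct.pack(">I", END_NODE))
    emit("", root)
    body.extend(struct.pack(">I", END))
    off_struct, off_strings = 56, 56 + len(body)  # 40-byte header + empty rsvmap
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(body))
    return header + b"\0" * 16 + bytes(body) + bytes(strings)

def constructed_fixtures():
    """Stand-ins for u-boot-nodtb.bin, a plain board DTB and the mkimage -K DTB."""
    nodtb = b"\0" * 64 + bytes(range(256)) * 4  # constructed; holds no FDT magic
    board = {"compatible": b"raspberrypi,4-model-b\0", "chosen": {}}
    pubkey = dict(board, signature={"key-dev": {
        "algo": b"sha1,rsa2048\0", "required": b"conf\0",
        "key-name-hint": b"dev\0", "rsa,num-bits": struct.pack(">I", 2048)}})
    return nodtb, build_fdt(board), build_fdt(pubkey)

if __name__ == "__main__":
    nodtb, _, pubkey_dtb = constructed_fixtures()
    for label, image in (("u-boot-nodtb.bin", nodtb), ("u-boot.bin", nodtb + pubkey_dtb)):
        hit = find_control_fdt(image)
        print(label, len(image), "bytes:", "no control FDT appended" if hit is None
              else "FDT at 0x%x -> %s" % (hit[0], signature_status(parse_fdt(hit[1]))))
```

On a real build, pass the bytes of u-boot.bin to find_control_fdt; a None result matches the "same size as u-boot-nodtb.bin" symptom above. A present /signature node whose key lacks required = "conf" still lets an unsigned FIT configuration boot, which is the point of the -r flag Simon mentions. With CONFIG_OF_BOARD the devicetree comes from the earlier-stage firmware at run time, so nothing in u-boot.bin can show it and the fdt command in U-Boot remains the check to use.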

