SHA verification fails on signed images
Andy Pandy
andypandy123g at gmail.com
Tue May 2 19:12:28 CEST 2023
Hi there,
I have a FIT image that boots fine, but when I sign it, with the following
command, it fails to boot:
mkimage -k keys -r -o sha256,rsa2048 -F image.fit
It fails while checking sha256, Bad hash value for 'hash' hash node in ...
I get a similar error when I test it on my host:
tools/fit_check_sign -f image.fit -k u-boot-spl.dtb
After debugging, I found that after signing the image, data gets embedded
into the images structure with a data = <...> field, but the data-offset,
data-size fields (used for external reference) are not removed, and that's
why, when verifying the signatures, the fit_image_get_data_and_size()
function gets confused when it finds the data-offset settings and
calculates sha256 on the wrong data.
I checked my other projects, with an older version of U-Boot, and I can
confirm that there, after signing a FIT image, the data-offset, data-size
fields got removed and the data field appeared with data.
I am experiencing the issue with the recent head of the master branch of
U-Boot.
Did I miss something or is it a bug?
Cheers,
Andy
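
A host-side check for the condition described in the message above, added here as an example and not part of the original post or of U-Boot: it walks the FIT as a flattened device tree and lists image nodes that carry an embedded data property together with data-offset/data-size. The function names are hypothetical, and data-position is included on the assumption that it should be treated like the other external-data properties.

```python
import struct
import sys

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9
# Properties that describe image data stored outside the FDT structure.
EXTERNAL = {"data-offset", "data-position", "data-size"}

def node_props(blob):
    """Yield (path, property-name set) for each node of a flattened device tree."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, stack = off_struct, []
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            stack.append((blob[pos:end].decode(), set()))
            pos = (end + 4) & ~3  # skip name and NUL, round up to 4 bytes
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            start = off_strings + nameoff
            stack[-1][1].add(blob[start:blob.index(b"\0", start)].decode())
            pos += 8 + ((length + 3) & ~3)  # len + nameoff words, padded value
        elif tok == END_NODE:
            name, props = stack.pop()
            yield "/".join([n for n, _ in stack] + [name]) or "/", props
        elif tok == END:
            return
        elif tok != NOP:
            raise ValueError(f"unexpected FDT token {tok} at offset {pos - 4}")

def conflicting_images(blob):
    """Paths under /images with embedded 'data' AND external-data properties."""
    return sorted(path for path, props in node_props(blob)
                  if path.startswith("/images/")
                  and "data" in props and props & EXTERNAL)

if __name__ == "__main__":
    # Usage: python3 fit_data_check.py image.fit [more.fit ...]
    for fit in sys.argv[1:]:
        with open(fit, "rb") as fh:
            hits = conflicting_images(fh.read())
        print(f"{fit}: {', '.join(hits) if hits else 'no conflicting image nodes'}")
```

Running it on the FIT before and after the mkimage signing step shows whether signing left both forms of data reference in the same image node.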