SHA verification fails on signed images

Andy Pandy andypandy123g at gmail.com
Tue May 2 19:12:28 CEST 2023


Hi there,

I have a FIT image that boots fine, but when I sign it, with the following
command, it fails to boot:

mkimage -k keys -r -o sha256,rsa2048 -F image.fit

It fails while checking sha256, Bad hash value for 'hash' hash node in ...

I get a similar error when I test it on my host:

tools/fit_check_sign -f image.fit -k u-boot-spl.dtb

After debugging, I found that after signing the image, data gets embedded
into the images structure with a data = <...> field, but the data-offset,
data-size fields (used for external reference) are not removed, and that's
why, when verifying the signatures, the fit_image_get_data_and_size()
function gets confused when it finds the data-offset settings and
calculates sha256 on the wrong data.

I checked my other projects, with an older version of uboot, and I can
confirm that there, after signing a FIT image, the data-offset, data-size
fields got removed and a data field appeared with data.

I am experiencing the issue with the recent head of the master branch of
u-boot.

Did I miss something or is it a bug?

Cheers,
Andy
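
Added example, not part of the original post and not U-Boot code: a host-side check for the condition described above, an image node under /images that carries an embedded data property together with data-offset/data-size. The function names, the minimal FDT parser and the build_fit sample builder are assumptions made for illustration; data-position is included as FIT's other external-data property.

```python
import struct

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # structure-block tokens
EXTERNAL = {"data-offset", "data-position", "data-size"}  # external-data properties

def node_props(blob):
    """Parse an FDT/FIT blob into {node_path: set(property_names)}."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, path, props = off_struct, [], {}
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            path.append(blob[pos:end].decode())
            pos = (end + 4) & ~3  # skip name and NUL, realign to 4 bytes
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            name = blob[off_strings + nameoff:].split(b"\0", 1)[0].decode()
            props.setdefault("/".join(path) or "/", set()).add(name)
            pos = (pos + 8 + length + 3) & ~3  # skip len, nameoff, padded value
        elif tok == END:
            return props
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok:#x}")

def mixed_data_nodes(blob):
    """Image nodes that hold embedded 'data' AND external-data references."""
    return {n: sorted(p & EXTERNAL) for n, p in node_props(blob).items()
            if n.count("/") == 2 and n.startswith("/images/") and "data" in p and p & EXTERNAL}

def build_fit(props):
    """Constructed sample: minimal FIT-shaped blob with one image node, /images/kernel."""
    u32 = lambda *v: struct.pack(f">{len(v)}I", *v)
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    body, strings = b"", b""
    for node in ("", "images", "kernel"):
        body += u32(BEGIN_NODE) + pad(node.encode() + b"\0")
    for name, val in props.items():
        body += u32(PROP, len(val), len(strings)) + pad(val)
        strings += name.encode() + b"\0"
    body += u32(END_NODE, END_NODE, END_NODE, END)
    header = u32(FDT_MAGIC, 56 + len(body) + len(strings), 56, 56 + len(body),
                 40, 17, 16, 0, len(strings), len(body))
    return header + b"\0" * 16 + body + strings  # 16 zero bytes: empty reservation map
```

Running mixed_data_nodes() over the bytes of a signed image.fit returns an empty dict when each image node uses only one way of locating its data.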

