What is the proper way to sign fit images using binman/mkimage for verified boot

Alexander Kochetkov al.kochet at gmail.com
Sat Aug 31 14:06:33 CEST 2024


Hello!

I used to sign images for verified boot for u-boot v2020.04 for an allwinner A64-based board. It was simple.
I just added signature nodes for atf, u-boot, dtb, and configurations to the .its file generated by
mksunxi_fit_atf.sh, and mkimage signed the fit image.

Now I am trying to do the same for u-boot v2024.07. I work with the Radxa Model 3a. Its fit image is generated
using binman. Its binman configuration is located in the file arch/arm/dts/rockchip-u-boot.dtsi.

I have 3 ideas about how to get the job done:
- improve binman to support signing fit images during fit image generation, sort of implementing an
  image-signature etype
- fix mkimage to allow signing images generated by binman. Now I get an error when I try to do that
- maybe I am doing the job in a wrong way? Could you please direct me to the correct way?

First, I think that I have to add signature entries to the binman configuration. So, I added the following:

&binman {
    simple-bin {
        …
        fit: fit {
            …
            images {
                …
                @atf-SEQ {
                     …
                     signature {
                         algo = "sha256,rsa2048";
                         key-name-hint = "uboot-spl";
                         sign-images = "atf-SEQ";
                    };
                };
            };
        };
    };
};

This signature entry was copied to the resulting fit image without processing. No signature was generated.
SEQ was not replaced with 1:

atf-1 {
    ...
    hash {
        value = <0xb5946ac6 0x3df8fb35 0x69407a75 0xcf2f6aa3 0x96551ba0 0x11e1a84b 0xec654dc9 0x982ba063>;
        algo = "sha256";
    };

    signature {
        algo = "sha256,rsa2048";
        key-name-hint = "uboot-spl";
        sign-images = "atf-SEQ";
    };
};

So, obviously binman does not support this way of signing images. If this way looks reasonable, I can try to implement
it and send patches to u-boot. I played with binman etypes and tried to add a custom 'image-signature' etype. Looks like I
can complete such work.

The second solution looks to me as follows. We need to run mkimage to sign the fit image generated by binman.
Some sort of running mkimage like this:

./tools/mkimage -k /media/yocto/build-yocto/…. -F ./u-boot.itb

Now I get an error when I run mkimage:
Can't add verification data for node 'atf-1' (<unknown error>)

If that solution is reasonable, I can fix <unknown error> and send patches.

Third thought: maybe there is another proper way to sign a fit image for verified boot?
Could you please provide an idea how to do that.

Regards,
Alexander.
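For reference, here is the plain mkimage signing flow described in U-Boot's doc/uImage.FIT/signature.txt, as an added example; it is not the poster's code and not part of U-Boot or binman. It writes a minimal .its with a hash node per image and a signature node under the configuration, generates an RSA-2048 key pair in the layout `mkimage -k` expects (`dev.key` plus `dev.crt`, matching `key-name-hint = "dev"`), signs at build time, and then re-signs the resulting .itb with `mkimage -F`, which is the operation the post attempts on a binman-generated image. One caveat worth noting: in U-Boot, `sign-images` belongs in a `configurations/*/signature*` node and lists the configuration property names it covers (`firmware`, `loadables`, `kernel`, `fdt`), not image node names; a `signature` node directly under an image signs that image's data and takes no `sign-images`. The image names, load addresses, the key name `dev` and the use of `mktemp` are assumptions; `mkimage` (with `dtc`) and `openssl` must be on PATH for the signing steps, and the payloads are constructed random bytes standing in for real binaries.

```shell
#!/bin/sh
# Added example, not from the original post or from U-Boot/binman:
# the standard mkimage signing flow for a two-image FIT.
# Image names, addresses and the key name "dev" are assumptions.
set -eu

# write_its ITS ATF_BIN UBOOT_BIN
# Hash node per image; signature node under the configuration, whose
# sign-images names configuration *properties* (firmware, loadables).
write_its() {
    its=$1; atf=$2; uboot=$3
    cat > "$its" <<EOF
/dts-v1/;
/ {
    description = "Signed FIT example";
    #address-cells = <1>;
    images {
        atf-1 {
            description = "ARM Trusted Firmware";
            data = /incbin/("$atf");
            type = "firmware";
            arch = "arm64";
            os = "arm-trusted-firmware";
            compression = "none";
            load = <0x40000>;
            entry = <0x40000>;
            hash-1 { algo = "sha256"; };
        };
        u-boot-1 {
            description = "U-Boot proper";
            data = /incbin/("$uboot");
            type = "standalone";
            arch = "arm64";
            os = "u-boot";
            compression = "none";
            load = <0x200000>;
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            description = "ATF + U-Boot";
            firmware = "atf-1";
            loadables = "u-boot-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "firmware", "loadables";
            };
        };
    };
};
EOF
}

# gen_keys KEYDIR NAME: NAME.key + self-signed NAME.crt, the layout mkimage -k reads.
gen_keys() {
    keydir=$1; name=$2
    mkdir -p "$keydir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$keydir/$name.key" 2>/dev/null
    openssl req -batch -new -x509 -key "$keydir/$name.key" \
        -subj "/CN=$name" -out "$keydir/$name.crt" 2>/dev/null
}

# sign_fit ITS KEYDIR ITB [DTB]: build and sign; with a DTB, -K stores the
# public key in it and -r marks that key as required for boot.
sign_fit() {
    its=$1; keydir=$2; itb=$3; dtb=${4:-}
    if [ -n "$dtb" ]; then
        mkimage -f "$its" -k "$keydir" -K "$dtb" -r "$itb"
    else
        mkimage -f "$its" -k "$keydir" "$itb"
    fi
}

# resign_fit KEYDIR ITB: fill in signature values of an existing .itb that
# already carries signature nodes (what one would run on a binman output).
resign_fit() {
    mkimage -F -k "$1" "$2"
}

# count_prop FILE PATTERN: number of lines matching PATTERN (sanity check on the .its).
count_prop() {
    grep -c -- "$2" "$1"
}

demo() {
    work=$(mktemp -d)
    # Constructed payloads standing in for real atf / u-boot binaries.
    head -c 4096 /dev/urandom > "$work/atf.bin"
    head -c 8192 /dev/urandom > "$work/u-boot.bin"
    write_its "$work/fit.its" "$work/atf.bin" "$work/u-boot.bin"
    gen_keys "$work/keys" dev
    sign_fit "$work/fit.its" "$work/keys" "$work/u-boot.itb"
    resign_fit "$work/keys" "$work/u-boot.itb"
    echo "signed: $work/u-boot.itb"
}

case "${1:-}" in demo) demo ;; esac
```

Run as `sh sign-fit.sh demo` to build and sign the sample; pass a real `u-boot.dtb` as the fourth argument of `sign_fit` to embed the public key for SPL to verify against.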
