[PATCH 0/3] Implement signing FIT images during image build

Simon Glass sjg at chromium.org
Wed Oct 9 03:50:54 CEST 2024


Hi,

On Mon, 16 Sept 2024 at 02:24, <al.kochet at gmail.com> wrote:
>
> From: Alexander Kochetkov <al.kochet at gmail.com>
>
> Hello!
>
> I've done verified boot on Radxa Rock 3A. I've embedded the public key in U-Boot
> SPL and signed the FIT image configuration. All the work was done during the U-Boot
> image build. For some use cases building and signing images in one go will be
> much simpler than building unsigned images and signing them later. For example,
> the SPL image for rk3568, called idbloader.img, consists of TPL, U-Boot SPL and
> U-Boot SPL DTB with the public key. So in order to assemble a signed idbloader.img
> later we have to keep all the intermediate files used during the build.
>
> To embed public key, I've replaced u-boot-spl node with blob-ext and generated
> u-boot-spl-with-pubkey-dtb blob using u-boot-spl-pubkey-dtb entry.
>
> To sign FIT image I've used newly implemented fit property 'fit,sign'.
>
> I haven't signed the FIT image nodes, because I had realized that signing the
> configuration is safe and sufficient for verified boot. But I doubt it.
> So I've left that signing scheme in the test.
>
> What do you think: is using a signed configuration and signed images at the same
> time much safer, or does it provide no benefit?

So long as you have hashes on the images, then yes it is sufficient.

>
> Now I'm thinking about implementing a configuration option, something like
> FIT_SIGNATURE_KEYDIR. The value of the option will be passed to binman
> using -I.

I suppose you saw entryargs - could that help?

>
> Also I want to embed another public key in the configuration DTB, so
> it will be used to verify the kernel FIT. But I couldn't figure out how to
> do it using binman.

I'm not sure what you are trying to do here. The kernel image (or
really, its hash) would normally be verified using the same signature
as for everything else in the configuration.

>
> &binman {
>     u-boot-spl-with-pubkey-dtb {
>         filename = "u-boot-spl-with-pubkey-dtb.bin";
>
>         u-boot-spl-nodtb {
>         };
>
>         u-boot-spl-pubkey-dtb {
>             algo = "sha256,rsa2048";
>             required = "conf";
>             key-name-hint = "uboot-spl";
>         };
>     };
>
>     simple-bin {
>         ...
>         mkimage {
>             ...
>
> #ifdef CONFIG_ROCKCHIP_EXTERNAL_TPL
>             rockchip-tpl {
>             };
> #elif defined(CONFIG_TPL)
>             u-boot-tpl {
>             };
> #endif
>             blob-ext {
>                 filename = "u-boot-spl-with-pubkey-dtb.bin";
>             };
>         };
>
>         fit: fit {
>             ...
>             fit,sign;
>             ...
>
>             configurations {
>                 default = "@config-DEFAULT-SEQ";
>                 @config-SEQ {
>                     ...
> #ifdef CONFIG_SPL_FIT_SIGNATURE
>                     signature {
>                         algo = "sha256,rsa2048";
>                         key-name-hint = "uboot-spl";
>                         sign-images = "firmware", "loadables", "fdt";
>                     };
> #endif
>                 };
>             };
>         };
>     };
> }
>
>
> Alexander Kochetkov (3):
>   binman: fix passing loadables to mkimage on first run
>   image-host: fix 'unknown error' error message
>   binman: implement signing FIT images during image build
>
>  tools/binman/btool/mkimage.py           |  5 +-
>  tools/binman/entries.rst                |  7 ++
>  tools/binman/etype/fit.py               | 57 +++++++++++++-
>  tools/binman/ftest.py                   | 95 ++++++++++++++++++++++++
>  tools/binman/test/326_fit_signature.dts | 98 +++++++++++++++++++++++++
>  tools/binman/test/326_rsa2048.key       | 28 +++++++
>  tools/binman/test/327_fit_signature.dts | 98 +++++++++++++++++++++++++
>  tools/binman/test/328_fit_signature.dts | 61 +++++++++++++++
>  tools/image-host.c                      |  2 +-
>  9 files changed, 446 insertions(+), 5 deletions(-)
>  create mode 100644 tools/binman/test/326_fit_signature.dts
>  create mode 100644 tools/binman/test/326_rsa2048.key
>  create mode 100644 tools/binman/test/327_fit_signature.dts
>  create mode 100644 tools/binman/test/328_fit_signature.dts
>
> --
> 2.17.1
>

Regards,
Simon
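As an added illustration of the point made in the reply (example code, not from the patch series or from U-Boot), the model below mimics what a FIT configuration signature covers: the configuration node plus the hash subnodes of the images it references through sign-images, but never the image data itself. An HMAC under a constructed key stands in for the RSA-2048 signature; with an unhashed image, a valid configuration signature says nothing about the image bytes actually loaded.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-signing-key"  # stand-in for the RSA-2048 private key

def make_image(data, hashed=True):
    node = {"data": data}  # image node: raw data plus, optionally, a sha256 hash subnode
    if hashed:
        node["hash"] = {"algo": "sha256", "value": hashlib.sha256(data).hexdigest()}
    return node

def referenced_images(cfg):
    names = []  # image names reached through the properties listed in sign-images
    for prop in cfg["sign-images"]:
        val = cfg[prop]
        names.extend(val if isinstance(val, list) else [val])
    return names

def hashed_nodes(fit, conf):
    """Signed region: the config node (minus its signature) plus each referenced image minus its data."""
    cfg = fit["configurations"][conf]
    covered = {"configuration": {k: v for k, v in cfg.items() if k != "signature"}}
    for name in referenced_images(cfg):
        covered[name] = {k: v for k, v in fit["images"][name].items() if k != "data"}
    return json.dumps(covered, sort_keys=True).encode()

def sign_configuration(fit, conf):
    fit["configurations"][conf]["signature"] = hmac.new(DEMO_KEY, hashed_nodes(fit, conf), "sha256").hexdigest()

def verify_configuration(fit, conf, require_hashes=True):
    """Check the signature, then every referenced image against its hash subnode. With
    require_hashes=False an unhashed image passes on the signature alone: nothing binds its data."""
    cfg = fit["configurations"][conf]
    expected = hmac.new(DEMO_KEY, hashed_nodes(fit, conf), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cfg.get("signature", "")):
        return False
    for name in referenced_images(cfg):
        img = fit["images"][name]
        if "hash" not in img and require_hashes:
            return False
        if "hash" in img and hashlib.sha256(img["data"]).hexdigest() != img["hash"]["value"]:
            return False
    return True

def build_demo_fit(hashed=True):
    # constructed FIT laid out like the configuration quoted in the thread
    images = {n: make_image(d, hashed) for n, d in
              [("spl", b"spl code"), ("u-boot", b"u-boot code"), ("fdt-1", b"board dtb")]}
    conf = {"firmware": "spl", "loadables": ["u-boot"], "fdt": "fdt-1", "sign-images": ["firmware", "loadables", "fdt"]}
    return {"images": images, "configurations": {"conf-1": conf}}
```

Signing and verifying build_demo_fit() succeeds; replacing an image's data is caught by its hash, replacing the hash too breaks the configuration signature, and only a FIT built with hashed=False lets a swapped image through when hashes are not required.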
