What is the proper way to sign fit images using binman/mkimage for verified boot

Simon Glass sjg at chromium.org
Mon Sep 2 00:14:51 CEST 2024


Hi Alexander,

On Sat, 31 Aug 2024 at 06:06, Alexander Kochetkov <al.kochet at gmail.com> wrote:
>
> Hello!
>
> I used to sign images for verified boot for u-boot v2020.04 for an allwinner A64-based board. It was simple.
> I’ve just added signature nodes for atf, u-boot, dtb, configurations to the its file generated by
> mksunxi_fit_atf.sh, and mkimage signed the fit image.
>
> Now I am trying to do the same for u-boot v2024.07. I work with Radxa Model 3a. Its fit image is generated
> using binman. Its binman configuration is located in the file arch/arm/dts/rockchip-u-boot.dtsi.
>
> I have 3 ideas about how to get the job done:
> - improve binman, to support signing fit images during fit image generation. Sort of implementing
>   image-signature etype
> - fix mkimage to allow signing images generated by binman. Now I get an error when I try to do that
> - maybe I am doing the job in a wrong way? Could you please direct me in a correct way?
>
> First I think that I have to add signature entries to the binman configuration. So, I added the following:
>
> &binman {
>     simple-bin {
>         fit: fit {
>             images {
>                 @atf-SEQ {
>                     signature {
>                         algo = "sha256,rsa2048";
>                         key-name-hint = "uboot-spl";
>                         sign-images = "atf-SEQ";
>                     };
>                 };
>             };
>         };
>     };
> };
>
> This signature entry was copied to the resulting fit image without processing. No signature was generated.
> SEQ was not replaced with 1:
>
> atf-1 {
>     ...
>     hash {
>         value = <0xb5946ac6 0x3df8fb35 0x69407a75 0xcf2f6aa3 0x96551ba0 0x11e1a84b 0xec654dc9 0x982ba063>;
>         algo = "sha256";
>     };
>
>     signature {
>         algo = "sha256,rsa2048";
>         key-name-hint = "uboot-spl";
>         sign-images = "atf-SEQ";
>     };
> };
>
> So, obviously binman does not support this way of signing images. If this way looks reasonable, I can try to implement
> it and send patches to u-boot. I played with binman etypes, tried to add a custom 'image-signature' etype. Looks like I
> can complete such work.

Yes this looks good to me. You should be able to extend one of the
tests like testFit(). Be careful to test any error cases too.

>
> The second solution looks to me as follows. We need to run mkimage to sign the fit image generated by binman.
> Some sort of running mkimage like this:
>
> ./tools/mkimage -k /media/yocto/build-yocto/…. -F ./u-boot.itb
>
> Now I get an error when I run mkimage:
> Can't add verification data for node 'atf-1' (<unknown error>)
>
> If that solution is reasonable, I can fix <unknown error> and send patches.

Hmmm so are you signing an intermediate file produced by Binman? That
error is likely to be that the dtb is out of space, but it should be
handled...so a patch for that would be welcome, too, if you have time.

>
> Third thought, maybe there is another proper way to sign a fit image for verified boot?
> Could you please provide an idea how to do that.

I think your first way seems best for what you want to do (sign images
in one step as part of build).

There is 'binman sign' for updating an existing one, but I'm not sure
if that is useful for you.

BTW thanks for the detailed notes.

Regards,
Simon
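
The symptom described in the quoted message (a signature node copied into the FIT with algo and key-name-hint but no signature data) can be caught mechanically before an image ships. The following is an added example, not part of the original mail or of U-Boot: it walks the FIT's flattened device tree and lists signature* nodes that have no 'value' property. build_sample() and its contents are constructed test data.

```python
import struct

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # FDT structure tokens

def unsigned_signature_nodes(blob):
    """Return paths of signature* nodes that carry no 'value' property."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree / FIT")
    pos, path, props, bad = off_struct, [], [], []
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:
            end = blob.index(b"\0", pos)          # node name is NUL-terminated
            path.append(blob[pos:end].decode())
            props.append(set())
            pos = (end + 4) & ~3                  # skip NUL, align to 4 bytes
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            s = off_strings + nameoff
            props[-1].add(blob[s:blob.index(b"\0", s)].decode())
            pos = (pos + 8 + length + 3) & ~3
        elif tok == END_NODE:
            name, seen = path.pop(), props.pop()
            if name.startswith("signature") and "value" not in seen:
                bad.append("/".join(path + [name]))
        elif tok == END:
            return bad
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok:#x} at {pos - 4:#x}")

def build_sample(signed):
    """Constructed test blob: /images/atf-1/signature, with or without 'value'."""
    strings = b"algo\0value\0"                    # property names at offsets 0, 5
    def node(name):
        return struct.pack(">I", BEGIN_NODE) + name + b"\0" * (4 - len(name) % 4)
    def prop(nameoff, val):
        return struct.pack(">3I", PROP, len(val), nameoff) + val + b"\0" * (-len(val) % 4)
    body = b"".join(node(n) for n in (b"", b"images", b"atf-1", b"signature"))
    body += prop(0, b"sha256,rsa2048\0")
    if signed:
        body += prop(5, b"\xaa" * 256)            # dummy bytes, not a real signature
    body += struct.pack(">5I", END_NODE, END_NODE, END_NODE, END_NODE, END)
    hdr = struct.pack(">10I", FDT_MAGIC, 56 + len(body) + len(strings), 56,
                      56 + len(body), 40, 17, 16, 0, len(strings), len(body))
    return hdr + b"\0" * 16 + body + strings      # 16 bytes: empty reserve map
```

A 'value' property only shows that a signing step ran on that node; it does not verify the signature against a key.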

