[PATCH 0/3] Implement signing FIT images during image build
al.kochet at gmail.com
al.kochet at gmail.com
Mon Sep 16 10:24:43 CEST 2024
From: Alexander Kochetkov <al.kochet at gmail.com>
Hello!
I've done verified boot on Radxa Rock 3A. I've embedded public key in U-Boot
SPL and signed FIT image configuration. All the work was done during U-Boot
image build. For some use cases building and signing images in one go will be
much simple, than building unsigned images and signing later. For example
SPL-image for rk3568 called idbloader.img consist of TPL, U-boot SPL and
U-boot SPL DTB with public key. So in order to assemble signed idbloader.img
lately we have to keep all the intermediate files used during build.
To embed public key, I've replaced u-boot-spl node with blob-ext and generated
u-boot-spl-with-pubkey-dtb blob using u-boot-spl-pubkey-dtb entry.
To sign FIT image I've used newly implemented fit property 'fit,sign'.
I haven't sign FIT image nodes, because I had realized that signing
configuration is safe and sufficient for verified boot. But I doubt.
So I've left that signing scheme in the test.
What do you think, is using signed configuration and signed images at the same
time is much safer or doesn't provide any benefits?
Now I thinking about implementing configuration option, something like
FIT_SIGNATURE_KEYDIR. The value of the option will be passed to binman
using -I.
Alsi I want to embed another public key in the configuration DTB, so
it will be used to verify kernel FIT. But I couldn't figure out how to
do it using binman.
&binman {
u-boot-spl-with-pubkey-dtb {
filename = "u-boot-spl-with-pubkey-dtb.bin";
u-boot-spl-nodtb {
};
u-boot-spl-pubkey-dtb {
algo = "sha256,rsa2048";
required = "conf";
key-name-hint = "uboot-spl";
};
};
simple-bin {
...
mkimage {
...
#ifdef CONFIG_ROCKCHIP_EXTERNAL_TPL
rockchip-tpl {
};
#elif defined(CONFIG_TPL)
u-boot-tpl {
};
#endif
blob-ext {
filename = "u-boot-spl-with-pubkey-dtb.bin";
};
};
fit: fit {
...
fit,sign;
...
configurations {
default = "@config-DEFAULT-SEQ";
@config-SEQ {
...
#ifdef CONFIG_SPL_FIT_SIGNATURE
signature {
algo = "sha256,rsa2048";
key-name-hint = "uboot-spl";
sign-images = "firmware", "loadables", "fdt";
};
#endif
};
};
};
};
}
Alexander Kochetkov (3):
binman: fix passing loadables to mkimage on first run
image-host: fix 'unknown error' error message
binman: implement signing FIT images during image build
tools/binman/btool/mkimage.py | 5 +-
tools/binman/entries.rst | 7 ++
tools/binman/etype/fit.py | 57 +++++++++++++-
tools/binman/ftest.py | 95 ++++++++++++++++++++++++
tools/binman/test/326_fit_signature.dts | 98 +++++++++++++++++++++++++
tools/binman/test/326_rsa2048.key | 28 +++++++
tools/binman/test/327_fit_signature.dts | 98 +++++++++++++++++++++++++
tools/binman/test/328_fit_signature.dts | 61 +++++++++++++++
tools/image-host.c | 2 +-
9 files changed, 446 insertions(+), 5 deletions(-)
create mode 100644 tools/binman/test/326_fit_signature.dts
create mode 100644 tools/binman/test/326_rsa2048.key
create mode 100644 tools/binman/test/327_fit_signature.dts
create mode 100644 tools/binman/test/328_fit_signature.dts
--
2.17.1
More information about the U-Boot
mailing list