https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1429547#M188304 <P>We have a custom board using the iM8MM SoC and we would like to enable the FIT Image Signing under Yocto build (<EM><STRONG>hardknott</STRONG></EM> branch).</P><P>We are already able to sign the FIT Image using these variables:</P><LI-CODE lang="markup"># Add FIT Image to /boot partition IMAGE_BOOT_FILES = "fitImage-${MACHINE}.bin;fitImage" UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/" UBOOT_SIGN_KEYNAME = "dev" UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" UBOOT_SIGN_ENABLE = "1" FIT_SIGN_INDIVIDUAL = "1" FIT_GENERATE_KEYS = "1"</LI-CODE><P>&nbsp;</P><P>We were able to confirm that the FIT Image is signed by running:</P><LI-CODE lang="markup">fit_check_sign -f &lt;fit-image&gt; -k &lt;uboot-dtb&gt;</LI-CODE><P>And during the boot we can see that the U-Boot sees the signature:</P><LI-CODE lang="markup">Verifying Hash Integrity ... sha256+ sha256,rsa2048:dev- OK</LI-CODE><P>But the U-Boot doesn't check the <STRONG><EM>sha256,rsa2048:dev-</EM></STRONG> signature, I suppose that's why we see a minus sign.</P><P>As far as I can see I have added the right U-Boot configuration as well:</P><LI-CODE lang="markup">CONFIG_FIT_SIGNATURE=y CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000 CONFIG_LEGACY_IMAGE_FORMAT=y</LI-CODE><P>&nbsp;</P><P>Checking the&nbsp;u-boot.dtb seems that the key was installed:</P><LI-CODE lang="markup">$ fdtget -p u-boot.dtb /signature/key-dev required algo rsa,r-squared rsa,modulus rsa,exponent rsa,n0-inverse rsa,num-bits key-name-hint</LI-CODE><P>&nbsp;</P><P>What am I might be missing here?</P> Wed, 16 Mar 2022 19:47:16 GMT caiotoledo-lunasystems 2022-03-16T19:47:16Z https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1429547#M188304 <P>We have a custom board using the iM8MM SoC and we would like to enable the FIT Image Signing under Yocto build (<EM><STRONG>hardknott</STRONG></EM> branch).</P><P>We are already able to sign the FIT Image using these variables:</P><LI-CODE lang="markup"># Add FIT Image to /boot partition IMAGE_BOOT_FILES = "fitImage-${MACHINE}.bin;fitImage" UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/" UBOOT_SIGN_KEYNAME = "dev" UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" UBOOT_SIGN_ENABLE = "1" FIT_SIGN_INDIVIDUAL = "1" FIT_GENERATE_KEYS = "1"</LI-CODE><P>&nbsp;</P><P>We were able to confirm that the FIT Image is signed by running:</P><LI-CODE lang="markup">fit_check_sign -f &lt;fit-image&gt; -k &lt;uboot-dtb&gt;</LI-CODE><P>And during the boot we can see that the U-Boot sees the signature:</P><LI-CODE lang="markup">Verifying Hash Integrity ... sha256+ sha256,rsa2048:dev- OK</LI-CODE><P>But the U-Boot doesn't check the <STRONG><EM>sha256,rsa2048:dev-</EM></STRONG> signature, I suppose that's why we see a minus sign.</P><P>As far as I can see I have added the right U-Boot configuration as well:</P><LI-CODE lang="markup">CONFIG_FIT_SIGNATURE=y CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000 CONFIG_LEGACY_IMAGE_FORMAT=y</LI-CODE><P>&nbsp;</P><P>Checking the&nbsp;u-boot.dtb seems that the key was installed:</P><LI-CODE lang="markup">$ fdtget -p u-boot.dtb /signature/key-dev required algo rsa,r-squared rsa,modulus rsa,exponent rsa,n0-inverse rsa,num-bits key-name-hint</LI-CODE><P>&nbsp;</P><P>What am I might be missing here?</P> Wed, 16 Mar 2022 19:47:16 GMT https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1429547#M188304 caiotoledo-lunasystems 2022-03-16T19:47:16Z https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1434644#M188667 <P>Do you have some error logs during your boot?</P> Mon, 28 Mar 2022 08:05:40 GMT https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1434644#M188667 Zhiming_Liu 2022-03-28T08:05:40Z https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1444624#M189381 <P>As far as I can see there's no error during boot, my device is able to boot as usual.</P><P>Check the full U-Boot log in attachment.</P><P>My guess is that U-Boot doesn't have the public key in its binary.</P> Fri, 15 Apr 2022 14:36:09 GMT https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1444624#M189381 caiotoledo-lunasystems 2022-04-15T14:36:09Z https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1447365#M189559 <P>I've made some changes in imx-boot_1.0.bb (from meta-freescale) and&nbsp;uboot-sign.bbclass (from poky), check&nbsp;<SPAN class=""><SPAN class=""><STRONG>imx-boot_1.0.bb.patch</STRONG> and&nbsp;</SPAN></SPAN><STRONG><SPAN>uboot-sign.bbclass.patch&nbsp;</SPAN></STRONG><SPAN>(for now I'm patching the original recipe directly for prototyping purpose for the final implementation I will use bbappend instead)</SPAN><SPAN>.</SPAN></P><P><SPAN>Now I'm getting the following error during boot:</SPAN></P><P>&nbsp;</P><LI-CODE lang="c">## Loading kernel from FIT Image at 90000000 ... Using 'conf-freescale_imx8mm-luna-pvt3.dtb' configuration Verifying Hash Integrity ... sha256,rsa2048:dev- error! Verification failed for '&lt;NULL&gt;' hash node in 'conf-freescale_imx8mm-luna-pvt3.dtb' config node Failed to verify required signature 'key-dev' Bad Data Hash ERROR: can't get kernel image! Failed to load 'boot.scr' Failed to load 'Image' Booting from net ... No ethernet found. No ethernet found. WARN: Cannot load the DT</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>For some reason, the u-boot isn't recognizing the RSA public key in its binary.</P><P>The u-boot.dtb contains the key (double checked using fdtget).</P> Thu, 21 Apr 2022 15:51:18 GMT https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1447365#M189559 caiotoledo-lunasystems 2022-04-21T15:51:18Z https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1576016#M199375 <P>Hello,&nbsp;</P><P>I am having the same issue, do you have any updates on your side ?<BR />could anyone from the NXP team confirm that verified boot is functional on imx8 platforms ?</P><P>&nbsp;</P><P>Thank you</P> Mon, 02 Jan 2023 09:40:30 GMT https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1576016#M199375 bluemonkeysrock 2023-01-02T09:40:30Z https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1882809#M224652 Hi! if you were able to solve this problem? I added the configurations in yocto<BR /><BR />UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/"<BR />UBOOT_SIGN_KEYNAME = "dev"<BR />UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"<BR />UBOOT_SIGN_ENABLE = "1"<BR /><BR />I added the following things in uboot<BR />CONFIG_FIT_SIGNATURE=y<BR />CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000<BR />CONFIG_LEGACY_IMAGE_FORMAT=y<BR />CONFIG_RSA=y<BR />CONFIG_OF_CONTROL=y<BR /><BR />But I am getting the same error<BR /><BR />## Loading kernel from FIT Image at 420000000 ...<BR />Using 'imx8mm.dtb' configuration<BR />Verifying Hash Integrity ... sha256,rsa2048:dev- error!<BR />Verification failed for '&lt;NULL&gt;' hash node in 'imx8mm.dtb' config node<BR />Failed to verify required signature 'key-dev'<BR />Bad Data Hash<BR />ERROR: can't get kernel image!<BR /><BR />on detail debugging, I found the error is coming from the following file rsa_verify.c<BR /><BR />Error in Modular exponentation<BR /><BR />I have already checked the signatures through fit_check_sign and its showing fine results. But in u-boot its failing. Any recommendation would be helpful.<BR /><BR /> Thu, 06 Jun 2024 14:16:57 GMT https://community.nxp.com/t5/i-MX-Processors/iMX8-U-Boot-FIT-Image-Signature/m-p/1882809#M224652 CrazyDeveloper 2024-06-06T14:16:57Z