i.MX Processors中的主题 Re: Verify signed images from Linux user space

Verify signed images from Linux user space

jb2 — Mon, 23 Mar 2020 07:51:10 GMT

Hello

I succeed to use the UBoot and kernel verification with the HAB API but I want to go further in sign verification.

I've two partitions and a mechanism to update the kernel (and rootfs) from the linux user space. What I want is to verify the authenticity of the kernel before burn it to the non-active partition.

The HAB API is in the boot ROM and, as far as I could find, it's not possible to use this API in the user space. Is it all right?

So I'm trying to do the verification my self:

- Read SRK in UBoot and transfer in the user space with the bootcmd

- Verify the two certificate with this SRK (CFS and IMG certificate)

- Verify the signature of the command and the kernel with openssl.

My questions are:

1) Do you think is it possible to verify the kernel in that way?

2) I don't know how to verify the CFS/IMG certificate

3) The signature check failed with open SSL. Here are information:

ivt.bin: interrupt vector for kernel

linux.csf: csf file for kernel

test_signature.sh: script to check the signature of the kernel image

In code file I've: from 0x0 (beginning of the kernel to the end of IVT)

Signature is the signature after IMG1_cert

Certificate is the IMG1_ certificate

response: "Verification Failure"

Thank you

Re: Verify signed images from Linux user space

Yuri — Tue, 24 Mar 2020 03:56:30 GMT

Hello,

We recommend to use the DM-crypt after U-boot and kernel are verified.

Use app note AN12714 (i.MX Encrypted Storage Using CAAM Secure Keys)

https://www.nxp.com/docs/en/application-note/AN12714.pdf

Have a great day,

Yuri.

-------------------------------------------------------------------------------

Note:

- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored

Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

Re: Verify signed images from Linux user space

michael_glembot — Sun, 03 Jul 2022 11:36:12 GMT

Hi @jb2 , we are currently asking ourselves exactly the same question. Have you found a solution to test the flash.bin or other signed boot artifacts from Linux against the blown SRKs? I would be interested in your solution.

Re: Verify signed images from Linux user space

michael_glembot — Sun, 03 Jul 2022 11:40:10 GMT

Hi @Yuri,

Did you read @jb2 's question at all? And if so, did you understand them? There are over 600 views interested in a solution.

Re: Verify signed images from Linux user space

jb2 — Mon, 04 Jul 2022 14:29:36 GMT

Hi @michael_glembot ,

Sorry I don't remember if I succeed and I no longer have access to the source code.