Kernel FitImage Signing Error

CrazyDeveloper · ‎06-06-2024

I am working on signing fitimage in Kirkstone Branch. My u-boot version is 2022. I generated the key and crt using the following commands

openssl genrsa -F4 -out dev.key 2048

openssl req -batch -new -x509 -key dev.key -out dev.crt

Then I added the following configurations in yocto

UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_SIGN_ENABLE = "1"

I added the following things in uboot defconfig file
CONFIG_FIT_SIGNATURE=y
CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000
CONFIG_LEGACY_IMAGE_FORMAT=y
CONFIG_RSA=y
CONFIG_OF_CONTROL=y

But I am getting the error

## Loading kernel from FIT Image at 420000000 ...
Using 'imx8mm.dtb' configuration
Verifying Hash Integrity ... sha256,rsa2048:dev- error!
Verification failed for '<NULL>' hash node in 'imx8mm.dtb' config node
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!

on detail debugging, I found the error is coming from the following file rsa_verify.c

Error in Modular exponentation

I have already checked the signatures through fit_check_sign utility and its showing fine results. But in u-boot its failing. Any recommendation would be helpful.

sbin · ‎07-01-2024

Hello,

were you able to resolve

Verification failed for '<NULL>' hash node in 'imx8mm.dtb' config node

problem?

CrazyDeveloper · ‎07-31-2024

Sorry for the late reply, I resolved the issue and also commented the solution above

Bio_TICFSL · ‎06-07-2024

Hello,

You have to modify the dtb since you are changing the parameters of sha.

Regards

CrazyDeveloper · ‎06-07-2024

Hi! I have been able to solve the error. Actually, in my case, uboot was modifying and updating with signature keys. Actual error was happening at this stage of code in u-boot

rsa-verify.c

#if !defined(USE_HOSTCC)
ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
if (ret) {
printf("RSA: Can't find Modular Exp implementation\n");
return -EINVAL;
}

ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
#else
ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
#endif

So, I went towards the software implementation of code this way

#if !defined(USE_HOSTCC)
ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
if (ret) {
printf("RSA: Can't find Modular Exp implementation\n");
return -EINVAL;
}

ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
#else
ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
#endif
if (ret) {
debug("Error in Modular exponentation\n");
ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
if (ret) {
printf("%s: attempting rsa_mod_exp_sw instead \n", __func__);
}
}

and adding this additional configuration in u-boot

CONFIG_RSA_SOFTWARE_EXP=y

Here the code for rsa_mod_exp_sw was little broken and giving the linking error undefined reference to 'rsa_mod_exp_sw', so I did the following change in the rsa-mod-exp.h file

--- a/include/u-boot/rsa-mod-exp.h
+++ b/include/u-boot/rsa-mod-exp.h
@@ -1,3 +1,4 @@
+
/* SPDX-License-Identifier: GPL-2.0+ */
/*
* Copyright 2014 Freescale Semiconductor, Inc.
@@ -62,7 +63,7 @@ void rsa_free_key_prop(struct key_prop *prop);
* @out: Result in form of byte array of len equal to sig_len
*/
int rsa_mod_exp_sw(const uint8_t *sig, uint32_t sig_len,
- struct key_prop *node, uint8_t *out);
+ struct key_prop *prop, uint8_t *out);

int rsa_mod_exp(struct udevice *dev, const uint8_t *sig, uint32_t sig_len,
struct key_prop *node, uint8_t *out);

After that, it started working. However, I am still searching why 'rsa_verify_key' is not working fine in my iMX8MM board and rsa_verify_key_sw working

Here are few references

https://u-boot.denx.narkive.com/BpvBKeLY/hangs-after-enabling-secured-boot-gumstix-overo

https://community.nxp.com/t5/i-MX-Processors/U-boot-FIT-image-verification-failed-when-HAB-is-enable...