I want to verify CST-signed files from within a running Linux system. So far I only know of the esbc_validate command on the U-Boot command line, and need such a command/tool on Linux.
Is there a Linux port of the esbc_validate command? Or can the CST be used to verify signatures?
Solved! Go to Solution.
Hello Tanjeff Moos,
The command esbc_validate is used for validating header and signature of images (Boot Script, Linux Kernel, rootfs and device tree blob).
Please refer to the following procedure for secure boot
1. ISBC code would validate the ESBC code(u-boot).
2. On successful validation, ESBC code(u-boot) would run, which would then validate the boot script(with esbc_validate command).
3. On successful validation of boot script, commands in boot script would be executed.
4. The boot script contains esbc_validate commands to validate next level images, i.e rootfs, linux uImage and device tree.
5. Once all the images are validated, bootm command in boot script would be executed which would pass control to linux.
If you only want to sign a file and verify the signature, you could use OpenSSL.
Please refer to https://eclipsesource.com/blogs/2016/09/07/tutorial-code-signing-and-verification-with-openssl/ .
Thanks,
Yiping
In particular I want to verify a file which was signed using uni_sign.
We have a device which allows firmware updates using a web interface. For secure boot, the new firmware (which is a Linux FIT image) needs to be signed, of course. To prevent installing an invalid image to flash, the web server shall verify the signature before installation.
For this scenario I need a verification tool running in Linux which can verify uni_sign signatures. Of course, this shall include verification of the public key against the SRK hash in the fuse box.
I managed to extract the pubkey from the CST header (which is easy) and to calculate its hash using "openssl dgst -sha256 srk.pub". I can compare this hash against the SRK hash in the fuse. However, I cannot use it for OpenSSL (the format is not recognized). So I could use a little help, e.g. some OpenSSL example commands or documentation about the exact pubkey and signature formats within the CST headers. Or is it possible to verify signatures using CST?
The CST tool cannot be used to verify signatures.
My solution is to write a tool (in C) which uses OpenSSL to verify the signature. The following details may be of interest to people facing the same problem:
So my problem is solved now. Thanks for the support!