Hello
I succeed to use the UBoot and kernel verification with the HAB API but I want to go further in sign verification.
I've two partitions and a mechanism to update the kernel (and rootfs) from the linux user space. What I want is to verify the authenticity of the kernel before burn it to the non-active partition.
The HAB API is in the boot ROM and, as far as I could find, it's not possible to use this API in the user space. Is it all right?
So I'm trying to do the verification my self:
- Read SRK in UBoot and transfer in the user space with the bootcmd
- Verify the two certificate with this SRK (CFS and IMG certificate)
- Verify the signature of the command and the kernel with openssl.
My questions are:
1) Do you think is it possible to verify the kernel in that way?
2) I don't know how to verify the CFS/IMG certificate
3) The signature check failed with open SSL. Here are information:
ivt.bin: interrupt vector for kernel
linux.csf: csf file for kernel
test_signature.sh: script to check the signature of the kernel image
In code file I've: from 0x0 (beginning of the kernel to the end of IVT)
Signature is the signature after IMG1_cert
Certificate is the IMG1_ certificate
response: "Verification Failure"
Thank you
