Hello everyone,
I am currently trying to enable the verified boot feature in U-boot in order to boot a signed FIT image. I am working with the i.MX93 EVK and Yocto Kirkstone release.
My goal is to configure the "local.conf" file so that after building the image I get a u-boot image with the public key added to it. I want to secure the process of passing from u-boot to linux (in FIT format). To do so I have configured the "local.conf" as follows (only the info related to u-boot verification is provided):
# to use FIT image for kernel and devicetree
MACHINE_FEATURES += "fit"
#signing key
UBOOT_SIGN_KEYDIR = "/home/gorka/timesys/bad_keys"
UBOOT_SIGN_KEYNAME = "dev"
# Sign FIT image
UBOOT_SIGN_ENABLE = "1"
# generate new signing key if not exist
FIT_GENERATE_KEYS = "1"
# Uboot mkimage option
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
While compiling, the following warning is shown:
WARNING: u-boot-imx-2022.04-r0 do_deploy: Failure while adding public key to u-boot binary. Verified boot won't be available.
And if I take a look at deployed files:

There the u-boot binary is shown (with dtb and without dtb). And the dtb itself appears twice as symbolic links. But the real u-boot.dtb file isn't available.
I have compiled it twice with different keys and compared both u-boot.bin files, but they don't differ, so I guess that the public key isn't hardcoded (as the warning had advised).
Is there any way to solve it? Is there something wrong in "local.conf"?
Thank you in advance,
Gorka.
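
One way to confirm whether the public key was embedded, as an added example that is not part of the original post and not Yocto or U-Boot code: U-Boot's verified boot keeps the key in its control devicetree under `/signature/key-<keyname>`, so this Python script scans an image such as u-boot.bin (or a .dtb) for a devicetree blob and looks for that node. It assumes an RSA key (an `rsa,modulus` property); the function names are illustrative.

```python
import struct
import sys

FDT_MAGIC = b"\xd0\x0d\xfe\xed"
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9

def find_dtb(image):
    """Return the first plausible devicetree blob inside image, or None."""
    pos = image.find(FDT_MAGIC)
    while 0 <= pos <= len(image) - 40:  # the 40-byte FDT header must fit
        total, off_struct, off_strings, _rsv, version = struct.unpack_from(">5I", image, pos + 4)
        if version >= 16 and max(off_struct, off_strings) < total <= len(image) - pos:
            return image[pos:pos + total]
        pos = image.find(FDT_MAGIC, pos + 4)  # magic was a false hit, keep scanning
    return None

def signature_keys(dtb):
    """Return {node name: {property: raw bytes}} for the children of /signature."""
    off_struct, off_strings = struct.unpack_from(">2I", dtb, 8)
    path, keys, pos = [], {}, off_struct
    while True:
        (token,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if token == BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3  # name is NUL-terminated and padded to 4 bytes
        elif token == END_NODE:
            path.pop()
        elif token == PROP:
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            if len(path) == 3 and path[1] == "signature":  # path[0] is the root ""
                s = off_strings + nameoff
                name = dtb[s:dtb.index(b"\0", s)].decode()
                keys.setdefault(path[2], {})[name] = dtb[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3  # value is padded to 4 bytes
        elif token == END:
            return keys
        elif token != NOP:
            raise ValueError(f"bad FDT token {token:#x}")

def has_public_key(image, keyname):
    """True if /signature/key-<keyname> holds an RSA modulus (assumption: RSA key)."""
    dtb = find_dtb(image)
    node = signature_keys(dtb).get(f"key-{keyname}") if dtb else None
    return bool(node and node.get("rsa,modulus"))

if __name__ == "__main__":  # usage: <script> <u-boot image or dtb> <key name>
    print(has_public_key(open(sys.argv[1], "rb").read(), sys.argv[2]))
```

Run it against the deployed u-boot binary that includes the dtb, with the value of UBOOT_SIGN_KEYNAME as the key name; `False` matches the do_deploy warning, meaning the control devicetree carries no key for FIT verification.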