how to sign a zImage with multiple dtb?


593 Views
changbaoma
Contributor III

I have read https://community.nxp.com/t5/i-MX-Processors/Do-I-sign-only-one-dtb-file/m-p/654150#M100180.

But in our product scenario:

A device derives multiple models of devices. These devices all use the same zImage, but are distinguished by different dtbs. This zImage and multiple dtbs are saved in the /boot directory of the same firmware.

New derived models of devices are constantly being added, and we only want to add a new dtb to the existing firmware.

How do we deal with the signature in this scenario?

Does anyone have ideas?

@BiyongSUN 

0 Kudos
2 Replies

567 Views
changbaoma
Contributor III

Dear @weidong_sun,

Can you show me how to sign a dtb?

Is a signed dtb required by bootz in U-Boot in secure boot?

Someone says yes, but I can successfully run "bootz zImage_signed - dtb_not_signed" in my U-Boot, and I find that bootz only authenticates the zImage and does not authenticate the dtb. See below:

/*
 * zImage booting support
 */
static int bootz_start(cmd_tbl_t *cmdtp, int flag, int argc,
		       char * const argv[], bootm_headers_t *images)
{
	int ret;
	ulong zi_start, zi_end;

	ret = do_bootm_states(cmdtp, flag, argc, argv, BOOTM_STATE_START,
			      images, 1);

	/* Setup Linux kernel zImage entry point */
	if (!argc) {
		images->ep = load_addr;
		debug("* kernel: default image load address = 0x%08lx\n",
		      load_addr);
	} else {
		images->ep = simple_strtoul(argv[0], NULL, 16);
		debug("* kernel: cmdline image address = 0x%08lx\n",
		      images->ep);
	}

	ret = bootz_setup(images->ep, &zi_start, &zi_end);
	if (ret != 0)
		return 1;

	lmb_reserve(&images->lmb, images->ep, zi_end - zi_start);

	/*
	 * Handle the BOOTM_STATE_FINDOTHER state ourselves as we do not
	 * have a header that provides this information.
	 */
	if (bootm_find_images(flag, argc, argv))
		return 1;

#ifdef CONFIG_SECURE_BOOT
	extern uint32_t authenticate_image(
			uint32_t ddr_start, uint32_t image_size);
	if (authenticate_image(images->ep, zi_end - zi_start) == 0) {
		printf("Authenticate zImage Fail, Please check\n");
		return 1;
	}
#endif
	return 0;
}

If we need to authenticate the dtb, does it mean that we need to add the corresponding code to authenticate the dtb in bootz()?

0 Kudos

577 Views
weidong_sun
NXP TechSupport

Hi,

Different products use the same zImage but different dtb.

If your zImage has already been signed, you only need to sign the new dtb.

Hope this information is helpful to you.

Have a nice day!

B.R,

Weidong

0 Kudos
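
An added sketch of the check the second post asks about, not code from the thread, U-Boot or NXP: validate the dtb's FDT header, then pass its full length to the same kind of authenticate call the excerpt uses for the zImage. `authenticate_image_stub`, `fake_hab_ok`, `last_auth_size`, `dtb_authenticate` and `make_sample_dtb` are hypothetical names; the stub stands in for the platform routine and only mirrors its "0 means failure" convention, and how the signature data is attached to the dtb is outside this sketch.

```c
#include <stdint.h>
#include <string.h>

#define FDT_MAGIC      0xd00dfeedu /* FDT header magic, stored big-endian */
#define FDT_HEADER_MIN 40u         /* sizeof(struct fdt_header), version 17 */

/* Hypothetical stand-in for authenticate_image(): nonzero = authentic. */
static int fake_hab_ok = 1;        /* constructed switch for the example */
static uint32_t last_auth_size;    /* records the length that was checked */
static uint32_t authenticate_image_stub(const void *start, uint32_t size)
{
	(void)start; last_auth_size = size;
	return fake_hab_ok ? 1 : 0;
}

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 when the blob may be passed to the kernel, negative otherwise. */
int dtb_authenticate(const uint8_t *blob, size_t avail)
{
	uint32_t total;
	if (avail < FDT_HEADER_MIN || be32(blob) != FDT_MAGIC)
		return -1;              /* not a flattened device tree */
	total = be32(blob + 4);         /* totalsize field of the header */
	if (total < FDT_HEADER_MIN || total > avail)
		return -2;              /* claimed length exceeds what was loaded */
	if (authenticate_image_stub(blob, total) == 0)
		return -3;              /* not authentic: caller must refuse to boot */
	return 0;
}

/* Constructed sample: a header-only blob claiming the given totalsize. */
void make_sample_dtb(uint8_t *buf, size_t len, uint32_t totalsize)
{
	memset(buf, 0, len);
	for (int i = 0; i < 4; i++) {
		buf[i] = (uint8_t)(FDT_MAGIC >> (24 - 8 * i));
		buf[4 + i] = (uint8_t)(totalsize >> (24 - 8 * i));
	}
}
int main(void)
{
	uint8_t dtb[64];
	make_sample_dtb(dtb, sizeof dtb, 48);
	return dtb_authenticate(dtb, sizeof dtb) ? 1 : 0;
}
```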