[iMX8] U-Boot FIT Image Signature

6,105 views
caiotoledo-lunasystems
Contributor I

We have a custom board using the iMX8MM SoC and we would like to enable FIT Image signing under the Yocto build (hardknott branch).

We are already able to sign the FIT Image using these variables:

# Add FIT Image to /boot partition
IMAGE_BOOT_FILES = "fitImage-${MACHINE}.bin;fitImage"

UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_SIGN_ENABLE = "1"
FIT_SIGN_INDIVIDUAL = "1"
FIT_GENERATE_KEYS = "1"

 

We were able to confirm that the FIT Image is signed by running:

fit_check_sign -f <fit-image> -k <uboot-dtb>

And during the boot we can see that the U-Boot sees the signature:

Verifying Hash Integrity ... sha256+ sha256,rsa2048:dev- OK

But the U-Boot doesn't check the sha256,rsa2048:dev- signature; I suppose that's why we see a minus sign.

As far as I can see I have added the right U-Boot configuration as well:

CONFIG_FIT_SIGNATURE=y
CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000
CONFIG_LEGACY_IMAGE_FORMAT=y

 

Checking the u-boot.dtb, it seems that the key was installed:

$ fdtget -p u-boot.dtb /signature/key-dev
required
algo
rsa,r-squared
rsa,modulus
rsa,exponent
rsa,n0-inverse
rsa,num-bits
key-name-hint

 

What might I be missing here?

5 Replies

4,705 views
bluemonkeysrock
Contributor I

Hello, 

I am having the same issue. Do you have any updates on your side?
Could anyone from the NXP team confirm that verified boot is functional on imx8 platforms?

 

Thank you


5,972 views
caiotoledo-lunasystems
Contributor I

I've made some changes in imx-boot_1.0.bb (from meta-freescale) and uboot-sign.bbclass (from poky); check imx-boot_1.0.bb.patch and uboot-sign.bbclass.patch. (For now I'm patching the original recipe directly for prototyping purposes; for the final implementation I will use a bbappend instead.)

Now I'm getting the following error during boot:

 

## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-freescale_imx8mm-luna-pvt3.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev-  error!
Verification failed for '<NULL>' hash node in 'conf-freescale_imx8mm-luna-pvt3.dtb' config node
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!
Failed to load 'boot.scr'
Failed to load 'Image'
Booting from net ...
No ethernet found.
No ethernet found.
WARN: Cannot load the DT

 

 

 

For some reason, the u-boot isn't recognizing the RSA public key in its binary.

The u-boot.dtb contains the key (double checked using fdtget).


6,044 views
Zhiming_Liu
NXP TechSupport

Do you have some error logs during your boot?


6,011 views
caiotoledo-lunasystems
Contributor I

As far as I can see there's no error during boot, my device is able to boot as usual.

Check the full U-Boot log in attachment.

My guess is that U-Boot doesn't have the public key in its binary.


1,548 views
CrazyDeveloper
Contributor III
Hi! Were you able to solve this problem? I added the configurations in Yocto:

UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_SIGN_ENABLE = "1"

I added the following things in U-Boot:
CONFIG_FIT_SIGNATURE=y
CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000
CONFIG_LEGACY_IMAGE_FORMAT=y
CONFIG_RSA=y
CONFIG_OF_CONTROL=y

But I am getting the same error

## Loading kernel from FIT Image at 420000000 ...
Using 'imx8mm.dtb' configuration
Verifying Hash Integrity ... sha256,rsa2048:dev- error!
Verification failed for '<NULL>' hash node in 'imx8mm.dtb' config node
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!

On detailed debugging, I found the error is coming from the following file: rsa_verify.c

Error in Modular exponentation

I have already checked the signatures through fit_check_sign and it's showing fine results. But in U-Boot it's failing. Any recommendation would be helpful.

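An added example, not code from the thread or from U-Boot: a small Python check for captured console output that interprets the markers in the "Verifying Hash Integrity" lines quoted in the posts above. U-Boot prints `+` after a check that passed and `-` after a signature check that failed, so an `OK` line with no `+` on a signature entry means the image was accepted on its hash alone. The function name and severity labels are assumptions; the sample log is assembled from lines in the posts.

```python
import re

# Constructed sample: console lines copied from the boot logs quoted in this thread.
SAMPLE_LOG = """\
   Verifying Hash Integrity ... sha256+ sha256,rsa2048:dev- OK
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-freescale_imx8mm-luna-pvt3.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev-  error!
Failed to verify required signature 'key-dev'
"""

VERIFY = re.compile(r"Verifying Hash Integrity \.\.\.\s*(.*?)\s*(OK|error!)\s*$")
# One entry per check: "sha256+" is a hash, "sha256,rsa2048:dev-" is a signature.
CHECK = re.compile(r"(?P<algo>[\w,]+)(?::(?P<key>[\w.-]*?))?(?P<mark>[+-])(?=\s|$)")
REQUIRED = re.compile(r"Failed to verify required signature '([^']+)'")


def audit_boot_log(text):
    """Return (line_no, severity, message) for every load lacking a verified signature."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        req = REQUIRED.search(line)
        if req:
            findings.append((no, "REJECTED", f"required key '{req.group(1)}' did not verify"))
        m = VERIFY.search(line)
        if not m:
            continue
        # Only entries with an "algo:keyname" form are signature checks.
        sigs = [c for c in CHECK.finditer(m.group(1)) if c["key"] is not None]
        good = [f"{c['algo']}:{c['key']}" for c in sigs if c["mark"] == "+"]
        bad = [f"{c['algo']}:{c['key']}" for c in sigs if c["mark"] == "-"]
        if m.group(2) == "error!":
            findings.append((no, "REJECTED", f"verification error, failed: {bad}"))
        elif not good:
            # Hash matched and boot continued, but no signature was verified.
            findings.append((no, "UNVERIFIED", f"accepted on hash only, failed: {bad}"))
    return findings


if __name__ == "__main__":
    for no, severity, message in audit_boot_log(SAMPLE_LOG):
        print(f"line {no}: {severity}: {message}")
```

Run against a serial capture in a boot test, an UNVERIFIED finding is the case from the first post: the device boots normally even though the signature did not verify.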