- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- [iMX8] U-Boot FIT Image Signature
[iMX8] U-Boot FIT Image Signature
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
[iMX8] U-Boot FIT Image Signature
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a custom board using the iM8MM SoC and we would like to enable the FIT Image Signing under Yocto build (hardknott branch).
We are already able to sign the FIT Image using these variables:
# Add FIT Image to /boot partition
IMAGE_BOOT_FILES = "fitImage-${MACHINE}.bin;fitImage"
UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_SIGN_ENABLE = "1"
FIT_SIGN_INDIVIDUAL = "1"
FIT_GENERATE_KEYS = "1"
We were able to confirm that the FIT Image is signed by running:
fit_check_sign -f <fit-image> -k <uboot-dtb>And during the boot we can see that the U-Boot sees the signature:
Verifying Hash Integrity ... sha256+ sha256,rsa2048:dev- OKBut the U-Boot doesn't check the sha256,rsa2048:dev- signature, I suppose that's why we see a minus sign.
As far as I can see I have added the right U-Boot configuration as well:
CONFIG_FIT_SIGNATURE=y
CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000
CONFIG_LEGACY_IMAGE_FORMAT=y
Checking the u-boot.dtb seems that the key was installed:
$ fdtget -p u-boot.dtb /signature/key-dev
required
algo
rsa,r-squared
rsa,modulus
rsa,exponent
rsa,n0-inverse
rsa,num-bits
key-name-hint
What am I might be missing here?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am having the same issue, do you have any updates on your side ?
could anyone from the NXP team confirm that verified boot is functional on imx8 platforms ?
Thank you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've made some changes in imx-boot_1.0.bb (from meta-freescale) and uboot-sign.bbclass (from poky), check imx-boot_1.0.bb.patch and uboot-sign.bbclass.patch (for now I'm patching the original recipe directly for prototyping purpose for the final implementation I will use bbappend instead).
Now I'm getting the following error during boot:
## Loading kernel from FIT Image at 90000000 ...
Using 'conf-freescale_imx8mm-luna-pvt3.dtb' configuration
Verifying Hash Integrity ... sha256,rsa2048:dev- error!
Verification failed for '<NULL>' hash node in 'conf-freescale_imx8mm-luna-pvt3.dtb' config node
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!
Failed to load 'boot.scr'
Failed to load 'Image'
Booting from net ...
No ethernet found.
No ethernet found.
WARN: Cannot load the DT
For some reason, the u-boot isn't recognizing the RSA public key in its binary.
The u-boot.dtb contains the key (double checked using fdtget).
Zhiming_Liu
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have some error logs during your boot?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UBOOT_SIGN_KEYDIR = "${TMPDIR}/keys/"
UBOOT_SIGN_KEYNAME = "dev"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
UBOOT_SIGN_ENABLE = "1"
I added the following things in uboot
CONFIG_FIT_SIGNATURE=y
CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000
CONFIG_LEGACY_IMAGE_FORMAT=y
CONFIG_RSA=y
CONFIG_OF_CONTROL=y
But I am getting the same error
## Loading kernel from FIT Image at 420000000 ...
Using 'imx8mm.dtb' configuration
Verifying Hash Integrity ... sha256,rsa2048:dev- error!
Verification failed for '<NULL>' hash node in 'imx8mm.dtb' config node
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!
on detail debugging, I found the error is coming from the following file rsa_verify.c
Error in Modular exponentation
I have already checked the signatures through fit_check_sign and its showing fine results. But in u-boot its failing. Any recommendation would be helpful.
