Hi Reuben,

Thanks for your reply. So, in your 'its' file for the second stage u-boot, do you define the signature in the images section, as follows:

    images {
        uboot {
            description = "U-Boot Secondary";
            signature { };
        };
    };
    configurations { };

or in the configuration section (signed configuration feature), as follows?:

    images {
        uboot {
            description = "U-Boot Secondary";
        };
    };
    configurations {
        config-1 {
            description = "";
            loadables = "uboot";
            signature {
                algo = "";
                key-name-hint = "";
                sign-images = "loadables";
            };
        };
    };

When I define signatures in the images section, SPL U-Boot checks the signatures of the second stage u-boot as expected; on the other hand, when the configuration is signed it doesn't check it. Microsoft added their own patch a couple of years ago to fix this (https://github.com/neilsh-msft/u-boot.ms-iot/commit/6ea7fab742eadddf4982695f3cbafeda079e4134), but it is not in the mainline. I am wondering if this has been fixed in the mainline since then, or whether I need to patch u-boot in a similar way to Microsoft?

Cheers,
Andy

---- On Mon, 14 Sep 2020 01:01:46 +0300 Reuben Dowle <reuben.do...@4rf.com> wrote ----

> Yes, it is possible to do this. The SPL will check its own DTB to check
> which signatures are required.
>
> When the FIT that the SPL will load is created with mkimage, you also pass
> the SPL's dtb file, which will be patched to include the required signatures.
>
> I am not sure if the config system has the ability to specify this. My build
> process separates the signing from the normal uboot build (so that I can
> keep the private keys more secure), so I am manually calling mkimage. The
> command I am using to generate my second stage signed u-boot FIT file which
> is loaded by SPL:
>
>     mkimage -f uboot.its -K u-boot-spl.dtb -k keys -r u-boot.fit
>
> The updated u-boot-spl.dtb needs to be available for the SPL to load at
> startup - often by appending this dtb to the end of the SPL binary. In my
> case I do this:
>
>     cat u-boot-spl-nodtb.bin u-boot-spl-pad.bin u-boot-spl.dtb > u-boot-spl.bin
>
> Reuben Dowle
> Software Architect
> Phone: +64 4 499 6000
> Fax: +64 4 473 4447
> E-Mail: reuben.do...@4rf.com
> Website: https://www.4rf.com
>
> -----Original Message-----
> From: U-Boot <u-boot-boun...@lists.denx.de> On Behalf Of Andrii Voloshyn
> Sent: Saturday, 12 September 2020 12:18 am
> To: u-boot <u-boot@lists.denx.de>
> Subject: SPL FIT configuration signature verification
>
> Hi there,
>
> Is it possible to make SPL U-Boot verify the signature located in the
> configuration section of a FIT image, and not continue in case the
> signature is missing or doesn't match?
> Asking because I couldn't find any configuration option for that, and I
> have a FIT image with a signature but SPL U-boot doesn't check it at all, it
> only checks signatures for images if present.
>
> Thanks
>
> Cheers,
> Andy
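The second of the two layouts Andy contrasts above, as a worked example added to this thread (it is not from the thread or from U-Boot's own tree): a complete .its that signs the configuration rather than the image, together with the key node that mkimage -K/-r writes into u-boot-spl.dtb. The point of a configuration signature is that it covers the hashes of every image the configuration lists, so a verifier that enforces it accepts only that exact set of images, whereas per-image signatures bind each image on its own. The input file name, load/entry addresses and the key name "dev" are assumptions for the example.

```dts
/dts-v1/;
/ {
	description = "Second-stage U-Boot, signed at configuration level";
	#address-cells = <1>;
	images {
		uboot {
			description = "U-Boot Secondary";
			data = /incbin/("u-boot-nodtb.bin"); /* placeholder path for this example */
			type = "firmware";
			arch = "arm";
			os = "u-boot";
			compression = "none";
			load = <0x80800000>;  /* placeholder addresses for this example */
			entry = <0x80800000>;
			/* Hash only: the image is bound to the configuration by the
			 * configuration signature below, not by a per-image signature. */
			hash-1 {
				algo = "sha256";
			};
		};
	};
	configurations {
		default = "config-1";
		config-1 {
			description = "Boot U-Boot proper from SPL";
			loadables = "uboot";
			signature {
				algo = "sha256,rsa2048";
				key-name-hint = "dev";	/* mkimage -k keys reads keys/dev.key and keys/dev.crt */
				/* Covers the hashes of every listed image, so only this
				 * exact combination of images verifies. */
				sign-images = "loadables";
			};
		};
	};
};
/* mkimage -f uboot.its -K u-boot-spl.dtb -k keys -r u-boot.fit (the command
 * quoted in the thread) then adds the public key to u-boot-spl.dtb roughly
 * as below; required = "conf" comes from -r and is what makes a missing or
 * mismatching configuration signature a hard failure in the FIT verifier:
 *
 *   signature {
 *       key-dev {
 *           required = "conf";
 *           algo = "sha256,rsa2048";
 *           rsa,modulus = <...>;   (public-key material filled in by mkimage)
 *       };
 *   };
 */
```

Whether the SPL build you are using actually calls the configuration check, as opposed to the U-Boot proper verifier, is exactly the question the thread leaves open; the DTB node above only tells a verifier that does run it which key is mandatory.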