Hi Simon,

Thanks for the reply. I already followed the steps mentioned in "doc/uImage.FIT/beaglebone_vboot.txt".

> I wonder if rpi is not using the devicetree compiled with U-Boot, but instead one provided by the earlier-stage firmware?

Not sure, but it seems like this is the case. I checked and there isn't any dtb or dts for rpi4 (bcm2711-rpi-4-b) in arch/arm/dts in u-boot. I tried to add the dtb and the other dts/dtsi files from the Raspberry Pi Linux tree <https://github.com/raspberrypi/linux/tree/rpi-5.10.y/arch/arm64/boot/dts/broadcom> and compile them with CONFIG_OF_SEPARATE and CONFIG_OF_EMBED (one at a time), *but it couldn't even boot U-Boot and it would just give a blank screen*. I wonder why there isn't any device tree in the U-Boot repo for RPI4. Is U-Boot control FDT not supported by RPI4? And if I try CONFIG_OF_BOARD (the default rpi_4 configuration), it takes us back to the initial problem, the signature not being checked.

> Can you check that the required 'signature' node is present? You can use the 'fdt' command in U-Boot to look at it.

I tried "fdt checksign" but it didn't return anything. Screenshot inlined; image.itb is the FIT image. If I am doing it wrong, or some other commands need to be executed, please let me know.

[image: image.png]

Just for reference, I am inlining the steps I followed:

1. Clone the master branch of u-boot.
2. Add FIT, RSA & SIGNATURE support to rpi_4_defconfig.
3. Build with 64-bit architecture (CROSS_COMPILE=aarch64-linux-gnu-).
4. Build U-Boot:
     $ make -j8
5. Copy the device tree and make a clone, to which the pubkey is appended:
     $ cp bcm2711-rpi-4-b.dtb bcm2711-rpi-4-b-pubkey.dtb
6. Generate the keys, make the .its file and sign it with the following commands:
     $ mkdir keys
     $ openssl genrsa -F4 -out keys/dev.key 2048
     $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
     $ mkimage -f image.its -K bcm2711-rpi-4-b-pubkey.dtb -k keys -r image.itb
7. Rebuild U-Boot with the control FDT (bcm2711-rpi-4-b-pubkey.dtb):
     $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
8. Copy u-boot.bin and image.itb to the boot partition.
But since I had CONFIG_OF_BOARD set, I am assuming it didn't add the control FDT into u-boot.bin, as the byte size of both binaries (u-boot.bin & u-boot-nodtb.bin) was the same. I tried to concatenate them with cat, but while booting, U-Boot still didn't read the control FDT.

Can anyone please help with enabling verified boot (signature check) support for Raspberry Pi 4? It's a very mainstream board and support for it would be great to have. I am willing to contribute whatever I can.

Best,
Moiz Imtiaz

On Fri, Sep 10, 2021 at 9:37 AM Simon Glass <s...@chromium.org> wrote:
> +Tom Rini
>
> Hi Moiz,
>
> On Thu, 9 Sept 2021 at 14:21, Moiz Imtiaz <moizimti...@gmail.com> wrote:
> >
> > Hope you are doing well and everything is going well at your end. I am using Raspi 4B and Compute Model 4 and trying to configure U-boot with Verified boot support, but while booting the signing of the configuration is not being checked. I am using the latest master branch from GitHub.
> >
> > We have checked the signature verification via the "fit_check_sign" utility that comes with u-boot and it does verify the configuration of the signature, so I am sure that the image is signed properly and the Control FDT is good as well.
> >
> > But while booting, it doesn't check the signature of the configuration. It should be showing "Verifying Hash Integrity ... sha1,rsa2048:dev+ OK".
> >
> > I believe that maybe I am not adding the Control FDT to the U-boot binary properly. Following is the command that I am using to add the control FDT to U-boot:
> >
> > $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
> >
> > I have also tried
> >
> > $ make DEV_TREE_BIN=bcm2711-rpi-4-b-pubkey.dtb -j8
> >
> > The byte size of u-boot.bin and u-boot-nodtb.bin after using both of the above commands is the same.
> >
> > Attached is the FIT source file, rpi_4_defconfig and the control FDT file. Also, the following has been added in configs/rpi_4_defconfig:
> >
> > CONFIG_OF_CONTROL=y
> > CONFIG_FIT=y
> > CONFIG_FIT_SIGNATURE=y
> > CONFIG_RSA=y
> >
> > Can you please help me with how to add the Control FDT to the u-boot.bin binary, or what the reason can be that it isn't checking the signature of the configuration while booting? Any kind of help would be really appreciated.
>
> There is an example of this flow in the sandbox vboot test. There is also an example for Beaglebone Black in doc/uImage.FIT/beaglebone_vboot.txt
>
> I wonder if rpi is not using the devicetree compiled with U-Boot, but instead one provided by the earlier-stage firmware? Can you check that the required 'signature' node is present? You can use the 'fdt' command in U-Boot to look at it.
>
> Looking at rpi_4 it uses CONFIG_OF_BOARD which means it has its own special way of getting the devicetree into U-Boot. The older boards use CONFIG_OF_EMBED which is actually not even allowed in production boards....
>
> Also you may need the -r argument to mkimage to mark the key as required.
>
> Regards,
> Simon
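Added example (editor's own Python, not U-Boot code and not written by anyone on this thread): a host-side version of the check Simon suggests doing with the 'fdt' command. It parses a flattened device tree and reports whether /signature/key-* is present with the RSA properties that `mkimage -K` writes and the required = "conf" marker that `-r` adds; that node is what CONFIG_FIT_SIGNATURE looks up before it can verify a configuration, so a control FDT without it explains a boot that never prints the "Verifying Hash Integrity" line. The sample DTBs are constructed inline with placeholder key bytes; the compatible string, node layout and the reported compatibility with a real bcm2711-rpi-4-b.dtb are assumptions, not taken from the board's actual device tree. The small DTB writer exists only to build that test input.

```python
"""Host-side check that a U-Boot control FDT carries the FIT public key.
Added example, not U-Boot code: parse a DTB and look for /signature/key-<hint>
with the properties `mkimage -K <dtb> -k <dir>` stores plus the required = "conf"
marker `mkimage -r` adds. Without it, CONFIG_FIT_SIGNATURE has no key to verify."""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
# Per-key properties written by rsa_add_verify_data() (U-Boot lib/rsa/rsa-sign.c).
KEY_PROPS = ("algo", "rsa,num-bits", "rsa,modulus", "rsa,exponent", "rsa,n0-inverse", "rsa,r-squared")

def _pad4(b):
    return b + b"\0" * (-len(b) % 4)

def build_dtb(tree):
    """Serialise {name: bytes | dict} into a minimal v17 DTB (test input only; real
    control FDTs come from dtc, and mkimage -K adds the key node to them in place)."""
    body, strings, str_off = bytearray(), bytearray(), {}

    def name_off(name):
        if name not in str_off:
            str_off[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return str_off[name]

    def emit(name, node):
        body.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for k, v in node.items():  # properties must precede subnodes
            if not isinstance(v, dict):
                body.extend(struct.pack(">III", FDT_PROP, len(v), name_off(k)) + _pad4(v))
        for k, v in node.items():
            if isinstance(v, dict):
                emit(k, v)
        body.extend(struct.pack(">I", FDT_END_NODE))

    emit("", tree)
    body.extend(struct.pack(">I", FDT_END))
    rsvmap = struct.pack(">QQ", 0, 0)  # empty memory-reservation block, placed at offset 40
    off_struct = 40 + len(rsvmap)
    off_strings = off_struct + len(body)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(body))
    return header + rsvmap + body + strings

def parse_dtb(blob):
    """Parse a DTB into nested dicts: bytes for properties, dict for subnodes."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">IIII", blob)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree (bad magic)")
    pos, root, cur, stack = off_struct, {}, None, []
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)  # node name is NUL-terminated, then 4-aligned
            node = root if cur is None else cur.setdefault(blob[pos:end].decode(), {})
            stack.append(cur)
            cur, pos = node, end + 1 + (-(end + 1) % 4)
        elif tok == FDT_END_NODE:
            cur = stack.pop()
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos, nstart = pos + 8, off_strings + nameoff
            cur[blob[nstart:blob.index(b"\0", nstart)].decode()] = bytes(blob[pos:pos + length])
            pos += length + (-length % 4)
        elif tok == FDT_END:
            return root
        elif tok != FDT_NOP:
            raise ValueError(f"unknown FDT token {tok:#x} at offset {pos - 4}")

def check_signature_node(dtb):
    """Return (ok, findings): ok only if every /signature/key-* node carries the RSA
    parameters and required = "conf" (or "image"), which U-Boot needs before it will
    refuse an unsigned or badly signed configuration."""
    sig = parse_dtb(dtb).get("signature")
    if not isinstance(sig, dict):
        return False, ["no /signature node: mkimage -K never touched this DTB, or U-Boot is not using it as its control FDT"]
    keys = {n: v for n, v in sig.items() if isinstance(v, dict) and n.startswith("key-")}
    if not keys:
        return False, ["/signature exists but has no key-* subnode"]
    ok, findings = True, []
    for name, key in keys.items():
        missing = [p for p in KEY_PROPS if p not in key]
        if missing:
            ok = False
            findings.append(f"{name}: missing {', '.join(missing)}")
        if key.get("required", b"").rstrip(b"\0") not in (b"conf", b"image"):
            ok = False
            findings.append(f"{name}: no required property (mkimage -r not used); an unsigned FIT would still boot")
    return ok, findings

def sample_control_dtb(with_signature=True, with_required=True):
    """Constructed test input, not a real bcm2711-rpi-4-b.dtb; key material is placeholder bytes."""
    tree = {"compatible": b"raspberrypi,4-model-b\0brcm,bcm2711\0", "chosen": {}}
    if with_signature:
        key = {"algo": b"sha256,rsa2048\0", "key-name-hint": b"dev\0",
               "rsa,num-bits": struct.pack(">I", 2048), "rsa,exponent": struct.pack(">Q", 65537),
               "rsa,n0-inverse": struct.pack(">I", 0x12345678),  # placeholder, not derived from a key
               "rsa,modulus": bytes(256), "rsa,r-squared": bytes(256)}  # placeholders, not a real key
        if with_required:
            key["required"] = b"conf\0"
        tree["signature"] = {"key-dev": key}
    return build_dtb(tree)
```

To test a real file, call check_signature_node(open("bcm2711-rpi-4-b-pubkey.dtb", "rb").read()) on the DTB passed to EXT_DTB, and then on a dump of whatever device tree U-Boot is actually running with; if the first passes and the second reports "no /signature node", the key was written correctly by mkimage but the board is booting with a different control FDT, which is the situation Simon's CONFIG_OF_BOARD remark describes.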