Hello!

I used to sign images for verified boot for u-boot v2020.04 for an Allwinner
A64-based board. It was simple.
I just added signature nodes for ATF, u-boot, DTB and configurations to the
.its file generated by mksunxi_fit_atf.sh, and mkimage signed the FIT image.

Now I am trying to do the same for u-boot v2024.07. I work with the Radxa Model 3a.
Its FIT image is generated using binman. Its binman configuration is located
in the file arch/arm/dts/rockchip-u-boot.dtsi.

I have 3 ideas about how to get the job done:
- improve binman to support signing FIT images during FIT image generation,
  sort of implementing an image-signature etype
- fix mkimage to allow signing images generated by binman. Now I get an error
  when I try to do that
- maybe I am doing the job in the wrong way? Could you please direct me in the
  correct way?

First, I think that I have to add signature entries to the binman configuration.
So I added the following:

&binman {
    simple-bin {
        …
        fit: fit {
            …
            images {
                …
                @atf-SEQ {
                    …
                    signature {
                        algo = "sha256,rsa2048";
                        key-name-hint = "uboot-spl";
                        sign-images = "atf-SEQ";
                    };
                };
            };
        };
    };
};

This signature entry was copied to the resulting FIT image without processing.
No signature was generated.
SEQ was not replaced with 1:

atf-1 {
    ...
    hash {
        value = <0xb5946ac6 0x3df8fb35 0x69407a75 0xcf2f6aa3 0x96551ba0
                 0x11e1a84b 0xec654dc9 0x982ba063>;
        algo = "sha256";
    };

    signature {
        algo = "sha256,rsa2048";
        key-name-hint = "uboot-spl";
        sign-images = "atf-SEQ";
    };
};

So, obviously binman does not support this way of signing images. If this way
looks reasonable, I can try to implement it and send patches to u-boot. I played
with binman etypes and tried to add a custom 'image-signature' etype. It looks
like I can complete such work.

The second solution looks to me as follows. We need to run mkimage to sign the
FIT image generated by binman.
Some sort of running mkimage like this:

./tools/mkimage -k /media/yocto/build-yocto/…. -F ./u-boot.itb

Now I get an error when I run mkimage:
Can't add verification data for node 'atf-1' (<unknown error>)

If that solution is reasonable, I can fix the <unknown error> and send patches.

Third thought: maybe there is another proper way to sign a FIT image for
verified boot?
Could you please provide an idea how to do that?

Regards,
Alexander.
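For readers comparing the layout above with the mkimage-based flow the post mentions for v2020.04, the following is an added illustration (not from the post or from the U-Boot tree) of a hand-written FIT source in the conventional verified-boot layout: per-image hash nodes under images, and a single signature node under the configuration whose sign-images property lists the configuration properties it covers. The image file names, load addresses and the key-name-hint "dev" are assumptions chosen for the illustration.

```dts
/dts-v1/;

/ {
    description = "Signed FIT: ATF + U-Boot + DTB (added illustration)";
    #address-cells = <1>;

    images {
        /* Every image gets a hash; the configuration signature below
         * covers these hashes, so each image is bound to the signed config. */
        atf {
            description = "ARM Trusted Firmware";
            data = /incbin/("bl31.bin");           /* assumed file name */
            type = "firmware";
            arch = "arm64";
            os = "arm-trusted-firmware";
            compression = "none";
            load = <0x40000>;                      /* assumed address */
            entry = <0x40000>;
            hash-1 {
                algo = "sha256";
            };
        };
        uboot {
            description = "U-Boot proper";
            data = /incbin/("u-boot-nodtb.bin");   /* assumed file name */
            type = "standalone";
            arch = "arm64";
            os = "u-boot";
            compression = "none";
            load = <0x200000>;                     /* assumed address */
            hash-1 {
                algo = "sha256";
            };
        };
        fdt-1 {
            description = "Board device tree";
            data = /incbin/("u-boot.dtb");         /* assumed file name */
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            hash-1 {
                algo = "sha256";
            };
        };
    };

    configurations {
        default = "config-1";
        config-1 {
            description = "ATF + U-Boot + DTB";
            firmware = "atf";
            loadables = "uboot";
            fdt = "fdt-1";
            /* The signature lives in the configuration, not inside each image.
             * sign-images names the configuration properties whose images
             * (via their hash nodes) are included in the signed data. */
            signature {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";             /* assumed: dev.key / dev.crt */
                sign-images = "firmware", "loadables", "fdt";
            };
        };
    };
};
```

With this source, the usual mkimage invocation is `mkimage -f fit.its -k <keydir> -K u-boot-spl.dtb -r u-boot.itb`: -k points at the directory holding dev.key and dev.crt, -K embeds the public key into the SPL control DTB, and -r marks the key as required so SPL rejects a configuration whose signature does not verify. Signing an already-built .itb with -F on the same source layout re-signs the configuration node in place, which is the step the post is trying to apply to the binman-generated image.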
