Hi Lev,

On 10/14/24 13:15, Lev R. Oshvang wrote:
> Hi Sean,
> Thanks for replying.
> Of course, I have the public key embedded into the u-boot dtb.
> I see it clearly with the dtdiff utility: it has the rsa components and
> mentions the required property, but there are no means:
> - signature {
> -
> - key-dev_key {
> - algo = "sha1,rsa2048";
> - key-name-hint = "dev_key";
> - required = "conf";
> - rsa,exponent = <0x00 0x10001>;
> - rsa,modulus = <0xca0facd8 0xc8a49486
> 0x9785b0a8 0xd8560eae 0xffaefc34 0xd958e8d9 0xba5b1623 0x197b8ae
> 0x216b0699 0xb5f048ab 0x1167f69a 0x3d02f44b 0xe1bdc8f3 0x533eaa9c
> 0xd2ce119d 0xf34d90e7 0x9f470b92 0xa672fc84 0x25ce9a70 0x1ba0422f
> 0xa92f1dc2 0x8a6026e9 0xc06c080 0x23d300b0 0xe1c325aa 0x9c229a84
> 0x40a59d7 0x3f59c482 0x7eb27b44 0x9e6d300 0xbd36a4c4 0x5cc65b1
> 0xb5708d8a 0xfc19f30 0x11ce5b3 0xed2c646b 0x77492129 0x4b0382ab
> 0xcf7ac83d 0x93ca0078 0x6f4db3f7 0xd9934ef1 0x2bdb929c 0x4e0726fd
> 0x56568874 0xf0950b02 0x1b2c51ae 0x94d685a4 0x6edd9044 0xb62bb692
> 0x3b131cc8 0xce8c1649 0x41726a8 0x34282ad7 0x7c978b86 0xf970b5cc
> 0xc0505052 0x392a0a39 0xf9b25e93 0x5f32ff98 0x38b8ceda 0xda3a2855
> 0x2bbcb269 0x61db7b91>;
> - rsa,n0-inverse = <0xc1255a8f>;
> - rsa,num-bits = <0x800>;
> - rsa,r-squared = <0x50fdcf54 0x76c283ab
> 0x897a6a96 0x5011d310 0xc70c897 0x638fdc61 0xbde79c4c 0x5a66d6a5
> 0x7747e613 0xcac6b564 0x62456d6c 0x73d3f181 0xfd1d48ae 0xf8159021
> 0xa5c7cadf 0xf3ea3aee 0x3a801e43 0xc4d573cd 0x2c7e8dc 0x44030a5d
> 0xa679da1f 0xad11fad2 0x93fc1da4 0xb3ca4d43 0x30cb4202 0xab21f661
> 0x57041882 0xa63b5c94 0x89c38732 0x8f2b191 0xe9e4a99 0x8292fc7f
> 0x6e7cf63a 0x9eef2fab 0xa1414bfc 0xfdea67c0 0x713fe78d 0xaf176725
> 0x72168246 0x7ab0706d 0xac7f19b4 0x500118c8 0x5915e449 0xaf2cf688
> 0xb70d5fbb 0x8740ba88 0xc89fde6a 0x91931a8d 0x915b76b5 0x5dfcb2e9
> 0x7fe48d92 0xfec26649 0x541dd9c7 0x82c4957 0xb1a7b46 0x1b29c87d
> 0xbb76c881 0x8da006a5 0xeaacff4 0xf39c1d12 0x82cc7dfa 0xc8de4237
> 0xf03ee80d 0xb060a204>;
> - };
> - };
> -
>
>
> But the u-boot control dtb does not impose any requirement that the FIT image
> structure MUST have.
> I think this is the reason for the behaviour I observe.
> It would be better to add the FIT nodes structure to the u-boot dtb for a
> case like mine.
>
> I am attaching my 2 its files, one that requires a signature and a
> second that requires only a hash.
> Both flawlessly boot the kernel.
>
> There is also the script I use for signing and the CTRL_FDT file my-iuboot.dtb
I compared your images to some examples I have and they seem correct. It may seem silly, but do you have CONFIG_FIT_SIGNATURE set?

Also: note that `iminfo` will only report if *image* (not conf) signatures are correct. The conf signatures will be verified, but only when you boot (or source) the image using a particular config.

--Sean

> On Mon, Oct 14, 2024 at 5:24 PM Sean Anderson <[email protected]> wrote:
>>
>> Hi Lev,
>>
>> On 10/14/24 04:42, Lev R. Oshvang wrote:
>> > Hi Sean,
>> >
>> > I am looking for help with a U-Boot FIT signatures problem.
>> >
>> > I started to work with FIT images (u-boot 2024) and managed to sign the
>> > kernel and load this image with U-Boot using the 'required' property in
>> > the signature as:
>> >
>> > signature-1 {
>> >     algo = "sha1,rsa2048";
>> >     key-name-hint = "dev_key";
>> >     sign-images="kernel";
>> >     required="conf";
>> > };
>> >
>> > iminfo reports:
>> >
>> > ## Checking hash(es) for FIT Image at 01000000 ...
>> > Hash(es) for Image 0 (kernel-1): sha256+ sha256,rsa2048:dev_key-
>> >
>> > To test the procedure, I generated another private key and signed
>> > another kernel with this new key on another Linux host.
>> >
>> > I expected bootm to fail, but it just happily loads this image!!!
>> >
>> > Even an image without a signature but with a valid hash is not
>> > rejected, against my expectations.
>> >
>> > In this case iminfo reports only that the hash is OK.
>>
>> Did you embed the public key into your U-Boot devicetree with `mkimage -K`?
>>
>> --Sean
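As an added illustration of the layout Sean's reply describes (this is not one of Lev's .its files and not code from the thread), here is a .its where the image nodes carry only hashes and the signature sits on the configuration: `iminfo` then shows only the image hashes, and the rsa signature is checked when that configuration is selected at `bootm` time, provided the key was embedded with `mkimage -K` and marked required and U-Boot has CONFIG_FIT_SIGNATURE. File names, load/entry addresses and the key name are assumed.

```dts
/dts-v1/;
/* Added example .its (assumed paths, addresses and key name), showing a
 * configuration-level signature. Image nodes carry hashes only; the signature
 * in conf-1 covers both images, so `iminfo` prints just "sha256+" for them
 * while the rsa signature is verified only when conf-1 is booted. */
/ {
	description = "Signed FIT (configuration signature)";
	#address-cells = <1>;

	images {
		kernel-1 {
			description = "Linux kernel";
			data = /incbin/("Image");        /* assumed path */
			type = "kernel";
			arch = "arm64";
			os = "linux";
			compression = "none";
			load = <0x80080000>;              /* assumed */
			entry = <0x80080000>;             /* assumed */
			hash-1 { algo = "sha256"; };
		};
		fdt-1 {
			description = "Board device tree";
			data = /incbin/("board.dtb");     /* assumed path */
			type = "flat_dt";
			arch = "arm64";
			compression = "none";
			hash-1 { algo = "sha256"; };
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			description = "Boot kernel-1 with fdt-1";
			kernel = "kernel-1";
			fdt = "fdt-1";
			/* Sign and embed the key in one step (keys/dev_key.key assumed):
			 *   mkimage -f image.its -k keys -K u-boot.dtb -r image.fit
			 * -K writes /signature/key-dev_key into the control dtb; -r marks it
			 * required = "conf", so a configuration that is unsigned or signed
			 * with another key fails verification at boot, even if its hashes
			 * are valid. */
			signature-1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev_key";
				sign-images = "kernel", "fdt";
			};
		};
	};
};
```

Without `required` in the control dtb's key node, a missing or foreign-key signature only downgrades the result to the hash check, which matches the "happily loads" behaviour described in the thread.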

