[Buildroot] fitImage: proposal to sign images into fitImage

[Jan Willem Janssen <j.w.janssen@lxtreme.nl>]

On Mon, 2019-07-22 at 09:07 +0200, Micka?l Tansorier wrote:
> Hello,
> 
> In project, I worked to add option in builroot to sign kernel and 
> devicetree image for fitImage.
> 
> Uboot support fitImage signature check, but buildroot have no option to 
> build fitImage with specific signature.
> 
> I would like to propose patch, but I'm not sure about the best practice 
> to do that. Have you any suggestion ?
> I can send you my patch (draft) to improve it.

Cool, I think this could be a very useful addition to buildroot! You can just mail your
patch against the buildroot repo to this mailing list (see [1]) to get feedback on it.

> 
> My idea is to add variables to get path of `its` file, `dts` to describe 
> public key for uboot, and server where to download keys to sign in 
> Config.in.
> Then in `uboot.mk`:
>   - I download keys
>   - I replace kernel name, dtb name, and keys name in `its` file. (To 
> get right path to its).
>   - I replace keys name in `dts` file
>   - I compile `dts` to `dtb` with space to add pubic key
>   - I compile fitImage with `mkimage`

That is more or less what I do as well to create my own signed images (only using a custom
post-image script). Only, I use a small HSM which needs to be addressed through PKCS#11
which requires some tricks to work properly (I can expand on the details if needed).

One thing that we need to be careful of is the "key management", or how do we ensure that
the signing key is not lingering around for longer than necessary or might not even be
physically available (in case of a HSM).

Other than this, I think it would be a nice addition to buildroot!

Regards,

  Jan Willem


1. https://buildroot.org/downloads/manual/manual.html#patch-policy