* [Buildroot] fitImage: proposal to sign images into fitImage
@ 2019-07-22 7:07 Mickaël Tansorier
2019-07-22 8:42 ` Jan Willem Janssen
0 siblings, 1 reply; 3+ messages in thread
From: Mickaël Tansorier @ 2019-07-22 7:07 UTC (permalink / raw)
To: buildroot
Hello,
In project, I worked to add option in builroot to sign kernel and
devicetree image for fitImage.
Uboot support fitImage signature check, but buildroot have no option to
build fitImage with specific signature.
I would like to propose patch, but I'm not sure about the best practice
to do that. Have you any suggestion ?
I can send you my patch (draft) to improve it.
My idea is to add variables to get path of `its` file, `dts` to describe
public key for uboot, and server where to download keys to sign in
Config.in.
Then in `uboot.mk`:
- I download keys
- I replace kernel name, dtb name, and keys name in `its` file. (To
get right path to its).
- I replace keys name in `dts` file
- I compile `dts` to `dtb` with space to add pubic key
- I compile fitImage with `mkimage`
It could be find if this can be generic.
I appreciate if any of you have idea or suggertion.
Thank.
Regards.
--
Tansorier Micka?l
Smile ECS / OpenWide Ing?nierie
D?l?gu? du Personnel pour l'agence de Nantes
[Pr?serve ta libert?: https://gafam.laquadrature.net/]
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] fitImage: proposal to sign images into fitImage
2019-07-22 7:07 [Buildroot] fitImage: proposal to sign images into fitImage Mickaël Tansorier
@ 2019-07-22 8:42 ` Jan Willem Janssen
2019-07-22 10:01 ` Mickaël Tansorier
0 siblings, 1 reply; 3+ messages in thread
From: Jan Willem Janssen @ 2019-07-22 8:42 UTC (permalink / raw)
To: buildroot
On Mon, 2019-07-22 at 09:07 +0200, Micka?l Tansorier wrote:
> Hello,
>
> In project, I worked to add option in builroot to sign kernel and
> devicetree image for fitImage.
>
> Uboot support fitImage signature check, but buildroot have no option to
> build fitImage with specific signature.
>
> I would like to propose patch, but I'm not sure about the best practice
> to do that. Have you any suggestion ?
> I can send you my patch (draft) to improve it.
Cool, I think this could be a very useful addition to buildroot! You can just mail your
patch against the buildroot repo to this mailing list (see [1]) to get feedback on it.
>
> My idea is to add variables to get path of `its` file, `dts` to describe
> public key for uboot, and server where to download keys to sign in
> Config.in.
> Then in `uboot.mk`:
> - I download keys
> - I replace kernel name, dtb name, and keys name in `its` file. (To
> get right path to its).
> - I replace keys name in `dts` file
> - I compile `dts` to `dtb` with space to add pubic key
> - I compile fitImage with `mkimage`
That is more or less what I do as well to create my own signed images (only using a custom
post-image script). Only, I use a small HSM which needs to be addressed through PKCS#11
which requires some tricks to work properly (I can expand on the details if needed).
One thing that we need to be careful of is the "key management", or how do we ensure that
the signing key is not lingering around for longer than necessary or might not even be
physically available (in case of a HSM).
Other than this, I think it would be a nice addition to buildroot!
Regards,
Jan Willem
1. https://buildroot.org/downloads/manual/manual.html#patch-policy
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] fitImage: proposal to sign images into fitImage
2019-07-22 8:42 ` Jan Willem Janssen
@ 2019-07-22 10:01 ` Mickaël Tansorier
0 siblings, 0 replies; 3+ messages in thread
From: Mickaël Tansorier @ 2019-07-22 10:01 UTC (permalink / raw)
To: buildroot
On 22/07/2019 10:42, Jan Willem Janssen wrote:
> On Mon, 2019-07-22 at 09:07 +0200, Micka?l Tansorier wrote:
>> Hello,
>>
>> In project, I worked to add option in builroot to sign kernel and
>> devicetree image for fitImage.
>>
>> Uboot support fitImage signature check, but buildroot have no option to
>> build fitImage with specific signature.
>>
>> I would like to propose patch, but I'm not sure about the best practice
>> to do that. Have you any suggestion ?
>> I can send you my patch (draft) to improve it.
>
> Cool, I think this could be a very useful addition to buildroot! You can just mail your
> patch against the buildroot repo to this mailing list (see [1]) to get feedback on it.
Thank you for the reply.
I attach my patch (I adapt it because my project was very specific).
>
>>
>> My idea is to add variables to get path of `its` file, `dts` to describe
>> public key for uboot, and server where to download keys to sign in
>> Config.in.
>> Then in `uboot.mk`:
>> - I download keys
>> - I replace kernel name, dtb name, and keys name in `its` file. (To
>> get right path to its).
>> - I replace keys name in `dts` file
>> - I compile `dts` to `dtb` with space to add pubic key
>> - I compile fitImage with `mkimage`
>
> That is more or less what I do as well to create my own signed images (only using a custom
> post-image script). Only, I use a small HSM which needs to be addressed through PKCS#11
> which requires some tricks to work properly (I can expand on the details if needed).
>
> One thing that we need to be careful of is the "key management", or how do we ensure that
> the signing key is not lingering around for longer than necessary or might not even be
> physically available (in case of a HSM).
>
> Other than this, I think it would be a nice addition to buildroot!
I have limitation in my case, because I can use only one kernel and dtb
into my its. The reason is I replace path to kernel and dtb by absolute
path. Maybe, users can anticipate it in there conf.
This is kind of dts and its I use:
u-boot_pubkey.dts
```
/dts-v1/;
/ {
model = "Keys";
compatible ="vendor,board";
signature {
key-%KEYNAME% {
required = "image";
algo = "sha256,rsa4096";
key-name-hint = "%KEYNAME%";
};
};
};
```
fitImage.its
```
/ {
description = "fitImage for sign Kernel image and DTB";
#address-cells = <1>;
images {
kernel at 1 {
description = "Linux Kenel";
data = /incbin/("%KERNEL%");
type = "kernel";
arch = "arm";
os = "linux";
compression = "none";
load = <0x15000000>;
entry = <0x15000000>;
signature at 1 {
algo = "sha256,rsa4096";
key-name-hint = "%KEYNAME%";
};
};
fdt at 1 {
description = "Devicetree";
data = /incbin/("%DTB%");
type = "flat_dt";
arch = "arm";
compression = "none";
load = <0x18000000>;
entry = <0x18000000>;
signature at 1 {
algo = "sha256,rsa4096";
key-name-hint = "%KEYNAME%";
};
};
};
configurations {
default = "conf at 1";
conf at 1 {
kernel = "kernel at 1";
fdt = "fdt at 1";
};
};
};
```
>
> Regards,
>
> Jan Willem
>
>
> 1. https://buildroot.org/downloads/manual/manual.html#patch-policy
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>
Regards,
--
Tansorier Micka?l
Smile ECS / OpenWide Ing?nierie
D?l?gu? du Personnel pour l'agence de Nantes
[Pr?serve ta libert?: https://gafam.laquadrature.net/]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-uboot-Add-config-to-sign-images-in-fitImage.patch
Type: text/x-patch
Size: 4113 bytes
Desc: not available
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20190722/6e20d667/attachment.bin>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-07-22 10:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-22 7:07 [Buildroot] fitImage: proposal to sign images into fitImage Mickaël Tansorier
2019-07-22 8:42 ` Jan Willem Janssen
2019-07-22 10:01 ` Mickaël Tansorier
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.