From: Moiz Imtiaz <moizimtiaz1@gmail.com>
To: u-boot@lists.denx.de
Cc: sjg@chromium.org
Subject: Problem with U-boot | Configuration Signature not being checked while booting
Date: Fri, 10 Sep 2021 01:21:01 +0500
Message-ID: <CAMHoVnq59tQTFyrKSnTZcohGiPwPMNdR0Jb1FEovgDBDcVL0eA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1569 bytes --]

Hope you are doing well and everything is going good at your end. I am
using Raspi 4B and Compute Model 4 and trying to configure U-boot with
Verified boot support, *but while booting the signing of the configuration
is not being checked*. I am using the latest master branch from GitHub.
<https://github.com/u-boot/u-boot>

We have checked the signature verification via the *"fit_check_sign"*
utility that comes with u-boot and it does verify the configuration of the
signature, so I am sure that the image is signed properly and the Control
FDT is good as well.

[image: fit_check_sign.png]

But while booting, it doesn't check the signature of the configuration. It
should be showing "*Verifying Hash Integrity ... sha1,rsa2048:dev+ OK*"
[image: image.png]

*I believe that maybe I am not adding Control FDT in the U-boot binary
properly.* Following is the command that I am using to add control FDT to
U-boot.

$ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
I have also tried
$ make DEV_TREE_BIN=bcm2711-rpi-4-b-pubkey.dtb -j8

The byte size of the u-boot.bin and u-boot-nodtb.bin after using both the
above commands is the same.

Attached are the FIT source file, rpi_4_defconfig and the control FDT file.
Also, the following has been added in configs/rpi_4_defconfig.

CONFIG_OF_CONTROL=y
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
CONFIG_RSA=y

*Can you please help me with how to add Control FDT to the U-boot.bin
binary or what can be the reason that it isn't checking the signature of
the configuration while booting? Any kind of help would be really
appreciated.*

[-- Attachment #2: rpi_4_defconfig --]
[-- Type: application/octet-stream, Size: 1613 bytes --]

CONFIG_ARM=y
CONFIG_ARCH_BCM283X=y
CONFIG_SYS_TEXT_BASE=0x00080000
CONFIG_TARGET_RPI_4=y
CONFIG_SYS_MALLOC_F_LEN=0x2000
CONFIG_ENV_SIZE=0x4000
CONFIG_DISTRO_DEFAULTS=y
CONFIG_OF_BOARD_SETUP=y
CONFIG_USE_PREBOOT=y
CONFIG_PREBOOT="pci enum; usb start;"
# CONFIG_DISPLAY_CPUINFO is not set
# CONFIG_DISPLAY_BOARDINFO is not set
CONFIG_MISC_INIT_R=y
CONFIG_SYS_PROMPT="U-Boot> "
CONFIG_CMD_DFU=y
CONFIG_CMD_GPIO=y
CONFIG_CMD_MMC=y
CONFIG_CMD_PCI=y
CONFIG_CMD_USB=y
CONFIG_CMD_FS_UUID=y
CONFIG_OF_BOARD=y
CONFIG_ENV_FAT_DEVICE_AND_PART="0:1"
CONFIG_SYS_RELOC_GD_ENV_ADDR=y
CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG=y
CONFIG_TFTP_TSIZE=y
CONFIG_DM_DMA=y
CONFIG_DFU_MMC=y
CONFIG_SYS_DFU_DATA_BUF_SIZE=0x100000
CONFIG_SYS_DFU_MAX_FILE_SIZE=0x200000
CONFIG_MMC_SDHCI=y
CONFIG_MMC_SDHCI_SDMA=y
CONFIG_MMC_SDHCI_BCM2835=y
CONFIG_DM_ETH=y
CONFIG_BCMGENET=y
CONFIG_PCI=y
CONFIG_PCI_BRCMSTB=y
CONFIG_PINCTRL=y
# CONFIG_PINCTRL_GENERIC is not set
CONFIG_DM_RESET=y
CONFIG_DM_RNG=y
CONFIG_RNG_IPROC200=y
# CONFIG_REQUIRE_SERIAL_CONSOLE is not set
CONFIG_USB=y
CONFIG_DM_USB_GADGET=y
CONFIG_USB_XHCI_HCD=y
CONFIG_USB_XHCI_PCI=y
CONFIG_USB_KEYBOARD=y
CONFIG_USB_GADGET=y
CONFIG_USB_GADGET_MANUFACTURER="FSL"
CONFIG_USB_GADGET_VENDOR_NUM=0x0525
CONFIG_USB_GADGET_PRODUCT_NUM=0xa4a5
CONFIG_USB_GADGET_DWC2_OTG=y
CONFIG_USB_GADGET_DOWNLOAD=y
CONFIG_DM_VIDEO=y
# CONFIG_VIDEO_BPP8 is not set
# CONFIG_VIDEO_BPP16 is not set
CONFIG_SYS_WHITE_ON_BLACK=y
CONFIG_CONSOLE_SCROLL_LINES=10
CONFIG_PHYS_TO_BUS=y
CONFIG_OF_LIBFDT_OVERLAY=y
CONFIG_CMD_BOOTI=y
CONFIG_ENABLE_VBOOT=y
CONFIG_RSA=y
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
CONFIG_OF_CONTROL=y

[-- Attachment #3: image.its --]
[-- Type: application/octet-stream, Size: 1153 bytes --]

/dts-v1/;
/ {
    description = "RPi FIT Image";
    #address-cells = <1>;
    images {
        kernel-1 {
            description = "default kernel";
            data = /incbin/("/media/dodain/BOOT-A/kernel8.img");
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load =  <0x00080000>;
            entry = <0x00080000>;
            hash-1 {
                algo = "sha1";
            };
        };
        fdt-1 {
            description = "device tree";
            data = /incbin/("/media/dodain/BOOT-A/bcm2711-rpi-4-b.dtb");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            hash-1 {
                algo = "sha1";
            };
        };
    };
    configurations {
        default = "config-1";
        config-1 {
            description = "default configuration";
            kernel = "kernel-1";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "fdt", "kernel";
            };
        };
    };
};

[-- Attachment #4: bcm2711-rpi-4-b-pubkey.dtb --]
[-- Type: application/octet-stream, Size: 50114 bytes --]
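
A check that can be run on the build outputs named in the message, added here as an example and not part of the original email or of U-Boot: it scans a binary for flattened devicetree blobs and reports any `/signature/<key>` node. It assumes the key-node properties that mkimage writes into a control FDT (`algo`, `required`, `rsa,modulus`); the function names are hypothetical.

```python
import struct, sys

FDT_MAGIC = b"\xd0\x0d\xfe\xed"
BEGIN_NODE, END_NODE, PROP, END = 1, 2, 3, 9   # FDT structure-block tokens

def fdt_props(blob):
    """Yield (node_path, property_name, value) from one flattened devicetree."""
    _, total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    pos, path = off_struct, []
    while pos + 4 <= total:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:
            end = blob.index(b"\0", pos)
            path.append(blob[pos:end].decode())
            pos = (end + 4) & ~3            # skip the NUL, align to 4 bytes
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            start = off_strings + nameoff
            name = blob[start:blob.index(b"\0", start)].decode()
            yield "/".join(path) or "/", name, blob[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
        elif tok == END:
            return

def signing_keys(image):
    """List (fdt_offset, key_node, algo, required, has_modulus) per key node."""
    out, at = [], image.find(FDT_MAGIC)
    while at != -1:
        keys = {}
        try:
            total = struct.unpack_from(">I", image, at + 4)[0]
            if 40 <= total <= len(image) - at:
                for node, name, val in fdt_props(image[at:at + total]):
                    if node.startswith("/signature/"):   # assumed key location
                        keys.setdefault(node, {})[name] = val
        except (ValueError, IndexError, struct.error):
            keys = {}                        # magic matched by chance, not an FDT
        for node, p in keys.items():
            text = lambda k: p.get(k, b"").rstrip(b"\0").decode() or None
            out.append((at, node, text("algo"), text("required"), "rsa,modulus" in p))
        at = image.find(FDT_MAGIC, at + 4)
    return out

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. u-boot.bin u-boot-nodtb.bin
        with open(path, "rb") as f:
            print(path, signing_keys(f.read()) or "no /signature key node found")
```

Run against `u-boot.bin`, `u-boot-nodtb.bin` and the public-key DTB, it shows which of them actually carries the key node and what `algo` and `required` values that node holds.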
