[0/3] Implement signing FIT images during image build

Message ID 20240916082446.32082-1-al.kochet@gmail.com

Alexander Kochetkov Sept. 16, 2024, 8:24 a.m. UTC
From: Alexander Kochetkov <al.kochet@gmail.com>

Hello!

I've done verified boot on Radxa Rock 3A. I've embedded the public key in U-Boot
SPL and signed the FIT image configuration. All the work was done during the U-Boot
image build. For some use cases building and signing images in one go will be
much simpler than building unsigned images and signing later. For example, the
SPL image for rk3568, called idbloader.img, consists of TPL, U-Boot SPL and
U-Boot SPL DTB with the public key. So in order to assemble a signed idbloader.img
later we have to keep all the intermediate files used during the build.

To embed public key, I've replaced u-boot-spl node with blob-ext and generated
u-boot-spl-with-pubkey-dtb blob using u-boot-spl-pubkey-dtb entry.

To sign FIT image I've used newly implemented fit property 'fit,sign'.

I haven't signed the FIT image nodes, because I had realized that signing the
configuration is safe and sufficient for verified boot. But I have doubts.
So I've left that signing scheme in the test.

What do you think, is using a signed configuration and signed images at the same
time much safer, or does it not provide any benefits?

Now I'm thinking about implementing a configuration option, something like
FIT_SIGNATURE_KEYDIR. The value of the option will be passed to binman
using -I.

Also I want to embed another public key in the configuration DTB, so
it will be used to verify the kernel FIT. But I couldn't figure out how to
do it using binman.

&binman {
    u-boot-spl-with-pubkey-dtb {
        filename = "u-boot-spl-with-pubkey-dtb.bin";

        u-boot-spl-nodtb {
        };

        u-boot-spl-pubkey-dtb {
            algo = "sha256,rsa2048";
            required = "conf";
            key-name-hint = "uboot-spl";
        };
    };

    simple-bin {
        ...
        mkimage {
            ...

#ifdef CONFIG_ROCKCHIP_EXTERNAL_TPL
            rockchip-tpl {
            };
#elif defined(CONFIG_TPL)
            u-boot-tpl {
            };
#endif
            blob-ext {
                filename = "u-boot-spl-with-pubkey-dtb.bin";
            };
        };

        fit: fit {
            ...
            fit,sign;
            ...

            configurations {
                default = "@config-DEFAULT-SEQ";
                @config-SEQ {
                    ...
#ifdef CONFIG_SPL_FIT_SIGNATURE
                    signature {
                        algo = "sha256,rsa2048";
                        key-name-hint = "uboot-spl";
                        sign-images = "firmware", "loadables", "fdt";
                    };
#endif
                };
            };
        };
    };
}


Alexander Kochetkov (3):
  binman: fix passing loadables to mkimage on first run
  image-host: fix 'unknown error' error message
  binman: implement signing FIT images during image build

 tools/binman/btool/mkimage.py           |  5 +-
 tools/binman/entries.rst                |  7 ++
 tools/binman/etype/fit.py               | 57 +++++++++++++-
 tools/binman/ftest.py                   | 95 ++++++++++++++++++++++++
 tools/binman/test/326_fit_signature.dts | 98 +++++++++++++++++++++++++
 tools/binman/test/326_rsa2048.key       | 28 +++++++
 tools/binman/test/327_fit_signature.dts | 98 +++++++++++++++++++++++++
 tools/binman/test/328_fit_signature.dts | 61 +++++++++++++++
 tools/image-host.c                      |  2 +-
 9 files changed, 446 insertions(+), 5 deletions(-)
 create mode 100644 tools/binman/test/326_fit_signature.dts
 create mode 100644 tools/binman/test/326_rsa2048.key
 create mode 100644 tools/binman/test/327_fit_signature.dts
 create mode 100644 tools/binman/test/328_fit_signature.dts
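As an added illustration of the question raised in the cover letter (this is not code from the patch series or from U-Boot), here is a constructed Python model of what a configuration signature covers compared with per-image signatures: the configuration signature binds the digests of every image named in sign-images, so swapping in a different but individually valid image breaks it, whereas per-image signatures accept any combination of signed images. It assumes HMAC-SHA256 as a stand-in for sha256,rsa2048, and the image names and payloads are made up.

```python
import hashlib
import hmac

# Properties whose referenced images a configuration signature covers,
# mirroring the sign-images list in the binman fragment above.
SIGN_IMAGES = ("firmware", "loadables", "fdt")

# Assumption: HMAC-SHA256 stands in for sha256,rsa2048 so the example runs
# with the standard library only; which bytes are covered is the point.
def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)

def image_digest(payload):
    return hashlib.sha256(payload).digest()

def config_message(config, images):
    """Bytes covered by a configuration signature: the configuration's own
    properties plus the digest of every image it references (constructed model)."""
    parts = [config["description"].encode()]
    for prop in SIGN_IMAGES:
        for name in config.get(prop, []):
            parts.append(name.encode() + b"=" + image_digest(images[name]))
    return b"\0".join(parts)

def verify_configuration(key, config, images, sig):
    try:  # a referenced image that is absent fails closed
        return verify(key, config_message(config, images), sig)
    except KeyError:
        return False

def verify_images_only(key, images, sigs):
    # Each image verifies on its own, independent of what it is combined with.
    return all(name in sigs and verify(key, image_digest(data), sigs[name])
               for name, data in images.items())

def demo():
    key = b"constructed-demo-key"
    v2 = {"u-boot": b"u-boot v2", "atf": b"bl31 v2", "fdt-1": b"dtb v2"}
    cfg = {"description": "rk3568", "firmware": ["u-boot"], "loadables": ["atf"], "fdt": ["fdt-1"]}
    cfg_sig = sign(key, config_message(cfg, v2))
    mixed = {**v2, "u-boot": b"u-boot v1"}  # older firmware, signed when v1 shipped
    sigs = {n: sign(key, image_digest(d)) for n, d in mixed.items()}
    return {"config_ok": verify_configuration(key, cfg, v2, cfg_sig),
            "config_rejects_mix": not verify_configuration(key, cfg, mixed, cfg_sig),
            "images_only_accept_mix": verify_images_only(key, mixed, sigs)}
```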