Hello, I have a question regarding the signing of a FIT image using mkimage. I already contacted DENX, they referred me to this mailing list.
mkimage supports the creation of a signed FIT image. To do this, we need to have an appropriate .its file and pass the private key as a parameter to the mkimage command: mkimage -f fitImage-sign.its -k keys/ fitImage-signed
However, this approach does not work in our setup, as we do not have access to the private key. The private key resides on an HSM (Hardware security module) that is not directly accessible for us. We can invoke signing related functions via an external signing server that takes a sha256 hash as input and returns the signed hash. Then we need to add the signed hash to the FIT image.
The replacement of a signature in a FIT image can be easily done using the FDT library. However, getting the sha256 hash that mkimage uses for the signing does not seems to be possible. I tried to reverse engineer the code, but it looks like that there are a lot of low level byte operations on the FIT image. Now my questions: Is there a way to get the SHA256 used for the signing somehow from the mkimage or via a different way? Is there somewhere a documentation how this hash is generated from the unsigned FIT image ?
Any help is very much appreciated.
Some more details below
Our system runs on a raspberry pi CM 4 module. We use Yocto scarthgap to build the SW images. The raspberry bootloader loads the U-boot which then boots the further system using a fit image. We need to support secure boot for this platform. As part of it, we need to have a signed fit image. Currently, we achieve this using the mkimage tool with the -k option to pass the private key. Via this procedure we are able to execute the secure boot successfully. However, our organization requires to use a dedicated signing server that implements an organization wide security infrastructure. It requires a hash (sha256) as input and returns a signature that is generated using the private key inside the signing server. Our challenges are now:
1. Get the hashes that mkimage uses as a base for the signatures 2. Manipulate the fit image to include the configuration signatures The attachments may provide further details.
Thank you very much and Regards
Klaus Rosenschild IoT solution architect OP BU Tool Services
Hilti Entwicklungsgesellschaft mbH Hiltistraße 6 | 86916 Kaufering
E klaus.rosenschild@hilti.commailto:klaus.rosenschild@hilti.com
www.hilti.dehttp://www.hilti.de/
Hilti Entwicklungsgesellschaft mbH Geschäftsführer: Dr. Olaf Schadoffsky Sitz der Gesellschaft: D-86916 Kaufering, Hiltistraße 6 Amtsgericht Augsburg HRB 16295
