Hi Rasmus,
On Wed, 22 Jan 2025 at 16:27, Rasmus Villemoes ravi@prevas.dk wrote:
On Wed, Jan 22 2025, "Rosenschild, Klaus" Klaus.Rosenschild@hilti.com wrote:
Hi Rasmus, thank you for pointing to this solution. I think this is the best way to do this.
However, our signing server is very well protected and making changes there is a long and complex process. Right now, it only provides the following two functions:
generation of a signature of a sha256 hash using the private key 2. providing the public key, the pure key, not the certificate
I found a workaround to determine the hash that mkimage uses to create the signature of the configuration without re-implementing the internal algorithm that mkimage uses:
create a temporary rsa private and public key 2. run mkimage to create a FIT image with signature: mkimage -k keys-f fitImage-sign-orig.its -r fitImage-sign 3. extract the signature from the FIT image 4. re-generate the hash from the signature and the public key: openssl pkeyutl -verifyrecover -in signFile.hash.sign.bin -pubin -inkey ../keys/build.pub -asn1parse 5. now, I can send the hash to the signing server, get the correct signature back and re-enter it into the FIT image (e.g. via python libfdt)
Urgh, it shouldn't be that complicated, and I would consider it quite reasonable if mkimage could be instructed to emit the hash it actually signs along with the signature.
Yes that sounds useful.
But, I do think you should be able to create a pkcs#11 module which simply takes that sha256 as input from the higher layers and does whatever it needs to do to talk to the server, getting the signature back.
However, there is now another problem. I also need to put the public key into the device tree file. So, I have to run a slightly different mkimage command (with -K option): mkimage -k keys -f fitImage-sign-orig.its -r -K bcm2711-rpi-4-b.dtb fitImage-sign
Note also that you don't need the original source. You can use the -F option.
However, the -K options requires a certificate and not just the public.
Yeah, that is a fundamental design flaw of mkimage; one shouldn't need to sign any image in order to get the public key data embedded in u-boot's control dtb.
It would be nice to have a way to generate an instructions file, which contains the hash to be signed, then a way to read the result file, loading the private/public keys in as needed. In other words, split the operations of mkgimag into two.
Fortunately, you can ignore what most tutorials tell you about that -K option. There is a simple script in the u-boot repo, tools/key2dtsi.py, which you can apply to just the public key, and you get a .dtsi fragment that you can include when you build u-boot's control dtb. Either you can use the CONFIG_DEVICE_TREE_INCLUDES mechanism for making sure that .dtsi gets picked up during build, or you can simply copy-paste the contents into your board's .dts file.
Rasmus
Regards, Simon