
Hi Lev,
On 10/14/24 04:42, Lev R. Oshvang wrote:
Hi Sean,
I am looking for help with a U-Boot FIT signature problem.
I started to work with a FIT image (U-Boot 2024) and managed to sign the kernel and load this image with U-Boot, using the 'required' property in the signature as follows:
signature-1 {
    algo = "sha1,rsa2048";
    key-name-hint = "dev_key";
    sign-images = "kernel";
    required = "conf";
};
iminfo reports:
## Checking hash(es) for FIT Image at 01000000 ...
Hash(es) for Image 0 (kernel-1): sha256+ sha256,rsa2048:dev_key-
To test the procedure, I generated another private key and signed another kernel with this new key on another Linux host.
I expected bootm to fail, but it just happily loads this image!!!
Even an image without a signature but with a valid hash is not rejected against my expectations.
In this case iminfo reports only that the hash is OK.
Did you embed the public key into your U-Boot devicetree with `mkimage -K` ?
--Sean