
Hi Simon,
Thanks for the reply. I already followed the steps mentioned in "doc/uImage.FIT/beaglebone_vboot.txt".
> I wonder if rpi is not using the devicetree compiled with U-Boot, but
> instead one provided by the earlier-stage firmware?

Not sure, but it seems like this is the case. I checked and there isn't any dtb or dts for rpi4 (bcm2711-rpi-4-b) in arch/arm/dts in u-boot. I tried to add the dtb and the other dts/dtsi files from the Raspberry Pi Linux tree (https://github.com/raspberrypi/linux/tree/rpi-5.10.y/arch/arm64/boot/dts/broadcom) and compile them with CONFIG_OF_SEPARATE and CONFIG_OF_EMBED (one at a time), *but then U-Boot couldn't even boot and it would just give a blank screen*. I wonder why there isn't any device tree in the U-boot repo for RPI4. Is U-boot control FDT not supported by RPI4?

And if I use CONFIG_OF_BOARD (the default rpi_4 configuration), it takes us back to the initial problem: the signature not being checked.

> Can you check that the required 'signature' node is present? You can use
> the 'fdt' command in U-Boot to look at it.

I tried "fdt checksign" but it didn't return anything. Screenshot inlined; image.itb is the FIT image. If I am doing it wrong, or some other command needs to be executed, please let me know.
[image: image.png]
Just for reference, I am inlining the steps I followed:

1. Clone the master branch of u-boot.
2. Add FIT, RSA & SIGNATURE support to rpi_4_defconfig.
3. Build with 64-bit architecture (CROSS_COMPILE=aarch64-linux-gnu-).
4. Build U-boot:
   $ make -j8
5. Copy the device tree and make a clone by appending the pubkey to it:
   $ cp bcm2711-rpi-4-b.dtb bcm2711-rpi-4-b-pubkey.dtb
6. Generate the keys, make the .its file and sign it with the following commands:
   $ mkdir keys
   $ openssl genrsa -F4 -out keys/dev.key 2048
   $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
   $ mkimage -f image.its -K bcm2711-rpi-4-b-pubkey.dtb -k keys -r image.itb
7. Rebuild u-boot with the control FDT (bcm2711-rpi-4-b-pubkey.dtb):
   $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
8. Copy u-boot.bin and image.itb to the boot partition.

But since I had CONFIG_OF_BOARD set, I am assuming it didn't add the control FDT into u-boot.bin, as the byte size of both binaries (u-boot.bin & u-boot-nodtb.bin) was the same. I tried to concatenate them with cat, but while booting, U-Boot still didn't read the control FDT.

Can anyone please help with enabling verified boot (signature check) support for Raspberry Pi 4? It's a very mainstream board and support for it would be great to have. I am willing to contribute whatever I can.

Best,
Moiz Imtiaz
On Fri, Sep 10, 2021 at 9:37 AM Simon Glass sjg@chromium.org wrote:
> +Tom Rini
>
> Hi Moiz,
>
> On Thu, 9 Sept 2021 at 14:21, Moiz Imtiaz moizimtiaz1@gmail.com wrote:
> >
> > Hope you are doing well and everything is going good at your end. I am
> > using a Raspi 4B and Compute Module 4 and trying to configure U-boot with verified boot support, but while booting, the signature of the configuration is not being checked. I am using the latest master branch from GitHub.
> >
> > We have checked the signature verification via the "fit_check_sign"
> > utility that comes with u-boot and it does verify the signature of the configuration, so I am sure that the image is signed properly and the control FDT is good as well.
> > But while booting, it doesn't check the signature of the configuration.
> > It should be showing "Verifying Hash Integrity ... sha1,rsa2048:dev+ OK".
> >
> > I believe that maybe I am not adding the control FDT to the U-boot binary
> > properly. Following is the command that I am using to add the control FDT to U-boot:
> >
> >   $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
> >
> > I have also tried:
> >
> >   $ make DEV_TREE_BIN=bcm2711-rpi-4-b-pubkey.dtb -j8
> >
> > The byte size of u-boot.bin and u-boot-nodtb.bin after using both
> > of the above commands is the same.
> >
> > Attached is the FIT source file, rpi_4_defconfig and the control FDT
> > file. Also, the following has been added in configs/rpi_4_defconfig:
> >
> >   CONFIG_OF_CONTROL=y
> >   CONFIG_FIT=y
> >   CONFIG_FIT_SIGNATURE=y
> >   CONFIG_RSA=y
> >
> > Can you please help me with how to add the control FDT to the u-boot.bin
> > binary, or what the reason can be that it isn't checking the signature of the configuration while booting? Any kind of help would be really appreciated.
>
> There is an example of this flow in the sandbox vboot test. There is also an example for Beaglebone Black in doc/uImage.FIT/beaglebone_vboot.txt.
>
> I wonder if rpi is not using the devicetree compiled with U-Boot, but instead one provided by the earlier-stage firmware? Can you check that the required 'signature' node is present? You can use the 'fdt' command in U-Boot to look at it.
>
> Looking at rpi_4, it uses CONFIG_OF_BOARD, which means it has its own special way of getting the devicetree into U-Boot. The older boards use CONFIG_OF_EMBED, which is actually not even allowed in production boards....
>
> Also you may need the -r argument to mkimage to mark the key as required.
>
> Regards,
> Simon
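The point Simon raises about CONFIG_OF_BOARD is that the devicetree U-Boot runs with comes from the earlier-stage firmware, so the /signature node that mkimage -K wrote into bcm2711-rpi-4-b-pubkey.dtb never reaches U-Boot and there is nothing to enforce the configuration signature against. The following Python is an editor's added example (not code from this thread or from U-Boot): it parses a flattened device tree and reports whether a /signature/<key> node marked required = "conf" is present; build_dtb, the key node contents (real key material omitted) and both sample trees are constructed for the example, and the parser assumes a well-formed DTB.

```python
import struct
FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9  # DTB magic and structure tokens
pad = lambda b: b + b"\0" * (-len(b) % 4)  # node names and property values are padded to 4 bytes

def _node(name, props, children, strings):
    out = struct.pack(">I", BEGIN_NODE) + pad(name.encode() + b"\0")
    for pname, value in props.items():
        out += struct.pack(">3I", PROP, len(value), len(strings)) + pad(value)
        strings.extend(pname.encode() + b"\0")  # property names live in the shared strings block
    for child in children:
        out += _node(*child, strings)
    return out + struct.pack(">I", END_NODE)

def build_dtb(root):  # constructed helper: serialise a (name, props, children) tree into a minimal DTB
    strings = bytearray()
    body = _node(*root, strings) + struct.pack(">I", END)
    hdr = struct.pack(">10I", FDT_MAGIC, 56 + len(body) + len(strings), 56, 56 + len(body),
                      40, 17, 16, 0, len(strings), len(body))  # 40-byte header + 16-byte empty rsvmap
    return hdr + b"\0" * 16 + body + bytes(strings)

def parse_dtb(blob):  # well-formed DTB -> {node_path: {prop_name: raw_bytes}}; the root node is '/'
    _magic, _size, off_struct, off_strings = struct.unpack_from(">4I", blob)
    nodes, path, pos = {}, [], off_struct
    while True:
        tok, pos = struct.unpack_from(">I", blob, pos)[0], pos + 4
        if tok == BEGIN_NODE:
            path.append(blob[pos:blob.index(b"\0", pos)].decode())
            nodes["/" + "/".join(path[1:])] = {}  # the root's name is empty, so it maps to '/'
            pos += len(pad(path[-1].encode() + b"\0"))
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", blob, pos)
            pname = blob[off_strings + nameoff:blob.index(b"\0", off_strings + nameoff)]
            nodes["/" + "/".join(path[1:])][pname.decode()] = blob[pos + 8:pos + 8 + length]
            pos += 8 + len(pad(blob[pos + 8:pos + 8 + length]))
        elif tok == END:
            return nodes

def check_control_fdt(blob):  # problems that make U-Boot skip enforcing FIT configuration signatures
    nodes = parse_dtb(blob)
    keys = [p for p in nodes if p.startswith("/signature/")]
    if not keys:
        return ["no /signature/<key> node: the public key was never added to this DTB (mkimage -K)"]
    return [p + ': not marked required = "conf" (sign with mkimage -r)' for p in keys
            if nodes[p].get("required", b"").rstrip(b"\0") != b"conf"]
# Constructed samples: what mkimage -K -r leaves in a control FDT, versus a board-supplied DTB that never saw it.
KEY_DEV = ("key-dev", {"algo": b"sha256,rsa2048\0", "key-name-hint": b"dev\0", "required": b"conf\0"}, [])
SIGNED_CTRL_FDT = build_dtb(("", {"compatible": b"raspberrypi,4-model-b\0"}, [("signature", {}, [KEY_DEV])]))
PLAIN_BOARD_DTB = build_dtb(("", {"compatible": b"raspberrypi,4-model-b\0"}, []))
```

Running check_control_fdt over the DTB that U-Boot actually booted with, rather than the one that was signed on the host, tells you directly which of the two situations applies.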