With UBOOT_SIGN_ENABLE enabled, commit 3fb215a3af24 (u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled) always adds the signature of UBOOT_SIGN_IMG_KEYNAME to the u-boot dtb, independent of FIT_SIGN_INDIVIDUAL. The kernel fitimage configuration node is signed with UBOOT_SIGN_KEYNAME, but the u-boot dtb contains the signature of UBOOT_SIGN_IMG_KEYNAME. U-boot is therefore unable to verify the signed kernel fitimage. Before that commit, the signatures of all keys used in the kernel fitimage would be added to the u-boot dtb.
To fix this, always add the signature of UBOOT_SIGN_KEYNAME for configuration nodes to the u-boot dtb. If FIT_SIGN_INDIVIDUAL is 1, also add the signature of UBOOT_SIGN_IMG_KEYNAME for individual images. This has one drawback at the moment: the signing of individual images is not tested with fit_check_sign during concat_dtb.

Fixes: 3fb215a3af24 (u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled)
Reported-by: Rogerio Guerra Borin <rogerio.bo...@toradex.com>
Signed-off-by: Leonard Anderweit <l.anderw...@phytec.de>
---
Link to bug report: https://lists.openembedded.org/g/openembedded-core/topic/111218371#msg211507
---
 meta/classes-recipe/uboot-sign.bbclass | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 96c47ab01651..b2fcb5a31546 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -102,26 +102,36 @@ concat_dtb() { if [ -e "${UBOOT_DTB_BINARY}" ]; then # Re-sign the kernel in order to add the keys to our dtb - UBOOT_MKIMAGE_MODE="auto-conf" - # Signing individual images is not recommended as that - # makes fitImage susceptible to mix-and-match attack. - if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then - UBOOT_MKIMAGE_MODE="auto" - fi ${UBOOT_MKIMAGE_SIGN} \ ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ - -f $UBOOT_MKIMAGE_MODE \ + -f auto-conf \ -k "${UBOOT_SIGN_KEYDIR}" \ -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \ - -g "${UBOOT_SIGN_IMG_KEYNAME}" \ + -g "${UBOOT_SIGN_KEYNAME}" \ -K "${UBOOT_DTB_BINARY}" \ -d /dev/null \ -r ${B}/unused.itb \ ${UBOOT_MKIMAGE_SIGN_ARGS} + # Verify the kernel image and u-boot dtb ${UBOOT_FIT_CHECK_SIGN} \ -k "${UBOOT_DTB_BINARY}" \ -f ${B}/unused.itb + + # Signing individual images is not recommended as that + # makes fitImage susceptible to mix-and-match attack. + if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then + ${UBOOT_MKIMAGE_SIGN} \ + ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + -f auto \ + -k "${UBOOT_SIGN_KEYDIR}" \ + -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \ + -g "${UBOOT_SIGN_IMG_KEYNAME}" \ + -K "${UBOOT_DTB_BINARY}" \ + -d /dev/null \ + -r ${B}/unused.itb \ + ${UBOOT_MKIMAGE_SIGN_ARGS} + fi cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} fi -- 2.25.1
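Review bot: the ${UBOOT_FIT_CHECK_SIGN} call still runs only after the first (auto-conf) signing pass, so when FIT_SIGN_INDIVIDUAL is "1" the second ${UBOOT_MKIMAGE_SIGN} call (-f auto with -g "${UBOOT_SIGN_IMG_KEYNAME}") rewrites both ${UBOOT_DTB_BINARY} and ${B}/unused.itb after the check has already passed, and the final dtb that gets copied to ${UBOOT_DTB_SIGNED} is never verified; this is the gap the commit message itself acknowledges. Moving the check to just after the closing fi, i.e. running `${UBOOT_FIT_CHECK_SIGN} -k "${UBOOT_DTB_BINARY}" -f ${B}/unused.itb` once both passes have completed (or repeating it inside the if), would verify the dtb as it is actually shipped in both cases rather than only in the config-key-only case. On style, the two ${UBOOT_MKIMAGE_SIGN} invocations are identical except for the -f mode and the -g key name; a small shell function taking those two arguments would keep the long argument list from having to be maintained twice.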
View/Reply Online (#211761): https://lists.openembedded.org/g/openembedded-core/message/211761