From: Jamin Lin
Sent: Tuesday, May 19, 2026 9:17 AM
To: 'Adrian Freihofer' <[email protected]>
Cc: OE-core <[email protected]>; Troy Lee <[email protected]>; Vince Chang <[email protected]>; [email protected]
Subject: RE: [OE-core] [PATCH v1] kernel-fit-image: Check signing key files based on algorithm

Hi Adrian, Paul

Thanks for the review and suggestions.

The handling of RSA and ECDSA keys in mkimage is different. For ECDSA, mkimage only uses the .pem file format as the private key for signing the image. It does not use separate .key and .crt files.

However, OE/fitimage.py currently requires users to provide both .key and .crt files. As a result, when users want to use the ECDSA algorithm, they are required to prepare .pem, .key, and .crt files, even though only the .pem file is actually used by mkimage. The .key and .crt files are only needed to satisfy the OE/fitimage.py requirements.

Please also refer to the ECDSA implementation in U-Boot:
https://github.com/u-boot/u-boot/blob/master/lib/ecdsa/ecdsa-libcrypto.c

If you believe that users should still be required to provide .key and .crt files in OE/fitimage, then this patch can be dropped.

Thanks,
Jamin

Sorry, I forgot to remove the following disclaimer notice.

From: Adrian Freihofer <[email protected]>
Sent: Tuesday, May 19, 2026 5:40 AM
To: Jamin Lin <[email protected]>
Cc: OE-core <[email protected]>; Troy Lee <[email protected]>; Vince Chang <[email protected]>; [email protected]
Subject: Re: [OE-core] [PATCH v1] kernel-fit-image: Check signing key files based on algorithm

Hi Jamin

Probably Paul is right: pem versus crt + key is a different thing than ECS versus RSA.

The its specification mentions only crt + key: https://fitspec.osfw.foundation/#configuration-signature-nodes.

Are you sure that mkimage works with pem but not with crt + key? My guess is that converting the pem somehow like https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key would work as well.

If Yocto should get support for pem files, it should support it for both formats, and this should be covered by tests as well. But since the fit spec and the mkimage documentation do not mention pem files, also on that side some investigation would probably be needed to ensure this is officially supported.

Regards
Adrian

Paul Barker via lists.openembedded.org <[email protected]> wrote on Mon, 18 May 2026, 19:39:

On Fri, 2026-05-15 at 09:42 +0000, Jamin Lin wrote:
> The key file validation in run_mkimage_sign() unconditionally required
> .key and .crt regardless of the signing algorithm. This prevented ECDSA
> signing which uses a single .pem file.
>
> Extract the check into _check_sign_key_files() and detect the algorithm
> from the algo string (e.g. "sha256,ecdsa384") by scanning all
> comma-separated parts so field order does not matter:
> - ECDSA: requires <keyname>.pem
> - RSA : requires <keyname>.key and <keyname>.crt

Hi Jamin,

This contradicts my understanding of cryptographic algorithms and file formats. To my knowledge, ECDSA & RSA are algorithms, PEM vs .key/.crt are file formats. You can have an RSA certificate in PEM format, and you can store the key & cert for use in ECDSA in .key & .crt files if you want to.

Yes, it is correct.

Am I misunderstanding something here?

Best regards,

--
Paul Barker
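Added example, not part of the thread and not code from OE-core's fitimage.py: the algorithm-versus-file-format distinction discussed above can be checked from a key file's content instead of its extension, and compared with the algorithm named in the algo string. All function names here are hypothetical, the algo-string scan follows the description in the quoted commit message, and the PKCS#8 samples are constructed skeletons with dummy key bytes.

```python
import base64
import re

# DER-encoded OIDs found in the AlgorithmIdentifier of a PKCS#8 "PRIVATE KEY"
PKCS8_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "rsa",  # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "ecdsa",    # 1.2.840.10045.2.1 id-ecPublicKey
}
# Traditional OpenSSL PEM labels name the algorithm directly
LABELS = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ecdsa"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def private_key_kind(pem_text):
    """Return 'rsa', 'ecdsa', 'unknown', or None if there is no private key block."""
    for label, b64 in PEM_RE.findall(pem_text):
        if label in LABELS:
            return LABELS[label]
        if label == "PRIVATE KEY":  # PKCS#8: SEQUENCE { version, AlgorithmIdentifier, ... }
            _, body, _ = _tlv(base64.b64decode(b64), 0)
            _, _, pos = _tlv(body, 0)      # skip the version INTEGER
            _, algid, _ = _tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
            tag, oid, _ = _tlv(algid, 0)
            return PKCS8_OIDS.get(oid, "unknown") if tag == 0x06 else "unknown"
    return None

def kind_from_algo(algo):
    """Scan every comma-separated part of e.g. 'sha256,ecdsa384'; order-independent."""
    parts = [p.strip().lower() for p in algo.split(",")]
    return next((k for p in parts for k in ("ecdsa", "rsa") if p.startswith(k)), None)

def _der(tag, value):  # short-form encoder, enough for the constructed samples
    return bytes([tag, len(value)]) + value

def sample_pkcs8(oid_hex):
    """Constructed PKCS#8 skeleton with dummy key bytes; not a usable key."""
    algid = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)))
    der = _der(0x30, _der(0x02, b"\x00") + algid + _der(0x04, b"\x00" * 4))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"
```

A key check built this way reports a mismatch when `kind_from_algo(algo)` differs from `private_key_kind(...)` of the file actually handed to the signer, whatever that file is called.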
