Hi Lang,
On Tue, 22 Oct 2019 at 20:23, Lang Yu <[email protected]> wrote:
>
> Hi, sjg,
>
> I'm YuLang, a software engineer in Hesai Tech. I really appreciate your
> contribution to secure boot. But I'm confused with your explanation about
> signature with FIT image in "u-boot/doc/uImage.FIT/signature.txt". As
> following,
>
> / {
>     images {
>         kernel@1 {
>             data = <data for kernel1>
>             hash@1 {
>                 algo = "sha1";
>                 value = <...kernel hash 1...>
>             };
>         };
>         kernel@2 {
>             data = <data for kernel2>
>             hash@1 {
>                 algo = "sha1";
>                 value = <...kernel hash 2...>
>             };
>         };
>         fdt@1 {
>             data = <data for fdt1>;
>             hash@1 {
>                 algo = "sha1";
>                 value = <...fdt hash 1...>
>             };
>         };
>         fdt@2 {
>             data = <data for fdt2>;
>             hash@1 {
>                 algo = "sha1";
>                 value = <...fdt hash 2...>
>             };
>         };
>     };
>     configurations {
>         default = "conf@1";
>         conf@1 {
>             kernel = "kernel@1";
>             fdt = "fdt@1";
>             signature@1 {
>                 algo = "sha1,rsa2048";
>                 value = <...conf 1 signature...>;
>             };
>         };
>         conf@2 {
>             kernel = "kernel@2";
>             fdt = "fdt@2";
>             signature@1 {
>                 algo = "sha1,rsa2048";
>                 value = <...conf 1 signature...>;
>             };
>         };
>     };
> };
>
> You can see that we have added hashes for all images (since they are no
> longer signed), and a signature to each configuration. In the above example,
> mkimage will sign configurations/conf@1, the kernel and fdt that are
> pointed to by the configuration (/images/kernel@1, /images/kernel@1/hash@1,
> /images/fdt@1, /images/fdt@1/hash@1) and the root structure of the image
> (so that it isn't possible to add or remove root nodes). The signature is
> written into /configurations/conf@1/signature@1/value. It can easily be
> verified later even if the FIT has been signed with other keys in the
> meantime.
>
> But what a signature to each configuration really means?
>
> 1. rsa2048-privatekey(sha1(kernel data + fdt data))
>
> 2. rsa2048-privatekey(sha1(kernel hash+kernel hash))
>
> 3. ...
>
> Could you give a clear explanation?
>
> Many thanks

This is explained in signature.txt, just above the 'verification' heading:

> In the above example, mkimage will sign configurations/conf-1, the kernel
> and fdt that are pointed to by the configuration (/images/kernel-1,
> /images/kernel-1/hash-1, /images/fdt-1, /images/fdt-1/hash-1) and the root
> structure of the image (so that it isn't possible to add or remove root
> nodes). The signature is written into
> /configurations/conf-1/signature-1/value. It can easily be verified later
> even if the FIT has been signed with other keys in the meantime.

Regards,
Simon
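As an added illustration (not part of the original message and not U-Boot's code), this simplified Python model computes the digest a configuration signature would cover over the node list quoted above, then checks each image's data against its signed hash node. The dict layout, function names and sample data are constructed; the RSA step and the root-structure coverage are not modelled, and leaving the `data` property out of the digest is an assumption based on the page's remark that images are hashed rather than signed.

```python
import hashlib

def make_fit():
    """Constructed, simplified FIT: nested dicts stand in for device-tree nodes."""
    def image(data):
        return {"data": data,
                "hash-1": {"algo": "sha1", "value": hashlib.sha1(data).hexdigest()}}
    return {
        "images": {"kernel-1": image(b"kernel one"), "kernel-2": image(b"kernel two"),
                   "fdt-1": image(b"fdt one"), "fdt-2": image(b"fdt two")},
        "configurations": {"conf-1": {"kernel": "kernel-1", "fdt": "fdt-1"},
                           "conf-2": {"kernel": "kernel-2", "fdt": "fdt-2"}},
    }

def signed_nodes(fit, conf):
    """Node paths the page lists as signed for one configuration."""
    c = fit["configurations"][conf]
    paths = ["/configurations/" + conf]
    for role in ("kernel", "fdt"):
        paths += ["/images/" + c[role], "/images/" + c[role] + "/hash-1"]
    return paths

def conf_digest(fit, conf):
    """SHA-1 over the listed nodes' properties; the RSA key would sign this digest."""
    h = hashlib.sha1()
    for path in signed_nodes(fit, conf):
        node = fit
        for part in path.strip("/").split("/"):
            node = node[part]
        h.update(path.encode())
        for name, val in sorted(node.items()):
            if name == "data" or isinstance(val, dict):
                continue  # assumption: data is covered via its hash node; subnodes are listed separately
            h.update(f"{name}={val};".encode())
    return h.hexdigest()

def verify(fit, conf, trusted_digest):
    """Check the configuration digest first, then each image's data against its hash node."""
    if conf_digest(fit, conf) != trusted_digest:
        return "bad configuration signature"
    for role in ("kernel", "fdt"):
        img = fit["images"][fit["configurations"][conf][role]]
        if hashlib.sha1(img["data"]).hexdigest() != img["hash-1"]["value"]:
            return "bad image hash"
    return "ok"
```

In this model the signed digest is neither of the two formulas in the question: it covers the configuration node and the hash nodes it points to, so a change to image data, to a hash value, or to which kernel a configuration names is each caught by one of the two checks.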

