+Tom Rini

Hi Moiz,

On Thu, 9 Sept 2021 at 14:21, Moiz Imtiaz <moizimti...@gmail.com> wrote:
>
> Hope you are doing well and everything is going good at your end. I am using 
> Raspi 4B and Compute Module 4 and trying to configure U-Boot with Verified 
> boot support, but while booting the signing of the configuration is not being 
> checked. I am using the latest master branch from GitHub.
>
> We have checked the signature verification via the "fit_check_sign" utility 
> that comes with u-boot and it does verify the configuration of the signature 
> so, I am sure that the image is signed properly and the Control FDT is good 
> as well.
>
>
>
> But while booting, it doesn't check the signature of the configuration. It 
> should be showing "Verifying Hash Integrity ... sha1,rsa2048:dev+ OK"
>
>
> I believe that maybe I am not adding Control FDT in the U-boot binary 
> properly. Following is the command that I am using to add control FDT to 
> U-boot.
>
> $ make EXT_DTB=bcm2711-rpi-4-b-pubkey.dtb -j8
> I have also tried
> $ make DEV_TREE_BIN=bcm2711-rpi-4-b-pubkey.dtb -j8
>
> The bytes size of the u-boot.bin and u-boot-nodtb.bin after using both the 
> above commands is the same.
>
> Attached is the FIT source file, rpi_4_defconfig and the control FDT file. 
> Also, the following has been added in configs/rpi_4_defconfig.
>
> CONFIG_OF_CONTROL=y
> CONFIG_FIT=y
> CONFIG_FIT_SIGNATURE=y
> CONFIG_RSA=y
>
> Can you please help me with how to add Control FDT to the U-boot.bin binary 
> or what can be the reason that it isn't checking the signature of the 
> configuration while booting? Any kind of help would be really appreciated.

There is an example of this flow in the sandbox vboot test. There is
also an example for Beaglebone Black in
doc/uImage.FIT/beaglebone_vboot.txt

I wonder if rpi is not using the devicetree compiled with U-Boot, but
instead one provided by the earlier-stage firmware? Can you check that
the required 'signature' node is present? You can use the 'fdt'
command in U-Boot to look at it.

Looking at rpi_4 it uses CONFIG_OF_BOARD which means it has its own
special way of getting the devicetree into U-Boot. The older boards
use CONFIG_OF_EMBED which is actually not even allowed in production
boards....

Also you may need the -r argument to mkimage to mark the key as required.

Regards,
Simon
