Hi, On Mon, 14 Oct 2024 at 08:24, Sean Anderson <[email protected]> wrote: > > Hi Lev, > > On 10/14/24 04:42, Lev R. Oshvang wrote: > > Hi Sean, > > > > I am looking for help with Uboot FIT signatures problem > > > > > > > > I started to work with FIT image (u-boot 2024) and managed to sign > > kernel and load this image with Uboot using 'required' property in > > signature as : > > > > signature-1 { > > > > algo = "sha1,rsa2048"; > > > > key-name-hint = "dev_key"; > > > > sign-images="kernel"; > > > > required="conf"; > > > > { > > > > Iminfo reports" > > > > ## Checking hash(es) for FIT Image at 01000000 ... > > > > Hash(es) for Image 0 (kernel-1): sha256+ sha256,rsa2048:dev_key- > > > > > > > > To test the procedure, I generated another private key and signed > > another kernel with this new key on another Linux host. > > > > > > > > > > > > I expected bootm to fail, but it just happily loads this image!!! > > > > Even an image without a signature but with a valid hash is not > > rejected against my expectations. > > > > In this case iminfo report only hash is OK > > Did you embed the public key into your U-Boot devicetree with `mkimage -K` ?
Also see the walkthrough at [1] which might help. The 'required' field needs to be in the public-key information (i.e. protected and separate from the image being loaded), not the signature node, since anyone can change the signature node. Regards, Simon [1] https://docs.u-boot.org/en/latest/usage/fit/beaglebone_vboot.html
