S32g secure boot signature generation

u-boot signature

openssl tool is used to generated the signature of u-boot.

openssl dgst -sha256 -sign $ROOT_DIR/rsa2048_private.pem -out fip-signature.bin tosign-fip.bin

linux kernel signature

tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb

/dts-v1/;
/ {
        description = "kernel+dtb/fdt fit image";
        #address-cells = <1>;
        images {
                kernel@1 {
                        description = "kernel image";
                        data = /incbin/("../linux/arch/arm64/boot/Image");
                        type = "kernel";
                        arch = "arm64";
                        os = "linux";
                        compression = "none";
                        load = <0x81000000>;
                        entry = <0x81000000>;
 kernel-version = <1>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
                fdt@1 {
                        description = "dtb blob";
                        data = 
/incbin/("../linux/arch/arm64/boot/dts/freescale/s32g274a-rdb2.dtb");
                        type = "flat_dt";
                        arch = "arm64";
                        compression = "none";
                        load = <0x83000000>;
                        entry = <0x83000000>;
                        fdt-version = <1>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
        };
        configurations {
                default = "conf@1";
                conf@1 {
                        kernel = "kernel@1";
                        fdt = "fdt@1";
                        signature@1 {
                               algo = "sha256,rsa2048";
key-name-hint = "boot_key";
sign-images = "kernel", "fdt";
                        };
                };
        };
};              

boot.its is used to create a FIT image. it defines a configuration which contains a kernel and dtb. the configuration will be hased and signed using the private key.

s32g274a-rdb2.dtb is the device tree blob that the public key will be copied to.

kernel_keys is the folder path that contains the private key

How mkimage generate signature for ITS file:

The call stack to generate signature for a ITB file:

tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb
fit_handle_file  (tools/fit_image.c) : it is fit image, call fit image handler
fit_add_file_data (tools/fit_image.c) : add the data to FDT blob according to dts
fit_add_verification_data (tools/image_host.c): add verification data(sig)
fit_imag_add_verification_data (tools/image_host.c)
fit_image_process_sig (tools/image_host.c) : process signature tag:

this function calls:
fit_image_set_sig    //set sign algo according to its
info.crypto->sign    //generate signature
fit_image_write_sig  //write the signature to FDT blob

U-boot supported signature algo. currently we use SHA256, rsa2048,pkcs1.5

struct checksum_algo checksum_algos[] = {
	{
		.name = "sha1",
		.checksum_len = SHA1_SUM_LEN,
		.der_len = SHA1_DER_LEN,
		.der_prefix = sha1_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha1,
#endif
		.calculate = hash_calculate,
	},
	{
		.name = "sha256",
		.checksum_len = SHA256_SUM_LEN,
		.der_len = SHA256_DER_LEN,
		.der_prefix = sha256_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha256,
#endif
		.calculate = hash_calculate,
	}

};

struct crypto_algo crypto_algos[] = {
	{
		.name = "rsa2048",
		.key_len = RSA2048_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	},
	{
		.name = "rsa4096",
		.key_len = RSA4096_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	}

};

struct padding_algo padding_algos[] = {
	{
		.name = "pkcs-1.5",
		.verify = padding_pkcs_15_verify,
	},
#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT
	{
		.name = "pss",
		.verify = padding_pss_verify,
	}
#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */
};

Use sign server to generate signatures:

Signatures	u-boot software sign	Sign server sign
u-boot	openssl command line
linux kernel	rsa_sign	sign server provides similar apis, if possible, maybe c libs