S32G secure boot signature generation
u-boot signature
The openssl tool is used to generate the signature of U-Boot.
openssl dgst -sha256 -sign $ROOT_DIR/rsa2048_private.pem -out fip-signature.bin tosign-fip.bin
linux kernel signature
tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb
/dts-v1/;

/*
 * FIT image source: one kernel image and one device tree blob, bound
 * together by a single signed configuration.
 *
 * NOTE(review): recent upstream U-Boot releases refuse FIT images whose
 * node names contain '@' when FIT signature checking is enabled. If the
 * U-Boot in this BSP behaves that way, rename the nodes to kernel-1,
 * fdt-1, hash-1, conf-1 and signature-1 - confirm against the U-Boot
 * version actually used.
 */
/ {
	description = "kernel+dtb/fdt fit image";
	#address-cells = <1>;

	images {
		kernel@1 {
			description = "kernel image";
			data = /incbin/("../linux/arch/arm64/boot/Image");
			type = "kernel";
			arch = "arm64";
			os = "linux";
			compression = "none";
			load = <0x81000000>;
			entry = <0x81000000>;
			kernel-version = <1>;

			/*
			 * The configuration signature below covers this hash
			 * node rather than the raw image bytes, so the hash
			 * node has to be present for the kernel to be protected.
			 */
			hash@1 {
				algo = "sha256";
			};
		};

		fdt@1 {
			description = "dtb blob";
			data = /incbin/("../linux/arch/arm64/boot/dts/freescale/s32g274a-rdb2.dtb");
			type = "flat_dt";
			arch = "arm64";
			compression = "none";
			load = <0x83000000>;
			entry = <0x83000000>;
			fdt-version = <1>;

			/* Same role as the kernel's hash node: input to the signature. */
			hash@1 {
				algo = "sha256";
			};
		};
	};

	configurations {
		default = "conf@1";

		conf@1 {
			kernel = "kernel@1";
			fdt = "fdt@1";

			/*
			 * The signature sits on the configuration, not on the
			 * individual images, so this exact kernel/fdt pairing
			 * is what gets signed and the two cannot be swapped
			 * independently.
			 *
			 * key-name-hint selects the key files in the directory
			 * given to mkimage with -k: boot_key.key (private key)
			 * and boot_key.crt (certificate holding the public key).
			 */
			signature@1 {
				algo = "sha256,rsa2048";
				key-name-hint = "boot_key";
				sign-images = "kernel", "fdt";
			};
		};
	};
};
boot.its is used to create a FIT image. It defines a configuration that contains a kernel and a dtb. The configuration is hashed and signed using the private key.
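s32g274a-rdb2.dtb, as passed with -K (the copy under arm-trusted-firmware/build, not the Linux dtb that is packed into the FIT image), is the device tree blob that the public key will be copied to. The -r option marks that key as required, so that U-Boot, when it verifies against this dtb, rejects a configuration that does not carry a valid signature made with it.
kernel_keys, passed with -k, is the folder path that contains the private key.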
How mkimage generates the signature for an ITS file:
The call stack that generates the signature for an ITB file:
tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb
fit_handle_file (tools/fit_image.c) : it is fit image, call fit image handler
fit_add_file_data (tools/fit_image.c) : add the data to FDT blob according to dts
fit_add_verification_data (tools/image_host.c): add verification data(sig)
fit_image_add_verification_data (tools/image_host.c)
fit_image_process_sig (tools/image_host.c) : process signature tag:
this function calls:
fit_image_set_sig //set sign algo according to its
info.crypto->sign //generate signature
fit_image_write_sig //write the signature to FDT blob
Signature algorithms supported by U-Boot. Currently we use SHA-256 as the digest, RSA-2048 as the key type and PKCS#1 v1.5 as the padding.
/*
 * Digest algorithms available for FIT hashing and signing.
 *
 * Each entry carries the digest name, its length, the DER prefix that
 * goes with it and the hashing callback. The .calculate_sign member is
 * only compiled in when IMAGE_ENABLE_SIGN is set.
 *
 * NOTE(review): "sha1" is still listed next to "sha256". SHA-1 is no
 * longer considered collision resistant, so ITS files should keep
 * using "sha256" as the page does; whether the verifier also refuses
 * a "sha1,..." signature depends on code not shown here - confirm.
 */
struct checksum_algo checksum_algos[] = {
	{
		.name = "sha1",
		.checksum_len = SHA1_SUM_LEN,
		.der_len = SHA1_DER_LEN,
		.der_prefix = sha1_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha1,
#endif
		.calculate = hash_calculate,
	},
	{
		.name = "sha256",
		.checksum_len = SHA256_SUM_LEN,
		.der_len = SHA256_DER_LEN,
		.der_prefix = sha256_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha256,
#endif
		.calculate = hash_calculate,
	}
};
/*
 * Public-key algorithms available for FIT signatures.
 *
 * Both entries use the same three callbacks (rsa_sign,
 * rsa_add_verify_data, rsa_verify) and differ only in name and key
 * length. The .sign callback is the one reached as info.crypto->sign
 * in the mkimage call stack described on this page.
 */
struct crypto_algo crypto_algos[] = {
	{
		.name = "rsa2048",
		.key_len = RSA2048_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	},
	{
		.name = "rsa4096",
		.key_len = RSA4096_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	}
};
/*
 * RSA signature padding schemes and their verification callbacks.
 *
 * "pkcs-1.5" is always present; "pss" is only compiled in when
 * CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT is defined. The entries carry
 * a .verify callback only.
 */
struct padding_algo padding_algos[] = {
	{
		.name = "pkcs-1.5",
		.verify = padding_pkcs_15_verify,
	},
#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT
	{
		.name = "pss",
		.verify = padding_pss_verify,
	}
#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */
};
Use sign server to generate signatures:
Signatures
u-boot software sign
Sign server sign
u-boot
openssl command line
linux kernel
rsa_sign
sign server provides similar apis, if possible, maybe c libs