S32g secure boot signature generation
u-boot signature
The openssl tool is used to generate the signature of u-boot.
openssl dgst -sha256 -sign $ROOT_DIR/rsa2048_private.pem -out fip-signature.bin tosign-fip.bin
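A sign/verify round trip for the command above, as an added example that is not part of the original page. It assumes a throwaway RSA-2048 key and a constructed payload in a temporary directory, and that the public half is exported with openssl rsa -pubout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sign/verify round trip for the FIP signature step.
# Throwaway key and constructed payload (assumptions), created in a temp dir.

# sign_fip KEY PAYLOAD SIG: the signing command from the page.
sign_fip() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_fip PUBKEY PAYLOAD SIG: exit status 0 only if SIG is valid for PAYLOAD.
verify_fip() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# sig_size SIG: signature length in bytes (256 for an RSA-2048 key).
sig_size() {
    wc -c < "$1" | tr -d ' '
}

# roundtrip_demo: prints "size=<n> original=<ok|bad> tampered=<rejected|accepted>".
roundtrip_demo() {
    d=$(mktemp -d) || return 1
    key=$d/rsa2048_private.pem pub=$d/rsa2048_public.pem
    bin=$d/tosign-fip.bin sig=$d/fip-signature.bin

    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    openssl rsa -in "$key" -pubout -out "$pub" 2>/dev/null || return 1
    printf 'constructed FIP payload, not a real image' > "$bin"

    sign_fip "$key" "$bin" "$sig" || return 1
    size=$(sig_size "$sig")

    if verify_fip "$pub" "$bin" "$sig"; then orig=ok; else orig=bad; fi

    # Append one byte after signing: the old signature must no longer verify.
    printf 'X' >> "$bin"
    if verify_fip "$pub" "$bin" "$sig"; then tamp=accepted; else tamp=rejected; fi

    rm -rf "$d"
    echo "size=$size original=$orig tampered=$tamp"
}

roundtrip_demo
```

To check a real build, call verify_fip with the exported public key, tosign-fip.bin and fip-signature.bin before the image is flashed.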
linux kernel signature
tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb
/dts-v1/;
/ {
    description = "kernel+dtb/fdt fit image";
    #address-cells = <1>;
    images {
        kernel@1 {
            description = "kernel image";
            data = /incbin/("../linux/arch/arm64/boot/Image");
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x81000000>;
            entry = <0x81000000>;
            kernel-version = <1>;
            hash@1 {
                algo = "sha256";
            };
        };
        fdt@1 {
            description = "dtb blob";
            data = /incbin/("../linux/arch/arm64/boot/dts/freescale/s32g274a-rdb2.dtb");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            load = <0x83000000>;
            entry = <0x83000000>;
            fdt-version = <1>;
            hash@1 {
                algo = "sha256";
            };
        };
    };
    configurations {
        default = "conf@1";
        conf@1 {
            kernel = "kernel@1";
            fdt = "fdt@1";
            signature@1 {
                algo = "sha256,rsa2048";
                key-name-hint = "boot_key";
                sign-images = "kernel", "fdt";
            };
        };
    };
};
boot.its is used to create a FIT image. It defines a configuration that contains a kernel and a dtb. The configuration will be hashed and signed using the private key.
s32g274a-rdb2.dtb is the device tree blob that the public key will be copied to.
kernel_keys is the folder path that contains the private key.
How mkimage generates the signature for an ITS file:
The call stack to generate the signature for an ITB file:
Signature algorithms supported by U-Boot. Currently we use SHA256, rsa2048, pkcs1.5.
Use sign server to generate signatures:
| Signatures | u-boot software sign | Sign server sign |
| --- | --- | --- |
| u-boot | openssl command line | |
| linux kernel | rsa_sign | sign server provides similar APIs; if possible, maybe C libs |