S32g secure boot signature generation

u-boot signature

openssl tool is used to generated the signature of u-boot.

openssl dgst -sha256 -sign $ROOT_DIR/rsa2048_private.pem -out fip-signature.bin tosign-fip.bin

linux kernel signature

tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb

/dts-v1/;
/ {
        description = "kernel+dtb/fdt fit image";
        #address-cells = <1>;
        images {
                kernel@1 {
                        description = "kernel image";
                        data = /incbin/("../linux/arch/arm64/boot/Image");
                        type = "kernel";
                        arch = "arm64";
                        os = "linux";
                        compression = "none";
                        load = <0x81000000>;
                        entry = <0x81000000>;
 kernel-version = <1>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
                fdt@1 {
                        description = "dtb blob";
                        data = 
/incbin/("../linux/arch/arm64/boot/dts/freescale/s32g274a-rdb2.dtb");
                        type = "flat_dt";
                        arch = "arm64";
                        compression = "none";
                        load = <0x83000000>;
                        entry = <0x83000000>;
                        fdt-version = <1>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
        };
        configurations {
                default = "conf@1";
                conf@1 {
                        kernel = "kernel@1";
                        fdt = "fdt@1";
                        signature@1 {
                               algo = "sha256,rsa2048";
key-name-hint = "boot_key";
sign-images = "kernel", "fdt";
                        };
                };
        };
};

boot.its is used to create a FIT image. it defines a configuration which contains a kernel and dtb. the configuration will be hased and signed using the private key.

s32g274a-rdb2.dtb is the device tree blob that the public key will be copied to.

kernel_keys is the folder path that contains the private key

How mkimage generate signature for ITS file:

The call stack to generate signature for a ITB file:

tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb
fit_handle_file  (tools/fit_image.c) : it is fit image, call fit image handler
fit_add_file_data (tools/fit_image.c) : add the data to FDT blob according to dts
fit_add_verification_data (tools/image_host.c): add verification data(sig)
fit_imag_add_verification_data (tools/image_host.c)
fit_image_process_sig (tools/image_host.c) : process signature tag:

this function calls:
fit_image_set_sig    //set sign algo according to its
info.crypto->sign    //generate signature
fit_image_write_sig  //write the signature to FDT blob

U-boot supported signature algo. currently we use SHA256, rsa2048,pkcs1.5

struct checksum_algo checksum_algos[] = {
	{
		.name = "sha1",
		.checksum_len = SHA1_SUM_LEN,
		.der_len = SHA1_DER_LEN,
		.der_prefix = sha1_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha1,
#endif
		.calculate = hash_calculate,
	},
	{
		.name = "sha256",
		.checksum_len = SHA256_SUM_LEN,
		.der_len = SHA256_DER_LEN,
		.der_prefix = sha256_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha256,
#endif
		.calculate = hash_calculate,
	}

};

struct crypto_algo crypto_algos[] = {
	{
		.name = "rsa2048",
		.key_len = RSA2048_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	},
	{
		.name = "rsa4096",
		.key_len = RSA4096_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	}

};

struct padding_algo padding_algos[] = {
	{
		.name = "pkcs-1.5",
		.verify = padding_pkcs_15_verify,
	},
#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT
	{
		.name = "pss",
		.verify = padding_pss_verify,
	}
#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */
};

Use sign server to generate signatures:

Signatures

u-boot software sign

Sign server sign

u-boot

openssl command line

linux kernel

rsa_sign

sign server provides similar apis, if possible, maybe c libs

上一页How S32g verify secure boot image 下一页How to download and build S32g Secure boot image

最后更新于1年前

/dts-v1/; / { description = "kernel+dtb/fdt fit image"; #address-cells = <1>; images { kernel@1 { description = "kernel image"; data = /incbin/("../linux/arch/arm64/boot/Image"); type = "kernel"; arch = "arm64"; os = "linux"; compression = "none"; load = <0x81000000>; entry = <0x81000000>; kernel-version = <1>; hash@1 { algo = "sha256"; }; }; fdt@1 { description = "dtb blob"; data = /incbin/("../linux/arch/arm64/boot/dts/freescale/s32g274a-rdb2.dtb"); type = "flat_dt"; arch = "arm64"; compression = "none"; load = <0x83000000>; entry = <0x83000000>; fdt-version = <1>; hash@1 { algo = "sha256"; }; }; }; configurations { default = "conf@1"; conf@1 { kernel = "kernel@1"; fdt = "fdt@1"; signature@1 { algo = "sha256,rsa2048"; key-name-hint = "boot_key"; sign-images = "kernel", "fdt"; }; }; }; };

tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb fit_handle_file (tools/fit_image.c) : it is fit image, call fit image handler fit_add_file_data (tools/fit_image.c) : add the data to FDT blob according to dts fit_add_verification_data (tools/image_host.c): add verification data(sig) fit_imag_add_verification_data (tools/image_host.c) fit_image_process_sig (tools/image_host.c) : process signature tag: this function calls: fit_image_set_sig //set sign algo according to its info.crypto->sign //generate signature fit_image_write_sig //write the signature to FDT blob

struct checksum_algo checksum_algos[] = { { .name = "sha1", .checksum_len = SHA1_SUM_LEN, .der_len = SHA1_DER_LEN, .der_prefix = sha1_der_prefix, #if IMAGE_ENABLE_SIGN .calculate_sign = EVP_sha1, #endif .calculate = hash_calculate, }, { .name = "sha256", .checksum_len = SHA256_SUM_LEN, .der_len = SHA256_DER_LEN, .der_prefix = sha256_der_prefix, #if IMAGE_ENABLE_SIGN .calculate_sign = EVP_sha256, #endif .calculate = hash_calculate, } }; struct crypto_algo crypto_algos[] = { { .name = "rsa2048", .key_len = RSA2048_BYTES, .sign = rsa_sign, .add_verify_data = rsa_add_verify_data, .verify = rsa_verify, }, { .name = "rsa4096", .key_len = RSA4096_BYTES, .sign = rsa_sign, .add_verify_data = rsa_add_verify_data, .verify = rsa_verify, } }; struct padding_algo padding_algos[] = { { .name = "pkcs-1.5", .verify = padding_pkcs_15_verify, }, #ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT { .name = "pss", .verify = padding_pss_verify, } #endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ };