# S32g secure boot signature generation

### u-boot signature <a href="#u-boot-signature" id="u-boot-signature"></a>

openssl tool is used to generated the signature of u-boot.

`openssl dgst -sha256 -sign $ROOT_DIR/rsa2048_private.pem -out fip-signature.bin tosign-fip.bin`

### linux kernel signature <a href="#linux-kernel-signature" id="linux-kernel-signature"></a>

`tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb`

```
/dts-v1/;
/ {
        description = "kernel+dtb/fdt fit image";
        #address-cells = <1>;
        images {
                kernel@1 {
                        description = "kernel image";
                        data = /incbin/("../linux/arch/arm64/boot/Image");
                        type = "kernel";
                        arch = "arm64";
                        os = "linux";
                        compression = "none";
                        load = <0x81000000>;
                        entry = <0x81000000>;
 kernel-version = <1>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
                fdt@1 {
                        description = "dtb blob";
                        data = 
/incbin/("../linux/arch/arm64/boot/dts/freescale/s32g274a-rdb2.dtb");
                        type = "flat_dt";
                        arch = "arm64";
                        compression = "none";
                        load = <0x83000000>;
                        entry = <0x83000000>;
                        fdt-version = <1>;
                        hash@1 {
                                algo = "sha256";
                        };
                };
        };
        configurations {
                default = "conf@1";
                conf@1 {
                        kernel = "kernel@1";
                        fdt = "fdt@1";
                        signature@1 {
                               algo = "sha256,rsa2048";
key-name-hint = "boot_key";
sign-images = "kernel", "fdt";
                        };
                };
        };
};              
```

boot.its is used to create a FIT image. it defines a configuration which contains a kernel and dtb. the configuration will be hased and signed using the private key.

s32g274a-rdb2.dtb is the device tree blob that the public key will be copied to.

kernel\_keys is the folder path that contains the private key

How mkimage generate signature for ITS file:

The call stack to generate signature for a ITB file:

```
tools/mkimage -f ../linux/boot.its -K ../arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb -k ../kernel_keys -r sec-boot.itb
fit_handle_file  (tools/fit_image.c) : it is fit image, call fit image handler
fit_add_file_data (tools/fit_image.c) : add the data to FDT blob according to dts
fit_add_verification_data (tools/image_host.c): add verification data(sig)
fit_imag_add_verification_data (tools/image_host.c)
fit_image_process_sig (tools/image_host.c) : process signature tag:

this function calls:
fit_image_set_sig    //set sign algo according to its
info.crypto->sign    //generate signature
fit_image_write_sig  //write the signature to FDT blob
```

U-boot supported signature algo. currently we use SHA256, rsa2048,pkcs1.5

```c
struct checksum_algo checksum_algos[] = {
	{
		.name = "sha1",
		.checksum_len = SHA1_SUM_LEN,
		.der_len = SHA1_DER_LEN,
		.der_prefix = sha1_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha1,
#endif
		.calculate = hash_calculate,
	},
	{
		.name = "sha256",
		.checksum_len = SHA256_SUM_LEN,
		.der_len = SHA256_DER_LEN,
		.der_prefix = sha256_der_prefix,
#if IMAGE_ENABLE_SIGN
		.calculate_sign = EVP_sha256,
#endif
		.calculate = hash_calculate,
	}

};

struct crypto_algo crypto_algos[] = {
	{
		.name = "rsa2048",
		.key_len = RSA2048_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	},
	{
		.name = "rsa4096",
		.key_len = RSA4096_BYTES,
		.sign = rsa_sign,
		.add_verify_data = rsa_add_verify_data,
		.verify = rsa_verify,
	}

};

struct padding_algo padding_algos[] = {
	{
		.name = "pkcs-1.5",
		.verify = padding_pkcs_15_verify,
	},
#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT
	{
		.name = "pss",
		.verify = padding_pss_verify,
	}
#endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */
};
```

### Use sign server to generate signatures: <a href="#use-sign-server-to-generate-signatures" id="use-sign-server-to-generate-signatures"></a>

| **Signatures** | **u-boot software sign** | **Sign server sign**                                         |
| -------------- | ------------------------ | ------------------------------------------------------------ |
| u-boot         | openssl command line     |                                                              |
| linux kernel   | rsa\_sign                | sign server provides similar apis, if possible, maybe c libs |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://carloss-organization-4.gitbook.io/tech/ecus/readme/s32g-s32g247s-secure-boot-using-hse-firmware/s32g-secure-boot-signature-generation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.