Hello,

I'm trying to make u-boot perform signature verification of fitImages. I have problems getting it to work, and the documentation seems to be scattered in different places on the internet (I found plenty of descriptions of the concept, but I haven't seen detailed step-by-step instructions on how to actually do it).

This is on an NXP i.MX7 Dual chip, using yocto 2.5, linux-fslc-imx 4.9, and u-boot 2017.07 with vendor-specific patches to enable hardware support and the like.

According to:
 - https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/classes/uboot-sign.bbclass

I set these variables in the machine config file:

    UBOOT_SIGN_KEYDIR
    UBOOT_SIGN_KEYNAME
    UBOOT_MKIMAGE_DTCOPTS
    UBOOT_SIGN_ENABLE
    KERNEL_CLASSES
    KERNEL_IMAGETYPE

According to:
 - https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/verified-boot.txt
 - https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/signature.txt
 - https://github.com/u-boot/u-boot/blob/master/doc/README.fdt-control

I added the following configuration in u-boot defconfig:

    CONFIG_SECURE_BOOT=y
    CONFIG_SPL_DRIVERS_MISC_SUPPORT=y
    CONFIG_FIT=y
    CONFIG_FIT_VERBOSE=y
    CONFIG_FIT_SIGNATURE=y
    CONFIG_RSA=y
    CONFIG_OF_CONTROL=y
    CONFIG_OF_SEPARATE=y

This causes u-boot compilation failure, with the relevant line being:

    | make[2]: *** No rule to make target 'arch/arm/dts/unset.dts', needed by 'arch/arm/dts/unset.dtb'. Stop.

If I add CONFIG_DEFAULT_DEVICE_TREE in u-boot defconfig, the compilation failure goes away. Am I correct that I need to provide the same device tree source to this uboot config as the one I give to my kernel? Or is there a way to not need to specify this config, considering the only reason I enabled CONFIG_OF_CONTROL is because the current scheme in yocto requires it?

Anyway, I tried setting this config to "imx7d-sdb" to see what happens, and I got an error from bitbake (relevant parts only):

    | uboot-mkimage: Can't open /workdir/build/upstream/tmp/deploy/images/<my-machine-name>/u-boot.dtb: No such file or directory
    | uboot-mkimage Can't add hashes to FIT blob: -5
    | WARNING: exit code 255 from a shell command.
    | ERROR: Function failed: do_assemble_fitimage (log file is located at /workdir/build/upstream/tmp/work/<my-machine-name>-poky-linux-gnueabi/linux-fslc-imx/4.9-1.0.x+gitAUTOINC+953c6e30c9-r0/temp/log.do_assemble_fitimage.883)
    ERROR: Task (/workdir/upstream/meta-freescale/recipes-kernel/linux/linux-fslc-imx_4.9-1.0.x.bb:do_assemble_fitimage) failed with exit code '1'

The u-boot.dtb file is indeed not present on disk, so my next step is to figure out why.

In the meantime, is there anything obvious that I am currently still missing? I would be very happy if someone knows a good detailed guide to implement this, since I have not found any.

Regards,
Irving
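
The two failures reported above can be caught before starting a build. The following is an added example, not part of the original message and not code from Yocto or U-Boot: a preflight check over a defconfig and a deploy directory. The function names (parse_defconfig, preflight) are hypothetical, and the option list and file name are the ones quoted in the message.

```python
import re
import tempfile
from pathlib import Path

# Options the message enables for FIT signature verification.
REQUIRED = ("CONFIG_FIT", "CONFIG_FIT_SIGNATURE", "CONFIG_RSA",
            "CONFIG_OF_CONTROL", "CONFIG_OF_SEPARATE")

def parse_defconfig(text):
    """Return {option: value}; '# CONFIG_X is not set' maps to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        if m:
            opts[m.group(1)] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.strip().strip('"')
    return opts

def preflight(defconfig_text, deploy_dir):
    """Return a list of problems that would stop a signed fitImage build."""
    opts = parse_defconfig(defconfig_text)
    problems = [f"{o} is not enabled" for o in REQUIRED if opts.get(o) != "y"]
    # With CONFIG_OF_CONTROL and no default device tree, the message's build
    # went looking for arch/arm/dts/unset.dts.
    if opts.get("CONFIG_OF_CONTROL") == "y" and not opts.get("CONFIG_DEFAULT_DEVICE_TREE"):
        problems.append("CONFIG_DEFAULT_DEVICE_TREE is not set")
    # uboot-mkimage could not open this file in the message's bitbake log.
    if not (Path(deploy_dir) / "u-boot.dtb").is_file():
        problems.append("u-boot.dtb missing from deploy dir")
    return problems

# Constructed sample: the defconfig additions listed in the message.
SAMPLE = """\
CONFIG_SECURE_BOOT=y
CONFIG_SPL_DRIVERS_MISC_SUPPORT=y
CONFIG_FIT=y
CONFIG_FIT_VERBOSE=y
CONFIG_FIT_SIGNATURE=y
CONFIG_RSA=y
CONFIG_OF_CONTROL=y
CONFIG_OF_SEPARATE=y
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # empty stand-in deploy dir
        for p in preflight(SAMPLE, d):
            print("FAIL:", p)
```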