[yocto] Steps to enable u-boot signed verified images?

Irving ST irving at ssfivy.com
Wed Oct 10 05:49:22 PDT 2018


Hello,

I'm trying to make u-boot perform signature verification of fitImages. I
have problems getting it to work, and the documentation seems to be
scattered in different places on the internet (I found plenty of
descriptions of the concept, but I haven't seen detailed step-by-step
instructions on how to actually do it).

This is on an NXP i.MX7 Dual chip, using yocto 2.5, linux-fslc-imx 4.9,
and u-boot 2017.07 with vendor-specific patches to enable hardware
support and the like.

According to:
- https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/classes/uboot-sign.bbclass
I set these variables in the machine config file:

    UBOOT_SIGN_KEYDIR
    UBOOT_SIGN_KEYNAME
    UBOOT_MKIMAGE_DTCOPTS
    UBOOT_SIGN_ENABLE
    KERNEL_CLASSES
    KERNEL_IMAGETYPE

According to:
- https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/verified-boot.txt
- https://github.com/u-boot/u-boot/blob/master/doc/uImage.FIT/signature.txt
- https://github.com/u-boot/u-boot/blob/master/doc/README.fdt-control
I added the following configuration in u-boot defconfig:

    CONFIG_SECURE_BOOT=y
    CONFIG_SPL_DRIVERS_MISC_SUPPORT=y
    CONFIG_FIT=y
    CONFIG_FIT_VERBOSE=y
    CONFIG_FIT_SIGNATURE=y
    CONFIG_RSA=y
    CONFIG_OF_CONTROL=y
    CONFIG_OF_SEPARATE=y

This causes u-boot compilation failure, with the relevant line being:

    | make[2]: *** No rule to make target 'arch/arm/dts/unset.dts', needed by 'arch/arm/dts/unset.dtb'.  Stop.

If I add CONFIG_DEFAULT_DEVICE_TREE to the u-boot defconfig, the
compilation failure goes away.
Am I correct that I need to provide the same device tree source to this
uboot config as the one I give to my kernel?
Or is there a way to not need to specify this config, considering the
only reason I enabled CONFIG_OF_CONTROL is because the current scheme in
yocto requires it?


Anyway, I tried setting this config to "imx7d-sdb" to see what happens,
and I got an error from bitbake (relevant parts only):

    | uboot-mkimage: Can't open /workdir/build/upstream/tmp/deploy/images/<my-machine-name>/u-boot.dtb: No such file or directory
    | uboot-mkimage Can't add hashes to FIT blob: -5
    | WARNING: exit code 255 from a shell command.
    | ERROR: Function failed: do_assemble_fitimage (log file is located at /workdir/build/upstream/tmp/work/<my-machine-name>-poky-linux-gnueabi/linux-fslc-imx/4.9-1.0.x+gitAUTOINC+953c6e30c9-r0/temp/log.do_assemble_fitimage.883)
    ERROR: Task (/workdir/upstream/meta-freescale/recipes-kernel/linux/linux-fslc-imx_4.9-1.0.x.bb:do_assemble_fitimage) failed with exit code '1'


The u-boot.dtb file is indeed not present on disk, so my next step is to
figure out why.
In the meantime, is there anything obvious that I am currently still
missing? I would be very happy if someone knows a good detailed guide to
implement this, since I have not found any.


Regards,
Irving
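The manual signing flow that uboot-sign.bbclass and kernel-fitimage.bbclass automate, as an added example that is not part of the original post: it generates a key, writes a FIT source whose configuration (not just the individual images) carries the signature node, signs it with mkimage while embedding the public key into u-boot.dtb as a required key, and verifies the result. It assumes openssl, dtc/fdtget and u-boot-tools (mkimage, fit_check_sign) are installed; the key name "dev", the RSA size, the load address and the payload file names are placeholder choices.

```shell
#!/bin/sh
# Added example (not from the original post or the Yocto classes): manual
# equivalent of UBOOT_SIGN_* + do_assemble_fitimage. Placeholder values:
# key name "dev", 2048-bit RSA, load/entry address, payload file names.
set -eu

# Generate the key pair: mkimage reads <keydir>/<name>.key to sign the FIT
# and <keydir>/<name>.crt to embed the public key into u-boot.dtb.
make_key() {  # $1 = key directory (UBOOT_SIGN_KEYDIR), $2 = key name (UBOOT_SIGN_KEYNAME)
    mkdir -p "$1"
    openssl genpkey -algorithm RSA -out "$1/$2.key" -pkeyopt rsa_keygen_bits:2048
    openssl req -batch -new -x509 -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.crt"
}

# FIT source with the signature on the *configuration*, so kernel and DTB are
# bound together; signing images individually would let signed pieces be
# mixed and matched.
write_its() {  # $1 = output .its, $2 = kernel file, $3 = dtb file, $4 = key name
    cat > "$1" <<EOF
/dts-v1/;
/ {
    description = "Signed kernel + DTB";
    #address-cells = <1>;
    images {
        kernel-1 { data = /incbin/("$2"); type = "kernel"; arch = "arm";
                   os = "linux"; compression = "none"; load = <0x80800000>;
                   entry = <0x80800000>; hash-1 { algo = "sha256"; }; };
        fdt-1 { data = /incbin/("$3"); type = "flat_dt"; arch = "arm";
                compression = "none"; hash-1 { algo = "sha256"; }; };
    };
    configurations {
        default = "conf-1";
        conf-1 { kernel = "kernel-1"; fdt = "fdt-1";
                 signature-1 { algo = "sha256,rsa2048"; key-name-hint = "$4";
                               sign-images = "fdt", "kernel"; }; };
    };
};
EOF
}

# -K writes the public key into the control DTB; -r marks it required, so
# U-Boot rejects configurations not signed by it. Then verify as U-Boot would.
sign_and_check() {  # $1 = keydir, $2 = its, $3 = u-boot.dtb, $4 = fitImage, $5 = key name
    mkimage -f "$2" -k "$1" -K "$3" -r "$4"
    fdtget "$3" "/signature/key-$5" required   # the key node now carries required = "conf"
    fit_check_sign -f "$4" -k "$3"
}

main() {
    work=$(mktemp -d) && cd "$work"
    head -c 4096 /dev/urandom > zImage                        # constructed stand-in payload
    printf '/dts-v1/;\n/ { };\n' | dtc -I dts -O dtb -o board.dtb
    cp board.dtb u-boot.dtb                                   # -K needs an existing DTB
    make_key keys dev && write_its fit.its zImage board.dtb dev
    sign_and_check keys fit.its u-boot.dtb fitImage dev
}
command -v mkimage >/dev/null 2>&1 && main || echo "skipping: u-boot-tools not installed"
```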