How do I use U-Boot verified boot for signature verification with multiple keys?



I am trying to use U-Boot verified boot for my use case. Ideally I want two sets of kernel, ramdisk and dtb: 1) for production use only, and 2) for a development scenario.

I generated two keys with their corresponding public keys: dev.key, dev.crt, prod.key, prod.crt.

For testing I created a FIT source file as shown below, but the generated u-boot.dtb only contains the production key; there is no sign of the development key (the node structure is there, but rsa,r-squared and rsa,modulus are missing). Any idea how to do this correctly? Thanks!

/dts-v1/;
/ {
    description = "fitImage for Tegra TX2";
    #address-cells = <1>;
    images {
        kernel-1 {
            description = "Linux kernel";
            data = /incbin/("Image");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        fdt-1 {
            description = "DTB for Tegra TX2";
            data = /incbin/("tegra186-base.dtb");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        ramdisk-1 {
            description = "Ramdisk Image for Tegra TX2";
            data = /incbin/("initrd");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            description = "Production build";
            kernel = "kernel-1";
            fdt = "fdt-1";
            ramdisk = "ramdisk-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "prod";
                sign-images = "kernel", "fdt", "ramdisk";
            };
        };
        conf-2 {
            description = "Development build";
            kernel = "kernel-1";
            fdt = "fdt-1";
            ramdisk = "ramdisk-1";
            signature {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "kernel", "fdt", "ramdisk";
            };
        };
    };
};

In my limited testing, the only way the mkimage command adds both keys to u-boot.dtb is with the setup below. Essentially, the second key then only serves as a backup option. This seems to match the U-Boot documentation, but it does not fit my use case. The documentation says:

  • key-name-hint: Name of the key to use for signing. This is only a hint since it is possible for the name to be changed. Verification can proceed by checking all available signing keys until one matches.
/dts-v1/;
/ {
    description = "fitImage for Tegra TX2";
    #address-cells = <1>;
    images {
        kernel-1 {
            description = "Linux kernel";
            data = /incbin/("Image");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        fdt-1 {
            description = "DTB for Tegra TX2";
            data = /incbin/("tegra186-base.dtb");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        ramdisk-1 {
            description = "Ramdisk Image for Tegra TX2";
            data = /incbin/("initrd");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            description = "Production build";
            kernel = "kernel-1";
            fdt = "fdt-1";
            ramdisk = "ramdisk-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "prod";
                sign-images = "kernel", "fdt", "ramdisk";
            };
            signature-2 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "kernel", "fdt", "ramdisk";
            };
        };
    };
};
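
To check which public keys mkimage -K actually wrote into u-boot.dtb, here is an added example (not code from the question or from U-Boot) that walks the DTB's /signature/key-* nodes and reports which of the RSA fields named above each node lacks; the function names and the DTB bytes it runs on are my own, the latter a constructed fixture built inline to mirror what the question describes.

```python
import struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9
RSA_PROPS = ("rsa,modulus", "rsa,r-squared")  # the fields the question found missing for the dev key

def fdt_props(dtb):
    """Walk a flattened device tree, yielding (node_path, property_name, raw_value)."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", dtb)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    pos, path = off_struct, []
    while True:
        tok, pos = struct.unpack_from(">I", dtb, pos)[0], pos + 4
        if tok == BEGIN_NODE:                # NUL-terminated node name, padded to 4 bytes
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:                    # u32 value length, u32 name offset, value, padding
            (length, name_off), pos = struct.unpack_from(">II", dtb, pos), pos + 8
            name = dtb[off_strings + name_off:dtb.index(b"\0", off_strings + name_off)]
            yield "/" + "/".join(p for p in path if p), name.decode(), dtb[pos:pos + length]
            pos = (pos + length + 3) & ~3
        elif tok == END:
            return
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4}")

def missing_rsa_fields(dtb):
    """For every /signature/key-<hint> node, the RSA fields that are absent from it."""
    present = {}
    for path, name, _ in fdt_props(dtb):
        parent, _, node = path.rpartition("/")
        if parent == "/signature" and node.startswith("key-"):
            present.setdefault(node, set()).add(name)
    return {k: [p for p in RSA_PROPS if p not in v] for k, v in present.items()}

# Constructed stand-in for the u-boot.dtb described in the question (not mkimage output):
# key-prod carries its RSA fields, key-dev exists but holds nothing beyond "algo".
STRINGS = b"rsa,modulus\0rsa,r-squared\0algo\0"
def _node(name):
    return struct.pack(">I", BEGIN_NODE) + name.encode() + b"\0" * (4 - len(name) % 4)
def _prop(name, value):
    head = struct.pack(">III", PROP, len(value), STRINGS.index(name + b"\0"))
    return head + value + b"\0" * (-len(value) % 4)
_END = struct.pack(">I", END_NODE)
STRUCT = (_node("") + _node("signature") + _node("key-prod") + _prop(b"rsa,modulus", b"\x01" * 256)
          + _prop(b"rsa,r-squared", b"\x02" * 256) + _END + _node("key-dev")
          + _prop(b"algo", b"sha256,rsa2048\0") + _END + _END + _END + struct.pack(">I", END))
SAMPLE_DTB = (struct.pack(">10I", FDT_MAGIC, 56 + len(STRUCT) + len(STRINGS), 56, 56 + len(STRUCT),
                          40, 17, 16, 0, len(STRINGS), len(STRUCT))  # v17 header, empty rsvmap at 40
              + b"\0" * 16 + STRUCT + STRINGS)
```

On a real build, `fdtget -p u-boot.dtb /signature/key-dev` from the dtc tools lists the same property names without any custom parsing.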

You can use ubootpubkey to embed the keys into the u-boot dts file at u-boot compile time.
