[STM32MP15][Yocto] Signing fitImage with multiple device trees.

Deynard
Associate

Hello, I'm working on enabling secure boot on our STM32MP15 cards. We are using Yocto, with the layer from ST (meta-st-stm32mp). I am currently trying to implement the check of the signature of the fitImage by U-Boot. I have added this configuration:

UBOOT_SIGN_ENABLE = "${SIGN_ENABLE}"
FIT_SIGN_INDIVIDUAL = "${SIGN_ENABLE}"
UBOOT_SIGN_KEYDIR = "${KEYDIR}"
UBOOT_SIGN_KEYNAME = "u-boot"
UBOOT_SIGN_IMG_KEYNAME = "u-boot-img"
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"

We have multiple models of cards, with different device trees for each. U-Boot is configured to load the correct one with information from the card. So there are multiple device trees with different configurations in our fitImage.

However, it appears it is not possible to sign the fitImage with multiple device trees. A fatal error is raised when trying. It seems to come from a function in recipes-kernel/linux/linux-stm32mp.inc in the layer from ST, but I don't understand why.

This is the function:
python() {
    fitimage_signed = d.getVar('UBOOT_SIGN_ENABLE')
    devicetree = d.getVar('KERNEL_DEVICETREE').split()
    machine_features = d.getVar('MACHINE_FEATURES')
    if 'fit' in machine_features:
        if fitimage_signed is not None and fitimage_signed == "1":
            if len(devicetree) > 1:
                bb.fatal("The signature of FIT image work only when there "
                         "is only one DEVICE-TREE specified")
}

The signing of the fit image is implemented in the classes uboot-sign and kernel-fitimage from poky, not from ST. I checked the commit on meta-st-stm32mp and there was no explanation as to why this was added. I patched this function to create a fitImage. I used fit_check_sign, a tool from U-Boot, to check if it was properly signed and it raised no error. Is there something I am missing? Does anyone know why this function was added? Thanks for your help.

– 

Charles Neyrand
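Added example, not code from the original post, from meta-st-stm32mp or from poky: with one device tree per board variant, a FIT image ends up with one configuration node per variant, and the property worth confirming is that every configuration (not only the default one) carries a signature-* subnode that mkimage has actually filled with a value. The stdlib-only script below parses a flattened device tree (a FIT image is one) and reports that per configuration. The sample FIT is constructed inline by a small FDT writer in the same block; its node names (conf-boardA, fdt-boardB, ...), key-name hint and the 256-byte dummy signature value are illustrative assumptions, and the parser only walks the structure, it does not verify any signature.

```python
import struct

# FDT (flattened device tree) wire format; a U-Boot FIT image is an FDT blob.
FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_fdt(tree) -> bytes:
    """Serialise a (name, props, children) tree into an FDT blob with a v17 header."""
    struct_blk, strings, str_off = bytearray(), bytearray(), {}

    def str_id(name):                      # offset of a property name in the strings block
        if name not in str_off:
            str_off[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return str_off[name]

    def emit(node):
        name, props, children = node
        struct_blk.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for key, val in props.items():
            struct_blk.extend(struct.pack(">III", FDT_PROP, len(val), str_id(key)) + _pad4(val))
        for child in children:
            emit(child)
        struct_blk.extend(struct.pack(">I", FDT_END_NODE))

    emit(tree)
    struct_blk.extend(struct.pack(">I", FDT_END))
    off_struct = 40 + 16                   # 40-byte header + one empty memory-reserve entry
    off_strings = off_struct + len(struct_blk)
    # magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap, version,
    # last_comp_version, boot_cpuid_phys, size_dt_strings, size_dt_struct
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(struct_blk))
    return header + b"\0" * 16 + bytes(struct_blk) + bytes(strings)


def parse_fdt(blob: bytes):
    """Parse an FDT blob back into a (name, props, children) tree."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not an FDT/FIT blob")
    pos, stack, root = off_struct, [], None
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:          # NUL-terminated name, padded to 4 bytes
            end = blob.index(b"\0", pos)
            node = (blob[pos:end].decode(), {}, [])
            pos = end + 1 + (-(end + 1) % 4)
            if stack:
                stack[-1][2].append(node)
            else:
                root = node
            stack.append(node)
        elif tok == FDT_PROP:              # length, name offset, then padded value
            length, name_off = struct.unpack_from(">II", blob, pos)
            pos += 8
            name_end = blob.index(b"\0", off_strings + name_off)
            stack[-1][1][blob[off_strings + name_off:name_end].decode()] = blob[pos:pos + length]
            pos += length + (-length % 4)
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_END:
            return root
        elif tok != FDT_NOP:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4}")


def audit_fit_configurations(blob: bytes) -> dict:
    """Map each /configurations/* node to True iff some signature-* child has a non-empty value."""
    root = parse_fdt(blob)
    confs = next((n for n in root[2] if n[0] == "configurations"), None)
    if confs is None:
        raise ValueError("FIT has no /configurations node")
    report = {}
    for name, _props, children in confs[2]:
        sigs = [c for c in children if c[0].startswith("signature")]
        report[name] = any(len(c[1].get("value", b"")) > 0 for c in sigs)
    return report


def unsigned_configurations(blob: bytes) -> list:
    return sorted(name for name, ok in audit_fit_configurations(blob).items() if not ok)


def s(*strings) -> bytes:                  # FDT string-list property value
    return b"".join(x.encode() + b"\0" for x in strings)


# Constructed sample: one kernel, two DTBs, three configurations in different states.
SAMPLE_TREE = ("", {"description": s("constructed multi-DTB FIT")}, [
    ("images", {}, [
        ("kernel-1", {"type": s("kernel"), "data": b"\xAA" * 8}, []),
        ("fdt-boardA", {"type": s("flat_dt"), "data": b"\xBB" * 8}, []),
        ("fdt-boardB", {"type": s("flat_dt"), "data": b"\xCC" * 8}, []),
    ]),
    ("configurations", {"default": s("conf-boardA")}, [
        # signed: the signing step has filled in 'value' (dummy bytes here)
        ("conf-boardA", {"kernel": s("kernel-1"), "fdt": s("fdt-boardA")}, [
            ("signature-1", {"algo": s("sha256,rsa2048"), "key-name-hint": s("u-boot"),
                             "sign-images": s("fdt", "kernel"), "value": b"\x01" * 256}, [])]),
        # signature node declared in the .its but never signed: no 'value'
        ("conf-boardB", {"kernel": s("kernel-1"), "fdt": s("fdt-boardB")}, [
            ("signature-1", {"algo": s("sha256,rsa2048"), "key-name-hint": s("u-boot"),
                             "sign-images": s("fdt", "kernel")}, [])]),
        # no signature node at all
        ("conf-boardC", {"kernel": s("kernel-1"), "fdt": s("fdt-boardB")}, []),
    ]),
])
SAMPLE_FIT = build_fdt(SAMPLE_TREE)

if __name__ == "__main__":
    for conf, ok in audit_fit_configurations(SAMPLE_FIT).items():
        print(f"{conf}: {'signed' if ok else 'UNSIGNED'}")
```

On a real image, replace SAMPLE_FIT with the bytes of the fitImage produced by the build; a configuration reported as UNSIGNED is one a board variant could select at boot without any signature for U-Boot to verify.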

2 REPLIES
Bernard PUEL
ST Employee

This error check was added here to avoid wrong behavior, because Yocto (FIT feature) only supports one signature.

Thank you for your answer. After re-reading the class documentation, it is not mentioned that the signature only works with one device tree. Would you mind explaining what exactly is not supported by Yocto?