mkimage does not add the public key to the .dtb file

Time: 2017-03-24 16:11:04

Tags: bootloader beagleboneblack u-boot

I am trying to do verified boot on the BeagleBone Black by following the document

https://github.com/01org/edison-u-boot/blob/master/doc/uImage.FIT/beaglebone_vboot.txt

When I run the command to put the public key into the .dtb file

mkimage -f sign.its -K am335x-boneblack.dtb -k keys -r image.fit

I get the output

FIT description: Beaglebone black
Created:         Fri Mar 24 18:47:51 2017
 Image 0 (kernel@1)
  Description:  unavailable
  Created:      Fri Mar 24 18:47:51 2017
  Type:         Kernel Image
  Compression:  lzo compressed
  Data Size:    8490316 Bytes = 8291.32 KiB = 8.10 MiB
  Architecture: ARM
  OS:           Linux
  Load Address: 0x80008000
  Entry Point:  0x80008000
  Hash algo:    sha1
  Hash value:   9a390ee3c02c5bddc7b191d5cbe107991522a6d7
 Image 1 (fdt@1)
  Description:  beaglebone-black
  Created:      Fri Mar 24 18:47:51 2017
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    38894 Bytes = 37.98 KiB = 0.04 MiB
  Architecture: ARM
  Hash algo:    sha1
  Hash value:   249ca75de41f5202fae334253bd153666f60b7dc
 Default Configuration: 'conf@1'
 Configuration 0 (conf@1)
  Description:  unavailable
  Kernel:       kernel@1
  FDT:          fdt@1

But unfortunately, when I read it with fdtdump, there are no fields like signature or rsa in my .dtb file.

This is my .its file:

/dts-v1/;

/ {
    description = "Beaglebone black";
    #address-cells = <1>;

    images {
        kernel@1 {
            data = /incbin/("zImage.lzo");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "lzo";
            load = <0x80008000>;
            entry = <0x80008000>;
            hash@1 {
                algo = "sha1";
            };
        };
        fdt@1 {
            description = "beaglebone-black";
            data = /incbin/("am335x-boneblack.dtb");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            hash@1 {
                algo = "sha1";
            };
        };
    };
    configurations {
        default = "conf@1";
        conf@1 {
            kernel = "kernel@1";
            fdt = "fdt@1";
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "fdt", "kernel";
            };
        };
    };
};

Also, in the keys folder I have the dev.key and dev.crt files.

Thanks for your answers.

2 answers:

Answer 0: (score: 0)

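As stated in: https://lxr.missinglinkelectronics.com/#uboot/doc/uImage.FIT/signature.txt

Public Key Storage

In order to verify an image that has been signed with a public key we need to have a trusted public key. This cannot be stored in the signed image, since it would be easy to alter. For this implementation we choose to store the public key in U-Boot's control FDT (using CONFIG_OF_CONTROL).

Regards, Steve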

Answer 1: (score: 0)

Although there is no error message, mkimage does not support this feature if CONFIG_FIT_SIGNATURE is not set in U-Boot's .config.