@ -130,7 +130,7 @@ Put this into a file in that directory called sign.its:
#address-cells = <1>;
images {
kernel@1 {
kernel {
data = /incbin/("Image.lzo");
type = "kernel";
arch = "arm";
@ -138,27 +138,27 @@ Put this into a file in that directory called sign.its:
compression = "lzo";
load = <0x80008000>;
entry = <0x80008000>;
hash@ 1 {
hash- 1 {
algo = "sha1";
};
};
fdt@ 1 {
fdt- 1 {
description = "beaglebone-black";
data = /incbin/("am335x-boneblack.dtb");
type = "flat_dt";
arch = "arm";
compression = "none";
hash@ 1 {
hash- 1 {
algo = "sha1";
};
};
};
configurations {
default = "conf@ 1";
conf@ 1 {
kernel = "kernel@1 ";
fdt = "fdt@ 1";
signature@ 1 {
default = "conf- 1";
conf- 1 {
kernel = "kernel";
fdt = "fdt- 1";
signature- 1 {
algo = "sha1,rsa2048";
key-name-hint = "dev";
sign-images = "fdt", "kernel";
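Review bot: Node naming is inconsistent after the rename: the kernel image becomes plain kernel (and conf-1 now has kernel = "kernel";), while every other node in sign.its keeps its index as fdt-1, hash-1, conf-1 and signature-1. Suggest kernel-1 throughout, or a sentence in the commit message explaining why only the kernel node drops its suffix, because the chosen name has to match in every sample output and every fdtget/fdtput path later in this file.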
@ -211,7 +211,7 @@ You should see something like this:
FIT description: Beaglebone black
Created: Sun Jun 1 12:50:30 2014
Image 0 (kernel@1 )
Image 0 (kernel)
Description: unavailable
Created: Sun Jun 1 12:50:30 2014
Type: Kernel Image
@ -223,7 +223,7 @@ Created: Sun Jun 1 12:50:30 2014
Entry Point: 0x80008000
Hash algo: sha1
Hash value: c94364646427e10f423837e559898ef02c97b988
Image 1 (fdt@ 1)
Image 1 (fdt- 1)
Description: beaglebone-black
Created: Sun Jun 1 12:50:30 2014
Type: Flat Device Tree
@ -232,11 +232,11 @@ Created: Sun Jun 1 12:50:30 2014
Architecture: ARM
Hash algo: sha1
Hash value: cb09202f889d824f23b8e4404b781be5ad38a68d
Default Configuration: 'conf@ 1'
Configuration 0 (conf@ 1)
Default Configuration: 'conf- 1'
Configuration 0 (conf- 1)
Description: unavailable
Kernel: kernel@1
FDT: fdt@ 1
Kernel: kernel
FDT: fdt- 1
Now am335x-boneblack-pubkey.dtb contains the public key and image.fit contains
@ -251,12 +251,12 @@ which results in:
Verifying Hash Integrity ... sha1,rsa2048:dev+
## Loading kernel from FIT Image at 7fc6ee469000 ...
Using 'conf@ 1' configuration
Using 'conf- 1' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK
Trying 'kernel@1 ' kernel subimage
Trying 'kernel' kernel subimage
Description: unavailable
Created: Sun Jun 1 12:50:30 2014
Type: Kernel Image
@ -274,8 +274,8 @@ OK
Unimplemented compression type 4
## Loading fdt from FIT Image at 7fc6ee469000 ...
Using 'conf@ 1' configuration
Trying 'fdt@ 1' fdt subimage
Using 'conf- 1' configuration
Trying 'fdt- 1' fdt subimage
Description: beaglebone-black
Created: Sun Jun 1 12:50:30 2014
Type: Flat Device Tree
@ -291,7 +291,7 @@ OK
Loading Flat Device Tree ... OK
## Loading ramdisk from FIT Image at 7fc6ee469000 ...
Using 'conf@ 1' configuration
Using 'conf- 1' configuration
Could not find subimage node
Signature check OK
@ -313,8 +313,8 @@ the above flow works.
But it is fun to do this by hand, so you can load image.fit into a hex editor
like ghex, and change a byte in the kernel:
$UOUT/tools/fit_info -f image.fit -n /images/kernel@1 -p data
NAME: kernel@1
$UOUT/tools/fit_info -f image.fit -n /images/kernel -p data
NAME: kernel
LEN: 7790938
OFF: 168
@ -324,12 +324,12 @@ fit_check_sign again. You should see something like:
Verifying Hash Integrity ... sha1,rsa2048:dev+
## Loading kernel from FIT Image at 7f5a39571000 ...
Using 'conf@ 1' configuration
Using 'conf- 1' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK
Trying 'kernel@1 ' kernel subimage
Trying 'kernel' kernel subimage
Description: unavailable
Created: Sun Jun 1 13:09:21 2014
Type: Kernel Image
@ -343,12 +343,12 @@ OK
Hash value: c94364646427e10f423837e559898ef02c97b988
Verifying Hash Integrity ...
sha1 error
Bad hash value for 'hash@1' hash node in 'kernel@1 ' image node
Bad hash value for 'hash-1' hash node in 'kernel ' image node
Bad Data Hash
## Loading fdt from FIT Image at 7f5a39571000 ...
Using 'conf@ 1' configuration
Trying 'fdt@ 1' fdt subimage
Using 'conf- 1' configuration
Trying 'fdt- 1' fdt subimage
Description: beaglebone-black
Created: Sun Jun 1 13:09:21 2014
Type: Flat Device Tree
@ -364,7 +364,7 @@ OK
Loading Flat Device Tree ... OK
## Loading ramdisk from FIT Image at 7f5a39571000 ...
Using 'conf@ 1' configuration
Using 'conf- 1' configuration
Could not find subimage node
Signature check Bad (error 1)
@ -386,11 +386,11 @@ images
configurations
fdtget -l image.fit /configurations
conf@ 1
fdtget -l image.fit /configurations/conf@ 1
signature@ 1
conf- 1
fdtget -l image.fit /configurations/conf- 1
signature- 1
fdtget -p image.fit /configurations/conf@1/signature@ 1
fdtget -p image.fit /configurations/conf-1/signature- 1
hashed-strings
hashed-nodes
timestamp
@ -401,20 +401,20 @@ algo
key-name-hint
sign-images
fdtget image.fit /configurations/conf@1/signature@ 1 hashed-nodes
/ /configurations/conf@1 /images/fdt@1 /images/fdt@1/hash@1 /images/kernel@1 /images/kernel@1/hash@ 1
fdtget image.fit /configurations/conf-1/signature- 1 hashed-nodes
/ /configurations/conf-1 /images/fdt-1 /images/fdt-1/hash /images/kernel /images/kernel/hash- 1
This gives us a bit of a look into the signature that mkimage added. Note you
can also use fdtdump to list the entire device tree.
Say we want to change the kernel that this configuration uses
(/images/kernel@1 ). We could just put a new kernel in the image, but we will
(/images/kernel). We could just put a new kernel in the image, but we will
need to change the hash to match. Let's simulate that by changing a byte of
the hash:
fdtget -tx image.fit /images/kernel@1/hash@ 1 value
fdtget -tx image.fit /images/kernel/hash- 1 value
c9436464 6427e10f 423837e5 59898ef0 2c97b988
fdtput -tx image.fit /images/kernel@1/hash@ 1 value c9436464 6427e10f 423837e5 59898ef0 2c97b981
fdtput -tx image.fit /images/kernel/hash- 1 value c9436464 6427e10f 423837e5 59898ef0 2c97b981
Now check it again:
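Review bot: The new hashed-nodes output lists /images/fdt-1/hash, but sign.its names the node under fdt-1 as hash-1, and the kernel entry on the same line is written /images/kernel/hash-1. This looks like a dropped suffix in the hand-edited output; it should read /images/fdt-1/hash-1 so the list of signed nodes matches the nodes the example actually creates.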
@ -437,7 +437,7 @@ configuration. But that won't work since you are not allowed to change the
configuration in any way. Try it with a fresh (valid) image if you like by
running the mkimage link again. Then:
fdtput -p image.fit /configurations/conf@1/signature@2 value fred
fdtput -p image.fit /configurations/conf-1/signature-1 value fred
$UOUT/tools/fit_check_sign -f image.fit -k am335x-boneblack-pubkey.dtb
Verifying Hash Integrity ... -
sha1,rsa2048:devrsa_verify_with_keynode: RSA failed to verify: -13
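Review bot: The fdtput line is not a pure '@' to '-' substitution: the removed line wrote to conf@1/signature@2 and the added line writes to conf-1/signature-1. signature-1 is the node sign.its defines under conf-1, so the new path looks like the right one for demonstrating a tampered signature value, but the commit message should say that the example path is being corrected here as well as renamed.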
@ -521,9 +521,9 @@ U-Boot# ext2load mmc 0:2 82000000 /boot/image.fit
7824930 bytes read in 589 ms (12.7 MiB/s)
U-Boot# bootm 82000000
## Loading kernel from FIT Image at 82000000 ...
Using 'conf@ 1' configuration
Using 'conf- 1' configuration
Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
Trying 'kernel@1 ' kernel subimage
Trying 'kernel' kernel subimage
Description: unavailable
Created: 2014-06-01 19:32:54 UTC
Type: Kernel Image
@ -538,8 +538,8 @@ U-Boot# bootm 82000000
Hash value: c94364646427e10f423837e559898ef02c97b988
Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 82000000 ...
Using 'conf@ 1' configuration
Trying 'fdt@ 1' fdt subimage
Using 'conf- 1' configuration
Trying 'fdt- 1' fdt subimage
Description: beaglebone-black
Created: 2014-06-01 19:32:54 UTC
Type: Flat Device Tree