Kernel fitImage signing is an important step in embedded secure boot. In this technique, a public-private key pair is generated with OpenSSL. The private key is used to sign the kernel fitImage. The public key is placed in the device tree of the bootloader (U-Boot or barebox), which uses it to authenticate the kernel fitImage at runtime.

In this tutorial, we will have a complete look at kernel fitImage signing in Yocto. Besides, we will also see how it can be tested on hardware. So, let’s get started!

Step 1: Generate OpenSSL Keys and Certificates

To generate a signing key for kernel-fitImage signing, follow the steps below:

cd path-to-yocto-sources/
mkdir fitImage-keys

Generate a 2048-bit RSA private key using this command:

openssl genrsa -F4 -out path-to-yocto-sources/fitImage-keys/sign-key.key 2048

Generate a self-signed X.509 certificate from the private key:

openssl req -batch -new -x509 -key path-to-yocto-sources/fitImage-keys/sign-key.key -out path-to-yocto-sources/fitImage-keys/sign-key.crt

Step 2: Kernel-fitImage Signing Configurations in Yocto

In Yocto, fitImage.bbclass and uboot-sign.bbclass are responsible for fitImage signing. Add the following lines in your local.conf file:

MACHINE_FEATURES += "fit"
UBOOT_SIGN_ENABLE = "1"

# Path to directory where you generated SSL keys in Step 1
UBOOT_SIGN_KEYDIR = "path-to-yocto-sources/fitImage-keys"

# Name of the key without extension
UBOOT_SIGN_KEYNAME = "sign-key"

UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"

Step 3: U-Boot Configurations

Add the following configurations in U-Boot (via patch or devtool):

CONFIG_FIT_SIGNATURE=y
CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000
CONFIG_LEGACY_IMAGE_FORMAT=y

Step 4: Bitbake Image

Run the bitbake command to build your image:

bitbake image-name

Step 5: Testing on Host Machine

To check that the fitImage is signed correctly, use the fit_check_sign utility:

fit_check_sign -f <fit-image> -k <uboot-dtb>

fit_check_sign can be found in the path-to-uboot-source/tools folder.

Step 6: Testing on Hardware

After flashing the image, check your U-Boot logs for verification:

## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-freescale_imx8mm.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:sign-key+ success!

The + after the key name (sign-key+) indicates successful signature verification. If the log shows sign-key- instead, there’s an issue in your signing process.
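The check above can be automated for a captured serial console log, for example in a hardware test job. The following is an added example, not part of the original tutorial or of U-Boot: the function name and the constructed sample logs are assumptions, and it assumes that a hash-only check prints an algorithm with no key name (such as sha256+), which must not be counted as a verified signature.

```python
import re

# One verdict token on a "Verifying Hash Integrity ..." line:
#   "<algos>:<key-name>" followed by + (pass) or - (fail), e.g. sha256,rsa2048:sign-key+
# Assumption: a hash-only check has no ":<key-name>" part, e.g. "sha256+".
TOKEN = re.compile(
    r"(?<!\S)(?P<algo>[A-Za-z0-9,]+)(?::(?P<key>[\w.-]+?))?(?P<verdict>[+-])(?=\s|$)"
)
MARKER = "Verifying Hash Integrity ..."

def check_boot_log(log, expected_key):
    """Return (ok, reasons). ok is True only if the expected key verified and nothing failed."""
    signed_ok = False
    reasons = []
    for line in log.splitlines():
        _, marker, rest = line.partition(MARKER)
        if not marker:
            continue  # not a verification line
        for m in TOKEN.finditer(rest):
            key, verdict = m["key"], m["verdict"]
            if verdict == "-":
                reasons.append(f"verification failed: {m[0]}")
            elif key == expected_key:
                signed_ok = True
            elif key is not None:
                reasons.append(f"unexpected key: {key}")
            # key is None with '+': hash-only success, proves integrity but not origin
    if not signed_ok:
        reasons.append(f"no passing signature by {expected_key!r}")
    return (not reasons), reasons

# Log lines as shown in Step 6.
GOOD_LOG = """## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-freescale_imx8mm.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:sign-key+ success!
"""
# Constructed samples: a failed signature and a hash-only boot.
FAILED_LOG = "   Verifying Hash Integrity ... sha256,rsa2048:sign-key-\n"
HASH_ONLY_LOG = "   Verifying Hash Integrity ... sha256+ OK\n"

if __name__ == "__main__":
    for name, log in [("good", GOOD_LOG), ("failed", FAILED_LOG), ("hash-only", HASH_ONLY_LOG)]:
        print(name, check_boot_log(log, "sign-key"))
```

A hash-only line is reported as a failure because it shows the image was not corrupted, not that it was signed with your key.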

By following these steps, you’ll be able to sign the FIT image of your kernel, enabling secure boot for your embedded system.
