u-boot signature check: Signature check Bad (error 1)

For some reason mkimage allows you to sign with public keys that are not paired with the private key  leading to fit images that will never be bootable due to signature verification failure like in the title of the post.

For example imagine you generate 2 sets of keys by doing :

#From https://github.com/siemens/u-boot/blob/master/doc/uImage.FIT/beaglebone_vboot.txt
#priv key
openssl genrsa -F4 -out keys/k1.key 2048
openssl genrsa -F4 -out keys/k2.key 2048

#pub key
openssl req -batch -new -x509 -key keys/k1.key -out keys/dev.crt

#Somehow mess things up:
mv keys/k2.key keys/k1.key

If you follow the above instructions and run mkimage on the keys directory, you will get no error, which is kind of amazing. What will happen is that next time you try to boot the fit image the validation will always fail.

A good way to make sure that you do not have such a situation going all the way to a board, and in the worst case bricking it, is to check with a tool included in u-boot:

uboot-fit_check_sign -f $fit_image -k $uboot_with_dtb

Extra: mkimage has an extra way of making things look fine when they are not.

When running mkimage and asking it to sign an image and the keys directory does not exist or there is some issue with the keys passed, mkimage will happily return success, even if it does not fulfill the request:

$ mkimage -f sign.its -K $dtb_with_pubkeysz -k $non_existing_dir -r image.fit
$ echo $?

For a good primer on how fit images and signatures work with u-boot, have a look at this doc It is a really good text. Do not get fooled by the beaglebone name, as it is generic for other boards.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s