Usage of SHA384 signature for FIT image instead of SHA256

Message ID	CAKxnL=hnWt8ZYL2eU8yaYMRTF7wMO8asb_YLmY2361CWddMkXg@mail.gmail.com
State	New
Headers	show Return-Path: <openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> MIME-Version: 1.0 From: Gangadhar N <gangadhar.ubuntu@gmail.com> Date: Mon, 30 May 2022 14:56:10 +0530 Message-ID: <CAKxnL=hnWt8ZYL2eU8yaYMRTF7wMO8asb_YLmY2361CWddMkXg@mail.gmail.com> Subject: Usage of SHA384 signature for FIT image instead of SHA256 To: openbmc@lists.ozlabs.org Content-Type: multipart/alternative; boundary="000000000000c8292005e0373ff2" Precedence: list Errors-To: openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "openbmc" <openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	Usage of SHA384 signature for FIT image instead of SHA256 \| expand Usage of SHA384 signature for FIT image instead of SHA256

Message ID

CAKxnL=hnWt8ZYL2eU8yaYMRTF7wMO8asb_YLmY2361CWddMkXg@mail.gmail.com

State

New

Headers

MIME-Version: 1.0
From: Gangadhar N <gangadhar.ubuntu@gmail.com>
Date: Mon, 30 May 2022 14:56:10 +0530
Message-ID: 
 <CAKxnL=hnWt8ZYL2eU8yaYMRTF7wMO8asb_YLmY2361CWddMkXg@mail.gmail.com>
Subject: Usage of SHA384 signature for FIT image instead of SHA256
To: openbmc@lists.ozlabs.org
Content-Type: multipart/alternative; boundary="000000000000c8292005e0373ff2"
Precedence: list
Errors-To: openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "openbmc"
 <openbmc-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

Usage of SHA384 signature for FIT image instead of SHA256 | expand

Commit Message

Gangadhar N May 30, 2022, 9:26 a.m. UTC

Hi All,
I am facing an issue while using SHA384 signature for FIT image instead of
SHA256. I get build errors.

ERROR: linux-obmc-5.8.17+gitAUTOINC+c26e1233f9-r0 do_assemble_fitimage:
Execution of
'/home/gangadhar/openbmc/build/tmp/work/linux-gnueabi/linux-obmc/5.8.17+gitAUTOINC+c26e1233f9-r0/temp/run.do_assemble_fitimage.17762'
failed with exit code 255:
none
fit-image.its:8.26-20.19: Warning (unit_address_vs_reg): /images/kernel@1:
node has a unit name, but no reg property
fit-image.its:17.32-19.27: Warning (unit_address_vs_reg): /images/kernel@1
/hash@1: node has a unit name, but no reg property
fit-image.its:21.29-31.19: Warning (unit_address_vs_reg): /images/fdt@...:
node has a unit name, but no reg property
fit-image.its:28.32-30.27: Warning (unit_address_vs_reg): /images/fdt@
.../hash@1: node has a unit name, but no reg property
fit-image.its:36.30-50.19: Warning (unit_address_vs_reg):
/configurations/conf@...: node has a unit name, but no reg property
fit-image.its:42.32-44.27: Warning (unit_address_vs_reg):
/configurations/conf@.../hash@1: node has a unit name, but no reg property
fit-image.its:45.37-49.27: Warning (unit_address_vs_reg):
/configurations/conf@.../signature@1: node has a unit name, but no reg
property
uboot-mkimage Can't add hashes to FIT blob: -93
Unsupported hash algorithm (sha384) for 'hash@1' hash node in 'kernel@1'
image node
WARNING: exit code 255 from a shell command.

Yocto changes that I have done,


Thanks & Regards,
Gangadhar

Comments

Patrick Williams May 31, 2022, 1:44 p.m. UTC | #1

On Mon, May 30, 2022 at 02:56:10PM +0530, Gangadhar N wrote:
> Hi All,
> I am facing an issue while using SHA384 signature for FIT image instead of
> SHA256. I get build errors.
...

> uboot-mkimage Can't add hashes to FIT blob: -93
> Unsupported hash algorithm (sha384) for 'hash@1' hash node in 'kernel@1'
> image node

This is reporting that the mkimage tool generated by u-boot doesn't
support SHA384.  Which u-boot are you attempting to use?  It appears
that v2016.07 doesn't support sha384 but v2019.04 likely does.

Gangadhar N June 1, 2022, 7:51 a.m. UTC | #2

Hi Patrick,
I am using 2020.10 uboot

Thanks & Regards,
Gangadhar

On Tue, May 31, 2022 at 7:14 PM Patrick Williams <patrick@stwcx.xyz> wrote:

> On Mon, May 30, 2022 at 02:56:10PM +0530, Gangadhar N wrote:
> > Hi All,
> > I am facing an issue while using SHA384 signature for FIT image instead
> of
> > SHA256. I get build errors.
> ...
>
> > uboot-mkimage Can't add hashes to FIT blob: -93
> > Unsupported hash algorithm (sha384) for 'hash@1' hash node in 'kernel@1'
> > image node
>
> This is reporting that the mkimage tool generated by u-boot doesn't
> support SHA384.  Which u-boot are you attempting to use?  It appears
> that v2016.07 doesn't support sha384 but v2019.04 likely does.
>
> --
> Patrick Williams
>

Patrick Williams June 2, 2022, 11:12 a.m. UTC | #3

On Wed, Jun 01, 2022 at 01:21:59PM +0530, Gangadhar N wrote:
> ERROR: linux-obmc-5.8.17+gitAUTOINC+c26e1233f9-r0
> do_assemble_fitimage:

...

> I am using 2020.10 uboot

I don't really understand what you're trying to accomplish.  Neither
linux-5.8 nor u-boot 2020.10 are something we've supported in OpenBMC
for any hardware I am aware of.  What are you trying to build?  Which
code are you using as the base?

diff --git a/poky/meta/classes/kernel-fitimage.bbclass
b/poky/meta/classes/kernel-fitimage.bbclass
index bb2f3c4cc..d4f9dddf2 100644
--- a/poky/meta/classes/kernel-fitimage.bbclass
+++ b/poky/meta/classes/kernel-fitimage.bbclass
@@ -51,13 +51,13 @@  python __anonymous () {
 UBOOT_MKIMAGE_DTCOPTS ??= ""

 # fitImage Hash Algo
-FIT_HASH_ALG ?= "sha256"
+FIT_HASH_ALG ?= "sha384"

 # fitImage Signature Algo
 FIT_SIGN_ALG ?= "rsa2048"

 # Generate keys for signing fitImage
-FIT_GENERATE_KEYS ?= "0"
+FIT_GENERATE_KEYS ?= "1"

 # Size of private key in number of bits
 FIT_SIGN_NUMBITS ?= "2048"

Usage of SHA384 signature for FIT image instead of SHA256

Commit Message

Comments

Patch