Verify FIT image signature in Linux userspace
I'm working on a software update for my device. The image is a FIT image with an RSA signature. My U-Boot can verify it before booting it.
I'm wondering if there's a tool in Linux userspace to do the same verification. Basically, my device running Linux downloads a FIT image, verifies it before writing it to flash. The verification step is what I don't have.
I guess I can sign the whole FIT image, but it's kind of a waste since my FIT already has an RSA signature in it.
Thanks!
asked Apr 11 at 19:36, edited Apr 11 at 20:18
Nhat Nam Trinh
Could you provide more details on your machine, OS/custom distro, the signature (an embedded file?) so it would be easier to help you out and be useful for future readers?
– Paradox
Apr 11 at 19:44
Paradox. My device runs custom Linux built with Buildroot. The bootloader is U-Boot. The FIT (flatten device tree) image is a way to package stuff (kernel, dtb...) to be booted by U-Boot. U-Boot provides tools to help build FIT images with an optional RSA signature. U-Boot verifies the signature automatically at bootup. I'm just wondering if there's a tool in Linux that does the same verification.
– Nhat Nam Trinh
Apr 11 at 19:50
Yes, but if the FIT image is not embedded on your device in the same state you built it, I am not aware of a way of checking the signature of a running custom Linux image already altered by booting (it's the bootloader's job AFAIK). I will let someone who might know better about it try to point you in the right direction.
– Paradox
Apr 11 at 19:53
Oh, sorry. I need to be clear. I'm working on a system update. Basically, the device running Linux downloads the FIT image, verifies it before writing it to flash. The verification step is what I'm missing right now.
– Nhat Nam Trinh
Apr 11 at 20:01
This can be done. Could you add all of these details to your question, please?
– Paradox
Apr 11 at 20:13
1 Answer
I think I have an answer. U-Boot has a tool called "fit_check_sign".
If you use Buildroot, these are the broad strokes:
- Include package "uboot-tools" for your target.
- Enable FIT and FIT_SIGNATURE options for the package.
- Build the system.
- In ..../output/build/uboot-tools-*/tools, there's "fit_check_sign". Copy that to the target. You can do that in a post-build script.
From the target, run the following to verify:
    ./fit_check_sign -f your_fit_image -k uboot_dtb_file_containing_public_key
answered Apr 11 at 21:29
Nhat Nam Trinh
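One way to wire the command from the answer into the update flow the question describes, as an added example that is not part of the original answer: the updater copies the download into a private directory, runs fit_check_sign on that copy, and hands only the verified copy on to the flashing step. The default paths in FIT_CHECK_SIGN, KEY_DTB and STAGE_DIR and both function names are assumptions; the only behaviour relied on is that fit_check_sign exits non-zero when the check fails.

```shell
#!/bin/sh
# Added example: gate an update on fit_check_sign's exit status.
# Assumptions (not from the page): the three default paths below and both
# function names. Only "-f <fit> -k <key dtb>" is taken from the answer.
FIT_CHECK_SIGN="${FIT_CHECK_SIGN:-/usr/bin/fit_check_sign}"
KEY_DTB="${KEY_DTB:-/etc/update/pubkey.dtb}"   # must ship in the trusted rootfs
STAGE_DIR="${STAGE_DIR:-/var/lib/update}"      # writable only by the updater

# verify_fit IMAGE
# Returns 0 if the signature check passes, 1 if it fails,
# 2 if the check could not be run at all (treat as a failure too).
verify_fit() {
    vf_img="$1"
    [ -x "$FIT_CHECK_SIGN" ] || { echo "verifier not found: $FIT_CHECK_SIGN" >&2; return 2; }
    [ -r "$KEY_DTB" ] || { echo "key dtb not readable: $KEY_DTB" >&2; return 2; }
    # Regular file only: refuse symlinks that could be re-pointed later.
    if [ ! -f "$vf_img" ] || [ -L "$vf_img" ]; then
        echo "not a regular file: $vf_img" >&2; return 2
    fi
    # The tool's exit status is the verdict; its text output is not parsed.
    if "$FIT_CHECK_SIGN" -f "$vf_img" -k "$KEY_DTB" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# stage_verified_fit DOWNLOADED_IMAGE
# Copies the download into STAGE_DIR, verifies that private copy, and prints
# its path on success. The caller flashes the printed path, so the bytes that
# were checked are the bytes that get written.
stage_verified_fit() {
    sv_src="$1"
    mkdir -p "$STAGE_DIR" && chmod 0700 "$STAGE_DIR" || return 2
    sv_tmp="$(mktemp "$STAGE_DIR/fit.XXXXXX")" || return 2   # created mode 0600
    if cp -- "$sv_src" "$sv_tmp" && verify_fit "$sv_tmp"; then
        chmod 0400 "$sv_tmp"
        echo "$sv_tmp"
        return 0
    fi
    rm -f -- "$sv_tmp"
    echo "rejected $sv_src: FIT signature not verified" >&2
    return 1
}
```

The updater would capture the path printed by `stage_verified_fit` and pass only that file to its device-specific flash command. The key DTB has to come from the device's own trusted storage, never from the same download as the image.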