sha256,rsa4096 is supported for signing the dtb for xilinx-zynqmp secure boot according to github.com/Xilinx/u-boot-xlnx.git, latest commit 5fa7d2ed066166571e969d036c1871c1759a921d from the u-boot-xlnx/u-boot-xlnx_2017.01.bb recipe. But when the customer tries to sign with sha256,rsa4096, he gets the following error:

./tools/mkimage -T zynqmpimage -R /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/git/"" -n /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/git/"" -d spl/u-boot-spl.bin spl/boot.bin
| Image Type : Xilinx Zynq Boot Image support
| Image Offset : 0x000009c0
| Image Size : 129288 bytes (129288 bytes packed)
| Image Load : 0xfffc0000
| Checksum : 0xfd1a5871
| /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/git/scripts/check-config.sh u-boot.cfg \
| /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/git/scripts/config_whitelist.txt /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/git 1>&2
| make[1]: Leaving directory '/projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/build'
| make: Leaving directory '/projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/git'
| uboot-mkimage Can't add hashes to FIT blob
| WARNING: /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/temp/do_compile/run.do_compile.91516:1 exit 255 from
| uboot-mkimage -k /projects/case00087032_xilinx/secure-boot/keys -K /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/build/dts/dt.dtb -r -f fit-null.its nullimage
| ERROR: Function failed: do_compile (log file is located at /projects/case00087032_xilinx/secure-boot/bitbake_build/tmp/work/xilinx_zynqmp-wrs-linux/u-boot-xlnx/v2017.01-xilinx-v2017.4+gitAUTOINC+5fa7d2ed06-r0/temp/do_compile/log.do_compile.91516)
ERROR: Task 4 (/projects/case00087032_xilinx/secure-boot/layers/wr-secure/wr-security-packages/recipes-bsp/u-boot-xlnx/u-boot-xlnx_2017.01.bb, do_compile) failed with exit code '1'
NOTE: Tasks Summary: Attempted 277 tasks of which 272 didn't need to be rerun and 1 failed.

1. Create project
configure --enable-reconfig --enable-board=xilinx-zynqmp --enable-kernel=secure --enable-rootfs=secure-core+debug+zynqmp-secure-boot+debug+secure-configuration --enable-build=production --enable-addons=wr-secure --enable-bootimage=cpio.gz --with-rcpl-version=0025
2. Modify the u-boot.inc at layers/wr-secure/wr-security-packages/recipes-bsp/u-boot-xlnx/u-boot.inc to use sha256,rsa4096.
/dts-v1/;
/ {
    description = "U-Boot fitImage";
    #address-cells = <1>;
    images {
        fdt@1 {
            description = "Flattened Device Tree blob";
            data = /incbin/("null.dtb");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            hash@1 {
                algo = "sha256";
            };
            signature@1 {
                //algo = "sha1,rsa2048";
                algo = "sha256,rsa4096";
                key-name-hint = "dev";
            };
        };
    };
    //signature@1 {
    // algo = "sha256,rsa4096";
    // key-name-hint = "dev";
    //};
    configurations {
        default = "conf@1";
        conf@1 {
            description = "Boot Linux kernel with FDT blob";
            fdt = "fdt@1";
            hash@1 {
                algo = "sha256";
            };
        };
    };
};
EOF
3. Generate your 4096 key in your 4096keys dir:
openssl genrsa -F4 -out keys/dev.key 4096
4. Redefine ZYNQMP_FITIMAGE_KEY_DIR in your local.conf
ZYNQMP_FITIMAGE_KEY_DIR = "<your project>/keys"
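
A pre-flight check for steps 2 to 4, as an added example that is not part of the original report or of the u-boot-xlnx recipe: it reads the active signature nodes from the .its, skipping the commented-out ones, and checks the key directory for the files each key-name-hint points to. The function names are hypothetical, the .its text is a constructed sample modelled on step 2, and the file lookup rests on U-Boot's mkimage reading <key-name-hint>.key and <key-name-hint>.crt from the -k directory.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample modelled on the .its in step 2, including its commented-out lines.
SAMPLE_ITS = '''
/ { images { fdt@1 { signature@1 {
    //algo = "sha1,rsa2048";
    algo = "sha256,rsa4096";
    key-name-hint = "dev";
}; }; };
//signature@1 {
// algo = "sha256,rsa4096";
// key-name-hint = "dev";
//};
};
'''

def strip_comments(its):
    """Remove // and /* */ comments but leave quoted strings untouched."""
    pat = r'"[^"\n]*"|//[^\n]*|/\*.*?\*/'
    return re.sub(pat, lambda m: m.group(0) if m.group(0)[0] == '"' else "", its, flags=re.S)

def signature_nodes(its):
    """Return (node, algo, key-name-hint) for every active signature@N node."""
    nodes = []
    for m in re.finditer(r"(signature@\w+)\s*\{([^{}]*)\}", strip_comments(its)):
        props = dict(re.findall(r'([\w-]+)\s*=\s*"([^"]*)"', m.group(2)))
        nodes.append((m.group(1), props.get("algo"), props.get("key-name-hint")))
    return nodes

def preflight(its, key_dir):
    """Check each signature node's algo string and the key files named by its hint."""
    problems = []
    for node, algo, hint in signature_nodes(its):
        if not (algo and re.fullmatch(r"sha\d+,rsa\d+", algo)):
            problems.append(f"{node}: unexpected algo {algo!r}")
        if not hint:
            problems.append(f"{node}: no key-name-hint")
            continue
        for ext in (".key", ".crt"):  # assumption: files mkimage reads from the -k directory
            if not (Path(key_dir) / (hint + ext)).is_file():
                problems.append(f"{node}: missing {hint}{ext} in key directory")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as d:  # key dir holding only dev.key, as after step 3
        (Path(d) / "dev.key").write_text("constructed placeholder, not a real key\n")
        return preflight(SAMPLE_ITS, d)
```

Run preflight() with the real .its text and the directory set in ZYNQMP_FITIMAGE_KEY_DIR before starting the build; it checks file presence only, not the key length.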