u-boot Flat Image Tree (FIT) signing support

Bug #1831942 reported by Andy Whitcroft on 2019-06-06
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Undecided
Andy Whitcroft
u-boot (Ubuntu)
Status tracked in Eoan
Xenial
High
Andy Whitcroft
Bionic
High
Andy Whitcroft
Cosmic
Medium
Andy Whitcroft
Disco
Medium
Andy Whitcroft
Eoan
Medium
Andy Whitcroft

Bug Description

[Impact] the existing mkimage/dumpimage tools are unable to make or dump out the contents of a u-boot FIT image.

[Test Case] run mkimage with no arguments, note that FIT images and signing are shown as disabled. Install the updated version and note that FIT images and signing are now shown as enabled. Run the attached TEST-FIT script which will put together a sample image, generate some keys, and sign the resulting image contents. You will see "kernel.img: Device Tree Blob version 17,..." if the image is created and you will see dumpimage output showing it is not yet signed (Sign value: unavailable). The signatures will then be applied and the image redumped and you will see it is now signed (Sign value: <hex>).

[Regression Potential] though this changes the u-boot boot loader package, only the build of the u-boot-utils package contents is modified. This primarily enabled FIT_SIGNATURE support in the configuration before building those tools. The majority of the tools we ship do not have configuration support even and so should not be affected. mkimage et al are not normally used during a kernel/bootloader update and so the risk to a pre-installed system should be low. There is slightly higher risk in the xenial changes as the enablement has enabled some additional tool builds, but none of those are shipped in the resulting binaries.

===

We need a mechanism for securely signing Flat Image Tree binaries. This will be performed in a similar manner to UEFI signing support via a custom binary upload to launchpad. We will also need a u-boot update to enable image creation and signing support in mkimage.

Related branches

Andy Whitcroft (apw) on 2019-06-06
Changed in launchpad:
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
Changed in u-boot (Ubuntu):
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) on 2019-06-10
Changed in u-boot (Ubuntu Eoan):
status: New → In Progress
Andy Whitcroft (apw) on 2019-06-10
Changed in u-boot (Ubuntu Disco):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Changed in u-boot (Ubuntu Cosmic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Changed in u-boot (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Changed in u-boot (Ubuntu Eoan):
importance: High → Medium
Changed in u-boot (Ubuntu Xenial):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) on 2019-06-11
description: updated
description: updated

Hello Andy, or anyone else affected,

Accepted u-boot into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/u-boot/2018.07~rc3+dfsg1-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in u-boot (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Łukasz Zemczak (sil2100) wrote :

Hello Andy, or anyone else affected,

Accepted u-boot into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/u-boot/2018.07~rc3+dfsg1-0ubuntu3~18.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in u-boot (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed-cosmic
Changed in u-boot (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Andy, or anyone else affected,

Accepted u-boot into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/u-boot/2018.07~rc3+dfsg1-0ubuntu3~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

Hello Andy, or anyone else affected,

Accepted u-boot into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/u-boot/2016.01+dfsg1-2ubuntu4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in u-boot (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial

Test script to confirm FIT image build and signature is available.

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package u-boot - 2019.04+dfsg-2ubuntu2

---------------
u-boot (2019.04+dfsg-2ubuntu2) eoan; urgency=low

  * Enable FIT signing support (LP: #1831942)
    - Enable CONFIG_FIT_SIGNATURE so we can sign FIT images.
    - Add libssl-dev to Build-Depends: to enable crypto functionality.
    - Limit key names to keys within the keydir.

 -- Andy Whitcroft <email address hidden> Mon, 10 Jun 2019 15:44:35 +0100

Changed in u-boot (Ubuntu Eoan):
status: In Progress → Fix Released
Andy Whitcroft (apw) wrote :

Testing passed on eoan:

kernel.img: Device Tree Blob version 17, size=4722, boot CPU=0, string block size=197, DT structure block size=3060
  Sign algo: sha256,rsa2048:fit
  Sign value: 662b7f56516e0fb10f94520d9d816bad27341d2b9f8212d68053f124a073bce6c5cdcbc2e85c3bce84e5e8db0be9841c81f2f8f9a85cb1c690904b35069fbca1ec6801e714263e6b6b12b4443e988bd92b5ebcb351eb34c0c6dbd6d8964852ae1aea873f452f708824e6b4eddc9d69b14bf94666f9279abe45cf0d23311f58ecbad43638c41f241feb29e5c89ac8e1a7014fbe07b09abe89e5a1e7f86e741f9a69f138c178b8e76d5be348b306e213f839d2a71e6fe095c6336dbea16d09a4fded6540c6bef6a01bfa3108032304624332b0ac10cb91ccb953149947de27514d39e369b0c0058eed0231abf3576af35323b69b4fa70e94347d91a29eb4f6846b

Andy Whitcroft (apw) wrote :

ii u-boot-tools 2018.07~rc3+dfsg1-0ubuntu3 amd64 companion tools for Das U-Boot bootloader

Testing passed on disco:

kernel.img: Device Tree Blob version 17, size=4722, boot CPU=0, string block size=197, DT structure block size=3076
  Sign algo: sha256,rsa2048:fit
  Sign value: 46de2b22dbc1f12b1e048d13c2470bc15b84aae306bc10192390768a80a91979d26fb549a4bec0f151b0a71efd49d9083494572ff0894b4e6f304d674fef7c870cd9d85ba663f99b5f77db1a3e799d76e6e51f1e4197ac272678200bdfc687f44f63322bdd1c32e650a3a3b06b6b52eaf34bea66f53b20657518fa7d09f0f0878e80896085b28f515ad7959af71d67ab35834c546d174cc978c3ed722b74f82563b429e98511e8878ad1b95dfb14386febe788050c50c911f21581628554c143f4d7154a3b0d3ebc91c2f97438ccfc5a8321fbd99bdb66efcd8d109d43a4779ee970c1793b8e7b815e1a98c7d6ac435ad04dbc6993162453101d1db5a2c31a80

Andy Whitcroft (apw) on 2019-06-11
tags: added: verification-done-disco
removed: verification-needed-disco
Andy Whitcroft (apw) wrote :

ii u-boot-tools 2018.07~rc3+dfsg1-0ubuntu3~18.10.1 amd64 companion tools for Das U-Boot bootloader

Testing passed on cosmic:

kernel.img: Device Tree Blob version 17, size=4722, boot CPU=0, string block size=197, DT structure block size=3108
  Sign algo: sha256,rsa2048:fit
  Sign value: 6a6a9af5f4b36cbb96772ea1e37890b94dc4a7fca26e90556fdd63ddf322ba0e9ad7d5ca1e8ce0195e05e898d18725d49c1fafabcf89b0918185f8a08456f0cfcc8250f9c640664eed6d9636ba370e53a59ca75f3910bdc3ec7607bf8337498bc8fd8c8e349839ddf946eedd0b307188150a9926604b48dc65054500e51cacba715014fdef675ad66d550ce558f316979d72e79c360886cb8e55aa9e9ce444fbe5a9b9981b155fc2bcac4c6a61fb464ddadb9a3821faba49ed53a96d84c71f0077b1a6f9056d9f35dae7aa16ee296fc536fa158028c5e9a13428407bc9854580f62cdaab3a572d7c0fff03a6ef3118973bd43109125593c372ae17a0be6a3d57

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Andy Whitcroft (apw) wrote :

ii u-boot-tools 2018.07~rc3+dfsg1-0ubuntu3~18.04.1 amd64 companion tools for Das U-Boot bootloader

Testing passed on bionic:

kernel.img: Device Tree Blob version 17, size=4722, boot CPU=0, string block size=197, DT structure block size=3108
  Sign algo: sha256,rsa2048:fit
  Sign value: 23992fd48221ef3fe499766374da06422d629a7eebb41f3a47ff8b249f9f45c9ab0ad96e39ab264dc497ad1bfcba9c3d304785d30093f88eaadaa7538836da05cd5643baefb13b8981d65e12fdd8bfc9d2cd6fef9164040eef275623dbe4282af51f5065034f1510e6a79949fe5e07e621ab5687fe804f54a069b9873452a8070d11a3cd92d838756ba10b3f08d06a2697ea3dd62adde5f4b177b185e354d35daa0d4afd6ebc7bd8822dab330231e7154acd9213ac848a86b002d6fcc843080672a281ae5753bff80e44b536e4f314f1d18e37b41212d3c4b610d1e0d8b1bd5eb008a5a2a0b50a2f670dcd4d1dad4ba3e5838c2f2850b0a4967076a31e646c79

tags: added: verification-done-bionic
removed: verification-needed-bionic
Andy Whitcroft (apw) wrote :

ii u-boot-tools 2016.01+dfsg1-2ubuntu4 amd64 companion tools for Das U-Boot bootloader

Testing failed:

mkimage Can't add hashes to FIT blob

Andy Whitcroft (apw) wrote :

Found a bug (fixed in later versions) where the auto-resize code can fail when ENOSPC is lost in the return chain. Fixed up and retested. Looking good. Submitted an updated SRU for xenial.

Hello Andy, or anyone else affected,

Accepted u-boot into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/u-boot/2016.01+dfsg1-2ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

ii u-boot-tools 2016.01+dfsg1-2ubuntu5 amd64 companion tools for Das U-Boot bootloader

Testing passed on xenial:

kernel.img: Device Tree Blob version 17, size=5046, boot CPU=0, string block size=197, DT structure block size=3060
  Sign algo: sha256,rsa2048:fit
  Sign value: 6c7ca5e448c39c58c3acd84d1825d4b3d5251f31ddb1ac7d3d0b69f55eedb286b315cdb40485827cec8b23b81ca2746f2123bf0459d7e6815004eaa20c886f0f3b86edb1afe124420caca16755611ee7ceec32e178d64f96a1793c1eb7654172560a5e3139e85204e9cd58214ba59b609dc6a352e6025fd0bceadf3da88d8c36cc3bde6409de758ce5ca23b889babc39396e65db866430ea25199c294cfe9bb4da17c1396a38e655c748f3a1c3f941981287acfbc47e0e4c09385490d674889b2cfdfeb59cde51b8d9b4d3b50160a1d1d6714d68ae706c6ae3677bc533f075002c14ea2187330f463adf73a83bda33ea2f2876ebbd6297093381ae3f1290d05e

tags: added: verification-done-xenial
removed: verification-needed-xenial
tags: added: verification-done verification-needed-xenial
removed: verification-done-xenial verification-needed

Thank you for taking the time to verify this stable release fix. We have noticed that you have used the verification-done tag for marking the bug as verified and would like to point out that due to a recent change in SRU bug verification policy fixes now have to be marked with per-release tags (i.e. verification-done-$RELEASE). Please remove the verification-done tag and add one for the release you have tested the package in. Thank you!

https://wiki.ubuntu.com/StableReleaseUpdates#Verification

Andy Whitcroft (apw) on 2019-06-13
tags: added: verification-done-xenial
removed: verification-done verification-needed-xenial

After some discussion with Andy, I will be releasing these SRUs much earlier conditionally. This is a special case and should not be treated as a general rule.

The bits from this SRU, especially for xenial, are required for a close-deadline project. The changes are isolated to the u-boot-tools package only, so the risk of breaking user systems is low. The change itself is (for most series) a config option change only - although even that can cause regressions, the risk is relatively low. I have checked the u-boot-tools reverse dependencies of their use of mkimage/dumpimage and assessed that the impact of any discovered regressions should be low as well. For xenial, as there was a bit more tweaking there, I also did a few non-FIT-related mkimage and dumpimage test runs to make sure the xenial-proposed version still works.

Let's get this released and keep a look-out for any reported regressions, reverting quickly to the previous version in case anything critical is found.

The verification of the Stable Release Update for u-boot has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package u-boot - 2018.07~rc3+dfsg1-0ubuntu3~18.10.1

---------------
u-boot (2018.07~rc3+dfsg1-0ubuntu3~18.10.1) cosmic; urgency=low

  * Enable FIT signing support (LP: #1831942)
    - Enable CONFIG_FIT_SIGNATURE so we can sign FIT images.
    - Add libssl-dev to Build-Depends: to enable crypto functionality.
    - Limit key names to keys within the keydir.

 -- Andy Whitcroft <email address hidden> Mon, 10 Jun 2019 16:00:22 +0100

Changed in u-boot (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package u-boot - 2018.07~rc3+dfsg1-0ubuntu3~18.04.1

---------------
u-boot (2018.07~rc3+dfsg1-0ubuntu3~18.04.1) bionic; urgency=low

  * Enable FIT signing support (LP: #1831942)
    - Enable CONFIG_FIT_SIGNATURE so we can sign FIT images.
    - Add libssl-dev to Build-Depends: to enable crypto functionality.
    - Limit key names to keys within the keydir.

 -- Andy Whitcroft <email address hidden> Mon, 10 Jun 2019 20:52:14 +0100

Changed in u-boot (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package u-boot - 2016.01+dfsg1-2ubuntu5

---------------
u-boot (2016.01+dfsg1-2ubuntu5) xenial; urgency=low

  * Enable FIT signing support (LP: #1831942)
    - Ensure fit_image_process_sig() ENOSPC return propogates to
      fit_file_name() space allocation loop.

u-boot (2016.01+dfsg1-2ubuntu4) xenial; urgency=low

  * Enable FIT signing support (LP: #1831942)
    - Fix configuration supply to tools to ensure CONFIG_FIT_SIGNATURE
      is available to mkimage such that is compiled with FIT build and
      sign support.
    - Add libssl-dev to Build-Depends: to enable crypto functionality.
    - Limit key names to keys within the keydir.

 -- Andy Whitcroft <email address hidden> Tue, 11 Jun 2019 22:44:54 +0100

Changed in u-boot (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package u-boot - 2018.07~rc3+dfsg1-0ubuntu3

---------------
u-boot (2018.07~rc3+dfsg1-0ubuntu3) disco; urgency=low

  * Enable FIT signing support (LP: #1831942)
    - Enable CONFIG_FIT_SIGNATURE so we can sign FIT images.
    - Add libssl-dev to Build-Depends: to enable crypto functionality.
    - Limit key names to keys within the keydir.

 -- Andy Whitcroft <email address hidden> Mon, 10 Jun 2019 16:00:22 +0100

Changed in u-boot (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

The merge for this has been deployed to dogfood. Added a FIT signable blob to the signing test packages and threw them into a FIT signing PPA on dogfood. This correctly triggered a new key to be generated:

  Generating a 2048 bit RSA private key
  .........................+++
  ...................+++
  writing new private key to '/srv/launchpad.net/ppa-signing-keys/uefi/apw/fit-1/fit/fit.key'

and apparent signing of the supplied object:

  FIT description: kernel, initrd and devicetree
  Created: Wed Jun 19 11:46:09 2019
   Image 0 (kernel@1)
    Description: kernel

These have published out as expected into dists, and appear correctly signed when downloaded. The public key is included as expected.

tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) on 2019-06-20
Changed in launchpad:
status: Fix Committed → Fix Released
summary: - support u-boot Flat Image Tree (FIT) signing support
+ u-boot Flat Image Tree (FIT) signing support
Vagrant Cascadian (vagrantc) wrote :

So I guess Ubuntu doesn't treat the incompatibilities between the GPL and OpenSSL as an issue?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments