Rootfs.hash & rootfs.rhash.unsigned file generation

Hi All,

For Secure boot in WP76xx module, as part of the Rootfs Signing process following files are taken from yocto build :

  • mkdir output
  • cp /opt/buildserver-git/Legato_Releases/WP76_R16_01/yocto/build_bin/tmp/deploy/images/swi-mdm9x28-wp/mdm9x28-image-minimal-swi-mdm9x28-wp.squashfs ./output/
  • cp /opt/buildserver-git/Legato_Releases/WP76_R16_01/yocto/build_bin/tmp/deploy/images/swi-mdm9x28-wp/rootfs.hash ./output/
  • cp /opt/buildserver-git/Legato_Releases/WP76_R16_01/yocto/build_bin/tmp/deploy/images/swi-mdm9x28-wp/rootfs.rhash.unsigned ./output/

These 3 files (highlighted) are used while creating the Signed Image. This has been tested and works fine. I want to extract “mdm9x28-image-minimal-swi-mdm9x28-wp.squashfs” add some additional files and repack it into the .squashfs file.

I tried the following to re-create the rootfs.hash & rootfs.rhash.unsigned files but I did not work.

  1. I used the unsquashfs to extract data from "mdm9x28-image-minimal-swi-mdm9x28-wp.squashfs”.
    unsquashfs mdm9x28-image-minimal-swi-mdm9x28-wp.squashfs

  2. I added a few test files inside the /etc and re-created the squash file.
    sudo mksquashfs squashfs-root/ mdm9x28-image-minimal-swi-mdm9x28-wp.squashfs

  3. I found some hints within the yocto build system on how to generate the rootfs.hash & rootfs.rhash.unsigned file, so I used the following commands to generate them.

    This will create the file rootfs.hash and I copied the “Root Hash :xxxxx” Contents into rootfs.rhash.unsigned file

  4. Then I used the newly created rootfs.hash, rootfs.rhash.unsigned file and mdm9x28-image-minimal-swi-mdm9x28-wp.squashfs to create the signed Image and it flashed successfully but device is not booting up due to squashfs error.

Need some help/suggestions on this. Thanks

  1. Squashfs error
  1. yocto build hints

how about you rebuild with “make clean” and “make”?

The problem is after building the yocto these files are generated and will be used in the different processes where there is no yocto build supported, so I had to manually inject some sensitive data into the .squashfs file and then form a complete .cwe image.

what do you mean by “no yocto build supported”?

We build the image using yocto on a system/team (Ex: PC, Server) this is used only for building the image.

Then the components of the image are passed on to different teams/processes where minimal activities like image secure boot signing will take place. There yocto is not necessary.

no idea, never work like this to inject file to the image.
I would suggest you keep the yocto build

1 Like

Is there a way I can see what exactly the steps/process used to create these components?

no, i don’t know, normally i just did “make clean” and “make”, and it works for me

1 Like