public inbox for u-boot@lists.denx.de
From: Reuben Dowle <reuben.dowle@4rf.com>
To: u-boot@lists.denx.de
Subject: SPL FIT configuration signature verification
Date: Sun, 13 Sep 2020 22:01:46 +0000
Message-ID: <e4ab62e9e2a84a99a62dda4164469580@4rf.com>
In-Reply-To: <1747d19779d.c0d1fb0c101016.6971472271244983738@d.mobilunity.com>

Yes, it is possible to do this. The SPL will check its own DTB to check which signatures are required.

When the FIT that the SPL will load is created with mkimage, you also pass the SPL's dtb file, which will be patched to include the required signatures.

I am not sure if the config system has ability to specify this. My build process separates the signing from the normal uboot build (so that I can keep the private keys more secure), so I am manually calling mkimage. The command I am using to generate my second stage signed u-boot FIT file which is loaded by SPL:

mkimage -f uboot.its -K u-boot-spl.dtb -k keys -r u-boot.fit

The updated u-boot-spl.dtb needs to be available for the SPL to load at startup - often by appending this dtb to the end of the SPL binary. In my case I do this:
cat u-boot-spl-nodtb.bin u-boot-spl-pad.bin u-boot-spl.dtb > u-boot-spl.bin

-----Original Message-----
From: U-Boot <u-boot-bounces@lists.denx.de> On Behalf Of Andrii Voloshyn
Sent: Saturday, 12 September 2020 12:18 am
To: u-boot <u-boot@lists.denx.de>
Subject: SPL FIT configuration signature verification

Hi there,

Is it possible to make SPL U-Boot verify the signature located in the configuration section of a FIT image, and not continue in case the signature is missing or doesn't match?
Asking because I couldn't find any configuration option for that, and I have a FIT image with a signature but SPL U-Boot doesn't check it at all; it only checks signatures for images if present.

Thanks

Cheers,
Andy

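One way to confirm that the mkimage -K step actually turned on configuration-signature enforcement, as an added example that is not part of this thread nor of U-Boot's own tooling: mkimage stores the public key in the SPL dtb under /signature/key-<key-name-hint>, and when that key signs a configuration node it sets required = "conf" on it, which is what makes SPL refuse to boot a configuration whose signature is missing or wrong (a key with required = "image" only covers the individual images, which matches the behaviour Andrii describes). The script below parses the flattened device tree directly so the check works without dtc or fdtget, and also recovers the dtb from an SPL image assembled with the cat command above. The key name, property values and the SPL byte layout are constructed for the example; a real key node also carries the RSA parameters, which are omitted here.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _align4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_dtb(node) -> bytes:
    """Serialise a (name, props, children) tree into a flattened device tree.
    props maps property name -> raw bytes (string values include their NUL)."""
    strings, offsets = bytearray(), {}

    def stroff(name):  # offset of a property name in the strings block
        if name not in offsets:
            offsets[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return offsets[name]

    def emit(n):
        name, props, children = n
        out = struct.pack(">I", FDT_BEGIN_NODE) + _align4(name.encode() + b"\0")
        for pname, value in props.items():
            out += struct.pack(">III", FDT_PROP, len(value), stroff(pname)) + _align4(value)
        for child in children:
            out += emit(child)
        return out + struct.pack(">I", FDT_END_NODE)

    struct_blk = emit(node) + struct.pack(">I", FDT_END)
    rsvmap = struct.pack(">QQ", 0, 0)        # empty memory reservation block
    off_rsv, off_struct = 40, 40 + len(rsvmap)
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, off_rsv, 17, 16, 0, len(strings), len(struct_blk))
    return header + rsvmap + struct_blk + bytes(strings)


def parse_dtb(blob: bytes):
    """Parse a flattened device tree into nested (name, props, children) tuples."""
    magic, total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a complete flattened device tree")

    def cstr(off):  # NUL-terminated property name from the strings block
        start = off_strings + off
        return blob[start:blob.index(b"\0", start)].decode()

    pos, stack, root = off_struct, [], None
    while True:
        tok = struct.unpack_from(">I", blob, pos)[0]
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = blob.index(b"\0", pos)
            node = (blob[pos:end].decode(), {}, [])
            pos = end + 1 + (-(end + 1) % 4)   # node name is padded to 4 bytes
            if stack:
                stack[-1][2].append(node)
            stack.append(node)
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            stack[-1][1][cstr(nameoff)] = blob[pos:pos + length]
            pos += length + (-length % 4)      # property data is padded to 4 bytes
        elif tok == FDT_END_NODE:
            root = stack.pop()
        elif tok == FDT_END:
            return root
        elif tok != FDT_NOP:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4:#x}")


def required_keys(dtb: bytes) -> dict:
    """Map each /signature/key-* node to its 'required' value ('' if absent)."""
    sig = next((c for c in parse_dtb(dtb)[2] if c[0] == "signature"), None)
    if sig is None:
        return {}
    return {name: props.get("required", b"").rstrip(b"\0").decode()
            for name, props, _ in sig[2]}


def spl_enforces_conf_signature(dtb: bytes) -> bool:
    """True when at least one key makes FIT configuration signatures mandatory."""
    return any(v == "conf" for v in required_keys(dtb).values())


def extract_appended_dtb(spl_image: bytes) -> bytes:
    """Recover the dtb concatenated onto the SPL binary (the cat step above).
    Simplification: locate the last FDT magic rather than U-Boot's own end symbol."""
    pos = spl_image.rfind(struct.pack(">I", FDT_MAGIC))
    if pos < 0:
        raise ValueError("no DTB appended to SPL image")
    total = struct.unpack_from(">I", spl_image, pos + 4)[0]
    return spl_image[pos:pos + total]


# Constructed samples: the SPL dtb before and after mkimage -K has inserted a key
# whose signature covers a configuration node (RSA parameters omitted).
UNSIGNED_SPL_DTB = build_dtb(("", {"compatible": b"example,board\0"}, []))
SIGNED_SPL_DTB = build_dtb(("", {"compatible": b"example,board\0"}, [
    ("signature", {}, [
        ("key-dev", {"required": b"conf\0", "algo": b"sha256,rsa2048\0",
                     "key-name-hint": b"dev\0"}, []),
    ]),
]))
# Constructed stand-in for: cat u-boot-spl-nodtb.bin u-boot-spl-pad.bin u-boot-spl.dtb
SPL_IMAGE = b"\x7fSPL-CODE" + b"\xff" * 16 + SIGNED_SPL_DTB

if __name__ == "__main__":
    dtb = extract_appended_dtb(SPL_IMAGE)
    print("keys in SPL dtb:", required_keys(dtb))
    print("configuration signature enforced:", spl_enforces_conf_signature(dtb))
```

Run it against a real u-boot-spl.bin by replacing SPL_IMAGE with the file's bytes; an empty key map, or keys whose required value is "image" rather than "conf", means the SPL will still boot an unsigned configuration even though the FIT itself carries a configuration signature.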

Thread overview: 4+ messages
2020-09-11 12:17 SPL FIT configuration signature verification Andrii Voloshyn
2020-09-13 22:01 ` Reuben Dowle [this message]
2020-09-14  6:44   ` Andrii Voloshyn
2020-09-14 20:55     ` Reuben Dowle
