[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
Simon Glass
sjg at chromium.org
Mon May 2 16:06:51 CEST 2016
Hi Teddy,
On 29 April 2016 at 18:44, Teddy Reed <teddy.reed at gmail.com> wrote:
> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg at chromium.org> wrote:
>> Hi Teddy,
>>
>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed at gmail.com> wrote:
>>> Hi all,
>>>
>>> I'm curious if anyone has a script (or if I've missed something within
>>> the verified-boot documentation) to compile a DTB given only public
>>> keying information, i.e., a x509 certificate.
>>>
>>> I have build/test bots that need to build a u-boot with an
>>> extra/embedded DTB containing a signing public key. I do not want the
>>> private key on those hosts and the only way I've found to build the
>>> documented/required nodes in /signature/key-KEYNAME/
>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>>> is by using mkimage on a FIT with the -K switch. That requires a
>>> private key to do the actual signing.
>>>
>>> I'm happy to write something, just want to ask first!
>>
>> Not on my side, sorry. Would be useful.
>>
>
> Ok!
>
> I can't make any promises of completeness, but I quickly hacked
> together https://github.com/theopolis/fit-certificate-store, to do
> this.
> I'll iterate on it over the next few weeks, and I'm more than happy to
> take bugs/criticism via Github PRs.
Looks good. At some point will you do a U-Boot patch?
Regards,
Simon
More information about the U-Boot
mailing list