Sourcing a signed boot script
Lukasz Majewski
lukma at denx.de
Thu Dec 5 23:14:46 CET 2019
Hi Diego,
> Hi,
>
> I would like to ask if it is possible to source a script after
> verifying its signature.
>
> Currently I've been able to source a script from a signed FIT image,
> before doing "bootm", with:
> source <addr>:<name>
> But this way the signature is not checked yet, so the script cannot
> be trusted.
>
> According to the docs[1] it seems that it's not possible yet to verify
> a FIT image signature without also booting the corresponding image. Is
> that right?
You can look into the "spl" command, which does the FIT parsing (to
prepare data for falcon mode booting).
You may want to re-use such "dry-run" feature to verify the signature,
extract the script and use it.
(And yes, I don't think that checking the signature for script works
out of the box).
>
>
> [1]
> https://gitlab.denx.de/u-boot/u-boot/blob/v2019.10/doc/uImage.FIT/signature.txt#L580
>
> Thank you,
> Diego Rondini
Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20191205/a967bc2c/attachment.sig>
More information about the U-Boot
mailing list