[U-Boot] 答复: [U-boot] mkimage -F parameter

[TigerLiu at viatech.com.cn]

Hi, Simon:
Thanks for your answer!
I have a PandaBoard (OMAP 4460).
I am studying Uboot code.

If uboot integrates this verifying kernel function, then it would have a security feature.(seams as UEFI firmware supported)

Best wishes,

-----邮件原件-----
发件人: sjg at google.com [mailto:sjg at google.com] 代表 Simon Glass
发送时间: 2013年2月1日 22:25
收件人: Tiger Liu
抄送: u-boot at lists.denx.de
主题: Re: [U-Boot] [U-boot] mkimage -F parameter

Hi Tiger,

On Thu, Jan 31, 2013 at 3:36 AM,  <TigerLiu at viatech.com.cn> wrote:
> Hi, experts:
>
> It seems mkimage has supported signing a image.

This code is not yet merged, as you have discovered.

>
> So, I have a question about signed linux kernel image:
>
> 1.       if kernel image is signed by mkimage tool.
>
> Could uboot verify this signed linux kernel image bf jumping to its
> entry point function?

Yes the bootm command will do this automatically.

>
> 2.       if uboot could verify the signed linux kernel image
>
> how to management these different vendors' public keys in uboot code?
> Using env variable?

The keys are not easily kept in an environment variable as we have
several bits of information.

In the current implementation the device tree is used, so you need to
enable CONFIG_OF_CONTROL. Then mkimage will put the public keys in the
FDT, and you attach that to U-Boot.

Multiple keys are supported and it is possible to sign the same image
with several different keys. Keys can be marked 'required' so that
they must verify.

What platform/board are you using?

Regards,
Simon

>
>
>
> Best wishes,
>
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
>