[U-Boot] Reply: [U-boot] mkimage -F parameter
Simon Glass
sjg at chromium.org
Mon Feb 4 04:41:20 CET 2013
Hi Tiger,
On Sun, Feb 3, 2013 at 5:52 PM, <TigerLiu at viatech.com.cn> wrote:
> Hi, Simon:
> Thanks for your answer!
> I have a PandaBoard (OMAP 4460).
> I am studying Uboot code.
>
> If uboot integrates this verifying kernel function, then it would have a security feature. (seems as UEFI firmware supported)
Yes. It can be used to verify a kernel, and also to verify a
second-stage firmware (if upgradable firmware is required and you want
to always avoid bricking the device). It can verify any image that can
be put in a FIT, and any combination of images that can be put in a
FIT configuration.
Regards,
Simon
>
> Best wishes,
>
> -----Original Message-----
> From: sjg at google.com [mailto:sjg at google.com] on behalf of Simon Glass
> Sent: February 1, 2013 22:25
> To: Tiger Liu
> Cc: u-boot at lists.denx.de
> Subject: Re: [U-Boot] [U-boot] mkimage -F parameter
>
> Hi Tiger,
>
> On Thu, Jan 31, 2013 at 3:36 AM, <TigerLiu at viatech.com.cn> wrote:
>> Hi, experts:
>>
>> It seems mkimage has supported signing an image.
>
> This code is not yet merged, as you have discovered.
>
>>
>> So, I have a question about signed linux kernel image:
>>
>> 1. if kernel image is signed by mkimage tool.
>>
>> Could uboot verify this signed linux kernel image before jumping to its
>> entry point function?
>
> Yes the bootm command will do this automatically.
>
>>
>> 2. if uboot could verify the signed linux kernel image
>>
>> how to manage these different vendors' public keys in uboot code?
>> Using env variable?
>
> The keys are not easily kept in an environment variable as we have
> several bits of information.
>
> In the current implementation the device tree is used, so you need to
> enable CONFIG_OF_CONTROL. Then mkimage will put the public keys in the
> FDT, and you attach that to U-Boot.
>
> Multiple keys are supported and it is possible to sign the same image
> with several different keys. Keys can be marked 'required' so that
> they must verify.
>
> What platform/board are you using?
>
> Regards,
> Simon
>
>>
>>
>>
>> Best wishes,
>>
>>
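The setup described in this thread (a signed kernel in a FIT, public keys stored in U-Boot's control device tree, keys marked 'required'), as an added example that is not part of the original messages. It follows the FIT signature format documented in mainline U-Boot, which may differ in detail from the unmerged patches discussed here; the file names, load addresses and the key name `dev` are assumptions.

```dts
/*
 * kernel.its: FIT source with a signature node on the kernel image.
 * Constructed example; zImage, the addresses and the key name are assumed.
 *
 * Build and sign, writing the public key into U-Boot's control FDT
 * (requires CONFIG_OF_CONTROL) and marking it required:
 *   mkimage -f kernel.its -k keys -K u-boot.dtb -r kernel.itb
 * Re-sign an already built FIT without rebuilding it:
 *   mkimage -F -k keys -K u-boot.dtb -r kernel.itb
 *
 * With -r, the key node that mkimage adds under /signature in u-boot.dtb
 * carries required = "image", so bootm refuses an image that this key
 * does not verify.
 */
/dts-v1/;

/ {
	description = "Signed kernel (constructed example)";
	#address-cells = <1>;

	images {
		kernel {
			description = "Linux kernel";
			data = /incbin/("zImage");	/* assumed file name */
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x80008000>;		/* assumed address */
			entry = <0x80008000>;		/* assumed address */

			signature-1 {
				algo = "sha256,rsa2048";
				/* mkimage reads keys/dev.key and keys/dev.crt */
				key-name-hint = "dev";
			};
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			description = "Boot the signed kernel";
			kernel = "kernel";
		};
	};
};
```

To sign the same image with a second key, add a `signature-2` node with its own `key-name-hint` next to `signature-1`.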