[U-Boot] [RFC PATCH 40/44] mkimage: Add -r option to specify keys that must be verified
Marek Vasut
marex at denx.de
Sat Jan 5 09:27:04 CET 2013
Dear Simon Glass,
> Normally, multiple public keys can be provided and U-Boot is not
> required to use all of them for verification. This is because some
> images may not be signed, or may be optionally signed.
>
> But we still need a mechanism to determine when a key must be used.
> This feature cannot be implemented in the FIT itself, since anyone
> could change it to mark a key as optional. The requirement for
> key verification must go in with the public keys, in a place that
> is protected from modification.
>
> Add a -r option which tells mkimage to mark all keys that it uses
> for signing as 'required'.
>
> If some keys are optional and some are required, run mkimage several
> times (perhaps with different key directories if some keys are very
> secret) using the -F flag to update an existing FIT.
>
> Signed-off-by: Simon Glass <sjg at chromium.org>
Reviewed-by: Marek Vasut <marex at denx.de>
Best regards,
Marek Vasut
More information about the U-Boot
mailing list