[U-Boot] [RFC PATCH 40/44] mkimage: Add -r option to specify keys that must be verified

Marek Vasut marex at denx.de
Sat Jan 5 09:27:04 CET 2013


Dear Simon Glass,

> Normally, multiple public keys can be provided and U-Boot is not
> required to use all of them for verification. This is because some
> images may not be signed, or may be optionally signed.
> 
> But we still need a mechanism to determine when a key must be used.
> This feature cannot be implemented in the FIT itself, since anyone
> could change it to mark a key as optional. The requirement for
> key verification must go in with the public keys, in a place that
> is protected from modification.
> 
> Add a -r option which tells mkimage to mark all keys that it uses
> for signing as 'required'.
> 
> If some keys are optional and some are required, run mkimage several
> times (perhaps with different key directories if some keys are very
> secret) using the -F flag to update an existing FIT.
> 
> Signed-off-by: Simon Glass <sjg at chromium.org>

Reviewed-by: Marek Vasut <marex at denx.de>

Best regards,
Marek Vasut


More information about the U-Boot mailing list