[U-Boot] u-boot verified boot question

Simon Glass sjg at chromium.org
Sun Sep 22 23:26:48 CEST 2013


Hi Vikas,

On Sun, Sep 22, 2013 at 1:16 PM, Vikas N Kumar <vikas at vikaskumar.org> wrote:

>
> Hi
> I am trying to get verified boot working for the Beaglebone Black (BBB)
> and have gotten the FIT image part working with a kernel and an FDT
> blob for the BBB.
>
> However, I am a little confused by the documentation
> which says that u-boot also needs an FDT blob (with CONFIG_OF_CONTROL)
> to embed the RSA public key.
>
> I have a few questions that might not be related to each other but can
> help me complete my work:
>
> - Is this uboot FDT control blob the same as the FDT blob in the FIT
> image for booting the kernel or are these 2 separate blobs pointing to
> the same hardware ?
>

They are different, or at least are normally different. The control FDT is
used for configuration in U-Boot. But if you have a Beaglebone Black device
tree you use for the kernel, you can use the same one for U-Boot.


>
> - Can the uboot FDT blob be empty in the sense that all it does is store
> a public key and all the machine specific stuff is in the uboot image
> itself as it is done today for the BBB ?
>

Yes


>
> - Can one embed the public key in u-boot without using an FDT blob ?
>

There is a CONFIG_OF_EMBED which embeds a device tree file into the U-Boot
binary, but this is intended only for debugging. It is better to use
u-boot-dtb.bin or 'cat u-boot.bin u-boot.dtb > image.bin' to append the
device tree to U-Boot.

It would be possible to implement a feature to put the public key elsewhere
if you really don't want a device tree in U-Boot.

Regards,
Simon


>
> Thanks
> _vicash_
>
>
>

