[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

Teddy Reed teddy.reed at gmail.com
Mon Apr 25 18:25:58 CEST 2016


Hi all,

I'm curious if anyone has a script (or if I've missed something within
the verified-boot documentation) to compile a DTB given only public
keying information, i.e., an x509 certificate.

I have build/test bots that need to build a u-boot with an
extra/embedded DTB containing a signing public key. I do not want the
private key on those hosts and the only way I've found to build the
documented/required nodes in /signature/key-KEYNAME/
('rsa,r-squared', 'rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
is by using mkimage on a FIT with the -K switch. That requires a
private key to do the actual signing.

I'm happy to write something, just want to ask first!

Thanks!

-- 
Teddy Reed V
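
Added example (not part of the original post and not U-Boot project code): the key-node values the post lists depend only on the public modulus and exponent, so they can be derived on a build host that never holds the private key. The sketch assumes n and e have already been read from the certificate by any X.509 parser; the function names, the toy modulus and the algo/required strings are illustrative, and the property spelling used is U-Boot's 'rsa,num-bits'.

```python
# Added example: derive /signature/key-NAME properties from public values only.
MASK32 = (1 << 32) - 1

def to_cells(value, words):
    """Split an integer into 32-bit cells, most significant cell first."""
    return [(value >> (32 * i)) & MASK32 for i in reversed(range(words))]

def key_node_params(n, e=65537):
    """Montgomery constants used by the bootloader's RSA verifier."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("RSA modulus must be a positive odd integer")
    num_bits = n.bit_length()
    words = (num_bits + 31) // 32
    return {
        "num_bits": num_bits,
        "n0_inverse": (-pow(n, -1, 1 << 32)) & MASK32,  # -1/n mod 2^32
        "exponent": to_cells(e, 2),                     # stored as 64 bits
        "modulus": to_cells(n, words),
        "r_squared": to_cells(pow(2, 2 * num_bits, n), words),  # (2^bits)^2 mod n
    }

def cells(values):
    """Format a list of 32-bit values as one DTS cell array."""
    return "<" + " ".join(f"0x{v:08x}" for v in values) + ">"

def render_dts(name, p, algo, required="conf"):
    """Render a DTS fragment; algo and required are the caller's policy."""
    return "\n".join([
        "/dts-v1/;", "/ {", "\tsignature {", f"\t\tkey-{name} {{",
        f'\t\t\trequired = "{required}";',
        f'\t\t\talgo = "{algo}";',
        f"\t\t\trsa,r-squared = {cells(p['r_squared'])};",
        f"\t\t\trsa,modulus = {cells(p['modulus'])};",
        f"\t\t\trsa,exponent = {cells(p['exponent'])};",
        f"\t\t\trsa,n0-inverse = {cells([p['n0_inverse']])};",
        f"\t\t\trsa,num-bits = {cells([p['num_bits']])};",
        f'\t\t\tkey-name-hint = "{name}";',
        "\t\t};", "\t};", "};", ""])

# Constructed 64-bit toy modulus for demonstration only, not a real key.
TOY_N = 4294967291 * 4294967279

if __name__ == "__main__":
    # The algo string is a placeholder; match it to the real key and hash.
    print(render_dts("dev", key_node_params(TOY_N), algo="sha256,rsa2048"))
```

The rendered source can be compiled to a DTB with dtc; no signing step is involved.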

