[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

Simon Glass sjg at chromium.org
Sat Apr 30 01:09:00 CEST 2016


Hi Teddy,

On 25 April 2016 at 10:25, Teddy Reed <teddy.reed at gmail.com> wrote:
> Hi all,
>
> I'm curious if anyone has a script (or if I've missed something within
> the verified-boot documentation) to compile a DTB given only public
> keying information, i.e., an x509 certificate.
>
> I have build/test bots that need to build a u-boot with an
> extra/embedded DTB containing a signing public key. I do not want the
> private key on those hosts and the only way I've found to build the
> documented/required nodes in /signature/key-KEYNAME/
> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
> is by using mkimage on a FIT with the -K switch. That requires a
> private key to do the actual signing.
>
> I'm happy to write something, just want to ask first!

Not on my side, sorry. Would be useful.

>
> Thanks!
>
> --
> Teddy Reed V

Regards,
Simon
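
The key-node values the question lists can be derived from the public modulus alone; the sketch below is an added example, not code from this thread or from U-Boot, and renders them as a DTS fragment. It assumes n0-inverse is -1/n mod 2^32 and r-squared is (2^num-bits)^2 mod n; the key name "dev", the helper names and the sample modulus are constructed for illustration, and any other properties the key node needs are left out.

```python
import hashlib

def fdt_cells(value, num_bits):
    """Render an integer as big-endian 32-bit cells for a DTS <...> list."""
    raw = value.to_bytes(num_bits // 8, "big")
    return " ".join("0x%08x" % int.from_bytes(raw[i:i + 4], "big")
                    for i in range(0, len(raw), 4))

def key_node_props(modulus):
    """Derive the key-node values from the public modulus only."""
    if modulus % 2 == 0:
        raise ValueError("RSA modulus must be odd")
    num_bits = modulus.bit_length()
    if num_bits % 32:
        raise ValueError("modulus length must be a multiple of 32 bits")
    # n0-inverse: -1 / n mod 2^32; only the low 32-bit word of n matters.
    n0_inverse = (1 << 32) - pow(modulus % (1 << 32), -1, 1 << 32)
    # r-squared: (2^num_bits)^2 reduced mod n (Montgomery constant).
    r_squared = pow(2, 2 * num_bits, modulus)
    return {"num_bits": num_bits, "n0_inverse": n0_inverse,
            "r_squared": r_squared, "modulus": modulus}

def dts_key_node(key_name, modulus):
    """Build a /signature/key-KEYNAME/ DTS fragment (hypothetical helper)."""
    p = key_node_props(modulus)
    bits = p["num_bits"]
    return "\n".join([
        "/dts-v1/;",
        "/ {",
        "\tsignature {",
        "\t\tkey-%s {" % key_name,
        "\t\t\trsa,num-bits = <%d>;" % bits,
        "\t\t\trsa,n0-inverse = <0x%08x>;" % p["n0_inverse"],
        "\t\t\trsa,modulus = <%s>;" % fdt_cells(p["modulus"], bits),
        "\t\t\trsa,r-squared = <%s>;" % fdt_cells(p["r_squared"], bits),
        "\t\t};", "\t};", "};"])

def sample_modulus(bits=2048):
    """Constructed stand-in (odd, top bit set); not a real RSA key."""
    seed = b"".join(hashlib.sha256(bytes([i])).digest()
                    for i in range(bits // 256))
    return int.from_bytes(seed, "big") | (1 << (bits - 1)) | 1

if __name__ == "__main__":
    print(dts_key_node("dev", sample_modulus()))
```

On a build host the modulus would come from the certificate instead, for example the hex string printed by `openssl x509 -noout -modulus`, so no private key is involved.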

