[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

Teddy Reed teddy.reed at gmail.com
Sat Apr 30 02:44:22 CEST 2016


On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg at chromium.org> wrote:
> Hi Teddy,
>
> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed at gmail.com> wrote:
>> Hi all,
>>
>> I'm curious if anyone has a script (or if I've missed something within
>> the verified-boot documentation) to compile a DTB given only public
>> keying information, i.e., a x509 certificate.
>>
>> I have build/test bots that need to build a u-boot with an
>> extra/embedded DTB containing a signing public key. I do not want the
>> private key on those hosts and the only way I've found to build the
>> documented/required nodes in /signature/key-KEYNAME/
>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>> is by using mkimage on a FIT with the -K switch. That requires a
>> private key to do the actual signing.
>>
>> I'm happy to write something, just want to ask first!
>
> Not on my side, sorry. Would be useful.
>

Ok!

I can't make any promises of completeness, but I quickly hacked
together https://github.com/theopolis/fit-certificate-store, to do
this.
I'll iterate on it over the next few weeks, and I'm more than happy to
take bugs/criticism via Github PRs.

>>
>> Thanks!
>>
>> --
>> Teddy Reed V
>
> Regards,
> Simon


More information about the U-Boot mailing list