[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
Teddy Reed
teddy.reed at gmail.com
Mon May 2 22:24:21 CEST 2016
On Mon, May 2, 2016 at 7:06 AM, Simon Glass <sjg at chromium.org> wrote:
> Hi Teddy,
>
> On 29 April 2016 at 18:44, Teddy Reed <teddy.reed at gmail.com> wrote:
>> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg at chromium.org> wrote:
>>> Hi Teddy,
>>>
>>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed at gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> I'm curious if anyone has a script (or if I've missed something within
>>>> the verified-boot documentation) to compile a DTB given only public
>>>> keying information, i.e., a x509 certificate.
>>>>
>>>> I have build/test bots that need to build a u-boot with an
>>>> extra/embedded DTB containing a signing public key. I do not want the
>>>> private key on those hosts and the only way I've found to build the
>>>> documented/required nodes in /signature/key-KEYNAME/
>>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>>>> is by using mkimage on a FIT with the -K switch. That requires a
>>>> private key to do the actual signing.
>>>>
>>>> I'm happy to write something, just want to ask first!
>>>
>>> Not on my side, sorry. Would be useful.
>>>
>>
>> Ok!
>>
>> I can't make any promises of completeness, but I quickly hacked
>> together https://github.com/theopolis/fit-certificate-store, to do
>> this.
>> I'll iterate on it over the next few weeks, and I'm more than happy to
>> take bugs/criticism via Github PRs.
>
> Looks good. At some point will you do a U-Boot patch?
Could we define a new environment variable, maybe DTB_KEYS_DIR, or
build option, that could point to the directory of public keys.
Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :)
>
> Regards,
> Simon
--
Teddy Reed V
More information about the U-Boot
mailing list