[U-Boot] [PATCH 3/3 v3] controlcenterdc: Make secure boot available

Stefan Roese sr at denx.de
Thu Mar 23 10:04:36 UTC 2017


On 23.03.2017 10:45, Mario Six wrote:
> On Thu, Mar 23, 2017 at 10:31 AM, Stefan Roese <sr at denx.de> wrote:
>> Hi Mario,
>>
>> On 22.02.2017 16:07, Mario Six wrote:
>>> Make secure booting available for the controlcenterdc
>>> board.
>>>
>>> Signed-off-by: Reinhard Pfau <reinhard.pfau at gdsys.cc>
>>> Signed-off-by: Mario Six <mario.six at gdsys.cc>
>>> ---
>>> Changes in v3:
>>>
>>> * Added secure boot options to config to enable secure boot by default
>>>
>>> Changes in v2:
>>>
>>> * Moved definition and interpretation of SECURED_MODE_IMAGE and
>>>   SECURED_MODE_CSK_INDEX to previous patch
>>
>> When trying to compile with these patches applied, I get this
>> error:
>>
>> [stefan at stefan-work u-boot-marvell (master)]$ make -s -j10
>> Couldn't open RSA private key: './kwb_csk.key': No such file or directory
>> Failed to load CSK
>> Could not create image
>> Makefile:982: recipe for target 'u-boot-spl.kwb' failed
>>
>> We need to find a way to compile for this board without such errors.
>> Perhaps by providing a "default key"? Any ideas?
>>
>> Thanks,
>> Stefan
>>
>
> Hi Stefan,
>
> Hm, yes, for automatic building, the need to put the KAK and CSK keys somewhere
> is problematic; didn't consider that, sorry.
>
> The easiest way would probably be to have some Makefile check for the existence
> of kwb_kak.key and kwb_csk.key in the root directory, and create them if they
> don't exist, using
>
> openssl genrsa -out kwb_kak.key 2048
> openssl genrsa -out kwb_csk.key 2048

Sounds like a doable solution.

> But I am not quite sure where to put those checks/instructions in a
> non-disruptive manner.

Perhaps it's better to place those files into the board directory,
for cases where multiple targets with different keys are being
built?

I'm currently busy with collecting most pending mvebu patches for
a pull request now. To get this going, I'll probably drop this
last patch from you (patch 3/3) for now, to get the remaining
stuff into mainline.

This way, you will have a bit more time to figure this out in an
acceptable way.

Thanks,
Stefan
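
The existence check discussed in this message, as an added shell sketch that is not part of the original thread or of U-Boot. The file names and the 2048-bit `openssl genrsa` call come from the message; the function name `ensure_kwb_keys` and its directory argument (standing in for the board directory) are assumptions.

```shell
#!/bin/sh
# Added example: create throwaway KAK/CSK build keys only when they are missing.
# ensure_kwb_keys and its DIR argument are hypothetical, not U-Boot code.

KWB_KEY_BITS=2048

# ensure_kwb_keys DIR
# Generates DIR/kwb_kak.key and DIR/kwb_csk.key if absent. An existing key is
# never overwritten, so a real signing key placed there is left untouched.
# Keys created here are random per tree: good enough to let the build finish,
# not a substitute for the keys a deployed board is provisioned with.
ensure_kwb_keys() {
    dir=${1:-.}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }

    for name in kwb_kak.key kwb_csk.key; do
        key="$dir/$name"

        if [ -e "$key" ]; then
            # Refuse to continue with an empty or unreadable key file
            # instead of silently replacing it.
            [ -s "$key" ] && [ -r "$key" ] || {
                echo "unusable key file: $key" >&2
                return 1
            }
            continue
        fi

        # Generate into a temporary name and rename afterwards, so an
        # interrupted run never leaves a truncated file that a later
        # build would accept as "key exists".
        tmp="$key.tmp.$$"
        if ( umask 077 && openssl genrsa -out "$tmp" "$KWB_KEY_BITS" 2>/dev/null ) \
            && [ -s "$tmp" ]; then
            mv "$tmp" "$key"
            echo "generated throwaway build key: $key" >&2
        else
            rm -f "$tmp"
            echo "failed to generate $key" >&2
            return 1
        fi
    done
}
```

Running the function a second time on the same directory is a no-op, which is what makes it usable as a build prerequisite.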

