[U-Boot] [PATCH 3/3 v3] controlcenterdc: Make secure boot available

Mario Six mario.six at gdsys.cc
Thu Mar 23 10:13:02 UTC 2017


On Thu, Mar 23, 2017 at 11:04 AM, Stefan Roese <sr at denx.de> wrote:
> On 23.03.2017 10:45, Mario Six wrote:
>>
>> On Thu, Mar 23, 2017 at 10:31 AM, Stefan Roese <sr at denx.de> wrote:
>>>
>>> Hi Mario,
>>>
>>> On 22.02.2017 16:07, Mario Six wrote:
>>>>
>>>> Make secure booting available for the controlcenterdc
>>>> board.
>>>>
>>>> Signed-off-by: Reinhard Pfau <reinhard.pfau at gdsys.cc>
>>>> Signed-off-by: Mario Six <mario.six at gdsys.cc>
>>>> ---
>>>> Changes in v3:
>>>>
>>>> * Added secure boot options to config to enable secure boot by default
>>>>
>>>> Changes in v2:
>>>>
>>>> * Moved definition and interpretation of SECURED_MODE_IMAGE and
>>>>   SECURED_MODE_CSK_INDEX to previous patch
>>>
>>>
>>> When trying to compile with these patches applied, I get this
>>> error:
>>>
>>> [stefan at stefan-work u-boot-marvell (master)]$ make -s -j10
>>> Couldn't open RSA private key: './kwb_csk.key': No such file or directory
>>> Failed to load CSK
>>> Could not create image
>>> Makefile:982: recipe for target 'u-boot-spl.kwb' failed
>>>
>>> We need to find a way to compile for this board without such errors.
>>> Perhaps by providing a "default key"? Any ideas?
>>>
>>> Thanks,
>>> Stefan
>>>
>>
>> Hi Stefan,
>>
>> Hm, yes, for automatic building, the need to put the KAK and CSK keys
>> somewhere is problematic; didn't consider that, sorry.
>>
>> The easiest way would probably be to have some Makefile check for the
>> existence of kwb_kak.key and kwb_csk.key in the root directory, and
>> create them if they don't exist, using
>>
>> openssl genrsa -out kwb_kak.key 2048
>> openssl genrsa -out kwb_csk.key 2048
>
>
> Sounds like a doable solution.
>
>> But I am not quite sure where to put those checks/instructions in a
>> non-disruptive manner.
>
>
> Perhaps it's better to place those files into the board directory,
> for cases where multiple targets with different keys are being
> built?
>
> I'm currently busy with collecting most pending mvebu patches for
> a pull request now. To get this going, I'll probably drop this
> last patch from you (patch 3/3) for now, to get the remaining
> stuff into mainline.
>
> This way, you will have a bit more time to figure this out in an
> acceptable way.
>
>
> Thanks,
> Stefan
>

OK, that's fine with me. Thanks for testing!

Best regards,

Mario
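
One way to implement the existence check proposed in this thread, as an added example that is not part of the original mail or of U-Boot. The names `ensure_key`, `ensure_kwb_keys` and `KEY_BITS` are hypothetical; the key file names and the `openssl genrsa` call are the ones quoted above. Generated keys are throwaway keys for build testing, and an existing file is never overwritten.

```shell
#!/bin/sh
# Added example (not U-Boot code): make sure kwb_kak.key and kwb_csk.key
# exist before the image is built, without ever clobbering a real key.

KEY_BITS=2048   # same size as in the thread's openssl commands

# ensure_key FILE
#   FILE exists and parses as an RSA private key -> keep it, return 0
#   FILE exists but does not parse               -> return 1, leave it alone
#   FILE is missing                              -> generate a throwaway key
ensure_key() {
    key=$1
    if [ -e "$key" ]; then
        # "-passin pass:" makes an encrypted key fail here instead of
        # prompting, so an unattended build cannot hang on a passphrase.
        if openssl rsa -in "$key" -passin pass: -noout >/dev/null 2>&1; then
            return 0
        fi
        echo "error: $key exists but is not a usable RSA private key" >&2
        return 1
    fi
    echo "warning: generating throwaway test key $key" >&2
    # umask 077 keeps the private key owner-only; writing to a temporary
    # name and renaming means an interrupted run leaves no truncated key.
    (
        umask 077
        openssl genrsa -out "$key.tmp" "$KEY_BITS" 2>/dev/null &&
            mv "$key.tmp" "$key"
    ) || { rm -f "$key.tmp"; return 1; }
}

# ensure_kwb_keys [DIR]: check or create both keys in DIR (default: ".").
ensure_kwb_keys() {
    dir=${1:-.}
    ensure_key "$dir/kwb_kak.key" && ensure_key "$dir/kwb_csk.key"
}
```

Calling `ensure_kwb_keys board/<vendor>/<board>` instead of the root directory would cover the per-board placement suggested in the reply; that path is a placeholder.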

