[U-Boot] regenerate a FIT image from u-boot

[Valerio Bardelli]

Hi all,

we have a problem about updating (via u-boot) our RTOS using a fit image 
that comes from a USB key.

The scenario is: we encrypt our application, with our RTOS linked to, 
and put it in a fit image signed. Then we put it in a USB key and we 
insert it on our board. At the start u-boot check the presence of an 
update file (a .fit), check the signature and, if this is ok, decrypt it 
using the same symmetric key (just for 'transport').

Now the problem is that we need to re-encrypt the update with another 
key (a running key, present on the machine) and put this encrypted file 
in an existing (or recalculated) fit used to 'run' the application and 
resigned (we can, for example, use the same signature that we have in 
the previous version of the application).

So, our question is: is it possible to update a node of an existing fit 
image directly from u-boot? Or this way of operation is not corrected 
for an update of a trusted an verified boot sequence using fit?

We use an Atmel sama5d27 cpu.

Any help is really appreciated.

Many thanks.

Regards, Valerio