[PATCH v2 2/4] bootm: Add a bootm command for type IH_OS_EFI

Heinrich Schuchardt xypron.glpk at gmx.de
Wed Dec 11 11:13:28 CET 2019


On 12/11/19 9:54 AM, Cristian Ciocaltea wrote:
> 1. Create a public/private key pair
> $ openssl genpkey -algorithm RSA -out ${DEV_KEY} \
>          -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>
> 2. Create a certificate containing the public key
> $ openssl req -batch -new -x509 -key ${DEV_KEY} -out ${DEV_CRT}
>
> 3. Dump QEMU virt board DTB
> $ qemu-system-arm -nographic -M virt,dumpdtb=${BOARD_DTB} \
>          -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin [...]
>
> 4. Create (unsigned) FIT image and put the public key into DTB, with
>     the 'required' property set, telling U-Boot that this key MUST be
>     verified for the image to be valid
> $ mkimage -f ${FIT_ITS} -K ${BOARD_DTB} -k ${KEYS_DIR} -r ${FIT_IMG}
>
> 5. Sign the FIT image
> $ fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB}

Thanks for the description.

tools/fit_check_sign does not change any file. The signature is added in
step 4.

What seems to be missing in the U-Boot build system is the capability to
specify a public key in the configuration file to automatically include
the public key in the generated dtbs similar to Linux's
CONFIG_SYSTEM_TRUSTED_KEYS.

Best regards

Heinrich

>
> 6. Run QEMU supplying the DTB containing the public key and the
>     u-boot binary built with CONFIG_OF_BOARD
> $ qemu-system-arm -nographic \
>      -M virt -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin \
>      -dtb ${BOARD_DTB} [...]
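The ${FIT_ITS} source that step 4 above feeds to mkimage is not shown in the thread. The FIT source below is an added example, not from the patch series or either poster; it assumes the key pair is stored as ${KEYS_DIR}/dev.key and ${KEYS_DIR}/dev.crt (so the key-name-hint is "dev"), that the EFI binary is helloworld.efi, that the dumped board DTB is virt.dtb, and the load address shown.

```dts
/dts-v1/;

/* Example FIT source for an IH_OS_EFI payload (constructed, not from the thread). */
/ {
	description = "Signed EFI application FIT for QEMU virt";
	#address-cells = <1>;

	images {
		efi {
			description = "EFI application";
			data = /incbin/("helloworld.efi");   /* assumed file name */
			type = "kernel";
			arch = "arm";
			os = "efi";                          /* selects the IH_OS_EFI boot path */
			compression = "none";
			load = <0x40400000>;                 /* assumed; RAM on virt starts at 0x40000000 */
			entry = <0x40400000>;
			hash-1 {
				algo = "sha256";
			};
		};
		fdt {
			description = "QEMU virt DTB";
			data = /incbin/("virt.dtb");         /* assumed file name */
			type = "flat_dt";
			arch = "arm";
			compression = "none";
			hash-1 {
				algo = "sha256";
			};
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			kernel = "efi";
			fdt = "fdt";
			/* Configuration signature: mkimage -k ${KEYS_DIR} signs this node with
			 * ${KEYS_DIR}/dev.key and, with -K/-r, writes the matching public key
			 * into the board DTB marked as required. */
			signature-1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev";
				sign-images = "kernel", "fdt";
			};
		};
	};
};
```

With this source, the signature is produced during step 4 (mkimage with -k), matching Heinrich's point that fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB} only verifies the image against the public key already in the DTB and writes nothing.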



More information about the U-Boot mailing list