[U-Boot] Verified boot interrogation
roger.clark.au at gmail.com
Wed Sep 18 11:47:13 UTC 2019
After studying the verified boot feature I have some interrogations.
If my understanding is correct the procedure should be the following :
1) Generate private keys and certificate
2) Generate a uboot and a dts file to describe the key
3) Generate a kernel/dtb/ramdisk and an its file to describe the fit image
(files + conf + signatures)
4) Signature of the fit image and creation of a u-boot dtb file containing
the public key
5) Insertion of the uboot dtb file in the uboot binary
A am I correct so far ?
My question is why the step 4 is not divided in two steps ? I don't
understand why the public key generation needs the fit image as input.This
creates a link between uboot and the kernel and I don't see how I can flash
a new kernel without re-flashing a linked uboot.
The thing is I don't want to update uboot as often as the kernel.
Sorry if this is a stupid question..
More information about the U-Boot