[U-Boot] Verified boot interrogation

Roger Clark roger.clark.au at gmail.com
Wed Sep 18 11:47:13 UTC 2019

Hello everyone,

After studying the verified boot feature I have some interrogations.

If my understanding is correct the procedure should be the following :
1) Generate private keys and certificate
2) Generate a uboot and a dts file to describe the key
3) Generate a kernel/dtb/ramdisk and an its file to describe the fit image
(files + conf + signatures)
4) Signature of the fit image and creation of a u-boot dtb file containing
the public key
5) Insertion of the uboot dtb file in the uboot binary

A am I correct so far ?

My question is why the step 4 is not divided in two steps ? I don't
understand why the public key generation needs the fit image as input.This
creates a link between uboot and the kernel and I don't see how I can flash
a new kernel without re-flashing a linked uboot.

The thing is I don't want to update uboot as often as the kernel.

Sorry if this is a stupid question..

Thanks !

More information about the U-Boot mailing list