[PATCH v2 3/3] doc: verified-boot: add required-mode information

Thirupathaiah Annapureddy thiruan at linux.microsoft.com
Mon Aug 17 06:09:13 CEST 2020



On 7/28/2020 11:58 AM, Simon Glass wrote:
> Hi Thirupathaiah,
> 
> On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy
> <thiruan at linux.microsoft.com> wrote:
>>
>> Signed-off-by: Thirupathaiah Annapureddy <thiruan at linux.microsoft.com>
>> ---
>>
>> Changes in v2:
>> - New
>>
>>  doc/uImage.FIT/signature.txt | 14 ++++++++++++++
>>  1 file changed, 14 insertions(+)
>>
> 
> Reviewed-by: Simon Glass <sjg at chromium.org>
> 
> But I think we need a new mkimage option to set the required-mode

Is it okay if I do the mkimage option change as part of a different patch/
patch series?

> 
> 
>> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
>> index d4afd755e9..a3455889ed 100644
>> --- a/doc/uImage.FIT/signature.txt
>> +++ b/doc/uImage.FIT/signature.txt
>> @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys.
>>
>>  This happens automatically as part of a bootm command when FITs are used.
>>
>> +For Signed Configurations, the default verification behavior can be changed by
>> +the following optional property in /signature node in U-Boot's control FDT.
>> +
>> +- required-mode: Valid values are "any" to allow verified boot to succeed if
>> +the selected configuration is signed by any of the 'required' keys, and "all"
>> +to allow verified boot to succeed if the selected configuration is signed by
>> +all of the 'required' keys.
>> +
>> +This property can be added to a binary device tree using fdtput as shown in
>> +below examples::
>> +
>> +       fdtput -t s control.dtb /signature required-mode any
>> +       fdtput -t s control.dtb /signature required-mode all
>> +
>>
>>  Enabling FIT Verification
>>  -------------------------
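
Review bot: the paragraph added before "Enabling FIT Verification" says the "default verification behavior can be changed" but never states what that default is, so a reader cannot tell whether a control FDT without required-mode behaves like "any" or like "all". Please add a sentence naming the behavior when the property is absent, and say what verification does if the property holds a value other than the two listed, since that decides whether a typo in the fdtput command fails closed. Minor wording: "as shown in below examples" reads better as "as shown in the examples below", and the continuation lines of the "- required-mode:" item could be indented to line up with the item text.
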
>> --
>> 2.25.2
>>

