[PATCH v2 3/3] doc: verified-boot: add required-mode information

Simon Glass sjg at chromium.org
Tue Jul 28 20:58:23 CEST 2020


Hi Thirupathaiah,

On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy
<thiruan at linux.microsoft.com> wrote:
>
> Signed-off-by: Thirupathaiah Annapureddy <thiruan at linux.microsoft.com>
> ---
>
> Changes in v2:
> - New
>
>  doc/uImage.FIT/signature.txt | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>

Reviewed-by: Simon Glass <sjg at chromium.org>

But I think we need a new mkimage option to set the required-mode.


> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
> index d4afd755e9..a3455889ed 100644
> --- a/doc/uImage.FIT/signature.txt
> +++ b/doc/uImage.FIT/signature.txt
> @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys.
>
>  This happens automatically as part of a bootm command when FITs are used.
>
> +For Signed Configurations, the default verification behavior can be changed by
> +the following optional property in /signature node in U-Boot's control FDT.
> +
> +- required-mode: Valid values are "any" to allow verified boot to succeed if
> +the selected configuration is signed by any of the 'required' keys, and "all"
> +to allow verified boot to succeed if the selected configuration is signed by
> +all of the 'required' keys.
> +
> +This property can be added to a binary device tree using fdtput as shown in
> +below examples::
> +
> +       fdtput -t s control.dtb /signature required-mode any
> +       fdtput -t s control.dtb /signature required-mode all
> +
>
>  Enabling FIT Verification
>  -------------------------
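
Review bot: The added paragraph that begins "For Signed Configurations, the default verification behavior can be changed" never states what that default is, so a reader cannot tell which rule applies when /signature has no required-mode property, or what happens when the value is neither "any" nor "all". Because this property decides whether one 'required' key or every 'required' key must have signed the selected configuration, the text should spell out the behaviour for the absent and the invalid case. Minor wording: "as shown in below examples::" reads better as "as shown in the examples below", and it would help to say that the two fdtput lines are alternatives rather than a sequence.
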
> --
> 2.25.2
>

