[PATCH v3 4/5] spl: fit: add Kconfig option to specify key-hint for fit_generator

Heiko Stuebner heiko at sntech.de
Tue May 26 12:44:11 CEST 2020

From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>

The u-boot.itb can be generated either from a static .its that can
simply include the needed signature nodes with key-hints or from a
fit-generator script referenced in CONFIG_SPL_FIT_GENERATOR.

In the script-case it will need to know what key to include for the
key-hint and specified algorithm, so add an option for that key-name.

Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich at theobroma-systems.com>
Reviewed-by: Simon Glass <sjg at chromium.org>
Reviewed-by: Kever Yang <kever.yang at rock-chips.com>
changes in v2:
- add doc snippet explaining the option

 Kconfig                  |  8 ++++++++
 doc/uImage.FIT/howto.txt | 13 +++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/Kconfig b/Kconfig
index bab7c4f3ee..6a9bf8d865 100644
--- a/Kconfig
+++ b/Kconfig
@@ -548,6 +548,14 @@ config SPL_FIT_GENERATOR
 	  passed a list of supported device tree file stub names to
 	  include in the generated image.
+	string "key hint for signing U-Boot FIT image"
+	depends on SPL_FIT_SIGNATURE
+	default "dev"
+	help
+	  The key hint to store in both the generated .its file as well as
+	  u-boot-key.dtb generated separately and embedded into the SPL.
 endif # SPL
 endif # FIT
diff --git a/doc/uImage.FIT/howto.txt b/doc/uImage.FIT/howto.txt
index 8592719685..f409b3770e 100644
--- a/doc/uImage.FIT/howto.txt
+++ b/doc/uImage.FIT/howto.txt
@@ -66,6 +66,19 @@ can point to a script which generates this image source file during
 the build process. It gets passed a list of device tree files (taken from the
 CONFIG_OF_LIST symbol).
+Signing u-boot.itb with SPL_FIT_GENERATOR
+u-boot.itb can be signed to verify the integrity of its components.
+option can be used to specifiy the key directory - either a relative or
+absolute path.
+See signature.txt for general signature handling, but when
+can be used to specify the key-hint that should be included into the
+created u-boot.its by the generator.
 Example 1 -- old-style (non-FDT) kernel booting

More information about the U-Boot mailing list