U-boot

Roman Kopytin Roman.Kopytin at kaspersky.com
Mon Aug 2 11:25:33 CEST 2021


Thanks a lot!
Yes, it looks like using 'fdtput' is not very safe for me.
As I understood, I need to use the "fdt_add_pubkey" tool with a command like this (example):
./fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb

Is -r <conf|image> the same as for mkimage? As I remember, we can use -r without any value in mkimage.


-----Original Message-----
From: Rasmus Villemoes <rasmus.villemoes at prevas.dk> 
Sent: Monday, August 2, 2021 12:00 PM
To: Simon Glass <sjg at chromium.org>; Roman Kopytin <Roman.Kopytin at kaspersky.com>
Cc: Thomas Perrot <thomas.perrot at bootlin.com>; Michael Nazzareno Trimarchi <michael at amarulasolutions.com>; U-Boot-Denx <u-boot at lists.denx.de>; Alex Kiernan <alex.kiernan at gmail.com>
Subject: Re: U-boot




On 31/07/2021 18.59, Simon Glass wrote:
> Hi Roman,
>
> On Sat, 31 Jul 2021 at 02:26, Roman Kopytin <Roman.Kopytin at kaspersky.com> wrote:
>>
>> Thank, but my question was about adding of the public key to dtb file without private key. We won't have private key in our side.
>
> (please try not to top-post on the mailing list)
>
> Presumably this means that you know what the public key is, so one 
> option is to manually add it to the dtb, e.g. in a u-boot.dtsi file 
> for your board. You can see the format of it in the documentation, or 
> just copy what is there when you do the signing.
>

I sent
https://lore.kernel.org/u-boot/20200211094818.14219-3-rasmus.villemoes@prevas.dk/
1.5 years ago. Roman, is that something like what you need? We've used that patch/tool internally ever since.

> Another option would be to use 'fdtput' to add the various fields in 
> the dtb after building.

Yes, but that, or the .dtsi approach, requires figuring just exactly what those fields are supposed to be. And even if one could "reverse engineer" that and implement the math separately in another tool, it's much better to utilize the same code which "mkimage proper" would use, since there's less risk of messing up endianness etc., and only one place to fix bugs.

Rasmus
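The "math" Rasmus refers to above (the derived values mkimage writes next to the raw modulus) is easy to get subtly wrong, which is the point of reusing mkimage's code. As an added illustration that is not part of this thread or of U-Boot's tools, the following Python derives those values for a constructed sample key and offers a consistency check that someone receiving a pre-populated DTB could run on the decoded key properties; the property names and derivation are what I understand U-Boot's rsa-sign.c to use, and are stated here as an assumption.

```python
import struct

# Constructed sample key for illustration only (not a real key): an odd
# 64-bit modulus with the common public exponent 65537.
SAMPLE_N = 0xC0FFEE1234567891
SAMPLE_E = 65537

def rsa_fdt_params(n: int, e: int) -> dict:
    """Derive the values mkimage stores under /signature/key-<name>.

    Assumed derivation (mirrors U-Boot's rsa-sign.c as I understand it):
      rsa,num-bits   = bit length of n
      rsa,n0-inverse = -n^-1 mod 2^32 (Montgomery constant)
      rsa,r-squared  = (2^num_bits)^2 mod n
    """
    if n % 2 == 0:
        raise ValueError("modulus must be odd for Montgomery reduction")
    num_bits = n.bit_length()
    n0_inv = (-pow(n, -1, 1 << 32)) % (1 << 32)
    r_squared = pow(1 << num_bits, 2, n)
    return {
        "rsa,num-bits": num_bits,
        "rsa,n0-inverse": n0_inv,
        "rsa,exponent": e,
        "rsa,modulus": n,
        "rsa,r-squared": r_squared,
    }

def encode_cells(params: dict) -> dict:
    """Serialise as the big-endian cells a DTB carries (the endianness that
    is easy to get wrong). Big numbers are padded to whole 32-bit words."""
    nbytes = (params["rsa,num-bits"] + 31) // 32 * 4
    return {
        "rsa,num-bits": struct.pack(">I", params["rsa,num-bits"]),
        "rsa,n0-inverse": struct.pack(">I", params["rsa,n0-inverse"]),
        "rsa,exponent": struct.pack(">Q", params["rsa,exponent"]),
        "rsa,modulus": params["rsa,modulus"].to_bytes(nbytes, "big"),
        "rsa,r-squared": params["rsa,r-squared"].to_bytes(nbytes, "big"),
    }

def check_params(cells: dict) -> bool:
    """Consistency check on decoded key properties: n*n0_inv == -1 mod 2^32,
    r_squared == 2^(2*num_bits) mod n, and num-bits matches the modulus."""
    num_bits = struct.unpack(">I", cells["rsa,num-bits"])[0]
    n0_inv = struct.unpack(">I", cells["rsa,n0-inverse"])[0]
    n = int.from_bytes(cells["rsa,modulus"], "big")
    r2 = int.from_bytes(cells["rsa,r-squared"], "big")
    ok_n0 = (n * n0_inv) % (1 << 32) == (1 << 32) - 1
    ok_r2 = r2 == pow(2, 2 * num_bits, n)
    return ok_n0 and ok_r2 and n.bit_length() == num_bits
```

The check only confirms the derived cells are consistent with the modulus they sit next to; it says nothing about whether that modulus is the key you intended to trust.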

