U-boot

Rasmus Villemoes rasmus.villemoes at prevas.dk
Mon Aug 2 11:37:27 CEST 2021


On 02/08/2021 11.25, Roman Kopytin wrote:
> Thanks a lot!
> Yes, looks like using of the 'fdtput' is not very safety for me.
> As I understood I need to use "fdt_add_pubkey" tool with CMD (example):
> ./ fdt_add_pubkey  -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb
> 
> -r <conf|image> is the same as for mkimage? As I remember we can use -r w/o any values in mkimage.

Yes, that's very close to what our Yocto recipe currently does:

        for b in ${KERNEL_PUBLIC_KEYS} ; do
                fdt_add_pubkey -a 'sha1,rsa2048' -k
"${KERNEL_SIGNING_DIR}" -n "$b" \
                        -r conf $dtb
        done

I doubt that old patch applies nowadays, I've only forward-ported it to
2020.04 internally.

As to Simon's old question of whether it could be done in mkimage with a
new flag: I'd really prefer not to, mkimage is already an incoherent
collection of tools that do very different things with different flags.
Having a flag that says "create and sign this FIT image, and as a side
effect update $this dtb $overhere with the corresponding public key
mangled appropriately, oh, and btw, _only_ do that side effect" is a
non-starter.

Rasmus


More information about the U-Boot mailing list