U-boot

Roman Kopytin Roman.Kopytin at kaspersky.com
Mon Aug 2 11:55:14 CEST 2021


Yes, I don't see this tool in the master branch.
Maybe I will take the code and build this tool.

Do you have a plan for sharing it in the repo?


-----Original Message-----
From: Rasmus Villemoes <rasmus.villemoes at prevas.dk> 
Sent: Monday, August 2, 2021 12:37 PM
To: Roman Kopytin <Roman.Kopytin at kaspersky.com>; Simon Glass <sjg at chromium.org>
Cc: Thomas Perrot <thomas.perrot at bootlin.com>; Michael Nazzareno Trimarchi <michael at amarulasolutions.com>; U-Boot-Denx <u-boot at lists.denx.de>; Alex Kiernan <alex.kiernan at gmail.com>
Subject: Re: U-boot

On 02/08/2021 11.25, Roman Kopytin wrote:
> Thanks a lot!
> Yes, it looks like using 'fdtput' is not very safe for me.
> As I understood, I need to use the "fdt_add_pubkey" tool with CMD (example):
> ./fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb
>
> -r <conf|image> is the same as for mkimage? As I remember we can use -r w/o any values in mkimage.

Yes, that's very close to what our Yocto recipe currently does:

        for b in ${KERNEL_PUBLIC_KEYS} ; do
                fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n "$b" \
                        -r conf $dtb
        done

I doubt that old patch applies nowadays, I've only forward-ported it to
2020.04 internally.

As to Simon's old question of whether it could be done in mkimage with a new flag: I'd really prefer not to, mkimage is already an incoherent collection of tools that do very different things with different flags.
Having a flag that says "create and sign this FIT image, and as a side effect update $this dtb $overhere with the corresponding public key mangled appropriately, oh, and btw, _only_ do that side effect" is a non-starter.

Rasmus
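
Added example, not part of the original thread and not U-Boot or fdt_add_pubkey code: a Python sketch of the "public key mangled appropriately" step, deriving the properties of a /signature/key-<keyname> node as U-Boot's FIT signature documentation describes them for mkimage -K. That fdt_add_pubkey writes the same layout is an assumption; key_node, be32_cells and the sample values are hypothetical names and constructed data.

```python
import hashlib

WORD = 1 << 32  # properties are stored as big-endian 32-bit cells

def be32_cells(value, bits):
    """Split an integer into big-endian 32-bit cells covering `bits` bits."""
    count = (bits + 31) // 32
    return [(value >> (32 * i)) & (WORD - 1) for i in reversed(range(count))]

def key_node(keyname, algo, required, modulus, exponent):
    """Return the properties of the key node for one RSA public key."""
    if required not in ("conf", "image"):
        raise ValueError("required must be 'conf' or 'image'")
    if modulus % 2 == 0:
        raise ValueError("RSA modulus must be odd")
    bits = modulus.bit_length()
    # n0-inverse = -1 / n[0] mod 2^32, where n[0] is the low word of n
    n0_inverse = (-pow(modulus, -1, WORD)) % WORD
    # r-squared = (2^bits)^2 mod n, precomputed for Montgomery multiplication
    r_squared = pow(2, 2 * bits, modulus)
    return {
        "path": "/signature/key-" + keyname,
        "required": required,
        "algo": algo,
        "key-name-hint": keyname,
        "rsa,num-bits": bits,
        "rsa,modulus": be32_cells(modulus, bits),
        "rsa,exponent": exponent,
        "rsa,r-squared": be32_cells(r_squared, bits),
        "rsa,n0-inverse": n0_inverse,
    }

# Constructed sample: an odd 2048-bit integer, NOT a real RSA modulus.
# Any odd value of that size exercises the same arithmetic.
SAMPLE_N = (1 << 2047) | int.from_bytes(
    hashlib.sha256(b"constructed sample").digest(), "big") | 1
SAMPLE = key_node("dev", "sha1,rsa2048", "conf", SAMPLE_N, 65537)

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        print(name, "=", value if not isinstance(value, list)
              else "<%d cells>" % len(value))
```

Comparing these values against the output of `fdtget` on the resulting dtb is one way to confirm that the key the bootloader will trust is the one you intended to add.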

