U-boot

Simon Glass sjg at chromium.org
Mon Aug 2 21:20:15 CEST 2021


Hi Rasmus,

On Mon, 2 Aug 2021 at 03:37, Rasmus Villemoes
<rasmus.villemoes at prevas.dk> wrote:
>
> On 02/08/2021 11.25, Roman Kopytin wrote:
> > Thanks a lot!
> > Yes, it looks like using 'fdtput' is not very safe for me.
> > As I understand it, I need to use the "fdt_add_pubkey" tool with a command like this (example):
> > ./fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb
> >
> > Is -r <conf|image> the same as for mkimage? As I remember, we can use -r w/o any values in mkimage.
>
> Yes, that's very close to what our Yocto recipe currently does:
>
>         for b in ${KERNEL_PUBLIC_KEYS} ; do
>                 fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n "$b" \
>                         -r conf $dtb
>         done
>
> I doubt that old patch applies nowadays, I've only forward-ported it to
> 2020.04 internally.
>
> As to Simon's old question of whether it could be done in mkimage with a
> new flag: I'd really prefer not to, mkimage is already an incoherent
> collection of tools that do very different things with different flags.
> Having a flag that says "create and sign this FIT image, and as a side
> effect update $this dtb $overhere with the corresponding public key
> mangled appropriately, oh, and btw, _only_ do that side effect" is a
> non-starter.

I missed that comment at the time...I think this tool is useful though.

The series is marked as deferred in patchwork, probably because the
thread died. How about reposting it?

Regards,
Simon

