U-boot

Simon Glass sjg at chromium.org
Sat Jul 31 18:59:28 CEST 2021


Hi Roman,

On Sat, 31 Jul 2021 at 02:26, Roman Kopytin <Roman.Kopytin at kaspersky.com> wrote:
>
> Thank, but my question was about adding of the public key to dtb file without private key. We won't have private key in our side.

(please try not to top-post on the mailing list)

Presumably this means that you know what the public key is, so one
option is to manually add it to the dtb, e.g. in a u-boot.dtsi file
for your board. You can see the format of it in the documentation, or
just copy what is there when you do the signing.

Another option would be to use 'fdtput' to add the various fields in
the dtb after building.


- Simon

>
> -----Original Message-----
> From: Thomas Perrot <thomas.perrot at bootlin.com>
> Sent: Saturday, July 31, 2021 9:52 AM
> To: Roman Kopytin <Roman.Kopytin at kaspersky.com>; Michael Nazzareno Trimarchi <michael at amarulasolutions.com>
> Cc: U-Boot-Denx <u-boot at lists.denx.de>; Simon Glass <sjg at chromium.org>
> Subject: Re: U-boot
>
> Hi Roman,
>
> On Sat, 2021-07-31 at 03:34 +0000, Roman Kopytin wrote:
> > Thanks, Michael.
> > Can we sign in the separate state on special server for example?
>
> Yes, it possible, there is a step to build and another one to sign, that can be separated.
>
> For example, the following command, that build and sign the itb:
> # build and sign
> mkimage -D "-I dts -O dtb -p 4096" -f ./foo.its -k ./keys -K ./u- boot.dtb -r ./foo.itb
>
> Can be spitted in two:
> # build
> uboot-mkimage \
>     -D "-I dts -O dtb -p 4096" \
>     -f ./foo.its \
>     ./foo.itb
>
> # sign
> uboot-mkimage \
>     -D "-I dts -O dtb -p 4096" -F
>     -k ./keys \
>     -K ./u-boot.dtb \
>     -r \
>     ./foo.itb
>
> Then the u-boot*.dtb should contains the pubkey node(s) in the signature node and it can be shared and concatenated to the U-Boot
> binary:
>
> make EXT_DTB="./u-boot.dtb"
>
> > Looks like we can work with public key only in this step.
>
> The dtb containing the public key(s) is useful to verify the signature at the target boot, or with the tool fit_check_sign to perform an offload checking, for example:
>
> fit_check_sign -f ./foo.itb -k ./u-boot.dtb
>
> Best regards,
> Thomas Perrot
>
> >
> > From: Michael Nazzareno Trimarchi <michael at amarulasolutions.com>
> > Sent: Friday, July 30, 2021 8:50 PM
> > To: Roman Kopytin <Roman.Kopytin at kaspersky.com>
> > Cc: U-Boot-Denx <u-boot at lists.denx.de>; Simon Glass <sjg at chromium.org>
> > Subject: Re: U-boot
> >
> > Caution: This is an external email. Be cautious while opening links or
> > attachments.
> >
> >
> > Hi Román
> >
> >
> > On Fri, Jul 30, 2021, 7:44 PM Roman Kopytin <
> > Roman.Kopytin at kaspersky.com<mailto:Roman.Kopytin at kaspersky.com>> wrote:
> > Hello, dear U-boot team
> >
> > I have question about your old feature: U-boot patch for adding of the
> > public key to dtb file.
> >
> > https://patchwork.ozlabs.org/project/uboot/patch/1363650725-30459-37-g
> > it-send-email-sjg%40chromium.org/
> >
> > I can’t understand, can we work only with public key? Why do we need
> > to have private key for adding step?
> > In documentation it is not very clear for me.
> >
> > You need to sign with private key and keep it secret and local and
> > verify it during booting with public key. Private key is not
> > distributed with the image
> >
> > Michael
> >
> >
> > Thanks a lot.
> >
>
> --
> Thomas Perrot, Bootlin
> Embedded Linux and kernel engineering
> https://bootlin.com
>


More information about the U-Boot mailing list