Injecting public keys into FDTs for FIT verification

Jan Kiszka jan.kiszka at siemens.com
Fri Nov 5 11:16:16 CET 2021


Hi all,

in order to use CONFIG_FIT_SIGNATURE and also
CONFIG_SPL_FIT_SIGNATURE, a public key needs to be placed into the
control FDT. So far, I only found mkimage being able to do that during
FIT image signing. That is fairly unhandy and often incompatible with
how firmware is built & signed vs. how the lifecycle of the artifacts to
be loaded and verified looks like. Is there really no other way than
mkimage -K?

I'm currently considering deriving a tool that, given a public key
(which is easy to hand around, compared to the private key needed for
signing), injects it into an FDT. Then I would hook that up as a generic
feature for U-Boot builds, enriching all control FDTs already during the
first build with this when requested.

Am I missing an even simpler approach?

Thanks,
Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
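
What a public-key-only injection step has to produce, as an added sketch that is not part of the original post and not U-Boot code: it derives the precomputed values that sit next to the modulus and renders a `/signature/key-<name>` node using the property names from U-Boot's documented FIT signature key layout. The function names, the key name `dev`, the choice to emit a DTS fragment for inclusion in the control DTS, and the sample modulus (constructed, not a real key) are assumptions; the modulus and exponent are passed as integers rather than parsed from PEM.

```python
def be_cells(value: int, bits: int) -> str:
    """Format value as big-endian 32-bit DTS cells spanning `bits` bits."""
    raw = value.to_bytes(((bits + 31) // 32) * 4, "big")
    return " ".join(f"0x{raw[i:i + 4].hex()}" for i in range(0, len(raw), 4))


def key_properties(n: int, e: int) -> dict:
    """Derive the values stored alongside the modulus for Montgomery math."""
    if n < 3 or n % 2 == 0:
        raise ValueError("RSA modulus must be odd")
    bits = n.bit_length()
    return {
        "num_bits": bits,
        "n0_inverse": (-pow(n, -1, 1 << 32)) % (1 << 32),  # -1/n mod 2^32
        "r_squared": pow(2, 2 * bits, n),                   # (2^bits)^2 mod n
    }


def key_node_dts(name, n, e, algo="sha256,rsa2048", required="conf") -> str:
    """Render a /signature/key-<name> node as a DTS fragment."""
    p = key_properties(n, e)
    bits = p["num_bits"]
    props = [
        f'required = "{required}";',
        f'algo = "{algo}";',
        f"rsa,num-bits = <{bits}>;",
        f"rsa,n0-inverse = <0x{p['n0_inverse']:08x}>;",
        f"rsa,exponent = <{be_cells(e, 64)}>;",
        f"rsa,modulus = <{be_cells(n, bits)}>;",
        f"rsa,r-squared = <{be_cells(p['r_squared'], bits)}>;",
        f'key-name-hint = "{name}";',
    ]
    body = "\n".join("\t\t\t" + line for line in props)
    return f"/ {{\n\tsignature {{\n\t\tkey-{name} {{\n{body}\n\t\t}};\n\t}};\n}};\n"


# Constructed stand-in modulus (odd, 2048 bits). NOT a real RSA key.
SAMPLE_N = (1 << 2047) | 0x9E3779B97F4A7C15
SAMPLE_E = 65537

if __name__ == "__main__":
    print(key_node_dts("dev", SAMPLE_N, SAMPLE_E))
```

Only public values go in, so the step can run in a build that never sees the signing key.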

