Simon Glass sjg at chromium.org
Wed Nov 10 20:37:22 CET 2021

Hi Roman,

see signature.txt :

- required: If present this indicates that the key must be verified for the
image / configuration to be considered valid. Only required keys are
normally verified by the FIT image booting algorithm. Valid values are
"image" to force verification of all images, and "conf" to force verification
of the selected configuration (which then relies on hashes in the images to
verify those).


On Wed, 10 Nov 2021 at 04:20, Roman Kopytin <Roman.Kopytin at kaspersky.com> wrote:
> Hi, Rasmus and Simon
> I need more details about -r <conf|image> for fdt_add_pubkey.
> I need to add small help for tool, please provide details.
> -----Original Message-----
> From: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
> Sent: Monday, August 2, 2021 12:37 PM
> To: Roman Kopytin <Roman.Kopytin at kaspersky.com>; Simon Glass <sjg at chromium.org>
> Cc: Thomas Perrot <thomas.perrot at bootlin.com>; Michael Nazzareno Trimarchi <michael at amarulasolutions.com>; U-Boot-Denx <u-boot at lists.denx.de>; Alex Kiernan <alex.kiernan at gmail.com>
> Subject: Re: U-boot
> Caution: This is an external email. Be cautious while opening links or attachments.
> On 02/08/2021 11.25, Roman Kopytin wrote:
> > Thanks a lot!
> > Yes, looks like using of the 'fdtput' is not very safety for me.
> > As I understood I need to use "fdt_add_pubkey" tool with CMD (example):
> > ./ fdt_add_pubkey  -a rsa2048 -k <keydir> -n <keyname> -r <conf|image>
> > my_file.dtb
> >
> > -r <conf|image> is the same as for mkimage? As I remember we can use -r w/o any values in mkimage.
> Yes, that's very close to what our Yocto recipe currently does:
>         for b in ${KERNEL_PUBLIC_KEYS} ; do
>                 fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n "$b" \
>                         -r conf $dtb
>         done
> I doubt that old patch applies nowadays, I've only forward-ported it to
> 2020.04 internally.
> As to Simon's old question of whether it could be done in mkimage with a new flag: I'd really prefer not to, mkimage is already an incoherent collection of tools that do very different things with different flags.
> Having a flag that says "create and sign this FIT image, and as a side effect update $this dtb $overhere with the corresponding public key mangled appropriately, oh, and btw, _only_ do that side effect" is a non-starter.
> Rasmus

More information about the U-Boot mailing list