[PATCH 1/1] binman: add sign option for binman

Simon Glass sjg at chromium.org
Mon Feb 7 21:22:19 CET 2022


Hi Ivan,

On Thu, 27 Jan 2022 at 03:00, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
>
> On Tue, 2021-12-28 at 01:34 -0700, Simon Glass wrote:
> > Hi Ivan,
> >
> > On Fri, 24 Dec 2021 at 11:23, Ivan Mikhaylov <fr0st61te at gmail.com>
> > wrote:
> > >
> > > Introduce prototype for binman's new option which provides sign
> > > and replace sections in binary images.
> > >
> > > Usage as example:
> > >
> > > from:
> > > mkimage -G privateky -r -o sha256,rsa4096 -F fit at 0x280000.fit
> > > binman replace -i flash.bin -f fit at 0x280000.fit fit at 0x280000
> > >
> > > to:
> > > binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f
> > > fit at 0x280000.fit fit at 0x280000
> > >
> > > Signed-off-by: Ivan Mikhaylov <ivan.mikhaylov at siemens.com>
> > > ---
> > >  tools/binman/cmdline.py | 13 +++++++++++++
> > >  tools/binman/control.py | 27 ++++++++++++++++++++++++++-
> > >  2 files changed, 39 insertions(+), 1 deletion(-)
> >
> > This looks good. Just need a test and docs update (also check 'binman
> > test -T' for 100% code coverage).
>
> Simon, I've tried to figure out with test and stumble a little bit with
> verification step. How to verify that mkimage sign fit image with
> existing key, is there any option or any toolkits? I didn't find any
> suitable option in mkimage either, is it good idea to add key
> verification inside mkimage? Other way is to have blobs with predefined
> keys inside test directory in binman which I think is not so good.

We already have test_vboot.py which runs U-Boot (and also
fit_check_sign) to verify the signature. Can you use that?

Regards,
Simon


More information about the U-Boot mailing list