[PATCH] image: Control FIT signature verification at runtime
andrew at aj.id.au
Tue Feb 15 04:25:13 CET 2022
On Tue, 15 Feb 2022, at 13:42, Dhananjay Phadke wrote:
> On 2/14/2022 3:13 PM, Patrick Williams wrote:
>> On Mon, Feb 14, 2022 at 11:14:53AM -0800, Dhananjay Phadke wrote:
>>> There's a key-requirement policy already implemented.
>>> Board code can patch "required-policy" = none at runtime based on
>>> appropriate logic.
>> Isn't this jumper proposal just like the TCG Physical Presence requirements?
>> This is a software implementation and requires a particular hardware design for
>> it to be done right, but it seems to be along the same lines.
> I'm supporting the idea of having control on FIT verification, just pointed
> out that it may be done by board code by just patching U-Boot control FDT,
> either the "required-policy" property at /signature or "required"
> property in individual key nodes.
This might separate the logic out in a way that's acceptable to Alex.
Let me poke at it.