[PATCH 0/3] mkimage: allow to specify signing algorithm

Dhananjay Phadke dphadke at linux.microsoft.com
Fri Jan 14 00:28:40 CET 2022


On 1/13/2022 4:38 AM, Jan Kiszka wrote:
> On 25.11.21 20:03, Jan Kiszka wrote:
>> Another step to decouple the FIT image specification from the actual
>> signing: With these changes, the signature nodes can leave out an algo
>> property, mkimage will initialize that as well while signing. This way,
>> in-tree FIT source files can be prepared for gaining signatures without
>> defining the key type or size upfront, forcing users to patch the code
>> to change that.

[resend to the list]

While encryption algo (rsa2048 vs rsa4096, etc) shouldn't need to be
explicitly specified as you noted below, how does it help to add it to
(already exhaustive) mkimage args? Parsing OID / length from keyfile
would be real change.

While rotating keys is common, how often algo is changed?

>>
>> Patch 1 is preparatory for this, patch 2 a drive-by cleanup.
>>
>> A better solution would actually be if the algorithm was derived from
>> the provided key. But the underlying crypto layer seems to be rather
>> unprepared for that.


Thanks,
DHananjay


More information about the U-Boot mailing list