Binman signing

Ivan Mikhaylov fr0st61te at gmail.com
Thu Apr 27 18:41:01 CEST 2023


On Wed, 2023-04-26 at 15:29 -0600, Simon Glass wrote:
> Hi Andy,
> 
> On Wed, 26 Apr 2023 at 12:49, Andy Pandy <andypandy123g at gmail.com>
> wrote:
> > 
> > Hi there,
> > 
> > First of all, I would like to thank you for the tool, I like it a
> > lot.
> 
> Great!
> 
> > 
> > I've been trying to sign uboot by placing signature section into
> > configurations section. Something like:
> > 
> > {
> > algo = "sha256,rsa2048";
> > key-name-hint = "dev";
> > sign-images = "fdt", "loadables";
> > }
> > 
> > But I can't find how to sign the second stage uboot, and integrate
> > the public key into uboot spl device tree with binman.
> > Prior to binman I used mkimage to do that, as follows:
> > 
> > mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
> > 
> > Could not find it in the documentation, I only saw pre-load, but I
> > am not sure that this is what I am looking for.
> > 
> > Would appreciate if you could give some hint on how this could be
> > done.
> > 
> > Thank you for your help
> 
> +Ivan Mikhaylov
> 
> I believe that 'binman sign' does this:
> 
> https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-fit-container-with-private-key-in-an-image
> 
> Regards,
> Simon

Andy, you can also look at the tests there as examples:
https://github.com/u-boot/u-boot/blob/288fe30a2367b8d0e3f416493150a38ebaa88459/tools/binman/ftest.py#L6594

You can also add pubkeys with the fdt_add_pubkey utility if you need just
that.

Simon, maybe I need to add the possibility to add pubkeys via binman sign,
what do you think?

Thanks.
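
After adding a key with fdt_add_pubkey or `mkimage -K`, it is worth confirming that the SPL device tree really carries a `/signature/key-<hint>` node with the expected `algo` and a `required` property, since a key that is present but not required is not enforced. The following is an added example, not part of the original thread or of U-Boot's code: the function names and the sample blob are constructed for illustration, while the key name `dev` and the algorithm are taken from the question above.

```python
import struct
FDT_MAGIC, BEGIN, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def signature_keys(dtb):
    """Map each child of /signature to its properties (raw bytes)."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", dtb)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened devicetree blob")
    pos, path, keys = off_struct, [], {}
    while True:
        (tok,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if tok == BEGIN:                  # node name, NUL-terminated, padded to 4
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:                 # u32 length, u32 name offset, padded value
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            start = off_strings + nameoff
            name = dtb[start:dtb.index(b"\0", start)].decode()
            if len(path) == 3 and path[1] == "signature":
                keys.setdefault(path[2], {})[name] = dtb[pos + 8:pos + 8 + length]
            pos += 8 + ((length + 3) & ~3)
        elif tok == END:
            return keys
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok:#x}")

def check_key(dtb, hint, algo):
    """Return a list of problems with the key node for `hint` (empty means OK)."""
    node = signature_keys(dtb).get("key-" + hint)
    if node is None:
        return [f"/signature/key-{hint} is missing"]
    text = lambda p: node.get(p, b"").rstrip(b"\0").decode()
    checks = [(text("algo") == algo, "algo mismatch"),
              (text("required") in ("conf", "image"), "key is not marked required")]
    return [msg for ok, msg in checks if not ok]

def build_sample_dtb(required=b"conf\0"):
    """Constructed stand-in for a DTB after key insertion (no real key material)."""
    u32 = lambda *v: struct.pack(">%dI" % len(v), *v)
    prop = lambda off, val: u32(PROP, len(val), off) + val.ljust((len(val) + 3) & ~3, b"\0")
    node = lambda name, body: u32(BEGIN) + name.ljust((len(name) + 4) & ~3, b"\0") + body + u32(END_NODE)
    strings = b"algo\0required\0"
    body = prop(0, b"sha256,rsa2048\0") + (prop(5, required) if required else b"")
    blk = node(b"", node(b"signature", node(b"key-dev", body))) + u32(END)
    hdr = u32(FDT_MAGIC, 56 + len(blk) + len(strings), 56, 56 + len(blk), 40, 17, 16, 0, len(strings), len(blk))
    return hdr + b"\0" * 16 + blk + strings
```

On a real build, pass the bytes of the SPL DTB to `check_key` in place of the constructed blob.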

