Binman signing

Simon Glass sjg at chromium.org
Thu Apr 27 18:25:15 CEST 2023


Hi Ivan,

On Thu, 27 Apr 2023 at 07:41, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
>
> On Wed, 2023-04-26 at 15:29 -0600, Simon Glass wrote:
> > Hi Andy,
> >
> > On Wed, 26 Apr 2023 at 12:49, Andy Pandy <andypandy123g at gmail.com>
> > wrote:
> > >
> > > Hi there,
> > >
> > > First of all, I would like to thank you for the tool, I like it a
> > > lot.
> >
> > Great!
> >
> > >
> > > I've been trying to sign uboot by placing signature section into
> > > configurations section. Something like:
> > >
> > > {
> > > algo = "sha256,rsa2048";
> > > key-name-hint = "dev";
> > > sign-images = "fdt", "loadables";
> > > }
> > >
> > > But I can't find how to sign the second stage uboot, and integrate
> > > the public key into uboot spl device tree with binman.
> > > Prior to binman I used mkimage to do that, as follows:
> > >
> > > mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
> > >
> > > Could not find it in the documentation, I only saw pre-load, but I
> > > am not sure that this is what I am looking for.
> > >
> > > Would appreciate if you could give some hint on how this could be
> > > done.
> > >
> > > Thank you for your help
> >
> > +Ivan Mikhaylov
> >
> > I believe that 'binman sign' does this:
> >
> > https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-fit-container-with-private-key-in-an-image
> >
> > Regards,
> > Simon
>
> Andy, also you can look at tests there as examples
> https://github.com/u-boot/u-boot/blob/288fe30a2367b8d0e3f416493150a38ebaa88459/tools/binman/ftest.py#L6594
>
> You can add pubkeys with the fdt_add_pubkey utility also if you need just
> that.
>
> Simon, maybe I need to add the possibility to add pubkeys via binman sign,
> what do you think?

Yes I think that would be useful.

Regards,
Simon
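
Added example, not part of this thread and not U-Boot code: after the public key has been written into the SPL device tree (with mkimage -K or fdt_add_pubkey, as discussed above), this Python check reads the DTB and lists key nodes under /signature that lack the `required` property, which U-Boot uses to decide whether verification against that key is mandatory. The function names are hypothetical and the sample DTB is constructed in the code.

```python
import struct
MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def _pad4(b):
    return b + b"\0" * (-len(b) % 4)

def _node(name, inner):
    return (struct.pack(">I", BEGIN_NODE) + _pad4(name + b"\0") + inner
            + struct.pack(">I", END_NODE))

def build_sample_dtb(props):  # constructed input: only /signature/key-dev
    strings = body = b""
    for name, value in props.items():
        body += struct.pack(">III", PROP, len(value), len(strings)) + _pad4(value)
        strings += name.encode() + b"\0"
    tree = _node(b"", _node(b"signature", _node(b"key-dev", body))) + struct.pack(">I", END)
    off_strings = 56 + len(tree)  # 40-byte header + empty 16-byte reserve map
    header = struct.pack(">10I", MAGIC, off_strings + len(strings), 56,
                         off_strings, 40, 17, 16, 0, len(strings), len(tree))
    return header + b"\0" * 16 + tree + strings

def signature_keys(dtb):
    """Return {node name: {property: raw bytes}} for children of /signature."""
    magic, _, pos, off_strings = struct.unpack_from(">4I", dtb)
    if magic != MAGIC:
        raise ValueError("not a flattened device tree")
    path, keys = [], {}
    while True:
        token, pos = struct.unpack_from(">I", dtb, pos)[0], pos + 4
        if token == BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3  # step past the NUL, realign to 4 bytes
        elif token == END_NODE:
            path.pop()
        elif token == PROP:
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            name = dtb[off_strings + nameoff:].split(b"\0", 1)[0].decode()
            if len(path) == 3 and path[1] == "signature":
                keys.setdefault(path[2], {})[name] = dtb[pos + 8:pos + 8 + length]
            pos += 8 + ((length + 3) & ~3)
        elif token == END:
            return keys
        elif token != NOP:
            raise ValueError("unexpected FDT token %d" % token)

def unenforced_keys(dtb):
    """Key nodes without 'required': present, but not enforced by U-Boot."""
    return [k for k, p in signature_keys(dtb).items() if "required" not in p]
```

To check a real build, pass the bytes of the SPL control DTB to `unenforced_keys()`; an empty list means every embedded key is marked as required.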

