Binman signing

Andy Pandy andypandy123g at gmail.com
Thu Apr 27 19:04:54 CEST 2023


Hi Ivan,

Thank you for the reference, didn't see the tool, as I'd been using uboot
v2023.04. These are all recent improvements, sign option in binman and
fdt_add_pubkey tool. Nice!

Not part of this request, but in an ideal world :), it would be just a
matter of putting private/public keys in let's say /keys directory, and if
signing is enabled in spl or the second stage uboot, the make would produce
a binary with expected chain of trust. Yes I know, how the saying goes: "It
is simple but not easy".

Who knows, one day my dream may come true. Meanwhile I will do it in an
old school way, scripting. :)

Cheers,
Andy

On Thu, Apr 27, 2023, 16:41 Ivan Mikhaylov <fr0st61te at gmail.com> wrote:

> On Wed, 2023-04-26 at 15:29 -0600, Simon Glass wrote:
> > Hi Andy,
> >
> > On Wed, 26 Apr 2023 at 12:49, Andy Pandy <andypandy123g at gmail.com>
> > wrote:
> > >
> > > Hi there,
> > >
> > > First of all, I would like to thank you for the tool, I like it a
> > > lot.
> >
> > Great!
> >
> > >
> > > I've been trying to sign uboot by placing signature section into
> > > configurations section. Something like:
> > >
> > > {
> > > algo = "sha256,rsa2048";
> > > key-name-hint = "dev";
> > > sign-images = "fdt", "loadables";
> > > }
> > >
> > > But I can't find how to sign the second stage uboot, and integrate
> > > the public key into uboot spl device tree with binman.
> > > Prior to binman I used mkimage to do that, as follows:
> > >
> > > mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
> > >
> > > Could not find it in the documentation, I only saw pre-load, but I
> > > am not sure that this is what I am looking for.
> > >
> > > Would appreciate if you could give some hint on how this could be
> > > done.
> > >
> > > Thank you for your help
> >
> > +Ivan Mikhaylov
> >
> > I believe that 'binman sign' does this:
> >
> >
> > https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-fit-container-with-private-key-in-an-image
> >
> > Regards,
> > Simon
>
> Andy, also you can look at tests there as examples
>
> https://github.com/u-boot/u-boot/blob/288fe30a2367b8d0e3f416493150a38ebaa88459/tools/binman/ftest.py#L6594
>
> You can add pubkeys with fdt_add_pubkey utility also if you need just
> that.
>
> Simon, maybe I need to add possibility to add pubkeys via binman sign,
> what do you think?
>
> Thanks.
>
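
Added example, not part of the original thread and not taken from the U-Boot tree: a minimal `uboot.its` showing where the signature node from Andy's message sits inside a configuration, for use with the `mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit` command quoted above. The file names, architecture, node names and load/entry addresses are constructed placeholders.

```dts
/dts-v1/;

/ {
	description = "Second-stage U-Boot, signed configuration (constructed example)";
	#address-cells = <1>;

	images {
		uboot {
			description = "U-Boot proper";
			data = /incbin/("u-boot-nodtb.bin");	/* placeholder path */
			type = "standalone";
			os = "u-boot";
			arch = "arm64";				/* placeholder */
			compression = "none";
			load = <0x80080000>;			/* placeholder address */
			entry = <0x80080000>;			/* placeholder address */
			/* Each image needs a hash node: the configuration
			 * signature covers these hashes, not the raw data. */
			hash-1 {
				algo = "sha256";
			};
		};

		fdt-1 {
			description = "Device tree for U-Boot proper";
			data = /incbin/("u-boot-proper.dtb");	/* placeholder path */
			type = "flat_dt";
			arch = "arm64";				/* placeholder */
			compression = "none";
			hash-1 {
				algo = "sha256";
			};
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			description = "U-Boot proper with its device tree";
			loadables = "uboot";
			fdt = "fdt-1";
			/* Signature node as posted in the thread; "dev" selects
			 * dev.key / dev.crt in the directory passed with -k. */
			signature-1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev";
				sign-images = "fdt", "loadables";
			};
		};
	};
};
```

The device tree passed with `-K` is the control device tree of the stage that performs the verification, and `-r` marks the key written there as required.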

