[PATCH V5 07/12] tools: Add script for converting public key into device tree include

Jan Kiszka jan.kiszka at siemens.com
Tue Feb 7 06:47:20 CET 2023


On 07.02.23 05:02, Simon Glass wrote:
> Hi Jan,
> 
> On Mon, 6 Feb 2023 at 03:42, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>>
>> On 04.02.23 23:23, Simon Glass wrote:
>>> Hi Jan,
>>>
>>> On Fri, 3 Feb 2023 at 23:35, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>>>>
>>>> On 04.02.23 01:20, Simon Glass wrote:
>>>>> Hi Jan,
>>>>>
>>>>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>>>>>>
>>>>>> From: Jan Kiszka <jan.kiszka at siemens.com>
>>>>>>
>>>>>> Allows to create a public key device tree dtsi for inclusion into U-Boot
>>>>>> SPL and proper during first build already. This can be achieved via
>>>>>> CONFIG_DEVICE_TREE_INCLUDES.
>>>>>>
>>>>>> Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
>>>>>> ---
>>>>>>  tools/key2dtsi.py | 64 +++++++++++++++++++++++++++++++++++++++++++++++
>>>>>>  1 file changed, 64 insertions(+)
>>>>>>  create mode 100755 tools/key2dtsi.py
>>>>>
>>>>> Please can you build this into Binman instead? We really don't want
>>>>> any more of these scripts. Perhaps you can add a new entry type?
>>>>>
>>>>
>>>> I don't think you are requesting something that makes any sense:
>>>>
>>>> "Binman creates and manipulate *images* for a board from a set of binaries"
>>>
>>> I mean that Binman can include a public key in the DT, if that is what
>>> you are wanting. We don't want to add scripts for creating images and
>>> pieces of images.
>>>
>>> Perhaps I just don't understand the goal here. How would your script be used?
>>>
>>
>> We feed the generated dtsi into the U-Boot build, using
>> CONFIG_DEVICE_TREE_INCLUDES. This ensures that it will be signed along with
>> the built artifacts. Have a look at patch 9 for the steps, specifically
>> the doc update bits. Full bitbake (Isar) integration is available under
>> [1], specifically [2] in combination with [3].
>>
> 
> OK, so is Binman run in this case?
> 

It's run at the end of the build, to assemble the unsigned flash.bin.
And it should have been used also for signing that image (patch 8, see
the other discussion).

Jan

>> Jan
>>
>> [1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
>> [2] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
>> [3] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg
>>
>> --
>> Siemens AG, Technology
>> Competence Center Embedded Linux
>>
> 
> Regards,
> Simon

-- 
Siemens AG, Technology
Competence Center Embedded Linux


