[PATCH V5 07/12] tools: Add script for converting public key into device tree include

Simon Glass sjg at chromium.org
Tue Feb 7 14:38:52 CET 2023


Hi Jan,

On Mon, 6 Feb 2023 at 22:47, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>
> On 07.02.23 05:02, Simon Glass wrote:
> > Hi Jan,
> >
> > On Mon, 6 Feb 2023 at 03:42, Jan Kiszka <jan.kiszka at siemens.com> wrote:
> >>
> >> On 04.02.23 23:23, Simon Glass wrote:
> >>> Hi Jan,
> >>>
> >>> On Fri, 3 Feb 2023 at 23:35, Jan Kiszka <jan.kiszka at siemens.com> wrote:
> >>>>
> >>>> On 04.02.23 01:20, Simon Glass wrote:
> >>>>> Hi Jan,
> >>>>>
> >>>>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka <jan.kiszka at siemens.com> wrote:
> >>>>>>
> >>>>>> From: Jan Kiszka <jan.kiszka at siemens.com>
> >>>>>>
> >>>>>> Allows to create a public key device tree dtsi for inclusion into U-Boot
> >>>>>> SPL and proper during first build already. This can be achieved via
> >>>>>> CONFIG_DEVICE_TREE_INCLUDES.
> >>>>>>
> >>>>>> Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
> >>>>>> ---
> >>>>>>  tools/key2dtsi.py | 64 +++++++++++++++++++++++++++++++++++++++++++++++
> >>>>>>  1 file changed, 64 insertions(+)
> >>>>>>  create mode 100755 tools/key2dtsi.py
> >>>>>
> >>>>> Please can you build this into Binman instead? We really don't want
> >>>>> any more of these scripts. Perhaps you can add a new entry type?
> >>>>>
> >>>>
> >>>> I don't think you are requesting something that makes any sense:
> >>>>
> >>>> "Binman creates and manipulate *images* for a board from a set of binaries"
> >>>
> >>> I mean that Binman can include a public key in the DT, if that is what
> >>> you are wanting. We don't want to add scripts for creating images and
> >>> pieces of images.
> >>>
> >>> Perhaps I just don't understand the goal here. How would your script be used?
> >>>
> >>
> >> We feed the generated dtsi into the U-Boot build, using
> >> CONFIG_DEVICE_TREE_INCLUDES. This ensures that it will be signed along with
> >> the built artifacts. Have a look at patch 9 for the steps, specifically
> >> the doc update bits. Full bitbake (Isar) integration is available under
> >> [1], specifically [2] in combination with [3].
> >>
> >
> > OK, so is Binman run in this case?
> >
>
> It's run at the end of the build, to assemble the unsigned flash.bin.
> And it should have been used also for signing that image (patch 8, see
> the other discussion).

OK, so how can we get this signing thing into Binman? Does it need a
new entry type? Is there something I can help with there? The input
looks like it should be the key.pem file.

Regards,
Simon


>
> Jan
>
> >> Jan
> >>
> >> [1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
> >> [2] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
> >> [3] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg
> >>
> >> --
> >> Siemens AG, Technology
> >> Competence Center Embedded Linux
> >>
> >
> > Regards,
> > Simon
>
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
>
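
As an added illustration of the dtsi that the thread says is fed to the build via CONFIG_DEVICE_TREE_INCLUDES (this is not the patch's tools/key2dtsi.py and not Binman code): the sketch below derives the precomputed RSA values and renders a `/signature/key-<name>` node using the property names from U-Boot's FIT signature documentation. The key name `custom`, the `sha256` hash, `required = "conf"` and the sample modulus are assumptions; a real run would take the modulus and exponent from key.pem.

```python
# Added example (not the patch's key2dtsi.py): derive the values U-Boot's RSA
# verifier expects beside the modulus and render them as a .dtsi fragment.

# Constructed odd 2048-bit integer standing in for a real modulus (assumption).
SAMPLE_N = (1 << 2047) | (0xC0FFEE << 64) | 1
SAMPLE_E = 65537

def rsa_dt_params(n, e):
    """Return num-bits, R^2 mod n and -1/n mod 2^32 for modulus n."""
    bits = n.bit_length()
    if n % 2 == 0 or bits % 32:
        raise ValueError("modulus must be odd and a multiple of 32 bits long")
    return {
        "bits": bits,
        "modulus": n,
        "exponent": e,
        "r_squared": pow(2, 2 * bits, n),                  # R = 2^bits
        "n0_inverse": (-pow(n, -1, 1 << 32)) % (1 << 32),  # Python 3.8+
    }

def cells(value, nbits):
    """Format an integer as big-endian 32-bit device tree cells."""
    raw = value.to_bytes(nbits // 8, "big")
    return "<" + " ".join("0x" + raw[i:i + 4].hex() for i in range(0, len(raw), 4)) + ">"

def key_to_dtsi(n, e, name="custom", hash_algo="sha256", required="conf"):
    """Render the /signature/key-<name> node; name/hash/required are assumptions."""
    p = rsa_dt_params(n, e)
    props = [
        f'key-name-hint = "{name}";',
        f'algo = "{hash_algo},rsa{p["bits"]}";',
        f'required = "{required}";',
        f'rsa,num-bits = <{p["bits"]}>;',
        f'rsa,modulus = {cells(p["modulus"], p["bits"])};',
        f'rsa,exponent = {cells(p["exponent"], 64)};',
        f'rsa,r-squared = {cells(p["r_squared"], p["bits"])};',
        f'rsa,n0-inverse = {cells(p["n0_inverse"], 32)};',
    ]
    body = "".join(f"\t\t\t{line}\n" for line in props)
    return f"/ {{\n\tsignature {{\n\t\tkey-{name} {{\n{body}\t\t}};\n\t}};\n}};\n"

if __name__ == "__main__":
    print(key_to_dtsi(SAMPLE_N, SAMPLE_E))
```

Because the fragment only carries public values, it can be committed or generated at build time; what has to be protected is the private half of key.pem and the integrity of the image that embeds this node.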

