[PATCH RFC 2/3] WIP: getting signing nodes to work in FIT generator node

Simon Glass sjg at chromium.org
Fri Jul 28 04:35:31 CEST 2023

Hi Neha,

On Thu, 27 Jul 2023 at 06:12, Neha Malcom Francis <n-francis at ti.com> wrote:
> They need to get the contents of the FIT section beforehand, process
> them and prepend the signing certificate to the FIT contents
> Signed-off-by: Neha Malcom Francis <n-francis at ti.com>
> ---
>  tools/binman/etype/collection.py | 38 +++++++++++++++++++++++---------
>  tools/binman/etype/fit.py        |  1 +
>  tools/binman/etype/ti_secure.py  | 13 ++++++++---
>  tools/binman/etype/x509_cert.py  |  9 ++++++--
>  4 files changed, 46 insertions(+), 15 deletions(-)

I am not quite sure about this, but it seems there is a bit too much magic?

>From what I can tell, you want:

@fdt-SEQ {
   ti-secure {
      content = <&dtb>;
   dtb: blob-ext {
      filename = "u-boot-spl.dtb";

where the 'dtb' phande can work even though it is in a generated node.

Is that right? If so, I suspect it could be done.

Re the fit,fdt-indir that is where I get confused...you want it to
affect the generator somehow? How is that? The last patch gives me
some clues but I don't understand why some nodes have the
fit,fdt-indir property and some do not?

I suspect what would help me understand is to write a test .dts and a
test that doesn't work, but illustrates what you want...then we might
get closer to a suitable design. Once the design is clean, the impl
should follow.


More information about the U-Boot mailing list