[PATCH] mkimage: Allow 'auto-conf' signing of scripts

Tom Rini trini at konsulko.com
Sat Jul 6 00:39:32 CEST 2024


On Thu, Jun 20, 2024 at 04:20:59PM +0200, Alexander Dahl wrote:

> U-Boot configured for verified boot with the "required" option set to
> "conf" also checks scripts put in FIT images for a valid signature, and
> refuses to source and run such a script if the signature for the
> configuration is bad or missing.  Such a script could not be packaged
> before, because mkimage failed like this:
> 
>     % tools/mkimage -T script -C none -d tmp/my.scr -f auto-conf -k tmp -g dev -o sha256,rsa4096 my.uimg
>     Failed to find any images for configuration 'conf-1/signature'
>     tools/mkimage Can't add hashes to FIT blob: -1
>     Error: Bad parameters for FIT image type
> 
> This is especially unfortunate if LEGACY_IMAGE_FORMAT is disabled as
> recommended.
> 
> Listing the script configuration in a "sign-images" subnode instead,
> would have added even more complexity to the already complex auto fit
> generation code.
> 
> Signed-off-by: Alexander Dahl <ada at thorsis.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20240705/6c7cebe8/attachment.sig>


More information about the U-Boot mailing list