All of lore.kernel.org
 help / color / mirror / Atom feed
From: Heiko Stuebner <heiko@sntech.de>
To: u-boot@lists.denx.de
Subject: [PATCH v3 4/5] spl: fit: add Kconfig option to specify key-hint for fit_generator
Date: Tue, 26 May 2020 12:44:11 +0200	[thread overview]
Message-ID: <20200526104412.3666210-5-heiko@sntech.de> (raw)
In-Reply-To: <20200526104412.3666210-1-heiko@sntech.de>

From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>

The u-boot.itb can be generated either from a static .its that can
simply include the needed signature nodes with key-hints or from a
fit-generator script referenced in CONFIG_SPL_FIT_GENERATOR.

In the script-case it will need to know what key to include for the
key-hint and specified algorithm, so add an option for that key-name.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
---
changes in v2:
- add doc snippet explaining the option

 Kconfig                  |  8 ++++++++
 doc/uImage.FIT/howto.txt | 13 +++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/Kconfig b/Kconfig
index bab7c4f3ee..6a9bf8d865 100644
--- a/Kconfig
+++ b/Kconfig
@@ -548,6 +548,14 @@ config SPL_FIT_GENERATOR
 	  passed a list of supported device tree file stub names to
 	  include in the generated image.
 
+config SPL_FIT_GENERATOR_KEY_HINT
+	string "key hint for signing U-Boot FIT image"
+	depends on SPL_FIT_SIGNATURE
+	default "dev"
+	help
+	  The key hint to store in both the generated .its file as well as
+	  u-boot-key.dtb generated separately and embedded into the SPL.
+
 endif # SPL
 
 endif # FIT
diff --git a/doc/uImage.FIT/howto.txt b/doc/uImage.FIT/howto.txt
index 8592719685..f409b3770e 100644
--- a/doc/uImage.FIT/howto.txt
+++ b/doc/uImage.FIT/howto.txt
@@ -66,6 +66,19 @@ can point to a script which generates this image source file during
 the build process. It gets passed a list of device tree files (taken from the
 CONFIG_OF_LIST symbol).
 
+Signing u-boot.itb with SPL_FIT_GENERATOR
+-----------------------------------------
+
+u-boot.itb can be signed to verify the integrity of its components.
+When CONFIG_SPL_FIT_SIGNATURE is enabled the CONFIG_SPL_FIT_SIGNATURE_KEY_DIR
+option can be used to specifiy the key directory - either a relative or
+absolute path.
+
+See signature.txt for general signature handling, but when
+CONFIG_SPL_FIT_GENERATOR is used the option CONFIG_SPL_FIT_GENERATOR_KEY_HINT
+can be used to specify the key-hint that should be included into the
+created u-boot.its by the generator.
+
 Example 1 -- old-style (non-FDT) kernel booting
 -----------------------------------------------
 
-- 
2.25.1

  parent reply	other threads:[~2020-05-26 10:44 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-26 10:44 [PATCH v3 0/5] rockchip: make it possible to sign the u-boot.itb Heiko Stuebner
2020-05-26 10:44 ` [PATCH v3 1/5] imx: mkimage_fit_atf: Fix FIT image if BL31.bin missing Heiko Stuebner
2020-05-26 12:53   ` Peng Fan
2020-05-26 10:44 ` [PATCH v3 2/5] mkimage: fit_image: handle multiple errors when writing signatures Heiko Stuebner
2020-05-31 14:07   ` Simon Glass
2020-06-19 10:47     ` Heiko Stuebner
2020-05-26 10:44 ` [PATCH v3 3/5] spl: fit: enable signing a generated u-boot.itb Heiko Stuebner
2020-05-31 14:07   ` Simon Glass
2020-05-26 10:44 ` Heiko Stuebner [this message]
2020-05-26 10:44 ` [PATCH v3 5/5] rockchip: make_fit_atf: add signature handling Heiko Stuebner
2020-05-31 14:07   ` Simon Glass
2020-05-31  8:28 ` [PATCH v3 0/5] rockchip: make it possible to sign the u-boot.itb Kever Yang
2020-06-19 10:47   ` Heiko Stuebner
2020-06-26  1:12     ` Simon Glass

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200526104412.3666210-5-heiko@sntech.de \
    --to=heiko@sntech.de \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.