From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alexandru Gagniuc Date: Thu, 4 Feb 2021 13:57:02 -0600 Subject: [PATCH 1/4] doc: signature.txt: Document the keydir and keyfile arguments In-Reply-To: <20210204195705.2057081-1-mr.nuke.me@gmail.com> References: <20210204195705.2057081-1-mr.nuke.me@gmail.com> Message-ID: <20210204195705.2057081-2-mr.nuke.me@gmail.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de After lots of debating, this documents how we'd like mkimage to treat 'keydir' and 'keyfile' arguments. The rest is in the docs. Signed-off-by: Alexandru Gagniuc --- doc/uImage.FIT/signature.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 0139295d33..d9a9121190 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -472,6 +472,19 @@ Test Verified Boot Run: signed config with bad hash: OK Test passed +Software signing: keydir vs keyfile +----------------------------------- + +In the simplest case, signing is done by giving mkimage the 'keyfile'. This is +the path to a file containing the signing key. + +The alternative is to pass the 'keydir' argument. In this case the filename of +the key is derived from the 'keydir' and the "key-name-hint" property in the +FIT. In this case the "key-name-hint" property is mandatory, and the key must +exist in "/." Here the extension "ext" is +specific to the signing algorithm. + + Hardware Signing with PKCS#11 or with HSM ----------------------------------------- -- 2.26.2
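Review bot: In the 'keydir' paragraph of the new "Software signing: keydir vs keyfile" section, the key location reads `"/."` as it appears here, so the next sentence about the extension "ext" has no template to refer to. Spell the path out with explicit placeholders for the keydir, the "key-name-hint" value and the extension, and state which extension belongs to which signing algorithm. The section also does not say what mkimage does when both 'keydir' and 'keyfile' are given, or whether "key-name-hint" is still consulted when 'keyfile' is used; a reader needs both answers to know which key ends up signing the image. It would also help to name the mkimage options that correspond to 'keydir' and 'keyfile'. Minor: "In this case" opens two consecutive sentences in that paragraph.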