From mboxrd@z Thu Jan 1 00:00:00 1970
From: Heinrich Schuchardt
Date: Wed, 11 Dec 2019 12:50:14 +0100
Subject: [PATCH v2 2/4] bootm: Add a bootm command for type IH_OS_EFI
In-Reply-To: <20191211113614.GA4476@BV030612LT>
References: <20191211085457.GA1210@BV030612LT>
 <7441ac72-2add-eecf-0c19-0222505f5709@gmx.de>
 <20191211113614.GA4476@BV030612LT>
Message-ID: <22cbbe2c-844c-23bb-da3a-2348503fc75e@gmx.de>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 12/11/19 12:36 PM, Cristian Ciocaltea wrote:
> On Wed, Dec 11, 2019 at 11:13:28AM +0100, Heinrich Schuchardt wrote:
>> On 12/11/19 9:54 AM, Cristian Ciocaltea wrote:
>>> 1. Create a public/private key pair
>>>    $ openssl genpkey -algorithm RSA -out ${DEV_KEY} \
>>>        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>>>
>>> 2. Create a certificate containing the public key
>>>    $ openssl req -batch -new -x509 -key ${DEV_KEY} -out ${DEV_CRT}
>>>
>>> 3. Dump QEMU virt board DTB
>>>    $ qemu-system-arm -nographic -M virt,dumpdtb=${BOARD_DTB} \
>>>        -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin [...]
>>>
>>> 4. Create (unsigned) FIT image and put the public key into DTB, with
>>>    the 'required' property set, telling U-Boot that this key MUST be
>>>    verified for the image to be valid
>>>    $ mkimage -f ${FIT_ITS} -K ${BOARD_DTB} -k ${KEYS_DIR} -r ${FIT_IMG}
>>>
>>> 5. Sign the FIT image
>>>    $ fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB}
>>
>> Thanks for the description
>>
>> tools/fit_check_sign does not change any file. The signature is added in
>> step 4.
>
> You are right, I've taken the commands from a script I use to automate
> the whole procedure and I've just missed the verification step.
>
>> What seems to be missing in the U-Boot build system is the capability to
>> specify a public key in the configuration file to automatically include
>> the public key in the generated dtbs similar to Linux's
>> CONFIG_SYSTEM_TRUSTED_KEYS.
>
> That would be a nice addition. Currently it is only possible to pass
> the 'EXT_DTB' parameter to 'make' in order to provide the path to an
> external DTB file to be put in the U-Boot image.

I guess the first thing to do is to change mkimage such that we can add a
public key to a dtb without passing any kernel image:

tools/mkimage -K filename.dtb -k keys

Currently this is not accepted by mkimage.

Next we can then integrate this command into the build process.

Best regards

Heinrich
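The five-step procedure quoted in this thread, carried through as one runnable script with the piece the quoted steps leave out: the image tree source whose `signature` node tells mkimage which key to sign with. This is an added example, not code from the thread or from U-Boot. The key name `dev`, the payload, the ITS and the helper names are constructed for illustration; the script assumes the keys directory layout that `mkimage -k` looks up (`<key-name-hint>.key` and `<key-name-hint>.crt`), signs the configuration rather than the image, and assumes `u-boot.bin` is in the working directory for the qemu dump, as in the thread. Steps 3 to 5 need qemu-system-arm, mkimage and fit_check_sign on PATH and the script stops with a message when they are missing; the key, certificate and ITS steps, plus a consistency check between key and certificate, run anywhere openssl is available.

```shell
#!/bin/sh
# Added example (not from the thread or from U-Boot): a signed FIT image whose
# verifying public key is stored, marked required, in the board DTB.
# Key name "dev", the payload and the ITS are constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYS_DIR="$WORK/keys"          # mkimage -k expects <hint>.key and <hint>.crt here
KEY_HINT="dev"                 # must match key-name-hint in the ITS
DEV_KEY="$KEYS_DIR/$KEY_HINT.key"
DEV_CRT="$KEYS_DIR/$KEY_HINT.crt"
FIT_ITS="$WORK/fit.its"
FIT_IMG="$WORK/fit.itb"
BOARD_DTB="${BOARD_DTB:-$WORK/virt.dtb}"

# Steps 1 and 2: RSA-2048 key pair (e = 65537) and a self-signed certificate
# carrying its public key. mkimage signs with the .key and copies the public
# key out of the .crt into the DTB.
prepare_keys() {
    mkdir -p "$KEYS_DIR"
    openssl genpkey -algorithm RSA -out "$DEV_KEY" \
        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 2>/dev/null
    openssl req -batch -new -x509 -days 3650 -subj "/CN=$KEY_HINT" \
        -key "$DEV_KEY" -out "$DEV_CRT"
}

# Check before signing anything: the SubjectPublicKeyInfo in the certificate
# must be the one derived from the private key, or the DTB ends up trusting
# a key that never produces a signature.
cert_matches_key() {
    from_key=$(openssl pkey -in "$DEV_KEY" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$DEV_CRT" -pubkey -noout)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Image tree source. The signature node sits under the configuration, so
# mkimage signs conf-1 and, through sign-images, the kernel hash it covers.
write_its() {
    printf 'constructed payload, not a real kernel\n' > "$WORK/payload.bin"
    cat > "$FIT_ITS" <<EOF
/dts-v1/;
/ {
    description = "Constructed signed FIT";
    #address-cells = <1>;
    images {
        kernel {
            description = "payload";
            data = /incbin/("$WORK/payload.bin");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x40200000>;
            entry = <0x40200000>;
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            description = "boot payload";
            kernel = "kernel";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "$KEY_HINT";
                sign-images = "kernel";
            };
        };
    };
};
EOF
}

# Step 3: the board DTB that will receive the public key (skip by pointing
# BOARD_DTB at an existing file).
dump_board_dtb() {
    [ -f "$BOARD_DTB" ] && return 0
    command -v qemu-system-arm >/dev/null || { echo "need qemu-system-arm or BOARD_DTB"; return 2; }
    qemu-system-arm -nographic -M "virt,dumpdtb=$BOARD_DTB" \
        -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin
}

# Steps 4 and 5: mkimage signs (-k) and writes the public key into the DTB
# (-K), marked required (-r); fit_check_sign only verifies and writes nothing.
sign_and_verify() {
    for t in mkimage fit_check_sign; do
        command -v "$t" >/dev/null || { echo "need $t (U-Boot tools/)"; return 2; }
    done
    mkimage -f "$FIT_ITS" -K "$BOARD_DTB" -k "$KEYS_DIR" -r "$FIT_IMG"
    fit_check_sign -f "$FIT_IMG" -k "$BOARD_DTB"
    if command -v fdtget >/dev/null; then   # show the 'required' property
        fdtget "$BOARD_DTB" "/signature/key-$KEY_HINT" required
    fi
}

main() {
    prepare_keys
    cert_matches_key || { echo "certificate does not match key"; exit 1; }
    write_its
    dump_board_dtb
    sign_and_verify
    echo "signed FIT: $FIT_IMG, trusted key in: $BOARD_DTB"
}

# usage: sh fit-sign.sh run      (BOARD_DTB=path/to/board.dtb skips the qemu dump)
case "${1:-}" in run) main ;; esac
```

Two points the script makes explicit: the signature is produced in step 4, since mkimage needs both the ITS `signature` node and the private key from `-k`, and a FIT without that node comes out unsigned no matter what is passed to `-K`; and `fit_check_sign` is a pure check, so a successful run only means the image verifies against the key already in the DTB. The DTB produced here is the one U-Boot has to be built with (or given via `EXT_DTB`), which is exactly the integration gap the reply above describes.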