Message-ID: <4b1beb6e21598ec8e1c6a25353370b25b1b45273.camel@gmail.com>
Subject: Re: [PATCH 1/1] binman: add sign option for binman
From: Ivan Mikhaylov
To: Simon Glass
Cc: Jan Kiszka, U-Boot Mailing List, Ivan Mikhaylov
Date: Thu, 27 Jan 2022 13:00:37 +0000
References: <20211224212334.7146-1-fr0st61te@gmail.com> <20211224212334.7146-2-fr0st61te@gmail.com>

On Tue, 2021-12-28 at 01:34 -0700, Simon Glass wrote:
> Hi Ivan,
>
> On Fri, 24 Dec 2021 at 11:23, Ivan Mikhaylov wrote:
> >
> > Introduce prototype for binman's new option which provides sign
> > and replace sections in binary images.
> >
> > Usage as example:
> >
> > from:
> > mkimage -G privateky -r -o sha256,rsa4096 -F fit@0x280000.fit
> > binman replace -i flash.bin -f fit@0x280000.fit fit@0x280000
> >
> > to:
> > binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f
> > fit@0x280000.fit fit@0x280000
> >
> > Signed-off-by: Ivan Mikhaylov
> > ---
> >  tools/binman/cmdline.py | 13 +++++++++++++
> >  tools/binman/control.py | 27 ++++++++++++++++++++++++++-
> >  2 files changed, 39 insertions(+), 1 deletion(-)
>
> This looks good. Just need a test and docs update (also check 'binman
> test -T' for 100% code coverage).

Simon,

I've tried to figure out the test and stumbled a little bit on the
verification step. How do I verify that mkimage signed the FIT image
with an existing key? Is there any option or any toolkit? I didn't find
any suitable option in mkimage either; is it a good idea to add key
verification inside mkimage? The other way is to have blobs with
predefined keys inside the test directory in binman, which I think is
not so good.

Thanks.
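An added example, not part of this thread or of binman's code: one way a test can check that mkimage left a signature in the FIT is to read the signature node's key-name-hint, algo and value properties directly from the flattened device tree. The key hint "privatekey", the node path and the 512-byte rsa4096 value are assumptions, and the sample blob is constructed here rather than produced by mkimage.

```python
import struct
MAGIC, BEGIN, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def fit_signatures(blob):
    """Return {node path: {property: raw bytes}} for every signature* node in a FIT."""
    magic, _, off_struct, off_strs = struct.unpack_from(">4I", blob)
    if magic != MAGIC:
        raise ValueError("not a flattened device tree")
    pos, path, found = off_struct, [], {}
    while True:
        (tok,), pos = struct.unpack_from(">I", blob, pos), pos + 4
        if tok == BEGIN:
            end = blob.index(b"\0", pos)
            path.append(blob[pos:end].decode())
            pos = (end + 4) & ~3  # node name plus NUL, padded to 4 bytes
        elif tok == PROP:
            size, nameoff = struct.unpack_from(">2I", blob, pos)
            name = blob[off_strs + nameoff:].split(b"\0", 1)[0].decode()
            if path[-1].startswith("signature"):
                found.setdefault("/".join(path), {})[name] = blob[pos + 8:pos + 8 + size]
            pos += 8 + ((size + 3) & ~3)
        elif tok == END_NODE:
            path.pop()
        elif tok == END:
            return found
        elif tok != NOP:
            raise ValueError("unexpected token %#x" % tok)

def looks_signed(blob, key_hint, algo, sig_len):  # structural check, no crypto
    sigs = fit_signatures(blob)
    return bool(sigs) and all(
        p.get("key-name-hint") == key_hint.encode() + b"\0"
        and p.get("algo") == algo.encode() + b"\0"
        and len(p.get("value", b"")) == sig_len for p in sigs.values())

def build_sample(props):  # constructed input: /configurations/conf-1/signature-1
    strs, body = b"", b""
    for name in ("", "configurations", "conf-1", "signature-1"):
        raw = name.encode() + b"\0"
        body += struct.pack(">I", BEGIN) + raw + b"\0" * (-len(raw) % 4)
    for key, val in props.items():
        body += struct.pack(">3I", PROP, len(val), len(strs)) + val + b"\0" * (-len(val) % 4)
        strs += key.encode() + b"\0"
    body += struct.pack(">5I", END_NODE, END_NODE, END_NODE, END_NODE, END)
    return struct.pack(">10I", MAGIC, 56 + len(body) + len(strs), 56, 56 + len(body),
                       40, 17, 16, 0, len(strs), len(body)) + bytes(16) + body + strs

PROPS = {"algo": b"sha256,rsa4096\0", "key-name-hint": b"privatekey\0"}  # assumed names
SIGNED = build_sample({**PROPS, "value": b"\xaa" * 512})  # dummy bytes, not a real signature
```

A node without a "value" property, as in the .its before signing, fails the check. Cryptographic verification against the public key is what U-Boot's fit_check_sign tool does (-f for the FIT, -k for the DTB holding the public key).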