From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thirupathaiah Annapureddy
Date: Sun, 16 Aug 2020 21:09:13 -0700
Subject: [PATCH v2 3/3] doc: verified-boot: add required-mode information
In-Reply-To:
References:
Message-ID: <5eed7c03-feb5-f6da-35d4-724d03924ad0@linux.microsoft.com>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 7/28/2020 11:58 AM, Simon Glass wrote:
> Hi Thirupathaiah,
>
> On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy
> wrote:
>>
>> Signed-off-by: Thirupathaiah Annapureddy
>> ---
>>
>> Changes in v2:
>> - New
>>
>> doc/uImage.FIT/signature.txt | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>
> Reviewed-by: Simon Glass
>
> But I think we need a new mkimage option to set the required-mode

Is it okay if I do the mkimage option change as part of a different patch/patch series?

>
>
>> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt >> index d4afd755e9..a3455889ed 100644 >> --- a/doc/uImage.FIT/signature.txt >> +++ b/doc/uImage.FIT/signature.txt 
>> @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys. >> >> This happens automatically as part of a bootm command when FITs are used. >> >> +For Signed Configurations, the default verification behavior can be changed by >> +the following optional property in /signature node in U-Boot's control FDT. >> + >> +- required-mode: Valid values are "any" to allow verified boot to succeed if >> +the selected configuration is signed by any of the 'required' keys, and "all" >> +to allow verified boot to succeed if the selected configuration is signed by >> +all of the 'required' keys. >> + >> +This property can be added to a binary device tree using fdtput as shown in >> +below examples:: >> + >> + fdtput -t s control.dtb /signature required-mode any >> + fdtput -t s control.dtb /signature required-mode all >> + >> >> Enabling FIT Verification >> ------------------------- >> -- >> 2.25.2 >>
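
Review bot: The new "required-mode" paragraph says the property changes "the default verification behavior" but never states what that default is when the property is absent from the /signature node, and it does not say how a value other than "any" or "all" is handled. Since this property decides whether one 'required' key or every 'required' key must have signed the selected configuration, both cases should be spelled out here: one sentence naming the behaviour when the property is missing, and one stating what verification does with an unrecognised value. A smaller wording point in the same hunk: "as shown in below examples::" reads better as "as shown in the examples below::".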