From mboxrd@z Thu Jan 1 00:00:00 1970 From: Heinrich Schuchardt Date: Wed, 11 Dec 2019 11:13:28 +0100 Subject: [PATCH v2 2/4] bootm: Add a bootm command for type IH_OS_EFI In-Reply-To: <20191211085457.GA1210@BV030612LT> References: <20191211085457.GA1210@BV030612LT> Message-ID: <7441ac72-2add-eecf-0c19-0222505f5709@gmx.de> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On 12/11/19 9:54 AM, Cristian Ciocaltea wrote: > 1. Create a public/private key pair > $ openssl genpkey -algorithm RSA -out ${DEV_KEY} \ > -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 > > 2. Create a certificate containing the public key > $ openssl req -batch -new -x509 -key ${DEV_KEY} -out ${DEV_CRT} > > 3. Dump QEMU virt board DTB > $ qemu-system-arm -nographic -M virt,dumpdtb=${BOARD_DTB} \ > -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin [...] > > 4. Create (unsigned) FIT image and put the public key into DTB, with > the 'required' property set, telling U-Boot that this key MUST be > verified for the image to be valid > $ mkimage -f ${FIT_ITS} -K ${BOARD_DTB} -k ${KEYS_DIR} -r ${FIT_IMG} > > 5. Sign the FIT image > $ fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB} Thanks for the description tools/fit_check_sign does not change any file. The signature is added in step 4. What seems to be missing in the U-Boot build system is the capability to specify a public key in the configuation file to automatically include the public key in the generated dtbs similar to Linux's CONFIG_SYSTEM_TRUSTED_KEYS. Best regards Heinrich > > 6. Run QEMU supplying the DTB containing the public key and the > u-boot binary built with CONFIG_OF_BOARD > $ qemu-system-arm -nographic \ > -M virt -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin \ > -dtb ${BOARD_DTB} [...]