[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

[Teddy Reed]

Hi all,

I'm curious if anyone has a script (or if I've missed something within
the verified-boot documentation) to compile a DTB given only public
keying information, i.e., a x509 certificate.

I have build/test bots that need to build a u-boot with an
extra/embedded DTB containing a signing public key. I do not want the
private key on those hosts and the only way I've found to build the
documented/required nodes in /signature/key-KEYNAME/
('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
is by using mkimage on a FIT with the -K switch. That requires a
private key to do the actual signing.

I'm happy to write something, just want to ask first!

Thanks!

-- 
Teddy Reed V

[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

[Simon Glass]

Hi Teddy,

On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
> Hi all,
>
> I'm curious if anyone has a script (or if I've missed something within
> the verified-boot documentation) to compile a DTB given only public
> keying information, i.e., a x509 certificate.
>
> I have build/test bots that need to build a u-boot with an
> extra/embedded DTB containing a signing public key. I do not want the
> private key on those hosts and the only way I've found to build the
> documented/required nodes in /signature/key-KEYNAME/
> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
> is by using mkimage on a FIT with the -K switch. That requires a
> private key to do the actual signing.
>
> I'm happy to write something, just want to ask first!

Not on my side, sorry. Would be useful.

>
> Thanks!
>
> --
> Teddy Reed V

Regards,
Simon

[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

[Teddy Reed]

On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
> Hi Teddy,
>
> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
>> Hi all,
>>
>> I'm curious if anyone has a script (or if I've missed something within
>> the verified-boot documentation) to compile a DTB given only public
>> keying information, i.e., a x509 certificate.
>>
>> I have build/test bots that need to build a u-boot with an
>> extra/embedded DTB containing a signing public key. I do not want the
>> private key on those hosts and the only way I've found to build the
>> documented/required nodes in /signature/key-KEYNAME/
>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>> is by using mkimage on a FIT with the -K switch. That requires a
>> private key to do the actual signing.
>>
>> I'm happy to write something, just want to ask first!
>
> Not on my side, sorry. Would be useful.
>

Ok!

I can't make any promises of completeness, but I quickly hacked
together https://github.com/theopolis/fit-certificate-store, to do
this.
I'll iterate on it over the next few weeks, and I'm more than happy to
take bugs/criticism via Github PRs.

>>
>> Thanks!
>>
>> --
>> Teddy Reed V
>
> Regards,
> Simon

[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

[Simon Glass]

Hi Teddy,

On 29 April 2016 at 18:44, Teddy Reed <teddy.reed@gmail.com> wrote:
> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
>> Hi Teddy,
>>
>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
>>> Hi all,
>>>
>>> I'm curious if anyone has a script (or if I've missed something within
>>> the verified-boot documentation) to compile a DTB given only public
>>> keying information, i.e., a x509 certificate.
>>>
>>> I have build/test bots that need to build a u-boot with an
>>> extra/embedded DTB containing a signing public key. I do not want the
>>> private key on those hosts and the only way I've found to build the
>>> documented/required nodes in /signature/key-KEYNAME/
>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>>> is by using mkimage on a FIT with the -K switch. That requires a
>>> private key to do the actual signing.
>>>
>>> I'm happy to write something, just want to ask first!
>>
>> Not on my side, sorry. Would be useful.
>>
>
> Ok!
>
> I can't make any promises of completeness, but I quickly hacked
> together https://github.com/theopolis/fit-certificate-store, to do
> this.
> I'll iterate on it over the next few weeks, and I'm more than happy to
> take bugs/criticism via Github PRs.

Looks good. At some point will you do a U-Boot patch?

Regards,
Simon

[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

[Teddy Reed]

On Mon, May 2, 2016 at 7:06 AM, Simon Glass <sjg@chromium.org> wrote:
> Hi Teddy,
>
> On 29 April 2016 at 18:44, Teddy Reed <teddy.reed@gmail.com> wrote:
>> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
>>> Hi Teddy,
>>>
>>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> I'm curious if anyone has a script (or if I've missed something within
>>>> the verified-boot documentation) to compile a DTB given only public
>>>> keying information, i.e., a x509 certificate.
>>>>
>>>> I have build/test bots that need to build a u-boot with an
>>>> extra/embedded DTB containing a signing public key. I do not want the
>>>> private key on those hosts and the only way I've found to build the
>>>> documented/required nodes in /signature/key-KEYNAME/
>>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>>>> is by using mkimage on a FIT with the -K switch. That requires a
>>>> private key to do the actual signing.
>>>>
>>>> I'm happy to write something, just want to ask first!
>>>
>>> Not on my side, sorry. Would be useful.
>>>
>>
>> Ok!
>>
>> I can't make any promises of completeness, but I quickly hacked
>> together https://github.com/theopolis/fit-certificate-store, to do
>> this.
>> I'll iterate on it over the next few weeks, and I'm more than happy to
>> take bugs/criticism via Github PRs.
>
> Looks good. At some point will you do a U-Boot patch?

Could we define a new environment variable, maybe DTB_KEYS_DIR, or
build option, that could point to the directory of public keys.

Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :)

>
> Regards,
> Simon



-- 
Teddy Reed V

[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key

[Simon Glass]

Hi Teddy,

On 2 May 2016 at 14:24, Teddy Reed <teddy.reed@gmail.com> wrote:
>
> On Mon, May 2, 2016 at 7:06 AM, Simon Glass <sjg@chromium.org> wrote:
> > Hi Teddy,
> >
> > On 29 April 2016 at 18:44, Teddy Reed <teddy.reed@gmail.com> wrote:
> >> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
> >>> Hi Teddy,
> >>>
> >>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
> >>>> Hi all,
> >>>>
> >>>> I'm curious if anyone has a script (or if I've missed something within
> >>>> the verified-boot documentation) to compile a DTB given only public
> >>>> keying information, i.e., a x509 certificate.
> >>>>
> >>>> I have build/test bots that need to build a u-boot with an
> >>>> extra/embedded DTB containing a signing public key. I do not want the
> >>>> private key on those hosts and the only way I've found to build the
> >>>> documented/required nodes in /signature/key-KEYNAME/
> >>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
> >>>> is by using mkimage on a FIT with the -K switch. That requires a
> >>>> private key to do the actual signing.
> >>>>
> >>>> I'm happy to write something, just want to ask first!
> >>>
> >>> Not on my side, sorry. Would be useful.
> >>>
> >>
> >> Ok!
> >>
> >> I can't make any promises of completeness, but I quickly hacked
> >> together https://github.com/theopolis/fit-certificate-store, to do
> >> this.
> >> I'll iterate on it over the next few weeks, and I'm more than happy to
> >> take bugs/criticism via Github PRs.
> >
> > Looks good. At some point will you do a U-Boot patch?
>
> Could we define a new environment variable, maybe DTB_KEYS_DIR, or
> build option, that could point to the directory of public keys.
>
> Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :)

An env variable sounds reasonable to me.

Regards,
Simon