[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
From: Teddy Reed @ 2016-04-25 16:25 UTC
To: u-boot

Hi all,

I'm curious if anyone has a script (or if I've missed something within the verified-boot documentation) to compile a DTB given only public keying information, i.e., an x509 certificate.

I have build/test bots that need to build a u-boot with an extra/embedded DTB containing a signing public key. I do not want the private key on those hosts, and the only way I've found to build the documented/required nodes in /signature/key-KEYNAME/ ('rsa,r-squared', 'rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') is by using mkimage on a FIT with the -K switch. That requires a private key to do the actual signing.

I'm happy to write something, just want to ask first!

Thanks!

--
Teddy Reed V
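Added example for this thread (it is not code from U-Boot, nor from the fit-certificate-store repository linked later in the thread): a standalone Python script that derives the /signature/key-<name> properties from a certificate or public key alone. The point it makes is that mkimage's private-key requirement is incidental to the key node. Every value U-Boot stores there depends only on the modulus n: rsa,n0-inverse is -n^-1 mod 2^32 and rsa,r-squared is (2^num-bits)^2 mod n, the Montgomery constants that let the boot-time verifier avoid division. Assumptions: the property layout follows what U-Boot's tools/image-sig.c rsa_add_verify_data() writes (bignums as num-bits/32 big-endian 32-bit cells, the property spelled rsa,num-bits, and a 64-bit rsa,exponent, which the mail does not list but that function also emits); the embedded DER sample is a constructed toy 64-bit modulus (2^64 - 2^32 + 1, a prime, not an RSA key) chosen so the results can be checked by hand; all file and function names are mine.

```python
"""
Build a U-Boot verified-boot /signature/key-<name> node from public key
material only (X.509 certificate or SubjectPublicKeyInfo), so the build
host never needs the signing key. Added example for this thread, not code
from U-Boot or fit-certificate-store. Layout follows U-Boot's
tools/image-sig.c rsa_add_verify_data(): 32-bit big-endian cells for the
bignums and a 64-bit rsa,exponent (assumed; the mail lists four properties).
"""
import base64
import re
import sys

# ---- minimal DER reader: enough for X.509 and SubjectPublicKeyInfo ---------

def der_tlv(buf, off=0):
    """Return (tag, value, offset_after) for the TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) TLVs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out

def pem_to_der(pem_text):
    """Strip PEM armour (CERTIFICATE or PUBLIC KEY) and base64-decode."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1

def rsa_from_spki(spki_content):
    """SubjectPublicKeyInfo content -> (n, e); refuses non-RSA keys."""
    alg, bitstr = der_children(spki_content)
    if alg[0] != 0x30 or bitstr[0] != 0x03:
        raise ValueError("malformed SubjectPublicKeyInfo")
    if der_children(alg[1])[0][1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    rsa_pub = der_tlv(bitstr[1], 1)[1]       # skip the BIT STRING unused-bits byte
    n, e = (int.from_bytes(v, "big") for _, v in der_children(rsa_pub))
    return n, e

def rsa_from_der(der):
    """Accept a DER X.509 certificate or a bare SubjectPublicKeyInfo."""
    top = der_children(der_tlv(der)[1])
    if len(top) == 2 and top[1][0] == 0x03:  # [AlgorithmIdentifier, BIT STRING]
        return rsa_from_spki(der_tlv(der)[1])
    tbs = der_children(top[0][1])             # Certificate -> tbsCertificate
    idx = 6 if tbs[0][0] == 0xA0 else 5       # explicit [0] version is optional
    return rsa_from_spki(tbs[idx][1])

# ---- Montgomery constants, computed the way U-Boot's rsa_get_params() does --

def montgomery_params(n):
    """Return (num_bits, n0_inverse, r_squared) for an odd modulus n."""
    if not n & 1:
        raise ValueError("RSA modulus must be odd")
    num_bits = n.bit_length()
    r = 1 << num_bits                               # R = 2^num_bits
    r_squared = (r * r) % n                         # rsa,r-squared
    n0_inv = (-pow(n, -1, 1 << 32)) & 0xFFFFFFFF    # rsa,n0-inverse = -1/n mod 2^32
    return num_bits, n0_inv, r_squared

def bignum_cells(value, num_bits):
    """num_bits/32 big-endian 32-bit cells, as fdt_add_bignum() writes them."""
    nwords = num_bits // 32
    if value >> (32 * nwords):
        raise ValueError("key size not a multiple of 32 bits; U-Boot would truncate")
    return [(value >> (32 * i)) & 0xFFFFFFFF for i in reversed(range(nwords))]

def cells(words):
    return "<" + " ".join("0x%08x" % w for w in words) + ">"

def key_node_dts(n, e, key_name, algo="sha256,rsa2048", required=None):
    """Render /signature/key-<key_name> as a DTS fragment for dtc."""
    num_bits, n0_inv, r_squared = montgomery_params(n)
    if num_bits != int(algo.rsplit("rsa", 1)[1]):   # U-Boot checks this at boot
        raise ValueError("algo %s does not match a %d-bit key" % (algo, num_bits))
    props = [
        'algo = "%s";' % algo,
        'key-name-hint = "%s";' % key_name,
        "rsa,num-bits = <%d>;" % num_bits,
        "rsa,n0-inverse = <0x%08x>;" % n0_inv,
        "rsa,exponent = <0x%08x 0x%08x>;" % (e >> 32, e & 0xFFFFFFFF),
        "rsa,modulus = %s;" % cells(bignum_cells(n, num_bits)),
        "rsa,r-squared = %s;" % cells(bignum_cells(r_squared, num_bits)),
    ]
    if required:                                    # "conf" or "image", optional
        props.append('required = "%s";' % required)
    body = "".join("\t\t\t%s\n" % p for p in props)
    return "/ {\n\tsignature {\n\t\tkey-%s {\n%s\t\t};\n\t};\n};\n" % (key_name, body)

# Constructed sample input (not a real key): SubjectPublicKeyInfo for
# n = 2^64 - 2^32 + 1 and e = 65537, small enough to verify by hand.
SAMPLE_SPKI_DER = bytes.fromhex(
    "3024" "300d06092a864886f70d0101010500" "031300" "3010"
    "020900ffffffff00000001" "0203010001")
SAMPLE_SPKI_PEM = ("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n"
                   % base64.b64encode(SAMPLE_SPKI_DER).decode())

if __name__ == "__main__":          # usage: fit_keystore.py cert.pem keyname [algo]
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    der = pem_to_der(data.decode()) if data.startswith(b"-----") else data
    algo = sys.argv[3] if len(sys.argv) > 3 else "sha256,rsa2048"
    sys.stdout.write(key_node_dts(*rsa_from_der(der), key_name=sys.argv[2], algo=algo))
```

Typical use on a bot: `python3 fit_keystore.py signing-cert.pem dev > keys.dts`, then `dtc -I dts -O dtb -o keys.dtb keys.dts` and build with EXT_DTB=keys.dtb. The key-<name> node and key-name-hint must use the same name the signer passes to mkimage -k <dir>/<name>.key, since U-Boot locates the node by the hint stored in the signed FIT. The check a practitioner should run once, on a host that does hold the private key, is to sign a throwaway FIT with mkimage -K and confirm with fdtdump that rsa,modulus, rsa,r-squared and rsa,n0-inverse come out identical; after that the two paths cannot drift, because nothing in the node depends on the private exponent. The algo check is deliberate: U-Boot rejects a key whose rsa,num-bits disagrees with the key size named in algo, and catching that at build time is cheaper than a failed boot.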
[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
From: Simon Glass @ 2016-04-29 23:09 UTC
To: u-boot

Hi Teddy,

On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
> Hi all,
>
> I'm curious if anyone has a script (or if I've missed something within
> the verified-boot documentation) to compile a DTB given only public
> keying information, i.e., a x509 certificate.
>
> I have build/test bots that need to build a u-boot with an
> extra/embedded DTB containing a signing public key. I do not want the
> private key on those hosts and the only way I've found to build the
> documented/required nodes in /signature/key-KEYNAME/
> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
> is by using mkimage on a FIT with the -K switch. That requires a
> private key to do the actual signing.
>
> I'm happy to write something, just want to ask first!

Not on my side, sorry. Would be useful.

>
> Thanks!
>
> --
> Teddy Reed V

Regards,
Simon
[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
From: Teddy Reed @ 2016-04-30 0:44 UTC
To: u-boot

On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
> Hi Teddy,
>
> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
>> Hi all,
>>
>> I'm curious if anyone has a script (or if I've missed something within
>> the verified-boot documentation) to compile a DTB given only public
>> keying information, i.e., a x509 certificate.
>>
>> I have build/test bots that need to build a u-boot with an
>> extra/embedded DTB containing a signing public key. I do not want the
>> private key on those hosts and the only way I've found to build the
>> documented/required nodes in /signature/key-KEYNAME/
>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>> is by using mkimage on a FIT with the -K switch. That requires a
>> private key to do the actual signing.
>>
>> I'm happy to write something, just want to ask first!
>
> Not on my side, sorry. Would be useful.
>

Ok!

I can't make any promises of completeness, but I quickly hacked together https://github.com/theopolis/fit-certificate-store to do this.
I'll iterate on it over the next few weeks, and I'm more than happy to take bugs/criticism via Github PRs.

>>
>> Thanks!
>>
>> --
>> Teddy Reed V
>
> Regards,
> Simon
[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
From: Simon Glass @ 2016-05-02 14:06 UTC
To: u-boot

Hi Teddy,

On 29 April 2016 at 18:44, Teddy Reed <teddy.reed@gmail.com> wrote:
> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
>> Hi Teddy,
>>
>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
>>> Hi all,
>>>
>>> I'm curious if anyone has a script (or if I've missed something within
>>> the verified-boot documentation) to compile a DTB given only public
>>> keying information, i.e., a x509 certificate.
>>>
>>> I have build/test bots that need to build a u-boot with an
>>> extra/embedded DTB containing a signing public key. I do not want the
>>> private key on those hosts and the only way I've found to build the
>>> documented/required nodes in /signature/key-KEYNAME/
>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>>> is by using mkimage on a FIT with the -K switch. That requires a
>>> private key to do the actual signing.
>>>
>>> I'm happy to write something, just want to ask first!
>>
>> Not on my side, sorry. Would be useful.
>>
>
> Ok!
>
> I can't make any promises of completeness, but I quickly hacked
> together https://github.com/theopolis/fit-certificate-store, to do
> this.
> I'll iterate on it over the next few weeks, and I'm more than happy to
> take bugs/criticism via Github PRs.

Looks good. At some point will you do a U-Boot patch?

Regards,
Simon
[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
From: Teddy Reed @ 2016-05-02 20:24 UTC
To: u-boot

On Mon, May 2, 2016 at 7:06 AM, Simon Glass <sjg@chromium.org> wrote:
> Hi Teddy,
>
> On 29 April 2016 at 18:44, Teddy Reed <teddy.reed@gmail.com> wrote:
>> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
>>> Hi Teddy,
>>>
>>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> I'm curious if anyone has a script (or if I've missed something within
>>>> the verified-boot documentation) to compile a DTB given only public
>>>> keying information, i.e., a x509 certificate.
>>>>
>>>> I have build/test bots that need to build a u-boot with an
>>>> extra/embedded DTB containing a signing public key. I do not want the
>>>> private key on those hosts and the only way I've found to build the
>>>> documented/required nodes in /signature/key-KEYNAME/
>>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
>>>> is by using mkimage on a FIT with the -K switch. That requires a
>>>> private key to do the actual signing.
>>>>
>>>> I'm happy to write something, just want to ask first!
>>>
>>> Not on my side, sorry. Would be useful.
>>>
>>
>> Ok!
>>
>> I can't make any promises of completeness, but I quickly hacked
>> together https://github.com/theopolis/fit-certificate-store, to do
>> this.
>> I'll iterate on it over the next few weeks, and I'm more than happy to
>> take bugs/criticism via Github PRs.
>
> Looks good. At some point will you do a U-Boot patch?

Could we define a new environment variable, maybe DTB_KEYS_DIR, or build option, that could point to the directory of public keys? Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :)

> Regards,
> Simon

--
Teddy Reed V
[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
From: Simon Glass @ 2016-05-02 22:15 UTC
To: u-boot

Hi Teddy,

On 2 May 2016 at 14:24, Teddy Reed <teddy.reed@gmail.com> wrote:
>
> On Mon, May 2, 2016 at 7:06 AM, Simon Glass <sjg@chromium.org> wrote:
> > Hi Teddy,
> >
> > On 29 April 2016 at 18:44, Teddy Reed <teddy.reed@gmail.com> wrote:
> >> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <sjg@chromium.org> wrote:
> >>> Hi Teddy,
> >>>
> >>> On 25 April 2016 at 10:25, Teddy Reed <teddy.reed@gmail.com> wrote:
> >>>> Hi all,
> >>>>
> >>>> I'm curious if anyone has a script (or if I've missed something within
> >>>> the verified-boot documentation) to compile a DTB given only public
> >>>> keying information, i.e., a x509 certificate.
> >>>>
> >>>> I have build/test bots that need to build a u-boot with an
> >>>> extra/embedded DTB containing a signing public key. I do not want the
> >>>> private key on those hosts and the only way I've found to build the
> >>>> documented/required nodes in /signature/key-KEYNAME/
> >>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits')
> >>>> is by using mkimage on a FIT with the -K switch. That requires a
> >>>> private key to do the actual signing.
> >>>>
> >>>> I'm happy to write something, just want to ask first!
> >>>
> >>> Not on my side, sorry. Would be useful.
> >>>
> >>
> >> Ok!
> >>
> >> I can't make any promises of completeness, but I quickly hacked
> >> together https://github.com/theopolis/fit-certificate-store, to do
> >> this.
> >> I'll iterate on it over the next few weeks, and I'm more than happy to
> >> take bugs/criticism via Github PRs.
> >
> > Looks good. At some point will you do a U-Boot patch?
>
> Could we define a new environment variable, maybe DTB_KEYS_DIR, or
> build option, that could point to the directory of public keys.
>
> Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :)

An env variable sounds reasonable to me.

Regards,
Simon
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
2016-04-25 16:25 [U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key  Teddy Reed
2016-04-29 23:09 ` Simon Glass
2016-04-30  0:44 ` Teddy Reed
2016-05-02 14:06 ` Simon Glass
2016-05-02 20:24 ` Teddy Reed
2016-05-02 22:15 ` Simon Glass