From mboxrd@z Thu Jan 1 00:00:00 1970 From: Simon Glass Date: Mon, 2 May 2016 08:06:51 -0600 Subject: [U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key In-Reply-To: References: Message-ID: List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi Teddy, On 29 April 2016 at 18:44, Teddy Reed wrote: > On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass wrote: >> Hi Teddy, >> >> On 25 April 2016 at 10:25, Teddy Reed wrote: >>> Hi all, >>> >>> I'm curious if anyone has a script (or if I've missed something within >>> the verified-boot documentation) to compile a DTB given only public >>> keying information, i.e., a x509 certificate. >>> >>> I have build/test bots that need to build a u-boot with an >>> extra/embedded DTB containing a signing public key. I do not want the >>> private key on those hosts and the only way I've found to build the >>> documented/required nodes in /signature/key-KEYNAME/ >>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') >>> is by using mkimage on a FIT with the -K switch. That requires a >>> private key to do the actual signing. >>> >>> I'm happy to write something, just want to ask first! >> >> Not on my side, sorry. Would be useful. >> > > Ok! > > I can't make any promises of completeness, but I quickly hacked > together https://github.com/theopolis/fit-certificate-store, to do > this. > I'll iterate on it over the next few weeks, and I'm more than happy to > take bugs/criticism via Github PRs. Looks good. At some point will you do a U-Boot patch? Regards, Simon