On Thu, Jan 05, 2023 at 10:31:09AM +0100, Massimo Pegorer wrote:

> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Adding also -K and
> -r options, will add public key to file with required = "conf"
> property.
>
> Summary:
>     -f auto => FIT with crc32 images
>     -f auto -g ... -o ... => FIT with signed images
>     -f auto-conf -g ... -o ... => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; public key (needed to verify signatures) is
> added to u-boot.dtb with required = "conf" property.
>
>     mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e00000 \
>             -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
>             -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
>             -K u-boot.dtb -r kernel.itb
>
> Example: Add public key with required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
>     mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
>             -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer
> Reviewed-by: Simon Glass

Applied to u-boot/master, thanks!

-- 
Tom