From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 50EABC433EF for ; Wed, 10 Nov 2021 16:49:20 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id CBF09610D2 for ; Wed, 10 Nov 2021 16:49:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org CBF09610D2 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=siemens.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B6A99839C4; Wed, 10 Nov 2021 17:49:17 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=siemens.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 53B67839A4; Wed, 10 Nov 2021 17:49:16 +0100 (CET) Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 69832839D4 for ; Wed, 10 Nov 2021 17:49:11 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=siemens.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=jan.kiszka@siemens.com Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id 1AAGn2v8001342 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 10 Nov 2021 17:49:03 +0100 Received: from [167.87.75.31] ([167.87.75.31]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 1AAGn270003586; Wed, 10 Nov 2021 17:49:02 +0100 Subject: Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool To: Simon Glass Cc: Roman Kopytin , u-boot@lists.denx.de, Rasmus Villemoes References: <20211108152844.3656459-1-Roman.Kopytin@kaspersky.com> <587d4694-5539-8048-7eb0-600d629ffc61@siemens.com> <070cb856-f9d1-90d4-dea5-874ffdaa051a@siemens.com> From: Jan Kiszka Message-ID: Date: Wed, 10 Nov 2021 17:49:02 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean On 10.11.21 17:31, Simon Glass wrote: > Hi Jan, > > On Wed, 10 Nov 2021 at 00:20, Jan Kiszka wrote: >> >> On 10.11.21 07:55, Jan Kiszka wrote: >>> On 10.11.21 01:58, Simon Glass wrote: >>>> Hi, >>>> >>>> On Tue, 9 Nov 2021 at 02:17, Jan Kiszka wrote: >>>>> >>>>> On 08.11.21 16:28, Roman Kopytin wrote: >>>>>> In order to reduce the coupling between building the kernel and >>>>>> U-Boot, I'd like a tool that can add a public key to U-Boot's dtb >>>>>> without simultaneously signing a FIT image. That tool doesn't seem to >>>>>> exist, so I stole the necessary pieces from mkimage et al and put it >>>>>> in a single .c file. >>>>>> >>>>>> I'm still working on the details of my proposed "require just k out >>>>>> these n required keys" and how it should be implemented, but it will >>>>>> probably involve teaching this tool a bunch of new options. These >>>>>> patches are not necessarily ready for inclusion (unless someone else >>>>>> finds fdt_add_pubkey useful as is), but I thought I might as well send >>>>>> it out for early comments. >>>>> >>>>> I'd also like to see the usage of this hooked into the build process. >>>>> >>>>> And to my understanding of [1], that approach will provide a feature >>>>> that permits hooking with the build but would expect the key as dtsi >>>>> fragment. Can we consolidate the approaches? >>>>> >>>>> My current vision of a user interface would be a Kconfig option that >>>>> takes a list of key files to be injected. Maybe make that three lists, >>>>> one for "required=image", one for "required=conf", and one for optional >>>>> keys (if that has a use case in practice, no idea). >>>> >>>> Also please take a look at binman which is designed to handle create >>>> (or later updating from Yocto) the devicetree or firmware image. >>>> >>> >>> Yes, binman is another problem area, but not for the public key >>> injection, rather for permitting to sign fit images that are described >>> for binman (rather than for mkimage). I'm currently back to dd for >>> signing the U-Boot container in >>> arch/arm/dts/k3-am65-iot2050-boot-image.dtsi, or I would have to split >>> that FIT image description from that file - both not optimal. > > Well I don't think binman supports that at present, or at least I'm > not sure what it would do. We don't have a test case for it. If you > have an idea for how it should work, please send some ideas and I can > look at it. > >> >> OK, this can already be optimized with "binman replace" - once I >> understood where fdtmap can go and where not. Why no support for using >> map files? > > The fdtmap provides enough information to extract anything from the > image and regenerate/replace things. > > What is a map file? *.map, e.g. image.map? Also generated by many binmap -m? > >> >> Jan >> >>> >>> And another area: Trust centers that perform the signing (and only that) >>> usually do not support random formats and workflows but just few common >>> ones, e.g. x509. It would be nice to have a way to route out the payload >>> (hashes etc.) that mkimage would sign, ideally into a standard signing >>> request, and permit to inject the resulting signature at the right >>> places into the FIT image. > > Well that needs to be provided somewhere. It should be fairly easy to > get Binman to do this, so long as the image description has info about > what is being signed. I would assume that it has to have that information, already to use mkimage on it or its parts. > >>> >>> But one after the other. > > Possibly, but sometimes it is best to design things up-front. > True as well. Jan -- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux