From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
To: u-boot@lists.denx.de
Subject: [PATCH 2/3] tools: add fdt_add_pubkey
Date: Tue, 11 Feb 2020 10:22:27 +0000 [thread overview]
Message-ID: <770e1895-5ddb-6b97-775c-59899f6c5202@prevas.dk> (raw)
In-Reply-To: <CAO5Uq5TyTMacERo01weTEda-5X4Fx-VUoYFHa=mBYhW-RvmVSQ@mail.gmail.com>
On 11/02/2020 10.54, Alex Kiernan wrote:
> On Tue, Feb 11, 2020 at 9:49 AM Rasmus Villemoes
> <rasmus.villemoes@prevas.dk> wrote:
>>
>> Having to use the -K option to mkimage to populate U-Boot's .dtb with the
>> public key while signing the kernel FIT image is often a little
>> awkward. In particular, when using a meta-build system such as
>> bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
>> intertwined, modifying deployed artifacts and rebuilding U-Boot with
>> an updated .dtb is quite cumbersome. Also, in some scenarios one may
>> wish to build U-Boot complete with the public key(s) embedded in the
>> .dtb without the corresponding private keys being present on the same
>> build host.
>>
>
> Have you started looking at the required bitbake pieces? You're
> definitely dealing with a piece of pain that I'd like resolved!
Not really, but I know that something like this is a necessary first
part - and I'm glad to know I'm not the only one struggling with this.
For now I've come to the conclusion that kernel-fitimage.bbclass is not
worth the trouble (for example, I need to create two different fit
images with different initramfs, but a fit image without initramfs is
pointless in my case, and there's no way to use kernel-fitimage.bbclass
for that), so I just set KERNEL_IMAGETYPE to vmlinux, then have my own
extra tasks doing the objcopy -O binary, gzip, and mkimage the different
fit images I need.
[I'm also thinking that adding a companion tool for doing the signing
part might make sense at some point - it's somewhat counter-intuituve
that the .its contains some of the information (base name of key and
algorithm - mkimage currently just segfaults if key-name-hint is
accidentally omitted from the .its), while mkimage needs to be fed with
another part (directory holding the keys).]
Rasmus
next prev parent reply other threads:[~2020-02-11 10:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-11 9:49 [PATCH 0/3] RFC: add fdt_add_pubkey tool Rasmus Villemoes
2020-02-11 9:49 ` [PATCH 1/3] test_vboot.py: remove extraneous -k option to fit_check_sign Rasmus Villemoes
2020-02-11 17:14 ` Simon Glass
2020-02-11 9:49 ` [PATCH 2/3] tools: add fdt_add_pubkey Rasmus Villemoes
2020-02-11 9:54 ` Alex Kiernan
2020-02-11 10:22 ` Rasmus Villemoes [this message]
2020-02-11 13:58 ` Alex Kiernan
2020-02-11 17:14 ` Simon Glass
2020-02-11 9:49 ` [PATCH 3/3] test_vboot.py: include test of fdt_add_pubkey tool Rasmus Villemoes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=770e1895-5ddb-6b97-775c-59899f6c5202@prevas.dk \
--to=rasmus.villemoes@prevas.dk \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).