On 09.11.21 10:37, Roman Kopytin wrote:
Can we have discussion with code lines? For me it is not very clear, because it isn't my code.
Please do not top-post.
-----Original Message----- From: Jan Kiszka jan.kiszka@siemens.com Sent: Tuesday, November 9, 2021 12:17 PM To: Roman Kopytin Roman.Kopytin@kaspersky.com; u-boot@lists.denx.de; Rasmus Villemoes rasmus.villemoes@prevas.dk Subject: Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool
On 08.11.21 16:28, Roman Kopytin wrote:
In order to reduce the coupling between building the kernel and U-Boot, I'd like a tool that can add a public key to U-Boot's dtb without simultaneously signing a FIT image. That tool doesn't seem to exist, so I stole the necessary pieces from mkimage et al and put it in a single .c file.
I'm still working on the details of my proposed "require just k out these n required keys" and how it should be implemented, but it will probably involve teaching this tool a bunch of new options. These patches are not necessarily ready for inclusion (unless someone else finds fdt_add_pubkey useful as is), but I thought I might as well send it out for early comments.
I'd also like to see the usage of this hooked into the build process.
And to my understanding of [1], that approach will provide a feature that permits hooking with the build but would expect the key as dtsi fragment. Can we consolidate the approaches?
My current vision of a user interface would be a Kconfig option that takes a list of key files to be injected. Maybe make that three lists, one for "required=image", one for "required=conf", and one for optional keys (if that has a use case in practice, no idea).
Jan
[1] https://lore.kernel.org/u-boot/20210928085651.619892-1-rasmus.villemoes@prev...
-- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux
For what would you like to have code? The kconfig addition?
diff --git a/common/Kconfig.boot b/common/Kconfig.boot index d3a12be228..a9ed4d4ec4 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -279,6 +279,14 @@ config SPL_FIT_GENERATOR
endif # SPL
+config FIT_SIGNATURE_PUB_KEYS + string "Public keys to use for FIT image verification" + depends on FIT_SIGNATURE || SPL_FIT_SIGNATURE + help + Public keys, or certificate files to extract them from, that shall + be used to verify signed FIT images. The keys will be embedded into + the control device tree of U-Boot. + endif # FIT
config LEGACY_IMAGE_FORMAT
But note that we are in a design discussion here, and I'm at least reluctant to code up n-versions without having some common idea where things should move.
Jan