
Hi Rasmus,
On Mon, 2 Aug 2021 at 03:37, Rasmus Villemoes <rasmus.villemoes@prevas.dk> wrote:
On 02/08/2021 11.25, Roman Kopytin wrote:
Thanks a lot! Yes, it looks like using 'fdtput' is not very safe for me. As I understand it, I need to use the "fdt_add_pubkey" tool with a CMD (example): ./fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb
-r <conf|image> is the same as for mkimage? As I remember we can use -r w/o any values in mkimage.
Yes, that's very close to what our Yocto recipe currently does:
for b in ${KERNEL_PUBLIC_KEYS} ; do
    fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n "$b" \
        -r conf $dtb
done
I doubt that old patch applies nowadays, I've only forward-ported it to 2020.04 internally.
As to Simon's old question of whether it could be done in mkimage with a new flag: I'd really prefer not to, mkimage is already an incoherent collection of tools that do very different things with different flags. Having a flag that says "create and sign this FIT image, and as a side effect update $this dtb $overhere with the corresponding public key mangled appropriately, oh, and btw, _only_ do that side effect" is a non-starter.
I missed that comment at the time...I think this tool is useful though.
The series is marked as deferred in patchwork, probably because the thread died. How about reposting it?
Regards, Simon