
Hi Thirupathaiah,
On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy <thiruan@linux.microsoft.com> wrote:
Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Changes in v2:
- New
doc/uImage.FIT/signature.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
Reviewed-by: Simon Glass <sjg@chromium.org>
But I think we need a new mkimage option to set the required-mode
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index d4afd755e9..a3455889ed 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys.
This happens automatically as part of a bootm command when FITs are used.
+For Signed Configurations, the default verification behavior can be changed by +the following optional property in /signature node in U-Boot's control FDT.
+- required-mode: Valid values are "any" to allow verified boot to succeed if +the selected configuration is signed by any of the 'required' keys, and "all" +to allow verified boot to succeed if the selected configuration is signed by +all of the 'required' keys.
+This property can be added to a binary device tree using fdtput as shown in +below examples::
fdtput -t s control.dtb /signature required-mode any
fdtput -t s control.dtb /signature required-mode all
Enabling FIT Verification
-- 2.25.2
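Review bot: The added required-mode paragraph says the property changes "the default verification behavior" but never states what that default is, so a reader cannot tell whether an absent property behaves as "any" or as "all". State the behaviour when the property is missing, and what verification does when the value is neither "any" nor "all", since this setting decides how many of the 'required' keys must have signed the selected configuration. The text is scoped to Signed Configurations only, so it is also worth saying explicitly whether signed images are unaffected. Minor wording: "as shown in below examples::" reads better as "as shown in the examples below".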