
Thanks a lot! Yes, it looks like using 'fdtput' is not very safe for me. As I understood it, I need to use the "fdt_add_pubkey" tool with a command like this (example):
./fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb
Is -r <conf|image> the same as for mkimage? As I remember, we can use -r without any value in mkimage.
-----Original Message-----
From: Rasmus Villemoes rasmus.villemoes@prevas.dk
Sent: Monday, August 2, 2021 12:00 PM
To: Simon Glass sjg@chromium.org; Roman Kopytin Roman.Kopytin@kaspersky.com
Cc: Thomas Perrot thomas.perrot@bootlin.com; Michael Nazzareno Trimarchi michael@amarulasolutions.com; U-Boot-Denx u-boot@lists.denx.de; Alex Kiernan alex.kiernan@gmail.com
Subject: Re: U-boot
On 31/07/2021 18.59, Simon Glass wrote:
> Hi Roman,
>
> On Sat, 31 Jul 2021 at 02:26, Roman Kopytin Roman.Kopytin@kaspersky.com wrote:
>>
>> Thanks, but my question was about adding the public key to the dtb file without the private key. We won't have the private key on our side.
>
> (please try not to top-post on the mailing list)
>
> Presumably this means that you know what the public key is, so one option is to manually add it to the dtb, e.g. in a u-boot.dtsi file for your board. You can see the format of it in the documentation, or just copy what is there when you do the signing.

I sent https://lore.kernel.org/u-boot/20200211094818.14219-3-rasmus.villemoes@preva... 1.5 years ago. Roman, is it something like that you need? We've used that patch/tool internally ever since.

> Another option would be to use 'fdtput' to add the various fields in the dtb after building.

Yes, but that, or the .dtsi approach, requires figuring just exactly what those fields are supposed to be. And even if one could "reverse engineer" that and implement the math separately in another tool, it's much better to utilize the same code which "mkimage proper" would use, since there's less risk of messing up endianness etc., and only one place to fix bugs.

Rasmus
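
The derived fields discussed in the thread can be cross-checked independently after a tool has written them into the dtb. The sketch below is an added example, not code from the thread or from U-Boot; it assumes the property names and layout given in U-Boot's FIT signature documentation (rsa,num-bits, rsa,modulus, rsa,exponent, rsa,n0-inverse, rsa,r-squared) and Python 3.8+, and it uses a constructed odd integer in place of a real RSA modulus.

```python
# Added example: recompute the derived values of a U-Boot /signature key node.
# The "modulus" is constructed for illustration; it is NOT a real RSA key.
import hashlib
import struct

def to_cells(value: int, bits: int) -> list:
    """Split into big-endian 32-bit cells, most significant word first."""
    raw = value.to_bytes(bits // 8, "big")
    return list(struct.unpack(">%dI" % (bits // 32), raw))

def from_cells(cells: list) -> int:
    """Inverse of to_cells, e.g. for values read back from a dtb dump."""
    return int.from_bytes(struct.pack(">%dI" % len(cells), *cells), "big")

def uboot_rsa_props(n: int, e: int = 65537) -> dict:
    """Compute the RSA properties the verifier reads from the control dtb."""
    if n % 2 == 0:
        raise ValueError("RSA modulus must be odd")
    bits = n.bit_length()
    if bits % 32:
        raise ValueError("modulus length must be a multiple of 32 bits")
    # rsa,n0-inverse: -1 / n[0] mod 2^32, n[0] = least significant 32-bit word
    n0_inv = (-pow(n & 0xFFFFFFFF, -1, 1 << 32)) % (1 << 32)
    # rsa,r-squared: (2^bits)^2 mod n, the Montgomery conversion constant
    r_squared = pow(1 << bits, 2, n)
    return {
        "rsa,num-bits": bits,
        "rsa,exponent": e,
        "rsa,n0-inverse": n0_inv,
        "rsa,modulus": to_cells(n, bits),
        "rsa,r-squared": to_cells(r_squared, bits),
    }

def constructed_modulus(bits: int = 2048) -> int:
    """Deterministic odd integer with the top bit set (stand-in for a modulus)."""
    stream = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(bits // 256))
    return int.from_bytes(stream, "big") | (1 << (bits - 1)) | 1

if __name__ == "__main__":
    props = uboot_rsa_props(constructed_modulus())
    for name, value in props.items():
        if isinstance(value, list):
            print(f"{name} = <{' '.join(f'0x{c:08x}' for c in value[:4])} ...>")
        else:
            print(f"{name} = {value:#x}")
```

Comparing these values against the node in the built dtb catches a word-order or endianness mistake before the image is deployed; it is a check on the tool's output, not a replacement for the tool.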