
Yes, I don't see this tool in the master branch. Maybe I will take the code and build this tool.
Do you have a plan for sharing it in the repo?
-----Original Message-----
From: Rasmus Villemoes rasmus.villemoes@prevas.dk
Sent: Monday, August 2, 2021 12:37 PM
To: Roman Kopytin Roman.Kopytin@kaspersky.com; Simon Glass sjg@chromium.org
Cc: Thomas Perrot thomas.perrot@bootlin.com; Michael Nazzareno Trimarchi michael@amarulasolutions.com; U-Boot-Denx u-boot@lists.denx.de; Alex Kiernan alex.kiernan@gmail.com
Subject: Re: U-boot
On 02/08/2021 11.25, Roman Kopytin wrote:
Thanks a lot! Yes, it looks like using 'fdtput' is not very safe for me. As I understood, I need to use the "fdt_add_pubkey" tool with CMD (example):
./fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb
Is -r <conf|image> the same as for mkimage? As I remember, we can use -r w/o any values in mkimage.
Yes, that's very close to what our Yocto recipe currently does:
    for b in ${KERNEL_PUBLIC_KEYS} ; do
        fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n "$b" \
            -r conf $dtb
    done
I doubt that old patch applies nowadays, I've only forward-ported it to 2020.04 internally.
As to Simon's old question of whether it could be done in mkimage with a new flag: I'd really prefer not to, mkimage is already an incoherent collection of tools that do very different things with different flags. Having a flag that says "create and sign this FIT image, and as a side effect update $this dtb $overhere with the corresponding public key mangled appropriately, oh, and btw, _only_ do that side effect" is a non-starter.
Rasmus