Re: [PATCH v2 6/7] spl: fit: add Kconfig option to specify key-hint for fit_generator

28 Apr 2020

On 2020/4/21 上午8:23, Heiko Stuebner wrote:
...
From: Heiko Stuebner heiko.stuebner@theobroma-systems.com
The u-boot.itb can be generated either from a static .its that can
simply include the needed signature nodes with key-hints or from a
fit-generator script referenced in CONFIG_SPL_FIT_GENERATOR.
In the script-case it will need to know what key to include for the
key-hint and specified algorithm, so add an option for that key-name.
Signed-off-by: Heiko Stuebner heiko.stuebner@theobroma-systems.com
Reviewed-by: Philipp Tomsich philipp.tomsich@theobroma-systems.com
Reviewed-by: Kever Yang kever.yang@rock-chips.com
Thanks,
- Kever
...

changes in v2:

add doc snippet explaining the option
Kconfig                  |  8 ++++++++
doc/uImage.FIT/howto.txt | 13 +++++++++++++
2 files changed, 21 insertions(+)

diff --git a/Kconfig b/Kconfig
index 15a783a67d..703762d740 100644
--- a/Kconfig
+++ b/Kconfig
@@ -534,6 +534,14 @@ config SPL_FIT_GENERATOR
     passed a list of supported device tree file stub names to
     include in the generated image.
+config SPL_FIT_GENERATOR_KEY_HINT

string "key hint for signing U-Boot FIT image"

depends on SPL_FIT_SIGNATURE

default "dev"

help

 The key hint to store in both the generated .its file as well as


 u-boot-key.dtb generated separately and embedded into the SPL.


endif # SPL
endif # FIT


diff --git a/doc/uImage.FIT/howto.txt b/doc/uImage.FIT/howto.txt
index 8592719685..f409b3770e 100644
--- a/doc/uImage.FIT/howto.txt
+++ b/doc/uImage.FIT/howto.txt
@@ -66,6 +66,19 @@ can point to a script which generates this image source file during
  the build process. It gets passed a list of device tree files (taken from the
  CONFIG_OF_LIST symbol).
+Signing u-boot.itb with SPL_FIT_GENERATOR
+-----------------------------------------



+u-boot.itb can be signed to verify the integrity of its components.
+When CONFIG_SPL_FIT_SIGNATURE is enabled the CONFIG_SPL_FIT_SIGNATURE_KEY_DIR
+option can be used to specifiy the key directory - either a relative or
+absolute path.



+See signature.txt for general signature handling, but when
+CONFIG_SPL_FIT_GENERATOR is used the option CONFIG_SPL_FIT_GENERATOR_KEY_HINT
+can be used to specify the key-hint that should be included into the
+created u-boot.its by the generator.

Example 1 -- old-style (non-FDT) kernel booting



    