Hi Tom,
On Thu, Jun 13, 2013 at 3:10 PM, Simon Glass sjg@chromium.org wrote:
Add a description of how to implement verified boot using signed FIT images, and a simple test which verifies operation on sandbox.
The test signs a FIT image and verifies it, then signs a FIT configuration and verifies it. Then it corrupts the signature to check that this is detected.
Signed-off-by: Simon Glass sjg@chromium.org
If it helps, here are the results of my build for this series (and the trace one). No new failures but you can see quite a few problems with Xscale.
./tools/buildman/buildman -b us-vboot9c -s Summary of 35 commits for 1124 boards (32 threads, 1 job per thread) 01: pci: introduce CONFIG_PCI_INDIRECT_BRIDGE option blackfin: + bf561-acvilon cm-bf561 blackstamp br4 bct-brettl2 cm-bf527 dnp5370 bf506f-ezkit ip04 bf527-sdp bf609-ezkit bf537-stamp bf527-ezkit-v2 cm-bf537e tcm-bf518 cm-bf537u bf527-ezkit bf537-pnav cm-bf533 pr1 bf533-ezkit ibf-dsp561 bf537-srv1 cm-bf548 bf537-minotaur bf538f-ezkit bf548-ezkit bf525-ucr2 blackvme tcm-bf537 bf533-stamp bf518f-ezbrd bf527-ad7160-eval bf526-ezbrd bf561-ezkit m68k: + M54455EVB_a66 M5329AFEE M5249EVB idmr M5208EVBE M5475FFE M54451EVB astro_mcf5373l M54418TWR_serial_rmii M54455EVB_intel M5282EVB M54455EVB_i66 M5475GFE M5253DEMO M54455EVB_stm33 M5485BFE M5485DFE M5329BFEE M52277EVB M5475EFE M5475CFE M5485AFE M53017EVB M5475AFE M5485HFE M5235EVB M5253EVBE M54418TWR_nand_mii M54418TWR_nand_rmii_lowfreq TASREG cobra5272 M5475BFE M5475DFE M5275EVB M52277EVB_stmicro eb_cpu5282 eb_cpu5282_internal M54451EVB_stmicro M5271EVB M5485GFE M5485EFE M5485FFE M54418TWR M5235EVB_Flash32 M5373EVB M54418TWR_nand_rmii M54418TWR_serial_mii M5485CFE M54455EVB M5272C3 powerpc: + MVBLM7 MVSMR lcd4_lwmon5 sh: + rsk7269 rsk7264 sh7757lcr sh7752evb rsk7203 microblaze: + microblaze-generic openrisc: + openrisc-generic arm: + palmtc zipitz2 VCMA9 lubbock zynq_dcc vpac270_nor_128 colibri_pxa270 kzm9g zynq xaeniax polaris pxa255_idp vpac270_ond_256 vpac270_nor_256 smdk2410 h2200 balloon3 palmld trizepsiv nds32: + adp-ag101p adp-ag102 adp-ag101 02: pci: Convert extern inline functions to static inline 03: x86: Correct missing local variable in bootm 04: Fix missing return in do_mem_loop() 05: Show stdout on error in fit-test 06: bootstage: Correct printf types 07: Add function to print a number with grouped digits 08: Add trace library 09: Add a trace command 10: Support tracing in config.mk when enabled 11: Add trace support to generic board 12: Add proftool to decode profile data 13: sandbox: Support trace feature 14: Add a simple test for sandbox trace 15: Clarify bootm OS arguments 16: Refactor the bootm command to reduce code duplication 17: Add a 'fake' go command to the bootm command 18: arm: Implement the 'fake' go command 19: exynos: Avoid function instrumentation for microsecond timer 20: exynos: config: Add tracing options 21: x86: Support tracing function 22: x86: config: Add tracing options 23: wip 24: image: Add signing infrastructure 25: image: Support signing of images 26: image: Add RSA support for image signing 27: mkimage: Add -k option to specify key directory 28: mkimage: Add -K to write public keys to an FDT blob 29: mkimage: Add -F option to modify an existing .fit file 30: mkimage: Add -c option to specify a comment for key signing 31: mkimage: Add -r option to specify keys that must be verified 32: libfdt: Add fdt_find_regions() 33: image: Add support for signing of FIT configurations 34: sandbox: config: Enable FIT signatures with RSA 35: Add verified boot information and test
Regards, Simon