I am working on an application needing the ability to update to a verified image from the running kernel/application.
We can follow the "normal" verified image boot sequence, where the chain of trust is verified from U-Boot to image to execution, etc, but unsure how to verify a new image after already running.
Is there a way to extract the public key hash from the U-Boot image so that we can compute a hash on an upgrade image and verify a match? Either an existing tool, or some means that is accessibly from a Linux kernel that we could use to grab this information.
I've done a lot of googling, and I have not seen any means to get to this once the image is already booted and running.
Thank you for any guidance you can provide for this.
Jeridiah Welti