[PATCH] tools: add fdt_add_pubkey

Having to use the -K option to mkimage to populate U-Boot's .dtb with the public key while signing the kernel FIT image is often a little awkward. In particular, when using a meta-build system such as bitbake/Yocto, having the tasks of the kernel and U-Boot recipes intertwined, modifying deployed artifacts and rebuilding U-Boot with an updated .dtb is quite cumbersome. Also, in some scenarios one may wish to build U-Boot complete with the public key(s) embedded in the .dtb without the corresponding private keys being present on the same build host.
So this adds a simple tool that allows one to disentangle the kernel and U-Boot builds, by simply copy-pasting just enough of the mkimage code to allow one to add a public key to a .dtb. When using mkimage, some of the information is taken from the .its used to build the kernel (algorithm and key name), so that of course needs to be supplied on the command line.
Signed-off-by: Roman Kopytin <Roman.Kopytin@kaspersky.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
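What `mkimage -K` (and a tool such as the proposed fdt_add_pubkey) actually writes into U-Boot's control .dtb is a `key-<hint>` node under `/signature` carrying the RSA public key plus the two Montgomery constants U-Boot's verifier needs. The following is an added example, not code from the patch or from U-Boot; it builds that node from a modulus and exponent and renders it as a .dts fragment, using the property names documented in U-Boot's `doc/uImage.FIT/signature.txt`. The modulus `TOY_N` is a constructed value of only 64 bits and is not a real RSA key (it is not a product of two primes); a real key is 2048 bits or more, and a real build would take it from the .crt/.pem on the key host rather than from a literal. The `verify_key_node` check is the part a maintainer would want when inspecting a deployed .dtb: it confirms the constants are consistent with the modulus, so a hand-edited or mis-generated node is caught before U-Boot rejects every FIT.

```python
# Added example (not part of the patch or of U-Boot): build and check the
# "key-<hint>" node that U-Boot's RSA verifier expects under /signature.
# Property names follow U-Boot's documented signature node layout.

MASK32 = 0xFFFFFFFF


def n0_inverse(n: int) -> int:
    """-n^-1 mod 2^32, the per-key word constant for Montgomery multiplication.
    Only the least significant 32-bit word of n matters; n must be odd."""
    if n % 2 == 0:
        raise ValueError("RSA modulus must be odd")
    return (-pow(n & MASK32, -1, 1 << 32)) & MASK32


def r_squared(n: int, num_bits: int) -> int:
    """R^2 mod n with R = 2^num_bits, precomputed so the bootloader never divides."""
    return pow(2, 2 * num_bits, n)


def dts_cells(value: int, num_cells: int) -> str:
    """Render an integer as a big-endian list of 32-bit dts cells."""
    if value >> (32 * num_cells):
        raise ValueError("value does not fit in %d cells" % num_cells)
    return "<" + " ".join(
        "0x%08x" % ((value >> (32 * i)) & MASK32) for i in reversed(range(num_cells))
    ) + ">"


def key_node(hint: str, n: int, e: int, algo: str, required: str = "conf") -> dict:
    """Compute every property of a /signature/key-<hint> node.
    'required' = "conf" means U-Boot must verify the configuration signature
    (what mkimage -r sets); "image" would require image signatures instead."""
    num_bits = n.bit_length()
    # A real RSA modulus has its top bit set, so its bit length is the key size
    # and is a multiple of 32; refuse anything U-Boot's word-based code can't use.
    if num_bits % 32:
        raise ValueError("modulus bit length must be a multiple of 32")
    return {
        "required": required,
        "algo": algo,
        "key-name-hint": hint,
        "rsa,num-bits": num_bits,
        "rsa,n0-inverse": n0_inverse(n),
        "rsa,exponent": e,
        "rsa,modulus": n,
        "rsa,r-squared": r_squared(n, num_bits),
    }


def verify_key_node(node: dict) -> bool:
    """Defender-side consistency check for a key node read back from a .dtb:
    the Montgomery constants must match the modulus, or verification will fail."""
    n = node["rsa,modulus"]
    bits = node["rsa,num-bits"]
    if n.bit_length() != bits or n % 2 == 0:
        return False
    if (node["rsa,n0-inverse"] * (n & MASK32) + 1) & MASK32 != 0:
        return False
    return node["rsa,r-squared"] == pow(2, 2 * bits, n)


def to_dts(node: dict) -> str:
    """Render the node as a dts fragment to be placed under /signature."""
    cells = node["rsa,num-bits"] // 32
    lines = [
        "key-%s {" % node["key-name-hint"],
        '\trequired = "%s";' % node["required"],
        '\talgo = "%s";' % node["algo"],
        '\tkey-name-hint = "%s";' % node["key-name-hint"],
        "\trsa,num-bits = <%d>;" % node["rsa,num-bits"],
        "\trsa,n0-inverse = <0x%08x>;" % node["rsa,n0-inverse"],
        "\trsa,exponent = %s;" % dts_cells(node["rsa,exponent"], 2),   # u64
        "\trsa,modulus = %s;" % dts_cells(node["rsa,modulus"], cells),
        "\trsa,r-squared = %s;" % dts_cells(node["rsa,r-squared"], cells),
        "};",
    ]
    return "\n".join(lines)


# CONSTRUCTED toy modulus: 64 bits, odd, top bit set. Not a valid RSA key.
TOY_N = 0xC0DEC0DE0000000B
TOY_E = 65537

if __name__ == "__main__":
    node = key_node("dev", TOY_N, TOY_E, algo="sha256,rsa2048")
    print(to_dts(node))
    print("consistent:", verify_key_node(node))
```

The generated fragment is what you would see with `fdtget`/`dtc -I dtb -O dts` on a .dtb that mkimage has populated; comparing a freshly computed node against the deployed one is a cheap way to confirm the bootloader carries the key you think it does.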

On 03/08/2021 13.00, Roman Kopytin wrote:
Hi Roman
Thanks for picking this up. A few notes on the process:
- Don't attach the patch, it must be inline in the email. But do not copy-paste it into your mail client, that will most likely make it whitespace-damaged. git send-email is your friend.
- Sending it to u-boot@lists.denx.de is correct, but you should also cc "interested parties", e.g. at least me (for obvious reasons) and anybody who participated in the earlier thread. If you had used git send-email, your "Cc: " line in the patch would actually automatically have included me on cc. Other people are just as easy to add (with the --cc option to "git send-email"). Very few people, if any, read every message on the U-Boot mailing list.
- It would be good if you could also add a test and ensure that it works. I think my original submission had three commits, of which the first is now moot, but that last patch was a test case. It may need some adjustments to apply nowadays, but it should give you a starting point.
Rasmus

Thanks a lot. Can I create 1 patch with tool + test?

On 05/08/2021 09.59, Roman Kopytin wrote:
Thanks a lot. Can I create 1 patch with tool + test?
Preferably not. Each patch should be its own logical entity, doing one thing. Yes, sometimes the lines are a bit blurred, but adding a new tool and adding one or more tests of that tool are clearly separate things. It also makes review easier.
Rasmus

Roman,
I don't remember where exactly I found the information initially, but patman is your friend when submitting patches. cf. [0] resp. [1] for more information.
Cheers,
Steffen

[0] `./tools/patman/patman -H`
[1] tools/patman/README