[U-Boot] Verified boot interrogation

Hello everyone,
After studying the verified boot feature I have some interrogations.
If my understanding is correct the procedure should be the following:
1) Generate private keys and certificate
2) Generate a uboot and a dts file to describe the key
3) Generate a kernel/dtb/ramdisk and an its file to describe the fit image (files + conf + signatures)
4) Signature of the fit image and creation of a u-boot dtb file containing the public key
5) Insertion of the uboot dtb file in the uboot binary
Am I correct so far?
My question is: why is step 4 not divided into two steps? I don't understand why the public key generation needs the fit image as input. This creates a link between uboot and the kernel and I don't see how I can flash a new kernel without re-flashing a linked uboot.
The thing is I don't want to update uboot as often as the kernel.
Sorry if this is a stupid question.
Thanks!
Roger Clark