
Hi there,
First of all, I would like to thank you for the tool, I like it a lot.
I've been trying to sign U-Boot by placing a signature section into the configurations section. Something like:
{ algo = "sha256,rsa2048"; key-name-hint = "dev"; sign-images = "fdt", "loadables"; }
But I can't find how to sign the second-stage U-Boot and integrate the public key into the U-Boot SPL device tree with binman. Prior to binman I used mkimage to do that, as follows:
mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
I could not find it in the documentation; I only saw pre-load, but I am not sure that this is what I am looking for.
I would appreciate it if you could give some hint on how this could be done.
Thank you for your help
Cheers, Andy

Hi Andy,
On Wed, 26 Apr 2023 at 12:49, Andy Pandy <andypandy123g@gmail.com> wrote:
> Hi there,
> First of all, I would like to thank you for the tool, I like it a lot.
Great!
> I've been trying to sign U-Boot by placing a signature section into the configurations section. Something like:
> { algo = "sha256,rsa2048"; key-name-hint = "dev"; sign-images = "fdt", "loadables"; }
> But I can't find how to sign the second-stage U-Boot and integrate the public key into the U-Boot SPL device tree with binman. Prior to binman I used mkimage to do that, as follows:
> mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
> I could not find it in the documentation; I only saw pre-load, but I am not sure that this is what I am looking for.
> I would appreciate it if you could give some hint on how this could be done.
> Thank you for your help
+Ivan Mikhaylov
I believe that 'binman sign' does this:
https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-...
Regards, Simon

On Wed, 2023-04-26 at 15:29 -0600, Simon Glass wrote:
> Hi Andy,
> On Wed, 26 Apr 2023 at 12:49, Andy Pandy <andypandy123g@gmail.com> wrote:
>> Hi there,
>> First of all, I would like to thank you for the tool, I like it a lot.
> Great!
>> I've been trying to sign U-Boot by placing a signature section into the configurations section. Something like:
>> { algo = "sha256,rsa2048"; key-name-hint = "dev"; sign-images = "fdt", "loadables"; }
>> But I can't find how to sign the second-stage U-Boot and integrate the public key into the U-Boot SPL device tree with binman. Prior to binman I used mkimage to do that, as follows:
>> mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
>> I could not find it in the documentation; I only saw pre-load, but I am not sure that this is what I am looking for.
>> I would appreciate it if you could give some hint on how this could be done.
>> Thank you for your help
> +Ivan Mikhaylov
> I believe that 'binman sign' does this:
> https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-...
> Regards, Simon
Andy, also you can look at tests there as examples https://github.com/u-boot/u-boot/blob/288fe30a2367b8d0e3f416493150a38ebaa884...
You can add pubkeys with fdt_add_pubkey utility also if you need just that.
Simon, maybe I need to add possibility to add pubkeys via binman sign, what do you think?
Thanks.

Hi Ivan,
On Thu, 27 Apr 2023 at 07:41, Ivan Mikhaylov <fr0st61te@gmail.com> wrote:
> On Wed, 2023-04-26 at 15:29 -0600, Simon Glass wrote:
>> Hi Andy,
>> On Wed, 26 Apr 2023 at 12:49, Andy Pandy <andypandy123g@gmail.com> wrote:
>>> Hi there,
>>> First of all, I would like to thank you for the tool, I like it a lot.
>> Great!
>>> I've been trying to sign U-Boot by placing a signature section into the configurations section. Something like:
>>> { algo = "sha256,rsa2048"; key-name-hint = "dev"; sign-images = "fdt", "loadables"; }
>>> But I can't find how to sign the second-stage U-Boot and integrate the public key into the U-Boot SPL device tree with binman. Prior to binman I used mkimage to do that, as follows:
>>> mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
>>> I could not find it in the documentation; I only saw pre-load, but I am not sure that this is what I am looking for.
>>> I would appreciate it if you could give some hint on how this could be done.
>>> Thank you for your help
>> +Ivan Mikhaylov
>> I believe that 'binman sign' does this:
>> https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-...
>> Regards, Simon
> Andy, also you can look at tests there as examples https://github.com/u-boot/u-boot/blob/288fe30a2367b8d0e3f416493150a38ebaa884...
> You can add pubkeys with fdt_add_pubkey utility also if you need just that.
> Simon, maybe I need to add possibility to add pubkeys via binman sign, what do you think?
Yes I think that would be useful.
Regards, Simon

Hi Ivan,
Thank you for the reference, didn't see the tool, as I'd been using U-Boot v2023.04. These are all recent improvements, the sign option in binman and the fdt_add_pubkey tool. Nice!
Not part of this request, but in an ideal world :), it would be just a matter of putting private/public keys in, let's say, a /keys directory, and if signing is enabled in SPL or the second-stage U-Boot, make would produce a binary with the expected chain of trust. Yes I know how the saying goes: "It is simple but not easy".
Who knows, one day my dream may come true. Meanwhile I will do it in an old school way, scripting. :)
Cheers, Andy
On Thu, Apr 27, 2023, 16:41 Ivan Mikhaylov <fr0st61te@gmail.com> wrote:
> On Wed, 2023-04-26 at 15:29 -0600, Simon Glass wrote:
>> Hi Andy,
>> On Wed, 26 Apr 2023 at 12:49, Andy Pandy <andypandy123g@gmail.com> wrote:
>>> Hi there,
>>> First of all, I would like to thank you for the tool, I like it a lot.
>> Great!
>>> I've been trying to sign U-Boot by placing a signature section into the configurations section. Something like:
>>> { algo = "sha256,rsa2048"; key-name-hint = "dev"; sign-images = "fdt", "loadables"; }
>>> But I can't find how to sign the second-stage U-Boot and integrate the public key into the U-Boot SPL device tree with binman. Prior to binman I used mkimage to do that, as follows:
>>> mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
>>> I could not find it in the documentation; I only saw pre-load, but I am not sure that this is what I am looking for.
>>> I would appreciate it if you could give some hint on how this could be done.
>>> Thank you for your help
>> +Ivan Mikhaylov
>> I believe that 'binman sign' does this:
>> https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-...
>> Regards, Simon
> Andy, also you can look at tests there as examples
> https://github.com/u-boot/u-boot/blob/288fe30a2367b8d0e3f416493150a38ebaa884...
> You can add pubkeys with fdt_add_pubkey utility also if you need just that.
> Simon, maybe I need to add possibility to add pubkeys via binman sign, what do you think?
> Thanks.
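A FIT configuration signature covers only the images reached through the property names listed in sign-images (U-Boot falls back to kernel and fdt when the property is absent), so a configuration that loads a stage through a property such as firmware while sign-images names only fdt and loadables leaves that stage outside the signature. The following added example, which is not part of the thread and not U-Boot's own code, parses an .its with a small DTS reader (no comment or include support) and reports, per configuration, the image properties the signature leaves out; the .its text is constructed for this example and modelled on the snippet discussed above.

```python
import re

# Configuration-node property names that reference images; one that is set but absent from sign-images is unsigned.
CONF_IMAGE_PROPS = ("kernel", "fdt", "ramdisk", "firmware", "loadables", "setup", "fpga")

def parse_dts(text):
    """Tiny DTS reader: nodes become dicts, properties lists of strings (True when valueless)."""
    toks = re.findall(r'"[^"]*"|<[^>]*>|[{};=]|[^\s{};="<>]+', text)
    stack, i = [{}], 0
    while i < len(toks):
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if tok == "}":                  # "};" closes the current node
            stack.pop()
            i += 2
        elif nxt == "{":                # "name {" opens a child node
            stack.append(stack[-1].setdefault(tok, {}))
            i += 2
        elif nxt == "=":                # name = "a", "b";
            end = toks.index(";", i)
            stack[-1][tok] = [v.strip('"') for v in toks[i + 2:end] if v != ","]
            i = end + 1
        else:                           # bare "name;" such as /dts-v1/;
            stack[-1][tok] = True
            i += 2
    return stack[0]

def unsigned_images(its_text):
    """Map each configuration to the image-referencing properties its signature leaves out."""
    report = {}
    for name, conf in parse_dts(its_text)["/"]["configurations"].items():
        if not isinstance(conf, dict):  # skip properties such as default = "conf-1"
            continue
        covered = set()                 # a conf with no signature node leaves everything uncovered
        for key, val in conf.items():
            if key.startswith("signature") and isinstance(val, dict):
                covered |= set(val.get("sign-images", ["kernel", "fdt"]))  # U-Boot's default list
        report[name] = [p for p in CONF_IMAGE_PROPS if p in conf and p not in covered]
    return report

# Constructed .its: U-Boot proper is loaded as "firmware" but sign-images lists only fdt and loadables.
SAMPLE_ITS = """/dts-v1/;
/ {
    images { uboot { type = "firmware"; }; atf { type = "firmware"; }; fdt-1 { type = "flat_dt"; }; };
    configurations {
        default = "conf-1";
        conf-1 {
            firmware = "uboot"; loadables = "atf"; fdt = "fdt-1";
            signature { algo = "sha256,rsa2048"; key-name-hint = "dev"; sign-images = "fdt", "loadables"; };
        };
    };
};"""
```

Running `unsigned_images(SAMPLE_ITS)` reports `{"conf-1": ["firmware"]}`; adding "firmware" to sign-images (or signing it as an image in its own right) empties the list.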