[U-Boot] [verified-boot] Compile 'key store' DTB without mkimage and private key
Hi all,
I'm curious if anyone has a script (or if I've missed something within the verified-boot documentation) to compile a DTB given only public keying information, i.e., a x509 certificate.
I have build/test bots that need to build a u-boot with an extra/embedded DTB containing a signing public key. I do not want the private key on those hosts and the only way I've found to build the documented/required nodes in /signature/key-KEYNAME/ ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') is by using mkimage on a FIT with the -K switch. That requires a private key to do the actual signing.
I'm happy to write something, just want to ask first!
Thanks!
Hi Teddy,
On 25 April 2016 at 10:25, Teddy Reed teddy.reed@gmail.com wrote:
Hi all,
I'm curious if anyone has a script (or if I've missed something within the verified-boot documentation) to compile a DTB given only public keying information, i.e., a x509 certificate.
I have build/test bots that need to build a u-boot with an extra/embedded DTB containing a signing public key. I do not want the private key on those hosts and the only way I've found to build the documented/required nodes in /signature/key-KEYNAME/ ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') is by using mkimage on a FIT with the -K switch. That requires a private key to do the actual signing.
I'm happy to write something, just want to ask first!
Not on my side, sorry. Would be useful.
Thanks!
-- Teddy Reed V
Regards, Simon
On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass sjg@chromium.org wrote:
Hi Teddy,
On 25 April 2016 at 10:25, Teddy Reed teddy.reed@gmail.com wrote:
Hi all,
I'm curious if anyone has a script (or if I've missed something within the verified-boot documentation) to compile a DTB given only public keying information, i.e., a x509 certificate.
I have build/test bots that need to build a u-boot with an extra/embedded DTB containing a signing public key. I do not want the private key on those hosts and the only way I've found to build the documented/required nodes in /signature/key-KEYNAME/ ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') is by using mkimage on a FIT with the -K switch. That requires a private key to do the actual signing.
I'm happy to write something, just want to ask first!
Not on my side, sorry. Would be useful.
Ok!
I can't make any promises of completeness, but I quickly hacked together https://github.com/theopolis/fit-certificate-store, to do this. I'll iterate on it over the next few weeks, and I'm more than happy to take bugs/criticism via Github PRs.
Thanks!
-- Teddy Reed V
Regards, Simon
Hi Teddy,
On 29 April 2016 at 18:44, Teddy Reed teddy.reed@gmail.com wrote:
On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass sjg@chromium.org wrote:
Hi Teddy,
On 25 April 2016 at 10:25, Teddy Reed teddy.reed@gmail.com wrote:
Hi all,
I'm curious if anyone has a script (or if I've missed something within the verified-boot documentation) to compile a DTB given only public keying information, i.e., a x509 certificate.
I have build/test bots that need to build a u-boot with an extra/embedded DTB containing a signing public key. I do not want the private key on those hosts and the only way I've found to build the documented/required nodes in /signature/key-KEYNAME/ ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') is by using mkimage on a FIT with the -K switch. That requires a private key to do the actual signing.
I'm happy to write something, just want to ask first!
Not on my side, sorry. Would be useful.
Ok!
I can't make any promises of completeness, but I quickly hacked together https://github.com/theopolis/fit-certificate-store, to do this. I'll iterate on it over the next few weeks, and I'm more than happy to take bugs/criticism via Github PRs.
Looks good. At some point will you do a U-Boot patch?
Regards, Simon
On Mon, May 2, 2016 at 7:06 AM, Simon Glass sjg@chromium.org wrote:
Hi Teddy,
On 29 April 2016 at 18:44, Teddy Reed teddy.reed@gmail.com wrote:
On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass sjg@chromium.org wrote:
Hi Teddy,
On 25 April 2016 at 10:25, Teddy Reed teddy.reed@gmail.com wrote:
Hi all,
I'm curious if anyone has a script (or if I've missed something within the verified-boot documentation) to compile a DTB given only public keying information, i.e., a x509 certificate.
I have build/test bots that need to build a u-boot with an extra/embedded DTB containing a signing public key. I do not want the private key on those hosts and the only way I've found to build the documented/required nodes in /signature/key-KEYNAME/ ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') is by using mkimage on a FIT with the -K switch. That requires a private key to do the actual signing.
I'm happy to write something, just want to ask first!
Not on my side, sorry. Would be useful.
Ok!
I can't make any promises of completeness, but I quickly hacked together https://github.com/theopolis/fit-certificate-store, to do this. I'll iterate on it over the next few weeks, and I'm more than happy to take bugs/criticism via Github PRs.
Looks good. At some point will you do a U-Boot patch?
Could we define a new environment variable, maybe DTB_KEYS_DIR, or build option, that could point to the directory of public keys.
Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :)
Regards, Simon
Hi Teddy,
On 2 May 2016 at 14:24, Teddy Reed teddy.reed@gmail.com wrote:
On Mon, May 2, 2016 at 7:06 AM, Simon Glass sjg@chromium.org wrote:
Hi Teddy,
On 29 April 2016 at 18:44, Teddy Reed teddy.reed@gmail.com wrote:
On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass sjg@chromium.org wrote:
Hi Teddy,
On 25 April 2016 at 10:25, Teddy Reed teddy.reed@gmail.com wrote:
Hi all,
I'm curious if anyone has a script (or if I've missed something within the verified-boot documentation) to compile a DTB given only public keying information, i.e., a x509 certificate.
I have build/test bots that need to build a u-boot with an extra/embedded DTB containing a signing public key. I do not want the private key on those hosts and the only way I've found to build the documented/required nodes in /signature/key-KEYNAME/ ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') is by using mkimage on a FIT with the -K switch. That requires a private key to do the actual signing.
I'm happy to write something, just want to ask first!
Not on my side, sorry. Would be useful.
Ok!
I can't make any promises of completeness, but I quickly hacked together https://github.com/theopolis/fit-certificate-store, to do this. I'll iterate on it over the next few weeks, and I'm more than happy to take bugs/criticism via Github PRs.
Looks good. At some point will you do a U-Boot patch?
Could we define a new environment variable, maybe DTB_KEYS_DIR, or build option, that could point to the directory of public keys.
Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :)
An env variable sounds reasonable to me.
Regards, Simon
participants (2)
-
Simon Glass -
Teddy Reed