
Hi Roman,
see signature.txt:
- required: If present this indicates that the key must be verified for the image / configuration to be considered valid. Only required keys are normally verified by the FIT image booting algorithm. Valid values are "image" to force verification of all images, and "conf" to force verification of the selected configuration (which then relies on hashes in the images to verify those).
Regards, Simon
On Wed, 10 Nov 2021 at 04:20, Roman Kopytin Roman.Kopytin@kaspersky.com wrote:
Hi Rasmus and Simon, I need more details about -r <conf|image> for fdt_add_pubkey. I need to add a small help text for the tool, please provide details.
-----Original Message-----
From: Rasmus Villemoes rasmus.villemoes@prevas.dk
Sent: Monday, August 2, 2021 12:37 PM
To: Roman Kopytin Roman.Kopytin@kaspersky.com; Simon Glass sjg@chromium.org
Cc: Thomas Perrot thomas.perrot@bootlin.com; Michael Nazzareno Trimarchi michael@amarulasolutions.com; U-Boot-Denx u-boot@lists.denx.de; Alex Kiernan alex.kiernan@gmail.com
Subject: Re: U-boot
On 02/08/2021 11.25, Roman Kopytin wrote:
Thanks a lot! Yes, it looks like using 'fdtput' is not very safe for me. As I understood, I need to use the "fdt_add_pubkey" tool with a command like (example): ./fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image> my_file.dtb
-r <conf|image> is the same as for mkimage? As I remember we can use -r w/o any values in mkimage.
Yes, that's very close to what our Yocto recipe currently does:
for b in ${KERNEL_PUBLIC_KEYS} ; do
    fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n "$b" \
        -r conf $dtb
done
I doubt that old patch applies nowadays, I've only forward-ported it to 2020.04 internally.
As to Simon's old question of whether it could be done in mkimage with a new flag: I'd really prefer not to, mkimage is already an incoherent collection of tools that do very different things with different flags. Having a flag that says "create and sign this FIT image, and as a side effect update $this dtb $overhere with the corresponding public key mangled appropriately, oh, and btw, _only_ do that side effect" is a non-starter.
Rasmus
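To make the "required" semantics quoted from signature.txt above concrete, here is an added Python model of the boot-time decision (not U-Boot code and not from any participant in this thread). It assumes the simplified rule that every key marked required must verify, that signatures are represented as already-verified key names, and that image hash nodes are SHA-256; the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class PubKey:
    name: str
    required: object = None  # "conf", "image" or None, as written by fdt_add_pubkey -r


@dataclass
class Image:
    name: str
    data: bytes
    hash_hex: str                                 # value stored in the image's hash node
    signed_by: set = field(default_factory=set)   # keys whose image signature verified


@dataclass
class Config:
    name: str
    images: list                                  # image node names referenced by the config
    signed_by: set = field(default_factory=set)   # keys whose configuration signature verified


def boot_allowed(keys, images, config):
    """Return (ok, reason) for booting `config`, following the required-key rules."""
    by_name = {img.name: img for img in images}
    required = [k for k in keys if k.required]
    if not required:
        return True, "no required keys in the control DTB; signatures are not enforced"
    for key in required:
        if key.required == "conf":
            # The configuration signature covers the image hash nodes, so the
            # images themselves are checked through their hashes, not signatures.
            if key.name not in config.signed_by:
                return False, f"config {config.name} not signed by required key {key.name}"
            for name in config.images:
                if hashlib.sha256(by_name[name].data).hexdigest() != by_name[name].hash_hex:
                    return False, f"hash mismatch for image {name}"
        elif key.required == "image":
            for name in config.images:
                if key.name not in by_name[name].signed_by:
                    return False, f"image {name} not signed by required key {key.name}"
        else:
            return False, f"key {key.name}: unsupported required value {key.required!r}"
    return True, "all required signatures verified"


# Constructed sample: one kernel image and one configuration signed by key "dev".
KERNEL = b"constructed kernel bytes"
kernel = Image("kernel-1", KERNEL, hashlib.sha256(KERNEL).hexdigest())
conf = Config("conf-1", ["kernel-1"], signed_by={"dev"})
```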