Re: [PATCH v2 3/3] doc: verified-boot: add required-mode information
Hi Thirupathaiah, On Sun, 16 Aug 2020 at 22:09, Thirupathaiah Annapureddy wrote: > > > > On 7/28/2020 11:58 AM, Simon Glass wrote: > > Hi Thirupathaiah, > > > > On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy > > wrote: > >> > >> Signed-off-by: Thirupathaiah Annapureddy > >> --- > >> > >> Changes in v2: > >> - New > >> > >> doc/uImage.FIT/signature.txt | 14 ++ > >> 1 file changed, 14 insertions(+) > >> > > > > Reviewed-by: Simon Glass > > > > But I think we need a new mkimage option to set the required-mode > > Is it okay if I do mkimage option change as part of a different patch/ > patch series? > That's fine with me. Regards, SImon
Re: [PATCH v2 3/3] doc: verified-boot: add required-mode information
On 7/28/2020 11:58 AM, Simon Glass wrote: > Hi Thirupathaiah, > > On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy > wrote: >> >> Signed-off-by: Thirupathaiah Annapureddy >> --- >> >> Changes in v2: >> - New >> >> doc/uImage.FIT/signature.txt | 14 ++ >> 1 file changed, 14 insertions(+) >> > > Reviewed-by: Simon Glass > > But I think we need a new mkimage option to set the required-mode Is it okay if I do mkimage option change as part of a different patch/ patch series? > > >> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt >> index d4afd755e9..a3455889ed 100644 >> --- a/doc/uImage.FIT/signature.txt >> +++ b/doc/uImage.FIT/signature.txt >> @@ -386,6 +386,20 @@ that might be used by the target needs to be signed >> with 'required' keys. >> >> This happens automatically as part of a bootm command when FITs are used. >> >> +For Signed Configurations, the default verification behavior can be changed >> by >> +the following optional property in /signature node in U-Boot's control FDT. >> + >> +- required-mode: Valid values are "any" to allow verified boot to succeed if >> +the selected configuration is signed by any of the 'required' keys, and >> "all" >> +to allow verified boot to succeed if the selected configuration is signed by >> +all of the 'required' keys. >> + >> +This property can be added to a binary device tree using fdtput as shown in >> +below examples:: >> + >> + fdtput -t s control.dtb /signature required-mode any >> + fdtput -t s control.dtb /signature required-mode all >> + >> >> Enabling FIT Verification >> - >> -- >> 2.25.2 >>
Re: [PATCH v2 3/3] doc: verified-boot: add required-mode information
Hi Thirupathaiah, On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy wrote: > > Signed-off-by: Thirupathaiah Annapureddy > --- > > Changes in v2: > - New > > doc/uImage.FIT/signature.txt | 14 ++ > 1 file changed, 14 insertions(+) > Reviewed-by: Simon Glass But I think we need a new mkimage option to set the required-mode > diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt > index d4afd755e9..a3455889ed 100644 > --- a/doc/uImage.FIT/signature.txt > +++ b/doc/uImage.FIT/signature.txt > @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with > 'required' keys. > > This happens automatically as part of a bootm command when FITs are used. > > +For Signed Configurations, the default verification behavior can be changed > by > +the following optional property in /signature node in U-Boot's control FDT. > + > +- required-mode: Valid values are "any" to allow verified boot to succeed if > +the selected configuration is signed by any of the 'required' keys, and "all" > +to allow verified boot to succeed if the selected configuration is signed by > +all of the 'required' keys. > + > +This property can be added to a binary device tree using fdtput as shown in > +below examples:: > + > + fdtput -t s control.dtb /signature required-mode any > + fdtput -t s control.dtb /signature required-mode all > + > > Enabling FIT Verification > - > -- > 2.25.2 >
[PATCH v2 3/3] doc: verified-boot: add required-mode information
Signed-off-by: Thirupathaiah Annapureddy --- Changes in v2: - New doc/uImage.FIT/signature.txt | 14 ++ 1 file changed, 14 insertions(+) diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index d4afd755e9..a3455889ed 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys. This happens automatically as part of a bootm command when FITs are used. +For Signed Configurations, the default verification behavior can be changed by +the following optional property in /signature node in U-Boot's control FDT. + +- required-mode: Valid values are "any" to allow verified boot to succeed if +the selected configuration is signed by any of the 'required' keys, and "all" +to allow verified boot to succeed if the selected configuration is signed by +all of the 'required' keys. + +This property can be added to a binary device tree using fdtput as shown in +below examples:: + + fdtput -t s control.dtb /signature required-mode any + fdtput -t s control.dtb /signature required-mode all + Enabling FIT Verification - -- 2.25.2