On Mon, May 2, 2016 at 7:06 AM, Simon Glass <[email protected]> wrote: > Hi Teddy, > > On 29 April 2016 at 18:44, Teddy Reed <[email protected]> wrote: >> On Fri, Apr 29, 2016 at 4:09 PM, Simon Glass <[email protected]> wrote: >>> Hi Teddy, >>> >>> On 25 April 2016 at 10:25, Teddy Reed <[email protected]> wrote: >>>> Hi all, >>>> >>>> I'm curious if anyone has a script (or if I've missed something within >>>> the verified-boot documentation) to compile a DTB given only public >>>> keying information, i.e., a x509 certificate. >>>> >>>> I have build/test bots that need to build a u-boot with an >>>> extra/embedded DTB containing a signing public key. I do not want the >>>> private key on those hosts and the only way I've found to build the >>>> documented/required nodes in /signature/key-KEYNAME/ >>>> ('rsa,r-squared','rsa,modulus', 'rsa,n0-inverse' and 'rsa-num-bits') >>>> is by using mkimage on a FIT with the -K switch. That requires a >>>> private key to do the actual signing. >>>> >>>> I'm happy to write something, just want to ask first! >>> >>> Not on my side, sorry. Would be useful. >>> >> >> Ok! >> >> I can't make any promises of completeness, but I quickly hacked >> together https://github.com/theopolis/fit-certificate-store, to do >> this. >> I'll iterate on it over the next few weeks, and I'm more than happy to >> take bugs/criticism via Github PRs. > > Looks good. At some point will you do a U-Boot patch?
Could we define a new environment variable, maybe DTB_KEYS_DIR, or build option, that could point to the directory of public keys. Then the U-Boot/SPL build could synthesize the EXT_DTB inline. :) > > Regards, > Simon -- Teddy Reed V _______________________________________________ U-Boot mailing list [email protected] http://lists.denx.de/mailman/listinfo/u-boot
