Hi Roman, On Sat, 2021-07-31 at 03:34 +0000, Roman Kopytin wrote: > Thanks, Michael. > Can we sign in the separate state on special server for example?
Yes, it possible, there is a step to build and another one to sign,
that can be separated.
For example, the following command, that build and sign the itb:
# build and sign
mkimage -D "-I dts -O dtb -p 4096" -f ./foo.its -k ./keys -K ./u-
boot.dtb -r ./foo.itb
Can be spitted in two:
# build
uboot-mkimage \
-D "-I dts -O dtb -p 4096" \
-f ./foo.its \
./foo.itb
# sign
uboot-mkimage \
-D "-I dts -O dtb -p 4096" -F
-k ./keys \
-K ./u-boot.dtb \
-r \
./foo.itb
Then the u-boot*.dtb should contains the pubkey node(s) in the
signature node and it can be shared and concatenated to the U-Boot
binary:
make EXT_DTB="./u-boot.dtb"
> Looks like we can work with public key only in this step.
The dtb containing the public key(s) is useful to verify the signature
at the target boot, or with the tool fit_check_sign to perform an
offload checking, for example:
fit_check_sign -f ./foo.itb -k ./u-boot.dtb
Best regards,
Thomas Perrot
>
> From: Michael Nazzareno Trimarchi <mich...@amarulasolutions.com>
> Sent: Friday, July 30, 2021 8:50 PM
> To: Roman Kopytin <roman.kopy...@kaspersky.com>
> Cc: U-Boot-Denx <u-boot@lists.denx.de>; Simon Glass <s...@chromium.org>
> Subject: Re: U-boot
>
> Caution: This is an external email. Be cautious while opening links or
> attachments.
>
>
> Hi Román
>
>
> On Fri, Jul 30, 2021, 7:44 PM Roman Kopytin <
> roman.kopy...@kaspersky.com<mailto:roman.kopy...@kaspersky.com>> wrote:
> Hello, dear U-boot team
>
> I have question about your old feature: U-boot patch for adding of the
> public key to dtb file.
>
> https://patchwork.ozlabs.org/project/uboot/patch/1363650725-30459-37-git-send-email-sjg%40chromium.org/
>
> I can’t understand, can we work only with public key? Why do we need to
> have private key for adding step?
> In documentation it is not very clear for me.
>
> You need to sign with private key and keep it secret and local and
> verify it during booting with public key. Private key is not
> distributed with the image
>
> Michael
>
>
> Thanks a lot.
>
--
Thomas Perrot, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
signature.asc
Description: This is a digitally signed message part
