Hi Ivan, On Thu, 27 Jan 2022 at 03:00, Ivan Mikhaylov <[email protected]> wrote: > > On Tue, 2021-12-28 at 01:34 -0700, Simon Glass wrote: > > Hi Ivan, > > > > On Fri, 24 Dec 2021 at 11:23, Ivan Mikhaylov <[email protected]> > > wrote: > > > > > > Introduce prototype for binman's new option which provides sign > > > and replace sections in binary images. > > > > > > Usage as example: > > > > > > from: > > > mkimage -G privateky -r -o sha256,rsa4096 -F [email protected] > > > binman replace -i flash.bin -f [email protected] fit@0x280000 > > > > > > to: > > > binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f > > > [email protected] fit@0x280000 > > > > > > Signed-off-by: Ivan Mikhaylov <[email protected]> > > > --- > > > tools/binman/cmdline.py | 13 +++++++++++++ > > > tools/binman/control.py | 27 ++++++++++++++++++++++++++- > > > 2 files changed, 39 insertions(+), 1 deletion(-) > > > > This looks good. Just need a test and docs update (also check 'binman > > test -T' for 100% code coverage). > > Simon, I've tried to figure out with test and stumble a little bit with > verification step. How to verify that mkimage sign fit image with > existing key, is there any option or any toolkits? I didn't find any > suitable option in mkimage either, is it good idea to add key > verification inside mkimage? Other way is to have blobs with predefined > keys inside test directory in binman which I think is not so good.
We already have test_vboot.py which runs U-Boot (and also fit_check_sign) to verify the signature. Can you use that? Regards, Simon
