Hi Jan,

On Mon, 6 Feb 2023 at 22:47, Jan Kiszka <jan.kis...@siemens.com> wrote:
>
> On 07.02.23 05:02, Simon Glass wrote:
> > Hi Jan,
> >
> > On Mon, 6 Feb 2023 at 03:42, Jan Kiszka <jan.kis...@siemens.com> wrote:
> >>
> >> On 04.02.23 23:23, Simon Glass wrote:
> >>> Hi Jan,
> >>>
> >>> On Fri, 3 Feb 2023 at 23:35, Jan Kiszka <jan.kis...@siemens.com> wrote:
> >>>>
> >>>> On 04.02.23 01:20, Simon Glass wrote:
> >>>>> Hi Jan,
> >>>>>
> >>>>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka <jan.kis...@siemens.com> wrote:
> >>>>>>
> >>>>>> From: Jan Kiszka <jan.kis...@siemens.com>
> >>>>>>
> >>>>>> Allows to create a public key device tree dtsi for inclusion into U-Boot
> >>>>>> SPL and proper during first build already. This can be achieved via
> >>>>>> CONFIG_DEVICE_TREE_INCLUDES.
> >>>>>>
> >>>>>> Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>
> >>>>>> ---
> >>>>>> tools/key2dtsi.py | 64 +++++++++++++++++++++++++++++++++++++++++++++++
> >>>>>> 1 file changed, 64 insertions(+)
> >>>>>> create mode 100755 tools/key2dtsi.py
> >>>>>
> >>>>> Please can you build this into Binman instead? We really don't want
> >>>>> any more of these scripts. Perhaps you can add a new entry type?
> >>>>>
> >>>>
> >>>> I don't think you are requesting something that makes any sense:
> >>>>
> >>>> "Binman creates and manipulate *images* for a board from a set of
> >>>> binaries"
> >>>
> >>> I mean that Binman can include a public key in the DT, if that is what
> >>> you are wanting. We don't want to add scripts for creating images and
> >>> pieces of images.
> >>>
> >>> Perhaps I just don't understand the goal here. How would your script be used?
> >>>
> >>
> >> We feed the generated dtsi into the U-Boot build, using
> >> CONFIG_DEVICE_TREE_INCLUDES. This ensures that will be signed along with
> >> the built artifacts. Have a look at patch 9 for the steps, specifically
> >> the doc update bits. Full bitbake (Isar) integration is available under
> >> [1], specifically [2] in combination with [3].
> >>
> >
> > OK, so is Binman run in this case?
> >
>
> It's run at the end of the build, to assemble the unsigned flash.bin.
> And it should have been used also for signing that image (patch 8, see
> the other discussion).

OK, so how can we get this signing thing into Binman? Does it need a new entry type? Is there something I can help with there? The input looks like it should be the key.pem file.

Regards,
Simon

>
> Jan
>
> >> Jan
> >>
> >> [1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
> >> [2] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
> >> [3] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg
> >>
> >> --
> >> Siemens AG, Technology
> >> Competence Center Embedded Linux
> >>
> >
> > Regards,
> > Simon
>
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
>