Traditionally we included public keys in the form of dts snippets generated by U-Boot mkImage and compiled into the barebox device trees. We can now include public keys directly as C structs from the public key PEM files or PKCS#11 URIs, which is easier to integrate. Nevertheless, the dts snippet way is still present, which makes the configuration slightly confusing. Remove this old way for good to make configuration easier and to get rid of some maintenance burden.

Another point tackled in this series is that we can compile multiple keys into the binary, but the user is left without a clue which key is finally used. This series adds a sha256 hash over the public keys to struct public_key which can be printed along with the key to identify it.

Finally Pengutronix created a set of well-known development keys for convenient testing of secure boot chains. This series adds a new option to compile the public key parts into the barebox binary with a single knob. With this, images signed with these keys can easily be tested without the need of a BSP or adding the paths to the keys into Kconfig.

Finally the output of the FIT image code is improved. It has become very verbose when used with FIT images containing multiple device tree overlays. The information is now hidden behind the verbose option which can be activated with bootm -v or global.bootm.verbose=1.

Signed-off-by: Sascha Hauer <[email protected]>
---
Sascha Hauer (6):
      crypto: drop BOOTM_FITIMAGE_PUBKEY
      crypto: Allow to include development keys in build
      crypto: include public key hashes
      commands: add keys command
      fit: consistently pass around fit_handle
      fit: improve diagnostics

 Documentation/user/security.rst | 5 ++
 arch/arm/dts/imx6dl-phytec-pbab01.dts | 3 --
 arch/arm/dts/imx6dl-phytec-phyboard-subra.dts | 3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts | 3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts | 3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts | 3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts | 3 --
 arch/arm/dts/imx6q-phytec-pbab01.dts | 3 --
 arch/arm/dts/imx6q-phytec-phyboard-alcor.dts | 3 --
 arch/arm/dts/imx6q-phytec-phyboard-subra.dts | 3 --
 arch/arm/dts/imx6q-phytec-phycard.dts | 4 --
 arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts | 3 --
 arch/arm/dts/imx6q-phytec-phycore-som-nand.dts | 3 --
 arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts | 3 --
 arch/arm/dts/imx6s-phytec-pbab01.dts | 3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts | 3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts | 3 --
 arch/arm/dts/imx6ul-tqma6ul-common.dtsi | 4 --
 arch/arm/dts/imx6ul-webasto-ccbv2.dts | 4 --
 arch/arm/dts/imx6ul-webasto-marvel.dts | 4 --
 arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts | 3 --
 .../arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts | 3 --
 arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts | 3 --
 arch/arm/dts/stm32mp133c-mect1s.dts | 4 --
 arch/arm/dts/stm32mp133c-prihmb.dts | 4 --
 arch/arm/dts/stm32mp151c-plyaqm.dts | 4 --
 commands/Kconfig | 7 +++
 commands/Makefile | 1 +
 commands/keys.c | 30 +++++++++++
 common/Kconfig | 32 ------------
 common/boards/qemu-virt/fitimage-pubkey.dts | 4 --
 common/image-fit.c | 40 ++++++++++-----
 crypto/Kconfig | 7 +--
 crypto/Makefile | 9 ++++
 crypto/fit-4096-development.crt | 33 ++++++++++++
 crypto/fit-ecdsa-development.crt | 13 +++++
 crypto/public-keys.c | 6 ++-
 include/crypto/public_key.h | 2 +
 scripts/Makefile.lib | 12 -----
 scripts/keytoc.c | 59 ++++++++++++++++++++++
 40 files changed, 194 insertions(+), 148 deletions(-)
---
base-commit: 525ccfb5ac381c06898e6403e12ec8c34c42c0f8
change-id: 20250821-keynames-95b43a99e8c5

Best regards,
-- 
Sascha Hauer <[email protected]>
