Hello everyone,

After studying the verified boot feature I have some questions.

If my understanding is correct, the procedure should be the following:

1) Generate private keys and certificate
2) Generate a U-Boot and a dts file to describe the key
3) Generate a kernel/dtb/ramdisk and an its file to describe the FIT image (files + conf + signatures)
4) Signature of the FIT image and creation of a U-Boot dtb file containing the public key
5) Insertion of the U-Boot dtb file in the U-Boot binary

Am I correct so far?

My question is: why is step 4 not divided into two steps? I don't understand why the public key generation needs the FIT image as input. This creates a link between U-Boot and the kernel, and I don't see how I can flash a new kernel without re-flashing a linked U-Boot. The thing is, I don't want to update U-Boot as often as the kernel.

Sorry if this is a stupid question.

Thanks!

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
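The steps listed in the message above, written out as a shell sketch. This is an added example, not part of the original post or of the U-Boot tree; the key name `dev`, the file names (`zImage`, `board.dtb`, `u-boot.dts`, `image.its`, `image.fit`) and the load addresses are assumptions.

```shell
#!/bin/sh
# Added example. Key name "dev", file names and load addresses are assumptions.
gen_its() {  # step 3: emit the FIT source; $1 = key-name-hint
    cat <<EOF
/dts-v1/;
/ {
    description = "kernel + fdt, signed configuration (constructed)";
    #address-cells = <1>;
    images {
        kernel-1 {
            data = /incbin/("zImage");
            type = "kernel"; arch = "arm"; os = "linux";
            compression = "none";
            load = <0x80008000>; entry = <0x80008000>;
            hash-1 { algo = "sha256"; };
        };
        fdt-1 {
            data = /incbin/("board.dtb");
            type = "flat_dt"; arch = "arm"; compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "$1";
                sign-images = "fdt", "kernel";
            };
        };
    };
};
EOF
}
sign_fit() {  # steps 1, 2 and 4; needs openssl, dtc, mkimage, zImage, board.dtb, u-boot.dts
    mkdir -p keys
    [ -f keys/dev.key ] || openssl genpkey -algorithm RSA -out keys/dev.key \
        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
    [ -f keys/dev.crt ] || openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
    dtc -p 0x1000 u-boot.dts -O dtb -o u-boot.dtb   # control dtb, padded for the key node
    gen_its dev > image.its
    # -k key directory, -K dtb that receives the public key, -r mark the key as required
    mkimage -f image.its -k keys -K u-boot.dtb -r image.fit
}

if [ "${1:-}" = "sign" ]; then sign_fit; fi
```

Run with the argument `sign` to execute the key generation and signing; step 5 (building U-Boot with the resulting `u-boot.dtb`) depends on the board's build and is not shown.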