I'm having trouble getting verified boot working in SPL on an am3358-based platform.

The problem I hit is when fit_image_verify_with_data() calls fit_image_verify_required_sigs(). The 5th argument (sig_blob) is gd_fdt_blob() which resolves to NULL. This argument should be the FDT containing the public keys.

I assume this happens because SPL_OF_CONTROL isn't enabled. As far as I can tell, SPL_OF_CONTROL isn't working on am33xx boards; enabling it causes SPL to loop infinitely in i2c init (tried on my custom hardware as well as Beaglebone Black).

So the public key needs to be found elsewhere. I can keep a separate FDT with the public key stored in a read-only location. My question is what is the 'right' way to load it? Is there an interface for populating gd_fdt_blob() with my own FDT (without SPL_OF_CONTROL enabled)? Or should I modify fit_image_verify_with_data() to get the FDT from elsewhere (and probably other similar calls as well)?

-Doug