Hi Lukasz, On Thu, Dec 5, 2019 at 11:14 PM Lukasz Majewski <lu...@denx.de> wrote: > > Hi Diego, > > > Hi, > > > > I would like to ask if it is possible to source a script after > > verifying its signature. > > > > Currently I've been able to source a script from a signed FIT image, > > before doing "bootm", with: > > source <addr>:<name> > > But this way the signature is not checked yet, so the script cannot > > be trusted. > > > > According to the docs[1] it seems that it's not possible yet to verify > > a FIT image signature without also booting the corresponding image. Is > > that right? > > You can look into the "spl" command, which does the FIT parsing (to > prepare data for falcon mode booting). > > You may want to re-use such "dry-run" feature to verify the signature, > extract the script and use it. > > (And yes, I don't think that checking the signature for script works > out of the box). >
I will have a look at your suggestion and report back the outcome! Thanks again, Diego Rondini