Yes, I don't see this tool in master branch.
May be I will take code and build this tool.
Do you have a plan for sharing it in repo?
-----Original Message-----
From: Rasmus Villemoes <rasmus.villem...@prevas.dk>
Sent: Monday, August 2, 2021 12:37 PM
To: Roman Kopytin <roman.kopy...@kaspersky.com>; Simon Glass <s...@chromium.org>
Cc: Thomas Perrot <thomas.per...@bootlin.com>; Michael Nazzareno Trimarchi
<mich...@amarulasolutions.com>; U-Boot-Denx <u-boot@lists.denx.de>; Alex
Kiernan <alex.kier...@gmail.com>
Subject: Re: U-boot
Caution: This is an external email. Be cautious while opening links or
attachments.
On 02/08/2021 11.25, Roman Kopytin wrote:
> Thanks a lot!
> Yes, looks like using of the 'fdtput' is not very safety for me.
> As I understood I need to use "fdt_add_pubkey" tool with CMD (example):
> ./ fdt_add_pubkey -a rsa2048 -k <keydir> -n <keyname> -r <conf|image>
> my_file.dtb
>
> -r <conf|image> is the same as for mkimage? As I remember we can use -r w/o
> any values in mkimage.
Yes, that's very close to what our Yocto recipe currently does:
for b in ${KERNEL_PUBLIC_KEYS} ; do
fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n
"$b" \
-r conf $dtb
done
I doubt that old patch applies nowadays, I've only forward-ported it to
2020.04 internally.
As to Simon's old question of whether it could be done in mkimage with a new
flag: I'd really prefer not to, mkimage is already an incoherent collection of
tools that do very different things with different flags.
Having a flag that says "create and sign this FIT image, and as a side effect
update $this dtb $overhere with the corresponding public key mangled
appropriately, oh, and btw, _only_ do that side effect" is a non-starter.
Rasmus
