On 05.11.21 11:28, Rasmus Villemoes wrote:
> On 05/11/2021 11.16, Jan Kiszka wrote:
>> Hi all,
>>
>> in order to use CONFIG_FIT_SIGNATURE and also
>> CONFIG_SPL_FIT_SIGNATURE, a public key needs to be placed into the
>> control FDT. So far, I only found mkimage being able to do that during
>> FIT image signing. That is fairly unhandy and often incompatible with
>> how firmware is built & signed vs. how the lifecycle of the artifacts to
>> be loaded and verified looks like. Is there really no other way than
>> mkimage -K?
>>
>> I'm currently considering to derive a tool that, given a public key
>> (which is easy to hand around, compared to the private key needed for
>> signing), injects them into a FDT. Then I would hook that up as generic
>> feature for U-Boot builds, enriching all control FDTs already during the
>> first build with this when requested.
>>
>> Am I missing an even simpler approach?
>
> You're not missing an existing upstream simpler approach, but it's
> certainly an itch that others have had [1] [2]. My latest attempt
>
> https://lore.kernel.org/u-boot/20210928085651.619892-1-rasmus.villem...@prevas.dk/
>
> does now have an R-b by Simon, so now I'm just waiting for that to
> actually make it into master. I have the script(s) that will convert a
> public key to a .dtsi fragment, and I'm happy to share that.
>

Cool, that would be very welcome!

Jan

> Rasmus
>
> [1]
> https://lore.kernel.org/u-boot/CAO5Uq5TyTMacERo01weTEda-5X4Fx-VUoYFHa=mbyhw-rvm...@mail.gmail.com/
> [2]
> https://lore.kernel.org/u-boot/94d75c521aed46dbb54a8275be2f5...@kaspersky.com/
>

-- 
Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux
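
An added illustration, not part of the thread and not the script Rasmus mentions: a sketch of how an RSA public key can be turned into a `.dtsi` fragment carrying the `/signature` key node that U-Boot's FIT verification reads from the control FDT. It assumes the modulus and exponent were already extracted from the public key; the sample modulus, the key name `dev` and all function names are constructed for this example.

```python
# Added example: emit a U-Boot /signature key node (.dtsi) for an RSA public key.
import hashlib

# Constructed 2048-bit odd integer standing in for a modulus; not a usable key.
SAMPLE_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big") | 1

def cells(value, nwords):
    """Format an integer as nwords big-endian 32-bit cells."""
    words = [(value >> (32 * i)) & 0xFFFFFFFF for i in reversed(range(nwords))]
    return "<" + " ".join(f"0x{w:08x}" for w in words) + ">"

def rsa_props(n, e):
    """Precompute the values the verifier expects next to the raw modulus."""
    bits = n.bit_length()
    if bits % 32 or not n & 1 or e >> 64:
        raise ValueError("need an odd modulus of 32*k bits and a 64-bit exponent")
    return {
        "num_bits": bits,
        "n0_inverse": (-pow(n, -1, 1 << 32)) % (1 << 32),  # -1/n mod 2^32
        "r_squared": pow(1 << bits, 2, n),                 # (2^bits)^2 mod n
    }

def dtsi_fragment(n, e, name_hint, algo="sha256,rsa2048", required="conf"):
    """Return a .dtsi fragment to include from the board's control device tree."""
    p = rsa_props(n, e)
    nwords = p["num_bits"] // 32
    return f"""/ {{
    signature {{
        key-{name_hint} {{
            required = "{required}";
            algo = "{algo}";
            key-name-hint = "{name_hint}";
            rsa,num-bits = <{p['num_bits']}>;
            rsa,n0-inverse = <0x{p['n0_inverse']:08x}>;
            rsa,exponent = {cells(e, 2)};
            rsa,modulus = {cells(n, nwords)};
            rsa,r-squared = {cells(p['r_squared'], nwords)};
        }};
    }};
}};
"""

if __name__ == "__main__":
    print(dtsi_fragment(SAMPLE_N, 65537, "dev"))
```

Only public values appear in the fragment, so it can be generated at build time without access to the signing key.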