Hi,

On Fri, 2017-02-17 at 13:55 -0800, Rick Altherr wrote:
> How would you verify that the public key hasn't been tampered with?
>
> On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda <electron...@cojali.com>
> wrote:
>
> >
> > Good morning,
> >
> > I am working with FIT image in U-Boot 2013.07. I have configured the image
> > verification with signed image and kernel boots fine so, I would like to
> > know if I can store my public key in an external device (like crypto-memory
> > or an i2c device) because I am storing the key in DBT with the
> > CONFIG_OF_CONTROL configuration.

IMHO it is perfectly fine to store the public key in the u-boot.dtb for most needs (especially for using it with fit-images). Do you have a specific reason for wanting to store it elsewhere?

> > The aim of this is that U-Boot should check the i2c address of my
> > external device, read the public key and verify the signed image later.
> > I work with am335x board and Kernel 3.14.

As Rick suggests, you should verify your public key with a checksum which is somehow protected from being tampered with. In most cases there is some OTP fuse register that can do the job.

best regards
Markus
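
The check suggested in the reply above, as an added example that is not part of the original mail and is not U-Boot code: a key blob read from untrusted external storage is accepted only if its SHA-256 digest matches a digest pinned in OTP fuses. The storage layout (2-byte big-endian length prefix), the 8-word fuse bank, the blank-fuse patterns and all names are assumptions; Python is used here only to model the logic.

```python
import hashlib
import hmac
import struct

FUSE_WORDS = 8       # assumption: 8 x 32-bit OTP words hold one SHA-256 digest
MAX_KEY_LEN = 1024   # assumption: upper bound for an encoded public key


class KeyRejected(Exception):
    """Raised when the externally stored key must not be trusted."""


def digest_to_fuse_words(digest):
    """Provisioning side: split a SHA-256 digest into big-endian 32-bit words."""
    return list(struct.unpack(">8I", digest))


def load_trusted_key(eeprom, fuse_words):
    """Return the key blob only if its SHA-256 matches the digest pinned in OTP."""
    if len(fuse_words) != FUSE_WORDS:
        raise KeyRejected("unexpected fuse bank size")
    # Fail closed on blank fuses (assumed to read as all zeros or all ones),
    # otherwise an unprovisioned board would have no usable trust anchor.
    if all(w == 0 for w in fuse_words) or all(w == 0xFFFFFFFF for w in fuse_words):
        raise KeyRejected("OTP digest not programmed")
    if len(eeprom) < 2:
        raise KeyRejected("truncated header")
    (key_len,) = struct.unpack(">H", eeprom[:2])
    # The length field is attacker-controlled too: bound it before slicing.
    if key_len == 0 or key_len > MAX_KEY_LEN or len(eeprom) < 2 + key_len:
        raise KeyRejected("bad key length")
    key = eeprom[2:2 + key_len]
    pinned = struct.pack(">8I", *fuse_words)
    if not hmac.compare_digest(hashlib.sha256(key).digest(), pinned):
        raise KeyRejected("key digest does not match OTP")
    return key  # only now may the key be used to verify the signed FIT image


# Constructed sample data: a fake key blob, not a real public key.
SAMPLE_KEY = bytes(range(256)) + b"constructed-sample-public-key"
SAMPLE_EEPROM = struct.pack(">H", len(SAMPLE_KEY)) + SAMPLE_KEY + b"\xff" * 16
SAMPLE_FUSES = digest_to_fuse_words(hashlib.sha256(SAMPLE_KEY).digest())

if __name__ == "__main__":
    print(len(load_trusted_key(SAMPLE_EEPROM, SAMPLE_FUSES)), "byte key accepted")
```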