Hi Diego,

> Hi,
>
> I would like to ask if it is possible to source a script after
> verifying its signature.
>
> Currently I've been able to source a script from a signed FIT image,
> before doing "bootm", with:
> source <addr>:<name>
> But this way the signature is not checked yet, so the script cannot
> be trusted.
>
> According to the docs[1] it seems that it's not possible yet to verify
> a FIT image signature without also booting the corresponding image. Is
> that right?

You can look into the "spl" command, which does the FIT parsing (to
prepare data for falcon mode booting).

You may want to re-use such a "dry-run" feature to verify the signature,
extract the script and use it.

(And yes, I don't think that checking the signature for a script works
out of the box).

>
>
> [1]
> https://gitlab.denx.de/u-boot/u-boot/blob/v2019.10/doc/uImage.FIT/signature.txt#L580
>
> Thank you,
> Diego Rondini

Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lu...@denx.de