On Wed, Dec 11, 2019 at 11:13:28AM +0100, Heinrich Schuchardt wrote:
> On 12/11/19 9:54 AM, Cristian Ciocaltea wrote:
> > 1. Create a public/private key pair
> > $ openssl genpkey -algorithm RSA -out ${DEV_KEY} \
> >     -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> >
> > 2. Create a certificate containing the public key
> > $ openssl req -batch -new -x509 -key ${DEV_KEY} -out ${DEV_CRT}
> >
> > 3. Dump QEMU virt board DTB
> > $ qemu-system-arm -nographic -M virt,dumpdtb=${BOARD_DTB} \
> >     -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin [...]
> >
> > 4. Create (unsigned) FIT image and put the public key into DTB, with
> > the 'required' property set, telling U-Boot that this key MUST be
> > verified for the image to be valid
> > $ mkimage -f ${FIT_ITS} -K ${BOARD_DTB} -k ${KEYS_DIR} -r ${FIT_IMG}
> >
> > 5. Sign the FIT image
> > $ fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB}
>
> Thanks for the description.
>
> tools/fit_check_sign does not change any file. The signature is added in
> step 4.

You are right, I've taken the commands from a script I use to automate the
whole procedure and I've just missed the verification step.

> What seems to be missing in the U-Boot build system is the capability to
> specify a public key in the configuration file to automatically include
> the public key in the generated dtbs similar to Linux's
> CONFIG_SYSTEM_TRUSTED_KEYS.

That would be a nice addition. Currently it is only possible to pass the
'EXT_DTB' parameter to 'make' in order to provide the path to an external
DTB file to be put in the U-Boot image.

> Best regards
>
> Heinrich
>
> > 6. Run QEMU supplying the DTB containing the public key and the
> > u-boot binary built with CONFIG_OF_BOARD
> > $ qemu-system-arm -nographic \
> >     -M virt -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin \
> >     -dtb ${BOARD_DTB} [...]
>
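The six steps above, assembled into one script so that the ordering Heinrich points out is explicit: mkimage both signs the FIT and writes the public key (marked required) into the board DTB in step 4, and fit_check_sign in step 5 only verifies. This is an added example, not a script from the thread or from the U-Boot tree. The key name "dev", the file paths, the kernel load/entry address 0x40080000 and the ITS layout are assumptions; what is not assumed is that mkimage resolves `key-name-hint` to `${KEYS_DIR}/<hint>.key` and `<hint>.crt`, which is why the script checks that the key files and the hint agree before signing.

```shell
#!/bin/sh
# Added example (not from the thread): end-to-end FIT signing for the QEMU
# virt board. Key name, paths and load address are assumptions.
set -eu

KEYS_DIR=${KEYS_DIR:-./keys}
KEY_NAME=${KEY_NAME:-dev}            # must equal key-name-hint in the ITS
DEV_KEY="${KEYS_DIR}/${KEY_NAME}.key"
DEV_CRT="${KEYS_DIR}/${KEY_NAME}.crt"
BOARD_DTB=${BOARD_DTB:-./virt.dtb}
FIT_ITS=${FIT_ITS:-./kernel.its}
FIT_IMG=${FIT_IMG:-./kernel.itb}
KERNEL=${KERNEL:-./zImage}

# Emit an image tree source with one kernel image whose configuration is
# signed with sha256,rsa2048. The hint selects the key pair in KEYS_DIR.
make_its() {
    kernel_path=$1
    key_hint=$2
    cat <<EOF
/dts-v1/;
/ {
    description = "Signed kernel for QEMU virt (assumed layout)";
    #address-cells = <1>;
    images {
        kernel {
            description = "Linux kernel";
            data = /incbin/("${kernel_path}");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0x40080000>;
            entry = <0x40080000>;
            hash-1 { algo = "sha256"; };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            description = "Boot Linux";
            kernel = "kernel";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "${key_hint}";
                sign-images = "kernel";
            };
        };
    };
};
EOF
}

# Succeed only if KEYS_DIR holds <hint>.key and <hint>.crt; otherwise mkimage
# cannot find the key named by key-name-hint and the image is not signed.
keys_match_hint() {
    dir=$1
    hint=$2
    [ -f "${dir}/${hint}.key" ] && [ -f "${dir}/${hint}.crt" ]
}

sign_and_verify() {
    mkdir -p "${KEYS_DIR}"
    # Steps 1 and 2: private key and certificate carrying the public key.
    [ -f "${DEV_KEY}" ] || openssl genpkey -algorithm RSA -out "${DEV_KEY}" \
        -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
    [ -f "${DEV_CRT}" ] || openssl req -batch -new -x509 -key "${DEV_KEY}" \
        -out "${DEV_CRT}"
    keys_match_hint "${KEYS_DIR}" "${KEY_NAME}"
    # Step 3: dump the board DTB that will receive the public key.
    [ -f "${BOARD_DTB}" ] || qemu-system-arm -nographic \
        -M virt,dumpdtb="${BOARD_DTB}" -cpu cortex-a15 -smp 1 -m 512 \
        -bios u-boot.bin
    # Step 4: sign the FIT (-k) and store the public key in the DTB (-K),
    # marking it required (-r) so unsigned configurations are rejected.
    make_its "${KERNEL}" "${KEY_NAME}" > "${FIT_ITS}"
    mkimage -f "${FIT_ITS}" -K "${BOARD_DTB}" -k "${KEYS_DIR}" -r "${FIT_IMG}"
    # Step 5: verification only; exits non-zero if the signature does not
    # check out against the key now embedded in the DTB.
    fit_check_sign -f "${FIT_IMG}" -k "${BOARD_DTB}"
}

if [ "${1:-}" = "run" ]; then
    sign_and_verify
fi
```

Invoke as `sh sign-fit.sh run` with the tool binaries on PATH; step 6 (booting QEMU with `-dtb ${BOARD_DTB}`) is unchanged from the thread and is left outside the script because it does not return.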