[...]
> > > If we implement secure boot according to the UEFI specification, one option
> > > would be to package the device tree as a UEFI driver image and let the
> > > stub install it as a configuration table. The unload callback could be
> > > used to remove the device tree.
> > >
> > > > Sure but this is not in scope for the current patchset is it?
> > Exactly.
> > > Similarly you can just include the DTB in U-Boot and naturally have it
> > > verified.
> >
> > I am not arguing that DTB verification is needed. We absolutely agree on
> > that.
> > All I am saying is that the extra functionality can be added in the future,
> > since we already have a valid way of providing it with the current patchset.
>
> BTW, Ilias,
> where should such a discussion about dtb verification be held,
> Boot-arch ML, Linaro Connect, ELC or whatever else conference?
> Otherwise just leave the decision in distributors' hands?

We did send some e-mails on boot-arch ML in the past [1].
The subject is quite controversial since there are a lot of opinions on this.
I think Linaro is working on a device tree evolution project at the moment
with one of the subjects being device tree verification.
We can certainly discuss more during Linaro Connect.

[1] https://lists.linaro.org/pipermail/boot-architecture/2019-June/001053.html

Thanks
/Ilias

>
> Thanks,
> -Takahiro Akashi
>
> > Regards
> > /Ilias
> >
> > > Best regards
> > >
> > > Heinrich