Hi Thirupathaiah,

On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy <thir...@linux.microsoft.com> wrote:
>
> Signed-off-by: Thirupathaiah Annapureddy <thir...@linux.microsoft.com>
> ---
>
> Changes in v2:
> - New
>
> doc/uImage.FIT/signature.txt | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
Reviewed-by: Simon Glass <s...@chromium.org> But I think we need a new mkimage option to set the required-mode > diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt > index d4afd755e9..a3455889ed 100644 > --- a/doc/uImage.FIT/signature.txt > +++ b/doc/uImage.FIT/signature.txt > @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with > 'required' keys. > > This happens automatically as part of a bootm command when FITs are used. > > +For Signed Configurations, the default verification behavior can be changed > by > +the following optional property in /signature node in U-Boot's control FDT. > + > +- required-mode: Valid values are "any" to allow verified boot to succeed if > +the selected configuration is signed by any of the 'required' keys, and "all" > +to allow verified boot to succeed if the selected configuration is signed by > +all of the 'required' keys. > + > +This property can be added to a binary device tree using fdtput as shown in > +below examples:: > + > + fdtput -t s control.dtb /signature required-mode any > + fdtput -t s control.dtb /signature required-mode all > + > > Enabling FIT Verification > ------------------------- > -- > 2.25.2 >
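Review bot: the added required-mode paragraph says the "default verification behavior can be changed" but never states what that default is when the property is absent, nor what happens when the property holds a value other than "any" or "all". Because this property decides whether one 'required' key or every 'required' key must have signed the selected configuration, the text should name the default explicitly and document how an unrecognized value is handled, so that a typo in the control FDT cannot be read as a weaker policy than intended. It would also help to note that the property sits in U-Boot's control FDT, so the fdtput commands shown must be run on the control.dtb before it is built into the bootloader image. Minor wording: "as shown in below examples::" reads better as "as shown in the examples below::".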