On 2/17/21 5:03 PM, Tom Rini wrote:
On Thu, Jan 28, 2021 at 09:52:48AM -0600, Alexandru Gagniuc wrote:
Add a test to make sure that the ECDSA signatures generated by
mkimage can be verified successfully. pyCryptodomex was chosen as the
crypto library because it integrates much better with python code.
Using openssl would have been unnecessarily painful.
Signed-off-by: Alexandru Gagniuc <mr.nuke...@gmail.com>
Reviewed-by: Simon Glass <s...@chromium.org>
So, to run this test I've done a "pip install -r
test/py/requirements.txt" to make sure I have everything now needed
installed. When I run this test (building in /tmp):
+/tmp/.bm-work/sandbox/tools/mkimage -F /tmp/.bm-work/sandbox/test.fit
-k/tmp/.bm-work/sandbox/ecdsa-test-key.pem
Can not get key file '/tmp/.bm-work/sandbox/ecdsa-test-key.pem/dev.pem'
Can not get key file '/tmp/.bm-work/sandbox/ecdsa-test-key.pem/dev.pem'
Failed to sign 'signature' signature node in 'kernel' image node: -2
Failed to sign 'signature' signature node in 'fdt-1' image node: -2
FIT description: Chrome OS kernel image with one or more FDT blobs
...
+fdtget -tbi /tmp/.bm-work/sandbox/test.fit /images/kernel/signature value
Error at 'value': FDT_ERR_NOTFOUND
Which I think means that since we have a key-name-hint of "dev" it's
taking the -k argument as a keydir and that's where it goes wrong.
Did this happen with this series alone?
I realize now that also applying "mkimage: Add a 'keyfile' argument for
image signing" would cause this. I should have (but forgot to) updated
the test in that series. I'll update the other series if you want to
pull them in together.
Alex