Hi, On Tue, 9 Nov 2021 at 02:17, Jan Kiszka <jan.kis...@siemens.com> wrote: > > On 08.11.21 16:28, Roman Kopytin wrote: > > In order to reduce the coupling between building the kernel and > > U-Boot, I'd like a tool that can add a public key to U-Boot's dtb > > without simultaneously signing a FIT image. That tool doesn't seem to > > exist, so I stole the necessary pieces from mkimage et al and put it > > in a single .c file. > > > > I'm still working on the details of my proposed "require just k out > > these n required keys" and how it should be implemented, but it will > > probably involve teaching this tool a bunch of new options. These > > patches are not necessarily ready for inclusion (unless someone else > > finds fdt_add_pubkey useful as is), but I thought I might as well send > > it out for early comments. > > I'd also like to see the usage of this hooked into the build process. > > And to my understanding of [1], that approach will provide a feature > that permits hooking with the build but would expect the key as dtsi > fragment. Can we consolidate the approaches? > > My current vision of a user interface would be a Kconfig option that > takes a list of key files to be injected. Maybe make that three lists, > one for "required=image", one for "required=conf", and one for optional > keys (if that has a use case in practice, no idea).
Also please take a look at binman which is designed to handle create (or later updating from Yocto) the devicetree or firmware image. Regards, Simon > > Jan > > [1] > https://lore.kernel.org/u-boot/20210928085651.619892-1-rasmus.villem...@prevas.dk/ > > -- > Siemens AG, T RDA IOT > Corporate Competence Center Embedded Linux
