On 24/01/2022 18.57, Simon Glass wrote:

>> And the thing about "adding the signature" - yes, indeed, _signing_ can
>> and should be done after building. But that is not at all what this
>> started with, this is about embedding the metadata that U-Boot (or SPL)
>> will need for _verifying_ during the build itself - when the private key
>> may not even be available. Again, I think that it's a fundamental design
>> bug that generating and adding that metadata in the form needed by
>> U-Boot can only be done as a side effect of signing some unrelated image.
>
> It is a side effect of signing *the same* image, i.e. the image that
> holds the signature and the public key. There is only one image, the
> firmware image produced by binman.

Huh? Are we talking about the same thing? What you write makes no sense at all.

Rasmus