| Message ID | 20200421002333.111461-7-heiko@sntech.de |
|---|---|
| State | Accepted |
| Delegated to: | Kever Yang |
| Headers | show |
| Series | rockchip: make it possible to sign the u-boot.itb | expand |
On Mon, 20 Apr 2020 at 18:23, Heiko Stuebner <heiko@sntech.de> wrote: > > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > The u-boot.itb can be generated either from a static .its that can > simply include the needed signature nodes with key-hints or from a > fit-generator script referenced in CONFIG_SPL_FIT_GENERATOR. > > In the script-case it will need to know what key to include for the > key-hint and specified algorithm, so add an option for that key-name. > > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com> > --- > changes in v2: > - add doc snippet explaining the option > > Kconfig | 8 ++++++++ > doc/uImage.FIT/howto.txt | 13 +++++++++++++ > 2 files changed, 21 insertions(+) > Reviewed-by: Simon Glass <sjg@chromium.org>
On 2020/4/21 上午8:23, Heiko Stuebner wrote: > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > The u-boot.itb can be generated either from a static .its that can > simply include the needed signature nodes with key-hints or from a > fit-generator script referenced in CONFIG_SPL_FIT_GENERATOR. > > In the script-case it will need to know what key to include for the > key-hint and specified algorithm, so add an option for that key-name. > > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com> Reviewed-by: Kever Yang <kever.yang@rock-chips.com> Thanks, - Kever > --- > changes in v2: > - add doc snippet explaining the option > > Kconfig | 8 ++++++++ > doc/uImage.FIT/howto.txt | 13 +++++++++++++ > 2 files changed, 21 insertions(+) > > diff --git a/Kconfig b/Kconfig > index 15a783a67d..703762d740 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -534,6 +534,14 @@ config SPL_FIT_GENERATOR > passed a list of supported device tree file stub names to > include in the generated image. > > +config SPL_FIT_GENERATOR_KEY_HINT > + string "key hint for signing U-Boot FIT image" > + depends on SPL_FIT_SIGNATURE > + default "dev" > + help > + The key hint to store in both the generated .its file as well as > + u-boot-key.dtb generated separately and embedded into the SPL. > + > endif # SPL > > endif # FIT > diff --git a/doc/uImage.FIT/howto.txt b/doc/uImage.FIT/howto.txt > index 8592719685..f409b3770e 100644 > --- a/doc/uImage.FIT/howto.txt > +++ b/doc/uImage.FIT/howto.txt > @@ -66,6 +66,19 @@ can point to a script which generates this image source file during > the build process. It gets passed a list of device tree files (taken from the > CONFIG_OF_LIST symbol). > > +Signing u-boot.itb with SPL_FIT_GENERATOR > +----------------------------------------- > + > +u-boot.itb can be signed to verify the integrity of its components. > +When CONFIG_SPL_FIT_SIGNATURE is enabled the CONFIG_SPL_FIT_SIGNATURE_KEY_DIR > +option can be used to specifiy the key directory - either a relative or > +absolute path. > + > +See signature.txt for general signature handling, but when > +CONFIG_SPL_FIT_GENERATOR is used the option CONFIG_SPL_FIT_GENERATOR_KEY_HINT > +can be used to specify the key-hint that should be included into the > +created u-boot.its by the generator. > + > Example 1 -- old-style (non-FDT) kernel booting > ----------------------------------------------- >
diff --git a/Kconfig b/Kconfig index 15a783a67d..703762d740 100644 --- a/Kconfig +++ b/Kconfig @@ -534,6 +534,14 @@ config SPL_FIT_GENERATOR passed a list of supported device tree file stub names to include in the generated image. +config SPL_FIT_GENERATOR_KEY_HINT + string "key hint for signing U-Boot FIT image" + depends on SPL_FIT_SIGNATURE + default "dev" + help + The key hint to store in both the generated .its file as well as + u-boot-key.dtb generated separately and embedded into the SPL. + endif # SPL endif # FIT diff --git a/doc/uImage.FIT/howto.txt b/doc/uImage.FIT/howto.txt index 8592719685..f409b3770e 100644 --- a/doc/uImage.FIT/howto.txt +++ b/doc/uImage.FIT/howto.txt @@ -66,6 +66,19 @@ can point to a script which generates this image source file during the build process. It gets passed a list of device tree files (taken from the CONFIG_OF_LIST symbol). +Signing u-boot.itb with SPL_FIT_GENERATOR +----------------------------------------- + +u-boot.itb can be signed to verify the integrity of its components. +When CONFIG_SPL_FIT_SIGNATURE is enabled the CONFIG_SPL_FIT_SIGNATURE_KEY_DIR +option can be used to specifiy the key directory - either a relative or +absolute path. + +See signature.txt for general signature handling, but when +CONFIG_SPL_FIT_GENERATOR is used the option CONFIG_SPL_FIT_GENERATOR_KEY_HINT +can be used to specify the key-hint that should be included into the +created u-boot.its by the generator. + Example 1 -- old-style (non-FDT) kernel booting -----------------------------------------------