| Message ID | 20210204195705.2057081-2-mr.nuke.me@gmail.com |
|---|---|
| State | Superseded |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | mkimage: Add a 'keyfile' argument for image signing | expand |
On Thu, 4 Feb 2021 at 12:57, Alexandru Gagniuc <mr.nuke.me@gmail.com> wrote: > > After lots of debating, this documents how we'd like mkimage to treat > 'keydir' and 'keyfile' arguments. The rest is in the docs. > > Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com> > --- > doc/uImage.FIT/signature.txt | 13 +++++++++++++ > 1 file changed, 13 insertions(+) Reviewed-by: Simon Glass <sjg@chromium.org>
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 0139295d33..d9a9121190 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -472,6 +472,19 @@ Test Verified Boot Run: signed config with bad hash: OK Test passed +Software signing: keydir vs keyfile +----------------------------------- + +In the simplest case, signing is done by giving mkimage the 'keyfile'. This is +the path to a file containing the signing key. + +The alternative is to pass the 'keydir' argument. In this case the filename of +the key is derived from the 'keydir' and the "key-name-hint" property in the +FIT. In this case the "key-name-hint" property is mandatory, and the key must +exist in "<keydir>/<key-name-hint>.<ext>" Here the extension "ext" is +specific to the signing algorithm. + + Hardware Signing with PKCS#11 or with HSM -----------------------------------------
After lots of debating, this documents how we'd like mkimage to treat 'keydir' and 'keyfile' arguments. The rest is in the docs. Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com> --- doc/uImage.FIT/signature.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+)