[v2,3/3] doc: verified-boot: add required-mode information

Message ID e605069c307275022477e286ab05db0cd643e2b0.1595039992.git.thiruan@linux.microsoft.com
State Superseded
Delegated to: Tom Rini
Series Add support for multiple required keys

Commit Message

Thirupathaiah Annapureddy July 18, 2020, 3:20 a.m. UTC
Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
---

Changes in v2:
- New

 doc/uImage.FIT/signature.txt | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Simon Glass July 28, 2020, 6:58 p.m. UTC | #1
Hi Thirupathaiah,

On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy
<thiruan@linux.microsoft.com> wrote:
>
> Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
> ---
>
> Changes in v2:
> - New
>
>  doc/uImage.FIT/signature.txt | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>

Reviewed-by: Simon Glass <sjg@chromium.org>

But I think we need a new mkimage option to set the required-mode


> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
> index d4afd755e9..a3455889ed 100644
> --- a/doc/uImage.FIT/signature.txt
> +++ b/doc/uImage.FIT/signature.txt
> @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys.
>
>  This happens automatically as part of a bootm command when FITs are used.
>
> +For Signed Configurations, the default verification behavior can be changed by
> +the following optional property in /signature node in U-Boot's control FDT.
> +
> +- required-mode: Valid values are "any" to allow verified boot to succeed if
> +the selected configuration is signed by any of the 'required' keys, and "all"
> +to allow verified boot to succeed if the selected configuration is signed by
> +all of the 'required' keys.
> +
> +This property can be added to a binary device tree using fdtput as shown in
> +below examples::
> +
> +       fdtput -t s control.dtb /signature required-mode any
> +       fdtput -t s control.dtb /signature required-mode all
> +
>
>  Enabling FIT Verification
>  -------------------------
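
Review bot: The added paragraph says the "default verification behavior can be changed" but never states what that default is, so a reader cannot tell whether a control FDT with no required-mode property behaves like "any" or like "all". Suggest adding one sentence that names the behaviour when the property is absent, and one that says how a value other than "any" or "all" is handled, since for a verified-boot policy an unrecognised value should be a documented failure rather than an unstated fallback.
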
> --
> 2.25.2
>
Thirupathaiah Annapureddy Aug. 17, 2020, 4:09 a.m. UTC | #2
On 7/28/2020 11:58 AM, Simon Glass wrote:
> Hi Thirupathaiah,
> 
> On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy
> <thiruan@linux.microsoft.com> wrote:
>>
>> Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
>> ---
>>
>> Changes in v2:
>> - New
>>
>>  doc/uImage.FIT/signature.txt | 14 ++++++++++++++
>>  1 file changed, 14 insertions(+)
>>
> 
> Reviewed-by: Simon Glass <sjg@chromium.org>
> 
> But I think we need a new mkimage option to set the required-mode

Is it okay if I do mkimage option change as part of a different patch/
patch series? 

> 
> 
>> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
>> index d4afd755e9..a3455889ed 100644
>> --- a/doc/uImage.FIT/signature.txt
>> +++ b/doc/uImage.FIT/signature.txt
>> @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys.
>>
>>  This happens automatically as part of a bootm command when FITs are used.
>>
>> +For Signed Configurations, the default verification behavior can be changed by
>> +the following optional property in /signature node in U-Boot's control FDT.
>> +
>> +- required-mode: Valid values are "any" to allow verified boot to succeed if
>> +the selected configuration is signed by any of the 'required' keys, and "all"
>> +to allow verified boot to succeed if the selected configuration is signed by
>> +all of the 'required' keys.
>> +
>> +This property can be added to a binary device tree using fdtput as shown in
>> +below examples::
>> +
>> +       fdtput -t s control.dtb /signature required-mode any
>> +       fdtput -t s control.dtb /signature required-mode all
>> +
>>
>>  Enabling FIT Verification
>>  -------------------------
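
Review bot: The fdtput example edits control.dtb without saying where in the signing flow it belongs. Both commands address /signature directly, so the text should state that the node must already exist in control.dtb when fdtput runs (or show how it is created), and that the property has to be set before that control FDT is built into U-Boot, so the mode ships alongside the 'required' keys it governs.
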
>> --
>> 2.25.2
>>
Simon Glass Aug. 22, 2020, 3:08 p.m. UTC | #3
Hi Thirupathaiah,

On Sun, 16 Aug 2020 at 22:09, Thirupathaiah Annapureddy
<thiruan@linux.microsoft.com> wrote:
>
>
>
> On 7/28/2020 11:58 AM, Simon Glass wrote:
> > Hi Thirupathaiah,
> >
> > On Fri, 17 Jul 2020 at 21:20, Thirupathaiah Annapureddy
> > <thiruan@linux.microsoft.com> wrote:
> >>
> >> Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
> >> ---
> >>
> >> Changes in v2:
> >> - New
> >>
> >>  doc/uImage.FIT/signature.txt | 14 ++++++++++++++
> >>  1 file changed, 14 insertions(+)
> >>
> >
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> >
> > But I think we need a new mkimage option to set the required-mode
>
> Is it okay if I do mkimage option change as part of a different patch/
> patch series?
>

That's fine with me.

Regards,
Simon

Patch

diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index d4afd755e9..a3455889ed 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -386,6 +386,20 @@  that might be used by the target needs to be signed with 'required' keys.
 
 This happens automatically as part of a bootm command when FITs are used.
 
+For Signed Configurations, the default verification behavior can be changed by
+the following optional property in /signature node in U-Boot's control FDT.
+
+- required-mode: Valid values are "any" to allow verified boot to succeed if
+the selected configuration is signed by any of the 'required' keys, and "all"
+to allow verified boot to succeed if the selected configuration is signed by
+all of the 'required' keys.
+
+This property can be added to a binary device tree using fdtput as shown in
+below examples::
+
+	fdtput -t s control.dtb /signature required-mode any
+	fdtput -t s control.dtb /signature required-mode all
+
 
 Enabling FIT Verification
 -------------------------
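
Review bot: Wording and layout in the added lines need a pass: "in /signature node" is missing an article ("in the /signature node"), "as shown in below examples::" should read "as shown in the examples below", and the continuation lines of the "- required-mode:" item are not indented under the bullet, so they read as a separate paragraph. The two fdtput lines would also benefit from a short note that they are alternatives, one per mode, not a sequence to run together.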