[oe-core][RFC 0/3] u-boot: Support SPL Verified Boot

Klaus Heinrich Kiwi klaus at linux.vnet.ibm.com
Tue Mar 16 03:47:25 AEDT 2021



On 3/7/2021 11:51 PM, Dan Zhang wrote:
> Hi Klaus,

Hi Dan - sorry, your reply went under my radar last week!

> Thank you very much for providing this solution to build and sign
> u-boot fit-image.
> 
> I have one suggestion: decouple the U-Boot fit build and signing.
> 
> UBOOT_FIT ==> Create the uboot fit-image (essentially all your
> proposal did, except the latest sign step in uboot_fit_assemble())
> SPL_SIGN_ENABLE ==> create the uboot fit-image, also sign it.
> 
> This is similar to how kernel_fit means create the kernel fitimage, while
> UBOOT_SIGN_ENABLE means sign it.
> 
> This will allow the user to use a simple script to sign an unsigned
> image with any key, w/o need to be able to tweak the recipe and
> rebuild the image.
> i.e. the manufacturing team, the testing team.

Thanks for the suggestion, however, I'm a bit hesitant with this change,
since for U-Boot the creation/support for the fitImage uImage needs
to be set in the u-boot config, so unlike the kernel I don't think
we could simply enable it on the machine.conf and expect it to work.

I'm about to send the patches below as a proper submission to
openembedded-devel, and I'll continue cross-posting to the openbmc
list. However, please feel free to answer with your suggestions and
copy the openembedded mailing-list as well.

Thanks!

  -Klaus




-- 
Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>

