[oe-core][RFC 0/3] u-boot: Support SPL Verified Boot

Dan Zhang dz4list at gmail.com
Tue Mar 16 08:31:38 AEDT 2021


Hi Klaus,
What my suggestion essentially is, is to add a configuration, i.e.
DO_UBOOT_SIGN, to allow users to only create a "signable" fit-image, but
sign it later.

In the code:
+ uboot_fitimage_assemble() {
...
+       #
+       # Sign the U-boot FIT image and add public key to SPL dtb
+       #
        if [ "x${DO_UBOOT_SIGN}" = "x1" ] ; then
+       ${UBOOT_MKIMAGE_SIGN} \
+               ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if
len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+               -F -k "${UBOOT_SIGN_KEYDIR}" \
+               -K "${spl_dtb}" \
+               -r ${uboot_bin} \
+               ${UBOOT_MKIMAGE_SIGN_ARGS}
       fi
}
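Review bot: With `-K "${spl_dtb}"` inside the `DO_UBOOT_SIGN` guard, a build with DO_UBOOT_SIGN unset produces an SPL dtb that carries no public key, so the "sign later with any key" flow this hunk is meant to enable must also re-run the `-K` step against the SPL dtb and rebuild the SPL that embeds it, otherwise SPL has nothing to verify the later signature against; that constraint belongs in the commit message or a comment next to the guard. Two smaller points: the `if [ "x${DO_UBOOT_SIGN}" = "x1" ]` line and the closing `fi` are shown as unchanged context (no `+`) even though the message introduces DO_UBOOT_SIGN as a new variable, and the `${@...}` inline-Python expression on the `-D` line is split across two lines, which presumably is mail wrapping but has to stay on one line in the recipe.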




On Mon, Mar 15, 2021 at 9:47 AM Klaus Heinrich Kiwi
<klaus at linux.vnet.ibm.com> wrote:
>
>
>
> On 3/7/2021 11:51 PM, Dan Zhang wrote:
> > Hi Klaus,
>
> Hi Dan - sorry, your reply went under my radar last week!
>
> > Thank you very much for providing this solution to build and sign
> > the u-boot fit-image.
> >
> > I have one suggestion: decouple the U-Boot fit build and signing.
> >
> > UBOOT_FIT ==> Create the uboot fit-image (essentially all your
> > proposal did, except the latest sign step in uboot_fit_assemble())
> > SPL_SIGN_ENABLE ==> create the uboot fit-image, also sign it.
> >
> > This is similar to kernel_fit, which means create the kernel fitimage, while
> > UBOOT_SIGN_ENABLE means sign it.
> >
> > This will allow the user to use a simple script to sign an unsigned
> > image with any key, without needing to tweak the recipe and
> > rebuild the image,
> > i.e. the manufacturing team, the testing team.
>
> Thanks for the suggestion, however, I'm a bit hesitant with this change,
> since for U-Boot the creation/support for the fitImage uImage needs
> to be set in the u-boot config, so unlike the kernel I don't think
> we could simply enable it on the machine.conf and expect it to work.
>
> I'm about to send the patches below as a proper submission to
> openembedded-devel, and I'll continue cross-posting to the openbmc
> list. However, please feel free to answer with your suggestions and
> copy the openembedded mailing-list as well.
>
> Thanks!
>
>   -Klaus
>
>
>
>
> --
> Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>