Message-ID: <79544e1e9256d8c1c9f36978b15b294b518d480b.camel@bootlin.com>
Subject: Re: U-boot
From: Thomas Perrot
To: Roman Kopytin, Michael Nazzareno Trimarchi
Cc: U-Boot-Denx, Simon Glass
Date: Sat, 31 Jul 2021 08:51:31 +0200
References: <25743c08c4b34f9791e39e687399f802@kaspersky.com> <94d75c521aed46dbb54a8275be2f529e@kaspersky.com>
List-Id: U-Boot discussion

Hi Roman,

On Sat, 2021-07-31 at 03:34 +0000, Roman Kopytin wrote:
> Thanks, Michael.
> Can we sign in the separate state on special server for example?

Yes, it is possible: there is a step to build and another one to sign, which can be separated.

For example, the following command, which builds and signs the itb:

    # build and sign
    mkimage -D "-I dts -O dtb -p 4096" -f ./foo.its -k ./keys -K ./u-boot.dtb -r ./foo.itb

can be split in two:

    # build
    uboot-mkimage \
        -D "-I dts -O dtb -p 4096" \
        -f ./foo.its \
        ./foo.itb

    # sign
    uboot-mkimage \
        -D "-I dts -O dtb -p 4096" -F \
        -k ./keys \
        -K ./u-boot.dtb \
        -r \
        ./foo.itb

Then the u-boot*.dtb should contain the pubkey node(s) in the signature node, and it can be shared and concatenated to the U-Boot binary:

    make EXT_DTB="./u-boot.dtb"

> Looks like we can work with public key only in this step.
The dtb containing the public key(s) is useful to verify the signature at target boot, or with the fit_check_sign tool to perform an offloaded check, for example:

    fit_check_sign -f ./foo.itb -k ./u-boot.dtb

Best regards,
Thomas Perrot

> 
> From: Michael Nazzareno Trimarchi
> Sent: Friday, July 30, 2021 8:50 PM
> To: Roman Kopytin
> Cc: U-Boot-Denx; Simon Glass
> Subject: Re: U-boot
> 
> Hi Román
> 
> On Fri, Jul 30, 2021, 7:44 PM Roman Kopytin <
> Roman.Kopytin@kaspersky.com> wrote:
> Hello, dear U-boot team
> 
> I have a question about your old feature: U-boot patch for adding of the
> public key to dtb file.
> 
> https://patchwork.ozlabs.org/project/uboot/patch/1363650725-30459-37-git-send-email-sjg%40chromium.org/
> 
> I can't understand, can we work only with public key? Why do we need to
> have private key for adding step?
> In documentation it is not very clear for me.
> 
> You need to sign with private key and keep it secret and local and
> verify it during booting with public key. Private key is not
> distributed with the image
> 
> Michael
> 
> 
> Thanks a lot.
> 
-- 
Thomas Perrot, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
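The split workflow described in this thread (build on one host, sign on the signing server that holds the private key, verify anywhere with only the public-key dtb), as an added shell example that is not part of the thread or of U-Boot. mkimage and fit_check_sign are the u-boot-tools binaries; the MKIMAGE and FIT_CHECK_SIGN overrides, the function names and the paths are assumptions, and the check that the key directory actually holds a private key is added here.

```shell
#!/bin/sh
# Added example (not from the thread): build / sign / verify kept apart so
# that only the signing host ever sees the private key. Assumes mkimage and
# fit_check_sign from u-boot-tools; MKIMAGE and FIT_CHECK_SIGN are
# hypothetical overrides so each stage can be pointed at another binary.
set -eu

MKIMAGE=${MKIMAGE:-mkimage}
FIT_CHECK_SIGN=${FIT_CHECK_SIGN:-fit_check_sign}
# -p 4096 pads the FIT so the signature nodes fit when it is signed in place
DTC_OPTS="-I dts -O dtb -p 4096"

# Stage 1, build host: compile the .its source into an unsigned .itb.
# No key directory is passed, so nothing here needs the private key.
build_fit() {
    its=$1; itb=$2
    "$MKIMAGE" -D "$DTC_OPTS" -f "$its" "$itb"
}

# Stage 2, signing server: re-sign the existing .itb in place (-F) with the
# <name>.key private key(s) found in keydir (-k), and write the matching
# public key(s) into the U-Boot control dtb (-K). -r marks them required.
sign_fit() {
    itb=$1; keydir=$2; ctrl_dtb=$3
    # fail early instead of silently producing an image nobody signed
    set -- "$keydir"/*.key
    [ -f "$1" ] || { echo "sign_fit: no *.key in $keydir" >&2; return 1; }
    "$MKIMAGE" -D "$DTC_OPTS" -F -k "$keydir" -K "$ctrl_dtb" -r "$itb"
}

# Stage 3, anywhere: offline check of the signed .itb against the public
# key(s) in the control dtb. Only u-boot.dtb is needed, never the keydir.
verify_fit() {
    itb=$1; ctrl_dtb=$2
    "$FIT_CHECK_SIGN" -f "$itb" -k "$ctrl_dtb"
}

# Example usage with placeholder paths:
#   build_fit  ./foo.its ./foo.itb            # build host
#   sign_fit   ./foo.itb ./keys ./u-boot.dtb  # signing server
#   verify_fit ./foo.itb ./u-boot.dtb         # any host holding u-boot.dtb
```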