From: Simon Glass
Date: Wed, 10 Nov 2021 12:37:22 -0700
Subject: Re: U-boot
To: Roman Kopytin
Cc: Rasmus Villemoes, U-Boot Mailing List <u-boot@lists.denx.de>
In-Reply-To: <4ba7d9814f544d56b32589e86a5e0617@kaspersky.com>

Hi Roman,

See signature.txt:

- required: If present this indicates that the key must be verified for the
    image / configuration to be considered valid. Only required keys are
    normally verified by the FIT image booting algorithm. Valid values are
    "image" to force verification of all images, and "conf" to force
    verification of the selected configuration (which then relies on hashes
    in the images to verify those).

Regards,
Simon

On Wed, 10 Nov 2021 at 04:20, Roman Kopytin wrote:
>
> Hi, Rasmus and Simon
> I need more details about -r for fdt_add_pubkey.
> I need to add a small help text for the tool, please provide details.
>
> -----Original Message-----
> From: Rasmus Villemoes
> Sent: Monday, August 2, 2021 12:37 PM
> To: Roman Kopytin ; Simon Glass
> Cc: Thomas Perrot ; Michael Nazzareno Trimarchi ; U-Boot-Denx ; Alex Kiernan
> Subject: Re: U-boot
>
> On 02/08/2021 11.25, Roman Kopytin wrote:
> > Thanks a lot!
> > Yes, it looks like using 'fdtput' is not very safe for me.
> > As I understood, I need to use the "fdt_add_pubkey" tool with a command like (example):
> > ./ fdt_add_pubkey -a rsa2048 -k -n -r
> > my_file.dtb
> >
> > Is -r the same as for mkimage? As I remember we can use -r w/o any values in mkimage.
>
> Yes, that's very close to what our Yocto recipe currently does:
>
> for b in ${KERNEL_PUBLIC_KEYS} ; do
>     fdt_add_pubkey -a 'sha1,rsa2048' -k "${KERNEL_SIGNING_DIR}" -n "$b" \
>         -r conf $dtb
> done
>
> I doubt that old patch applies nowadays, I've only forward-ported it to
> 2020.04 internally.
>
> As to Simon's old question of whether it could be done in mkimage with a
> new flag: I'd really prefer not to, mkimage is already an incoherent
> collection of tools that do very different things with different flags.
> Having a flag that says "create and sign this FIT image, and as a side
> effect update $this dtb $overhere with the corresponding public key
> mangled appropriately, oh, and btw, _only_ do that side effect" is a
> non-starter.
>
> Rasmus
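The thread turns on whether a key that fdt_add_pubkey puts into the control DTB is actually enforced, which per the signature.txt text Simon quotes depends on the "required" property. As an added check (my own example, not code from U-Boot or from anyone in this thread), the script below parses a control DTB and reports which /signature/key-* nodes carry required = "conf" or "image" and which are merely present. It assumes the node layout mkimage -K and fdt_add_pubkey write (a key-<name> node under /signature with algo, key-name-hint and required string properties). The sample DTB is constructed inside the script and omits the RSA modulus/exponent properties a real key node carries, and the FDT encoder/decoder is a minimal hand-written one rather than libfdt.

```python
"""Audit the public keys that fdt_add_pubkey (or mkimage -K) put into a U-Boot
control DTB, and report which of them U-Boot will actually insist on.
Added example, not U-Boot code: a tiny hand-written FDT encoder/decoder stands
in for pylibfdt so it runs offline.  The sample blob is constructed below and
omits the rsa,modulus/rsa,exponent/rsa,r-squared/rsa,n0-inverse properties a
real key node carries; only the properties the audit reads are present."""
import struct
from typing import Dict, List, Optional

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _cstr(value: Optional[bytes]) -> Optional[str]:
    """Decode a NUL-terminated string property; None when the property is absent."""
    return None if value is None else value.split(b"\0", 1)[0].decode()


def parse_dtb(blob: bytes) -> dict:
    """Walk the structure block into nested dicts {name, props, children}."""
    (magic, _total, off_struct, off_strings, _rsv, version, _comp, _cpu,
     size_strings, size_struct) = struct.unpack_from(">10I", blob, 0)
    if magic != FDT_MAGIC or version < 16:
        raise ValueError("not a usable flattened device tree")
    strings = blob[off_strings:off_strings + size_strings]
    pos, end, root, stack = off_struct, off_struct + size_struct, None, []
    while pos < end:
        tok = struct.unpack_from(">I", blob, pos)[0]
        pos += 4
        if tok == FDT_BEGIN_NODE:
            nul = blob.index(b"\0", pos)
            node = {"name": blob[pos:nul].decode(), "props": {}, "children": {}}
            pos = (nul + 4) & ~3                       # skip the NUL, realign to 4
            if stack:
                stack[-1]["children"][node["name"]] = node
            else:
                root = node
            stack.append(node)
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            pname = strings[nameoff:strings.index(b"\0", nameoff)].decode()
            stack[-1]["props"][pname] = bytes(blob[pos:pos + length])
            pos = (pos + length + 3) & ~3
        elif tok == FDT_END:
            break
        elif tok != FDT_NOP:
            raise ValueError(f"bad FDT token {tok:#x} at offset {pos - 4:#x}")
    if stack or root is None:
        raise ValueError("structure block is not properly terminated")
    return root


def audit_signature_keys(blob: bytes) -> Dict[str, Dict[str, Optional[str]]]:
    """algo, key-name-hint and required for every node under /signature."""
    sig = parse_dtb(blob)["children"].get("signature")
    return {} if sig is None else {
        name: {p: _cstr(node["props"].get(p)) for p in ("algo", "key-name-hint", "required")}
        for name, node in sig["children"].items()}


def enforced_keys(blob: bytes) -> List[str]:
    """Keys U-Boot will insist on.  Per signature.txt only keys with required =
    "image" or "conf" are normally verified; a key node that lacks the property
    is merely present and enforces nothing."""
    return sorted(n for n, k in audit_signature_keys(blob).items()
                  if k["required"] in ("image", "conf"))


class _FdtBuilder:
    """Minimal FDT writer, used only to construct the sample control DTB."""

    def __init__(self):
        self.body, self.strtab, self._off = bytearray(), bytearray(), {}

    def _emit(self, chunk: bytes):
        self.body += chunk + b"\0" * (-len(chunk) % 4)   # every token stays 4-aligned

    def begin(self, name: str):
        self._emit(struct.pack(">I", FDT_BEGIN_NODE) + name.encode() + b"\0")

    def prop(self, name: str, value: bytes):
        if name not in self._off:
            self._off[name] = len(self.strtab)
            self.strtab += name.encode() + b"\0"
        self._emit(struct.pack(">III", FDT_PROP, len(value), self._off[name]) + value)

    def end(self):
        self._emit(struct.pack(">I", FDT_END_NODE))

    def blob(self) -> bytes:
        body = bytes(self.body) + struct.pack(">I", FDT_END)
        off_struct = 40 + 16                            # header, then an empty reserve map
        off_strings = off_struct + len(body)
        header = struct.pack(">10I", FDT_MAGIC, off_strings + len(self.strtab), off_struct,
                             off_strings, 40, 17, 16, 0, len(self.strtab), len(body))
        return header + b"\0" * 16 + body + bytes(self.strtab)


def sample_control_dtb(required: Optional[str]) -> bytes:
    """Constructed stand-in for a board DTB after `fdt_add_pubkey -n dev [-r ...]`."""
    b = _FdtBuilder()
    b.begin("")                                         # root node
    b.begin("signature")
    b.begin("key-dev")
    b.prop("algo", b"sha256,rsa2048\0")
    b.prop("key-name-hint", b"dev\0")
    b.prop("rsa,num-bits", struct.pack(">I", 2048))
    if required is not None:                            # what -r conf / -r image adds
        b.prop("required", required.encode() + b"\0")
    b.end()                                             # key-dev
    b.end()                                             # signature
    b.end()                                             # root
    return b.blob()


if __name__ == "__main__":
    for req in ("conf", None):
        blob = sample_control_dtb(req)
        print(f"required={req!r}: {audit_signature_keys(blob)} -> enforced {enforced_keys(blob)}")
```

To run it against a real control DTB, feed open(path, "rb").read() to audit_signature_keys() and enforced_keys() instead of the constructed sample. A key that appears in the first result but not in the second is exactly the case Roman's question is about: the public key was added without -r, so it is installed but the FIT boot path does not require a signature made with it.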