From: Simon Glass
Date: Sat, 31 Jul 2021 10:59:28 -0600
Subject: Re: U-boot
To: Roman Kopytin
References: <25743c08c4b34f9791e39e687399f802@kaspersky.com> <94d75c521aed46dbb54a8275be2f529e@kaspersky.com> <79544e1e9256d8c1c9f36978b15b294b518d480b.camel@bootlin.com>
Cc: Thomas Perrot, Michael Nazzareno Trimarchi, U-Boot-Denx
List-Id: U-Boot discussion

Hi Roman,

On Sat, 31 Jul 2021 at 02:26, Roman Kopytin wrote:
>
> Thanks, but my question was about adding the public key to the dtb file without the private key. We won't have the private key on our side.

(please try not to top-post on the mailing list)

Presumably this means that you know what the public key is, so one option is to manually add it to the dtb, e.g. in a u-boot.dtsi file for your board. You can see the format of it in the documentation, or just copy what is there when you do the signing.

Another option would be to use 'fdtput' to add the various fields in the dtb after building.

- Simon

>
> -----Original Message-----
> From: Thomas Perrot
> Sent: Saturday, July 31, 2021 9:52 AM
> To: Roman Kopytin; Michael Nazzareno Trimarchi
> Cc: U-Boot-Denx; Simon Glass
> Subject: Re: U-boot
>
> Hi Roman,
>
> On Sat, 2021-07-31 at 03:34 +0000, Roman Kopytin wrote:
> > Thanks, Michael.
> > Can we sign in a separate stage on a special server, for example?
>
> Yes, it is possible, there is a step to build and another one to sign, and they can be separated.
>
> For example, the following command, which builds and signs the itb:
> # build and sign
> mkimage -D "-I dts -O dtb -p 4096" -f ./foo.its -k ./keys -K ./u-boot.dtb -r ./foo.itb
>
> Can be split in two:
> # build
> uboot-mkimage \
> -D "-I dts -O dtb -p 4096" \
> -f ./foo.its \
> ./foo.itb
>
> # sign (re-sign the existing FIT image and write the public key into u-boot.dtb)
> uboot-mkimage \
> -D "-I dts -O dtb -p 4096" -F \
> -k ./keys \
> -K ./u-boot.dtb \
> -r \
> ./foo.itb
>
> Then the u-boot*.dtb should contain the pubkey node(s) in the signature node, and it can be shared and concatenated to the U-Boot
> binary:
>
> make EXT_DTB="./u-boot.dtb"
>
> > Looks like we can work with the public key only in this step.
>
> The dtb containing the public key(s) is useful to verify the signature at target boot, or with the tool fit_check_sign to perform an offload check, for example:
>
> fit_check_sign -f ./foo.itb -k ./u-boot.dtb
>
> Best regards,
> Thomas Perrot
>
> >
> > From: Michael Nazzareno Trimarchi
> > Sent: Friday, July 30, 2021 8:50 PM
> > To: Roman Kopytin
> > Cc: U-Boot-Denx; Simon Glass
> > Subject: Re: U-boot
> >
> > Caution: This is an external email. Be cautious while opening links or
> > attachments.
> >
> >
> > Hi Román
> >
> >
> > On Fri, Jul 30, 2021, 7:44 PM Roman Kopytin wrote:
> > Hello, dear U-boot team
> >
> > I have a question about your old feature: U-boot patch for adding the
> > public key to the dtb file.
> >
> > https://patchwork.ozlabs.org/project/uboot/patch/1363650725-30459-37-git-send-email-sjg%40chromium.org/
> >
> > I can’t understand, can we work only with the public key? Why do we need
> > to have the private key for the adding step?
> > In the documentation it is not very clear to me.
> >
> > You need to sign with the private key and keep it secret and local, and
> > verify it during booting with the public key. The private key is not
> > distributed with the image
> >
> > Michael
> >
> >
> > Thanks a lot.
> >
> >
> --
> Thomas Perrot, Bootlin
> Embedded Linux and kernel engineering
> https://bootlin.com
>
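Simon's second option above (add "the various fields" with fdtput after the build) assumes you know what those fields are. As an added example, not code from the thread, from U-Boot or from any of the posters, the script below computes the contents of the `/signature/key-<name>` node from a public key alone (modulus and exponent, which is all the board team has in Roman's situation) and prints the fdtput commands that would write it into u-boot.dtb. The property names follow U-Boot's doc/uImage.FIT/signature.txt; the two precomputed Montgomery constants (`rsa,n0-inverse` = -n^-1 mod 2^32 and `rsa,r-squared` = (2^num_bits)^2 mod n) follow what mkimage's rsa_get_params derives, and the fdtput flags used are `-p` (create missing parent nodes), `-t s` (string) and `-t x` (32-bit hex cells). The function names, the `verify_node` check and the 216-bit demo modulus are my own; the demo key is constructed only so the example runs offline and is far too small to be a real key. Cross-check a node produced this way against one written by `mkimage -K` with a development key before relying on it, as Thomas's flow allows.

```python
"""Build U-Boot's public-key node for the control DTB from a public key alone.

Added example for the thread above; not code from U-Boot or from any poster.
Property names: U-Boot doc/uImage.FIT/signature.txt. Constants: as mkimage's
rsa_get_params computes them (n0-inverse = -n^-1 mod 2^32, r-squared = R^2 mod n
with R = 2^num_bits). Verify against a real `mkimage -K` output before use.
"""
import shlex
from typing import Dict, List, Tuple, Union

PropValue = Union[str, int, List[int]]   # string, one u32 cell, or several u32 cells


def montgomery_params(n: int) -> Tuple[int, int, int]:
    """Return (num_bits, n0_inverse, r_squared) for an odd RSA modulus n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("RSA modulus must be a positive odd integer")
    num_bits = n.bit_length()
    # -n^-1 mod 2^32 as an unsigned 32-bit value (pow(x, -1, m) needs Python 3.8+)
    n0_inverse = (1 << 32) - pow(n, -1, 1 << 32)
    # U-Boot's Montgomery verifier wants R^2 mod n precomputed, R = 2^num_bits
    r_squared = pow(1 << num_bits, 2, n)
    return num_bits, n0_inverse, r_squared


def bignum_words(value: int, num_bits: int) -> List[int]:
    """Split value into big-endian 32-bit cells, most significant cell first.
    mkimage writes num_bits/32 words; real keys (2048/4096 bits) are word-aligned,
    the constructed demo key below is not, so round up to whole words."""
    nwords = (num_bits + 31) // 32
    if value >> (32 * nwords):
        raise ValueError("value does not fit in %d bits" % (32 * nwords))
    return [(value >> (32 * i)) & 0xFFFFFFFF for i in reversed(range(nwords))]


def words_to_int(words: List[int]) -> int:
    """Inverse of bignum_words (also decodes the two-cell u64 exponent)."""
    return int.from_bytes(b"".join(w.to_bytes(4, "big") for w in words), "big")


def public_key_node(n: int, e: int, key_name: str,
                    hash_name: str = "sha256", required: str = "conf") -> Dict[str, PropValue]:
    """Properties of /signature/key-<key_name> as U-Boot reads them at boot.
    required = "conf" makes U-Boot insist that every configuration is signed by this key."""
    num_bits, n0_inverse, r_squared = montgomery_params(n)
    return {
        "required": required,
        "algo": f"{hash_name},rsa{num_bits}",      # sha256,rsa2048 for a real 2048-bit key
        "rsa,r-squared": bignum_words(r_squared, num_bits),
        "rsa,modulus": bignum_words(n, num_bits),
        "rsa,exponent": [(e >> 32) & 0xFFFFFFFF, e & 0xFFFFFFFF],   # u64 as two cells
        "rsa,n0-inverse": n0_inverse,
        "rsa,num-bits": num_bits,
        "key-name-hint": key_name,
    }


def fdtput_commands(dtb: str, key_name: str, props: Dict[str, PropValue]) -> List[str]:
    """Shell commands adding the node to an existing dtb after the build (hypothetical
    path names; -p creates missing parent nodes, -t s a string, -t x 32-bit hex cells)."""
    node = f"/signature/key-{key_name}"
    cmds = []
    for prop, value in props.items():
        if isinstance(value, str):
            cmds.append(f"fdtput -p -t s {shlex.quote(dtb)} {node} {prop} {shlex.quote(value)}")
        else:
            cells = [value] if isinstance(value, int) else value
            hexcells = " ".join(f"{c:08x}" for c in cells)
            cmds.append(f"fdtput -p -t x {shlex.quote(dtb)} {node} {prop} {hexcells}")
    return cmds


def verify_node(props: Dict[str, PropValue], expected_n: int, expected_e: int) -> bool:
    """Defender-side check: a key node read back (e.g. with fdtget) from a u-boot.dtb that
    a signing server returned must carry exactly the public key you expect to be enforced,
    with self-consistent Montgomery constants."""
    n = words_to_int(props["rsa,modulus"])
    e = words_to_int(props["rsa,exponent"])
    num_bits = props["rsa,num-bits"]
    if n != expected_n or e != expected_e or num_bits != n.bit_length():
        return False
    if (props["rsa,n0-inverse"] * n) % (1 << 32) != (1 << 32) - 1:
        return False
    return words_to_int(props["rsa,r-squared"]) == pow(1 << num_bits, 2, n)


# Constructed demo key: product of two Mersenne primes, 216 bits. Far too small to be
# secure; used only so the example runs offline. A real key is 2048 or 4096 bits.
DEMO_N = (2**127 - 1) * (2**89 - 1)
DEMO_E = 65537

if __name__ == "__main__":
    node = public_key_node(DEMO_N, DEMO_E, "dev")
    for cmd in fdtput_commands("u-boot.dtb", "dev", node):
        print(cmd)
    print("self-check:", verify_node(node, DEMO_N, DEMO_E))
```

Run it and paste the printed fdtput lines after `make` but before the dtb is concatenated to the U-Boot binary; `verify_node` is the check to run on whatever u-boot.dtb comes back from a separate signing stage, so that the key baked into the bootloader is the one the board team intended rather than whatever the signing host happened to have in `./keys`.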