RE: U-boot - Roman Kopytin

All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed

From: Roman Kopytin <Roman.Kopytin@kaspersky.com>
To: Thomas Perrot <thomas.perrot@bootlin.com>,
	Michael Nazzareno Trimarchi <michael@amarulasolutions.com>
Cc: U-Boot-Denx <u-boot@lists.denx.de>, Simon Glass <sjg@chromium.org>
Subject: RE: U-boot
Date: Sat, 31 Jul 2021 08:26:42 +0000	[thread overview]
Message-ID: <b1a2d516c85d463ab652ebeb17544c55@kaspersky.com> (raw)
In-Reply-To: <79544e1e9256d8c1c9f36978b15b294b518d480b.camel@bootlin.com>

Thank, but my question was about adding of the public key to dtb file without private key. We won't have private key in our side.

-----Original Message-----
From: Thomas Perrot <thomas.perrot@bootlin.com> 
Sent: Saturday, July 31, 2021 9:52 AM
To: Roman Kopytin <Roman.Kopytin@kaspersky.com>; Michael Nazzareno Trimarchi <michael@amarulasolutions.com>
Cc: U-Boot-Denx <u-boot@lists.denx.de>; Simon Glass <sjg@chromium.org>
Subject: Re: U-boot

Hi Roman,

On Sat, 2021-07-31 at 03:34 +0000, Roman Kopytin wrote:
> Thanks, Michael.
> Can we sign in the separate state on special server for example?

Yes, it possible, there is a step to build and another one to sign, that can be separated.

For example, the following command, that build and sign the itb:
# build and sign
mkimage -D "-I dts -O dtb -p 4096" -f ./foo.its -k ./keys -K ./u- boot.dtb -r ./foo.itb

Can be spitted in two:
# build
uboot-mkimage \
    -D "-I dts -O dtb -p 4096" \
    -f ./foo.its \
    ./foo.itb

# sign
uboot-mkimage \
    -D "-I dts -O dtb -p 4096" -F 
    -k ./keys \
    -K ./u-boot.dtb \
    -r \
    ./foo.itb

Then the u-boot*.dtb should contains the pubkey node(s) in the signature node and it can be shared and concatenated to the U-Boot
binary:

make EXT_DTB="./u-boot.dtb"

> Looks like we can work with public key only in this step.

The dtb containing the public key(s) is useful to verify the signature at the target boot, or with the tool fit_check_sign to perform an offload checking, for example:

fit_check_sign -f ./foo.itb -k ./u-boot.dtb

Best regards,
Thomas Perrot

> 
> From: Michael Nazzareno Trimarchi <michael@amarulasolutions.com>
> Sent: Friday, July 30, 2021 8:50 PM
> To: Roman Kopytin <Roman.Kopytin@kaspersky.com>
> Cc: U-Boot-Denx <u-boot@lists.denx.de>; Simon Glass <sjg@chromium.org>
> Subject: Re: U-boot
> 
> Caution: This is an external email. Be cautious while opening links or 
> attachments.
> 
> 
> Hi Román
> 
> 
> On Fri, Jul 30, 2021, 7:44 PM Roman Kopytin < 
> Roman.Kopytin@kaspersky.com<mailto:Roman.Kopytin@kaspersky.com>> wrote:
> Hello, dear U-boot team
> 
> I have question about your old feature: U-boot patch for adding of the 
> public key to dtb file.
>  
> https://patchwork.ozlabs.org/project/uboot/patch/1363650725-30459-37-g
> it-send-email-sjg%40chromium.org/
> 
> I can’t understand, can we work only with public key? Why do we need 
> to have private key for adding step?
> In documentation it is not very clear for me.
> 
> You need to sign with private key and keep it secret and local and 
> verify it during booting with public key. Private key is not 
> distributed with the image
> 
> Michael
> 
> 
> Thanks a lot.
> 

--
Thomas Perrot, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com

next prev parent reply	other threads:[~2021-07-31 10:44 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <25743c08c4b34f9791e39e687399f802@kaspersky.com>
     [not found] ` <CAPnjgZ2BSCMcN=-3Vr4wcgZgtB5ExdAxDPE2yfQvT5WJTVajbg@mail.gmail.com>
2021-07-30 17:34   ` U-boot Roman Kopytin
2021-07-30 17:50     ` U-boot Michael Nazzareno Trimarchi
2021-07-31  3:34       ` U-boot Roman Kopytin
2021-07-31  6:51         ` U-boot Thomas Perrot
2021-07-31  8:26           ` Roman Kopytin [this message]
2021-07-31 16:59             ` U-boot Simon Glass
2021-08-02  9:00               ` U-boot Rasmus Villemoes
2021-08-02  9:25                 ` U-boot Roman Kopytin
2021-08-02  9:37                   ` U-boot Rasmus Villemoes
2021-08-02  9:55                     ` U-boot Roman Kopytin
2021-08-02 11:08                       ` U-boot Rasmus Villemoes
2021-08-02 11:18                         ` U-boot Roman Kopytin
2021-08-02 12:35                         ` U-boot Roman Kopytin
2021-08-02 19:20                     ` U-boot Simon Glass
     [not found]                     ` <4ba7d9814f544d56b32589e86a5e0617@kaspersky.com>
2021-11-10 19:37                       ` U-boot Simon Glass
2005-11-16  0:15 U-Boot mcnernbm
2005-11-16  1:06 ` U-Boot Wolfgang Denk

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b1a2d516c85d463ab652ebeb17544c55@kaspersky.com \
    --to=roman.kopytin@kaspersky.com \
    --cc=michael@amarulasolutions.com \
    --cc=sjg@chromium.org \
    --cc=thomas.perrot@bootlin.com \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.