On Tue, Jan 5, 2016 at 11:32 AM, Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> wrote: > On 01/05/2016 11:28 AM, Yegor Yefremov wrote: >> Hi Marc, >> >> thanks for reposting the patches. >> >> On Tue, Jan 5, 2016 at 9:11 AM, Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> wrote: >>> From: Jan Luebbe <jlu@xxxxxxxxxxxxxx> >>> >>> This implementation is inspired by U-Boot's FIT support. Instead of >>> using libfdt (which does not exist in barebox), configuration signatures >>> are verified by using a simplified DT parser based on barebox's own >>> code. >>> >>> Currently, only signed configurations with hashed images are supported, >>> as the other variants are less useful for verified boot. Compatible FIT >>> images can be created using U-Boot's mkimage tool. >> >> What about unsigned images? > > That's not our use case. We use plain zImages instead. The solution would be to introduce an option like in U-Boot? CONFIG_FIT_SIGNATURE: This option enables signature verification of FIT uImages, using a hash signed and verified using RSA. If CONFIG_SHA_PROG_HW_ACCEL is defined, i.e support for progressive hashing is available using hardware, RSA library will use it. See doc/uImage.FIT/signature.txt for more details. >> I also get: unsupported algo crc32 >> Is it intended to be supported? > > Not for our usecase - feel free to add crc32 support. OK. But what about FIT configuration selection syntax? Yegor _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
