On 01/05/2016 11:40 AM, Yegor Yefremov wrote: > On Tue, Jan 5, 2016 at 11:32 AM, Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> wrote: >> On 01/05/2016 11:28 AM, Yegor Yefremov wrote: >>> Hi Marc, >>> >>> thanks for reposting the patches. >>> >>> On Tue, Jan 5, 2016 at 9:11 AM, Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> wrote: >>>> From: Jan Luebbe <jlu@xxxxxxxxxxxxxx> >>>> >>>> This implementation is inspired by U-Boot's FIT support. Instead of >>>> using libfdt (which does not exist in barebox), configuration signatures >>>> are verified by using a simplified DT parser based on barebox's own >>>> code. >>>> >>>> Currently, only signed configurations with hashed images are supported, >>>> as the other variants are less useful for verified boot. Compatible FIT >>>> images can be created using U-Boot's mkimage tool. >>> >>> What about unsigned images? >> >> That's not our use case. We use plain zImages instead. > > The solution would be to introduce an option like in U-Boot? > > CONFIG_FIT_SIGNATURE: > > This option enables signature verification of FIT uImages, > using a hash signed and verified using RSA. If > CONFIG_SHA_PROG_HW_ACCEL is defined, i.e support for progressive > hashing is available using hardware, RSA library will use it. > See doc/uImage.FIT/signature.txt for more details. Technically possible, but I'm not sure what are the benefits of using fit images, if you don't need signatures. barebox implements freedesktop.org's bootspec and this is IMHO the way to go. >>> I also get: unsupported algo crc32 >>> Is it intended to be supported? >> >> Not for our usecase - feel free to add crc32 support. > > OK. > > But what about FIT configuration selection syntax? What's this? Marc -- Pengutronix e.K. | Marc Kleine-Budde | Industrial Linux Solutions | Phone: +49-231-2826-924 | Vertretung West/Dortmund | Fax: +49-5121-206917-5555 | Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
