On Tue, Jan 5, 2016 at 12:54 PM, Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> wrote: > On 01/05/2016 11:40 AM, Yegor Yefremov wrote: >> On Tue, Jan 5, 2016 at 11:32 AM, Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> wrote: >>> On 01/05/2016 11:28 AM, Yegor Yefremov wrote: >>>> Hi Marc, >>>> >>>> thanks for reposting the patches. >>>> >>>> On Tue, Jan 5, 2016 at 9:11 AM, Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx> wrote: >>>>> From: Jan Luebbe <jlu@xxxxxxxxxxxxxx> >>>>> >>>>> This implementation is inspired by U-Boot's FIT support. Instead of >>>>> using libfdt (which does not exist in barebox), configuration signatures >>>>> are verified by using a simplified DT parser based on barebox's own >>>>> code. >>>>> >>>>> Currently, only signed configurations with hashed images are supported, >>>>> as the other variants are less useful for verified boot. Compatible FIT >>>>> images can be created using U-Boot's mkimage tool. >>>> >>>> What about unsigned images? >>> >>> That's not our use case. We use plain zImages instead. >> >> The solution would be to introduce an option like in U-Boot? >> >> CONFIG_FIT_SIGNATURE: >> >> This option enables signature verification of FIT uImages, >> using a hash signed and verified using RSA. If >> CONFIG_SHA_PROG_HW_ACCEL is defined, i.e support for progressive >> hashing is available using hardware, RSA library will use it. >> See doc/uImage.FIT/signature.txt for more details. > > Technically possible, but I'm not sure what are the benefits of using > fit images, if you don't need signatures. barebox implements > freedesktop.org's bootspec and this is IMHO the way to go. For me FIT is just a way to have a kernel and a bunch of device tree blobs in one file. Signed or not signed is an option for me. Just like U-Boot implements it. This is user responsibility. In my use case I just read device ID from EEPROM, load my kernel-fit.itb and select needed DTB via this ID. This way I have only one SD card image, that can be run on more, than 10 different devices using the same core module. >>>> I also get: unsupported algo crc32 >>>> Is it intended to be supported? >>> >>> Not for our usecase - feel free to add crc32 support. >> >> OK. >> >> But what about FIT configuration selection syntax? > > What's this? Have you seen my comments to this patch regarding fit_open_configuration() routine? http://lists.infradead.org/pipermail/barebox/2016-January/025718.html Yegor _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox