CONFIG_RSA_KEY and CONFIG_BOOTM_FITIMAGE_PUBKEY can both point at the RSA public key, but with different formats. CONFIG_RSA_KEY is probably easier to integrate, so reference it from CONFIG_BOOTM_FITIMAGE_PUBKEY and be explicit about the different formatting. --- common/Kconfig | 11 ++++++++--- crypto/Kconfig | 3 +++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/common/Kconfig b/common/Kconfig index 3a57e16b3be6..0c7ba6a63685 100644 --- a/common/Kconfig +++ b/common/Kconfig @@ -644,9 +644,10 @@ config BOOTM_FITIMAGE_PUBKEY_ENV bool "Specify path to public key in environment" depends on BOOTM_FITIMAGE_SIGNATURE help - If this option is enabled the path to the public key for verifying - FIT images signature is taken from environment which allows for - better integration with build systems. + If this option is enabled the path to the device tree snippet + containing the public key for verifying FIT images signature is taken + from make's build-time environment, which can allow for better + integration with some build systems. The environment variable has the same name as the corresponding Kconfig variable: @@ -664,6 +665,10 @@ config BOOTM_FITIMAGE_PUBKEY snippet can then be included in a device tree with "#include CONFIG_BOOTM_FITIMAGE_PUBKEY". + This snippet is usually generated by decompiling a device tree produced + by mkimage. An alternative is CONFIG_CRYPTO_RSA_KEY, which takes a PEM + file or a PKCS#11 URI. + endif config BOOTM_FORCE_SIGNED_IMAGES diff --git a/crypto/Kconfig b/crypto/Kconfig index 629f615de1af..04e5ef43705b 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -130,6 +130,9 @@ config CRYPTO_RSA_KEY X.509 certificates to be included into barebox. If the string starts with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file. + This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY + at the cost of an openssl build-time dependency. + config CRYPTO_RSA_KEY_NAME_HINT depends on CRYPTO_RSA string "FIT image key name hint" -- 2.39.2
