author | Jan Kiszka <jan.kiszka@siemens.com> | 2023-02-28 19:19:17 +0100
committer | Tom Rini <trini@konsulko.com> | 2023-03-29 11:58:26 -0400
commit | 033ab460d0930e4f7d365279f1c39d914b5e88a4 (patch)
tree | a4cb94685e1b022c0555dea3dae74b5c72a27007 /doc/board/siemens
parent | 75c89069f0cbf887c12f96db7529430c3932fb81 (diff)
download | u-boot-033ab460d0930e4f7d365279f1c39d914b5e88a4.zip, u-boot-033ab460d0930e4f7d365279f1c39d914b5e88a4.tar.gz, u-boot-033ab460d0930e4f7d365279f1c39d914b5e88a4.tar.bz2
iot2050: Add script for signing artifacts
There are many ways to get a signed firmware for the IOT2050 devices,
namely for the parts under user control. This script documents one way
of doing it, given a signing key. Augment the board documentation with
the required procedure around it.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Diffstat (limited to 'doc/board/siemens')
-rw-r--r-- | doc/board/siemens/iot2050.rst | 52
1 files changed, 52 insertions, 0 deletions
diff --git a/doc/board/siemens/iot2050.rst b/doc/board/siemens/iot2050.rst index 26972e2..4e0925c 100644 --- a/doc/board/siemens/iot2050.rst +++ b/doc/board/siemens/iot2050.rst @@ -79,3 +79,55 @@ Via external programmer Dediprog SF100 or SF600: .. code-block:: text $ dpcmd --vcc 2 -v -u flash.bin + +Signing (optional) +------------------ + +To enable verified boot for the firmware artifacts after the Siemens-managed +first-stage loader (seboot_pg*.bin), the following steps need to be taken +before and after the build: + +Generate dtsi holding the public key +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: text + + tools/key2dtsi.py -c -s key.pem public-key.dtsi + +This will be used to embed the public key into U-Boot SPL and main so that each +step can validate signatures of the succeeding one. + +Adjust U-Boot configuration +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Enabled at least the following options in U-Boot: + +.. code-block:: text + + CONFIG_SPL_FIT_SIGNATURE=y + CONFIG_DEVICE_TREE_INCLUDES="/path/to/public-key.dtsi" + CONFIG_RSA=y + +Note that there are more configuration changes needed in order to lock-down +the command line and the boot process of U-Boot for secure scenarios. These are +not in scope here. + +Build U-Boot +^^^^^^^^^^^^ + +See related section above. + +Sign flash.bin +^^^^^^^^^^^^^^ + +In the build folder still containing artifacts from step 3, invoke: + +.. code-block:: text + + tools/iot2050-sign-fw.sh /path/to/key.pem + +Flash signed flash.bin +^^^^^^^^^^^^^^^^^^^^^^ + +The signing has happen in-place in flash.bin, thus the flashing procedure +described above. |
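Review bot: the last sentence of the "Flash signed flash.bin" section is incomplete ("The signing has happen in-place in flash.bin, thus the flashing procedure described above.") and the "Sign flash.bin" section refers to "artifacts from step 3" although the sections are not numbered; suggest "The signing happens in-place in flash.bin, thus the flashing procedure described above applies unchanged." and "In the build folder still containing the artifacts from the build step above, invoke:". In "Adjust U-Boot configuration", "Enabled at least the following options" should read "Enable at least the following options". The key2dtsi.py invocation gives the -c and -s flags without saying what they select, and key.pem is used both there and for tools/iot2050-sign-fw.sh without stating that it is the private signing key, so one sentence naming it as such and noting that it should not live in the source or build tree would make the intent clear. Finally, the procedure ends at flashing without a way to confirm that verification is actually enforced; a short closing step that checks the board refuses a flash.bin signed with a different key (or left unsigned) would let readers detect a CONFIG_SPL_FIT_SIGNATURE or public-key.dtsi mistake before relying on the chain.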