aboutsummaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2021-04-15 17:10:25 -0400
committerTom Rini <trini@konsulko.com>2021-04-15 17:10:25 -0400
commita6232e065dd9e349bf5908c928734c6b5b018112 (patch)
tree49a54d23fc32194ce266f06cb8fae3eff4574339 /doc
parent45b3cf88da24206a6cb847efe837fddc120af3e8 (diff)
parentfbc777429fa35312a9ea5f106692172d3153e659 (diff)
downloadu-boot-a6232e065dd9e349bf5908c928734c6b5b018112.zip
u-boot-a6232e065dd9e349bf5908c928734c6b5b018112.tar.gz
u-boot-a6232e065dd9e349bf5908c928734c6b5b018112.tar.bz2
Merge branch '2021-04-14-assorted-vboot-improvements'WIP/15Apr2021
- Add ECDSA support to FIT images - Improve FIT image loadables (incl fpga) support - Further FIT improvements with SPL
Diffstat (limited to 'doc')
-rw-r--r--doc/uImage.FIT/multi-with-fpga.its3
-rw-r--r--doc/uImage.FIT/signature.txt20
-rw-r--r--doc/uImage.FIT/source_file_format.txt1
3 files changed, 22 insertions, 2 deletions
diff --git a/doc/uImage.FIT/multi-with-fpga.its b/doc/uImage.FIT/multi-with-fpga.its
index 47ee576..021cbc7 100644
--- a/doc/uImage.FIT/multi-with-fpga.its
+++ b/doc/uImage.FIT/multi-with-fpga.its
@@ -29,6 +29,7 @@
arch = "arm";
compression = "none";
load = <0x30000000>;
+ compatible = "u-boot,fpga-legacy"
hash-1 {
algo = "md5";
};
@@ -61,7 +62,7 @@
description = "Linux with fpga";
kernel = "linux_kernel";
fdt = "fdt-1";
- fpga = "fpga";
+ loadables = "fpga";
};
};
};
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index a345588..d9a9121 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -142,7 +142,7 @@ public key in U-Boot's control FDT (using CONFIG_OF_CONTROL).
Public keys should be stored as sub-nodes in a /signature node. Required
properties are:
-- algo: Algorithm name (e.g. "sha1,rsa2048")
+- algo: Algorithm name (e.g. "sha1,rsa2048" or "sha256,ecdsa256")
Optional properties are:
@@ -167,6 +167,11 @@ For RSA the following are mandatory:
- rsa,r-squared: (2^num-bits)^2 as a big-endian multi-word integer
- rsa,n0-inverse: -1 / modulus[0] mod 2^32
+For ECDSA the following are mandatory:
+- ecdsa,curve: Name of ECDSA curve (e.g. "prime256v1")
+- ecdsa,x-point: Public key X coordinate as a big-endian multi-word integer
+- ecdsa,y-point: Public key Y coordinate as a big-endian multi-word integer
+
These parameters can be added to a binary device tree using parameter -K of the
mkimage command::
@@ -467,6 +472,19 @@ Test Verified Boot Run: signed config with bad hash: OK
Test passed
+Software signing: keydir vs keyfile
+-----------------------------------
+
+In the simplest case, signing is done by giving mkimage the 'keyfile'. This is
+the path to a file containing the signing key.
+
+The alternative is to pass the 'keydir' argument. In this case the filename of
+the key is derived from the 'keydir' and the "key-name-hint" property in the
+FIT. In this case the "key-name-hint" property is mandatory, and the key must
+exist in "<keydir>/<key-name-hint>.<ext>" Here the extension "ext" is
+specific to the signing algorithm.
+
+
Hardware Signing with PKCS#11 or with HSM
-----------------------------------------
diff --git a/doc/uImage.FIT/source_file_format.txt b/doc/uImage.FIT/source_file_format.txt
index 00ed3eb..f93ac6d 100644
--- a/doc/uImage.FIT/source_file_format.txt
+++ b/doc/uImage.FIT/source_file_format.txt
@@ -184,6 +184,7 @@ the '/images' node should have the following layout:
Mandatory for types: "firmware", and "kernel".
- compatible : compatible method for loading image.
Mandatory for types: "fpga", and images that do not specify a load address.
+ To use the generic fpga loading routine, use "u-boot,fpga-legacy".
Optional nodes:
- hash-1 : Each hash sub-node represents separate hash or checksum