diff options
| author | Tom Rini <trini@konsulko.com> | 2021-04-15 17:10:25 -0400 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2021-04-15 17:10:25 -0400 |
| commit | a6232e065dd9e349bf5908c928734c6b5b018112 (patch) | |
| tree | 49a54d23fc32194ce266f06cb8fae3eff4574339 /doc | |
| parent | 45b3cf88da24206a6cb847efe837fddc120af3e8 (diff) | |
| parent | fbc777429fa35312a9ea5f106692172d3153e659 (diff) | |
| download | u-boot-a6232e065dd9e349bf5908c928734c6b5b018112.zip u-boot-a6232e065dd9e349bf5908c928734c6b5b018112.tar.gz u-boot-a6232e065dd9e349bf5908c928734c6b5b018112.tar.bz2 | |
Merge branch '2021-04-14-assorted-vboot-improvements'WIP/15Apr2021
- Add ECDSA support to FIT images
- Improve FIT image loadables (incl fpga) support
- Further FIT improvements with SPL
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/uImage.FIT/multi-with-fpga.its | 3 | ||||
| -rw-r--r-- | doc/uImage.FIT/signature.txt | 20 | ||||
| -rw-r--r-- | doc/uImage.FIT/source_file_format.txt | 1 |
3 files changed, 22 insertions, 2 deletions
diff --git a/doc/uImage.FIT/multi-with-fpga.its b/doc/uImage.FIT/multi-with-fpga.its index 47ee576..021cbc7 100644 --- a/doc/uImage.FIT/multi-with-fpga.its +++ b/doc/uImage.FIT/multi-with-fpga.its @@ -29,6 +29,7 @@ arch = "arm"; compression = "none"; load = <0x30000000>; + compatible = "u-boot,fpga-legacy" hash-1 { algo = "md5"; }; @@ -61,7 +62,7 @@ description = "Linux with fpga"; kernel = "linux_kernel"; fdt = "fdt-1"; - fpga = "fpga"; + loadables = "fpga"; }; }; }; diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index a345588..d9a9121 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -142,7 +142,7 @@ public key in U-Boot's control FDT (using CONFIG_OF_CONTROL). Public keys should be stored as sub-nodes in a /signature node. Required properties are: -- algo: Algorithm name (e.g. "sha1,rsa2048") +- algo: Algorithm name (e.g. "sha1,rsa2048" or "sha256,ecdsa256") Optional properties are: @@ -167,6 +167,11 @@ For RSA the following are mandatory: - rsa,r-squared: (2^num-bits)^2 as a big-endian multi-word integer - rsa,n0-inverse: -1 / modulus[0] mod 2^32 +For ECDSA the following are mandatory: +- ecdsa,curve: Name of ECDSA curve (e.g. "prime256v1") +- ecdsa,x-point: Public key X coordinate as a big-endian multi-word integer +- ecdsa,y-point: Public key Y coordinate as a big-endian multi-word integer + These parameters can be added to a binary device tree using parameter -K of the mkimage command:: @@ -467,6 +472,19 @@ Test Verified Boot Run: signed config with bad hash: OK Test passed +Software signing: keydir vs keyfile +----------------------------------- + +In the simplest case, signing is done by giving mkimage the 'keyfile'. This is +the path to a file containing the signing key. + +The alternative is to pass the 'keydir' argument. In this case the filename of +the key is derived from the 'keydir' and the "key-name-hint" property in the +FIT. In this case the "key-name-hint" property is mandatory, and the key must +exist in "<keydir>/<key-name-hint>.<ext>" Here the extension "ext" is +specific to the signing algorithm. + + Hardware Signing with PKCS#11 or with HSM ----------------------------------------- diff --git a/doc/uImage.FIT/source_file_format.txt b/doc/uImage.FIT/source_file_format.txt index 00ed3eb..f93ac6d 100644 --- a/doc/uImage.FIT/source_file_format.txt +++ b/doc/uImage.FIT/source_file_format.txt @@ -184,6 +184,7 @@ the '/images' node should have the following layout: Mandatory for types: "firmware", and "kernel". - compatible : compatible method for loading image. Mandatory for types: "fpga", and images that do not specify a load address. + To use the generic fpga loading routine, use "u-boot,fpga-legacy". Optional nodes: - hash-1 : Each hash sub-node represents separate hash or checksum |