diff options
-rw-r--r-- | doc/mkimage.1 | 6 | ||||
-rw-r--r-- | tools/fit_image.c | 9 | ||||
-rw-r--r-- | tools/mkimage.c | 8 | ||||
-rw-r--r-- | tools/mkimage.h | 1 |
4 files changed, 18 insertions, 6 deletions
diff --git a/doc/mkimage.1 b/doc/mkimage.1 index b67a351..14374da 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -133,6 +133,12 @@ the corresponding public key is written into this file for for run-time verification. Typically the file here is the device tree binary used by CONFIG_OF_CONTROL in U-Boot. +.TP +.BI "\-r +Specifies that keys used to sign the FIT are required. This means that they +must be verified for the image to boot. Without this option, the verification +will be optional (useful for testing but not for release). + .SH EXAMPLES List image information: diff --git a/tools/fit_image.c b/tools/fit_image.c index d48f571..281c2bd 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -152,10 +152,11 @@ static int fit_handle_file (struct mkimage_params *params) goto err_mmap; /* set hashes for images in the blob */ - if (fit_add_verification_data(params->keydir, dest_blob, ptr, - params->comment, 0)) { - fprintf (stderr, "%s Can't add hashes to FIT blob", - params->cmdname); + if (fit_add_verification_data(params->keydir, + dest_blob, ptr, params->comment, + params->require_keys)) { + fprintf(stderr, "%s Can't add hashes to FIT blob\n", + params->cmdname); goto err_add_hashes; } diff --git a/tools/mkimage.c b/tools/mkimage.c index b3b45a4..d312844 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -270,6 +270,9 @@ main (int argc, char **argv) usage (); params.imagename = *++argv; goto NXTARG; + case 'r': + params.require_keys = 1; + break; case 'R': if (--argc <= 0) usage(); @@ -645,11 +648,12 @@ usage () fprintf(stderr, " -D => set options for device tree compiler\n" " -f => input filename for FIT source\n"); #ifdef CONFIG_FIT_SIGNATURE - fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>]\n" + fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-r]\n" " -k => set directory containing private keys\n" " -K => write public keys to this .dtb file\n" " -c => add comment in signature node\n" - " -F => re-sign existing FIT image\n"); + " -F => re-sign existing FIT image\n" + " -r => mark keys used as 'required' in dtb\n"); #else fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); #endif diff --git a/tools/mkimage.h b/tools/mkimage.h index ab8baf8..1d9984e 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h @@ -90,6 +90,7 @@ struct mkimage_params { const char *keydir; /* Directory holding private keys */ const char *keydest; /* Destination .dtb for public key */ const char *comment; /* Comment to add to signature node */ + int require_keys; /* 1 to mark signing keys as 'required' */ }; /* |