From: Alexander Dahl via ptxdist
To: ptxdist@pengutronix.de
Cc: Alexander Dahl
Reply-To: ptxdist@pengutronix.de
Date: Tue, 13 May 2025 16:06:39 +0200
Message-Id: <20250513140641.4075870-1-ada@thorsis.com>
List-Id: PTXdist Development Mailing List
Subject: [ptxdist] [PATCH v1 0/2] u-boot: Add verified boot support

Hello everyone,

the concept widely known as Secure Boot is called "Verified Boot" in
U-Boot and it does the same as you would expect: load a signed kernel
image (configuration), verify the signature, abort if verification
fails.  (Other steps of the verification chain are not covered by this
series.)

Some foundational work like support for U-Boot loading FIT images was
merged last year already.  I had the remaining parts lying around
working, but some necessary patches were not in mainline U-Boot back
then.  With u-boot-tools 2024.10 or later it's finally possible to
upstream this.

See commit messages for details.  Let me know if Kconfig help is
sufficient or if the documentation should be extended.

Greets
Alex

Alexander Dahl (2):
  u-boot-tools: Version bump 2020.07 -> 2025.04
  u-boot: Add option to load signed kernel FIT images

 platforms/u-boot.in                | 30 +++++++++++++++++++++++++++---
 rules/host-u-boot-tools.in         |  1 +
 rules/u-boot-tools.make            |  6 +++---
 rules/u-boot.make                  | 13 +++++++++++++
 scripts/lib/ptxd_make_fit_image.sh |  7 -------
 5 files changed, 44 insertions(+), 13 deletions(-)

-- 
2.39.5