| author | Tom Rini <trini@konsulko.com> | 2020-10-13 10:04:17 -0400 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2020-10-13 10:04:17 -0400 |
| commit | 55fca74a5ba9bb0a101b247f421e81322b945a7b (patch) | |
| tree | d9b0680c0ca27982bd27f1f8cb733728ed3e7039 /doc | |
| parent | 9885313b9add6c04cf3059958c5ee51a4f0ac930 (diff) | |
| parent | ec71cc34c1cef173d9f656d5cc9a2e698fae28fb (diff) | |
Merge branch '2020-10-12-assorted-encryption-changes'
- Fix verified boot on BE targets
- Add support for multiple required keys in verified boots
- Add support for Initialization Vectors in AES keys in FIT images
- Assorted fixes in the RSA code
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/uImage.FIT/signature.txt | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index d4afd755e9..a3455889ed 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys. This happens automatically as part of a bootm command when FITs are used. +For Signed Configurations, the default verification behavior can be changed by +the following optional property in /signature node in U-Boot's control FDT. + +- required-mode: Valid values are "any" to allow verified boot to succeed if +the selected configuration is signed by any of the 'required' keys, and "all" +to allow verified boot to succeed if the selected configuration is signed by +all of the 'required' keys. + +This property can be added to a binary device tree using fdtput as shown in +below examples:: + + fdtput -t s control.dtb /signature required-mode any + fdtput -t s control.dtb /signature required-mode all + Enabling FIT Verification ------------------------- |
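Review bot: the new paragraph in doc/uImage.FIT/signature.txt says "the default verification behavior can be changed" by required-mode but never states which of "any" or "all" applies when the property is absent, so a reader cannot tell what policy an existing control FDT gets. Please name the default explicitly in the required-mode bullet, and say how a value other than "any" or "all" is handled (rejected, or treated as one of the two). It is also worth a sentence noting that with "any" a configuration signed by a single 'required' key passes verification, so the trust placed in the image is that of the weakest required key, whereas "all" needs every required key to have signed it. Minor wording: "as shown in below examples" should read "as shown in the examples below".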
