[PATCH 0/6] crypto: keys: Some work for public keys

Sascha Hauer s.hauer at pengutronix.de
Thu Aug 21 06:18:23 PDT 2025


Traditionally we included public keys in form of dts snippets generated
by U-Boot mkImage and compiled into the barebox device trees. We can now
include public keys directly as C structs from the public key PEM files
or PKCS#11 uris which is easier to integrate. Nevertheless the dts
snippet way is still present which makes the configuration slightly
confusing. Remove this old way for good to make configuration easier
and to get rid of some maintenance burden.

Another point tackled in this series is that we can compile multiple
keys into the binary, but the user is left without a clue which key
is finally used. This series adds a sha256 hash over the public keys
to struct public_key which can be printed along the key to identify it.

Finally Pengutronix created a set of well known development keys for
convenient testing of secure boot chains. This series adds a new option
to compile the public key parts into the barebox binary with a single
knob. With this, images signed with these keys can easily be tested
without the need of a BSP or adding the paths to the keys into Kconfig.

Finally the output of the FIT image code is improved. It has become very
verbose when used with FIT images containing multiple device tree
overlays. The information is now hidden behind the verbose option which
can be activated with bootm -v or global.bootm.verbose=1.

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
Sascha Hauer (6):
      crypto: drop BOOTM_FITIMAGE_PUBKEY
      crypto: Allow to include development keys in build
      crypto: include public key hashes
      commands: add keys command
      fit: consistently pass around fit_handle
      fit: improve diagnostics

 Documentation/user/security.rst                    |  5 ++
 arch/arm/dts/imx6dl-phytec-pbab01.dts              |  3 --
 arch/arm/dts/imx6dl-phytec-phyboard-subra.dts      |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts    |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts |  3 --
 arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6q-phytec-pbab01.dts               |  3 --
 arch/arm/dts/imx6q-phytec-phyboard-alcor.dts       |  3 --
 arch/arm/dts/imx6q-phytec-phyboard-subra.dts       |  3 --
 arch/arm/dts/imx6q-phytec-phycard.dts              |  4 --
 arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts     |  3 --
 arch/arm/dts/imx6q-phytec-phycore-som-nand.dts     |  3 --
 arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6s-phytec-pbab01.dts               |  3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts    |  3 --
 arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts    |  3 --
 arch/arm/dts/imx6ul-tqma6ul-common.dtsi            |  4 --
 arch/arm/dts/imx6ul-webasto-ccbv2.dts              |  4 --
 arch/arm/dts/imx6ul-webasto-marvel.dts             |  4 --
 arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts   |  3 --
 .../arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts |  3 --
 arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts   |  3 --
 arch/arm/dts/stm32mp133c-mect1s.dts                |  4 --
 arch/arm/dts/stm32mp133c-prihmb.dts                |  4 --
 arch/arm/dts/stm32mp151c-plyaqm.dts                |  4 --
 commands/Kconfig                                   |  7 +++
 commands/Makefile                                  |  1 +
 commands/keys.c                                    | 30 +++++++++++
 common/Kconfig                                     | 32 ------------
 common/boards/qemu-virt/fitimage-pubkey.dts        |  4 --
 common/image-fit.c                                 | 40 ++++++++++-----
 crypto/Kconfig                                     |  7 +--
 crypto/Makefile                                    |  9 ++++
 crypto/fit-4096-development.crt                    | 33 ++++++++++++
 crypto/fit-ecdsa-development.crt                   | 13 +++++
 crypto/public-keys.c                               |  6 ++-
 include/crypto/public_key.h                        |  2 +
 scripts/Makefile.lib                               | 12 -----
 scripts/keytoc.c                                   | 59 ++++++++++++++++++++++
 40 files changed, 194 insertions(+), 148 deletions(-)
---
base-commit: 525ccfb5ac381c06898e6403e12ec8c34c42c0f8
change-id: 20250821-keynames-95b43a99e8c5

Best regards,
-- 
Sascha Hauer <s.hauer at pengutronix.de>



