I have read https://community.nxp.com/t5/i-MX-Processors/Do-I-sign-only-one-dtb-file/m-p/654150#M100180.
But in our product scenario:
One device derives multiple models of devices. These devices all use the same zImage, but are distinguished by different dtbs. This zImage and the multiple dtbs are saved in the /boot directory of the same firmware.
New derived models of devices are constantly being added, and we only want to add a new dtb to the existing firmware.
How do we deal with the signature in this scenario?
Does anyone have ideas?
Dear @weidong_sun,
Can you show me how to sign a dtb?
Is a signed dtb required by bootz of U-Boot in secure boot?
Someone says yes, but I can successfully run "bootz zImage_signed - dtb_not_signed" in my U-Boot, and I find that bootz only authenticates the zImage and does not authenticate the dtb. See below:
/*
 * zImage booting support
 */
static int bootz_start(cmd_tbl_t *cmdtp, int flag, int argc,
		       char * const argv[], bootm_headers_t *images)
{
	int ret;
	ulong zi_start, zi_end;

	ret = do_bootm_states(cmdtp, flag, argc, argv, BOOTM_STATE_START,
			      images, 1);

	/* Setup Linux kernel zImage entry point */
	if (!argc) {
		images->ep = load_addr;
		debug("* kernel: default image load address = 0x%08lx\n",
		      load_addr);
	} else {
		images->ep = simple_strtoul(argv[0], NULL, 16);
		debug("* kernel: cmdline image address = 0x%08lx\n",
		      images->ep);
	}

	ret = bootz_setup(images->ep, &zi_start, &zi_end);
	if (ret != 0)
		return 1;

	lmb_reserve(&images->lmb, images->ep, zi_end - zi_start);

	/*
	 * Handle the BOOTM_STATE_FINDOTHER state ourselves as we do not
	 * have a header that provides this information.
	 */
	if (bootm_find_images(flag, argc, argv))
		return 1;

#ifdef CONFIG_SECURE_BOOT
	/*
	 * Only the zImage range [ep, ep + size) is authenticated here;
	 * the dtb located by bootm_find_images() above is not checked.
	 */
	extern uint32_t authenticate_image(
			uint32_t ddr_start, uint32_t image_size);
	if (authenticate_image(images->ep, zi_end - zi_start) == 0) {
		printf("Authenticate zImage Fail, Please check\n");
		return 1;
	}
#endif

	return 0;
}
If we need to authenticate the dtb, does it mean that we need to add the corresponding code to authenticate the dtb in bootz()?
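Added example, not U-Boot's code and not from anyone in this thread: a self-contained C model of the bootz start path with a check_dtb switch that adds the dtb authentication the question above asks about. The names hab_auth_stub(), make_signed_blob(), bootz_start_model() and demo_dtb_check() are hypothetical, and the "signature" (a tag plus an FNV-1a digest in a trailer) is a constructed stand-in for the real HAB/CSF check, used only so the example runs offline; it shows the control flow, not the cryptography.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRAILER_LEN 8u
#define SIG_TAG     0x53494721u   /* "SIG!" marker for the constructed trailer */

/* FNV-1a digest: a cheap stand-in, NOT a signature. The real HAB check
 * verifies an RSA signature over the image as described by its CSF. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
	uint32_t h = 0x811c9dc5u;
	for (size_t i = 0; i < n; i++) {
		h ^= p[i];
		h *= 0x01000193u;
	}
	return h;
}

static void put32(uint8_t *out, uint32_t v)
{
	out[0] = (uint8_t)v; out[1] = (uint8_t)(v >> 8);
	out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
}

static uint32_t get32(const uint8_t *in)
{
	return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
	       ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* "Sign" a payload: payload || tag || digest. Returns the total length,
 * or 0 if it does not fit in the output buffer. (Constructed format.) */
size_t make_signed_blob(uint8_t *out, size_t cap, const uint8_t *payload, size_t n)
{
	if (n + TRAILER_LEN > cap)
		return 0;
	memcpy(out, payload, n);
	put32(out + n, SIG_TAG);
	put32(out + n + 4, fnv1a(payload, n));
	return n + TRAILER_LEN;
}

/* Same contract as authenticate_image() in the thread: non-zero on
 * success, 0 on failure. Hypothetical stand-in for the HAB call. */
uint32_t hab_auth_stub(const uint8_t *start, size_t image_size)
{
	if (image_size < TRAILER_LEN)
		return 0;
	size_t n = image_size - TRAILER_LEN;
	if (get32(start + n) != SIG_TAG)
		return 0;
	return get32(start + n + 4) == fnv1a(start, n);
}

struct boot_images {
	const uint8_t *kernel; size_t kernel_size;
	const uint8_t *dtb;    size_t dtb_size;   /* NULL when no dtb was given */
};

/* Model of bootz_start(): 0 = continue boot, 1 = abort, like the original.
 * check_dtb == 0 reproduces the behaviour shown in the thread (zImage only);
 * check_dtb == 1 also runs the same check over the dtb range. */
int bootz_start_model(const struct boot_images *img, int check_dtb)
{
	if (hab_auth_stub(img->kernel, img->kernel_size) == 0) {
		printf("Authenticate zImage Fail, Please check\n");
		return 1;
	}
	if (check_dtb && img->dtb != NULL &&
	    hab_auth_stub(img->dtb, img->dtb_size) == 0) {
		printf("Authenticate dtb Fail, Please check\n");
		return 1;
	}
	return 0;
}

/* Constructed inputs. Returns a bitmask of what the dtb check caught that
 * the zImage-only path let through: bit0 = unsigned dtb, bit1 = tampered
 * signed dtb. Returns -1 if a properly signed pair fails to boot. */
int demo_dtb_check(void)
{
	static const uint8_t kernel_payload[] = "zImage-bytes (constructed)";
	static const uint8_t dtb_payload[]    = "dtb-bytes (constructed)";
	uint8_t kernel[64], dtb[64];
	size_t klen = make_signed_blob(kernel, sizeof kernel, kernel_payload, sizeof kernel_payload);
	size_t dlen = make_signed_blob(dtb, sizeof dtb, dtb_payload, sizeof dtb_payload);
	int caught = 0;

	struct boot_images good = { kernel, klen, dtb, dlen };
	if (bootz_start_model(&good, 1) != 0)
		return -1;

	struct boot_images unsigned_dtb = { kernel, klen, dtb_payload, sizeof dtb_payload };
	if (bootz_start_model(&unsigned_dtb, 0) == 0 && bootz_start_model(&unsigned_dtb, 1) == 1)
		caught |= 1;

	dtb[3] ^= 0x01;   /* flip one byte inside the signed dtb body */
	struct boot_images tampered = { kernel, klen, dtb, dlen };
	if (bootz_start_model(&tampered, 0) == 0 && bootz_start_model(&tampered, 1) == 1)
		caught |= 2;
	return caught;
}

int main(void)
{
	int caught = demo_dtb_check();
	printf("dtb check caught: unsigned=%d tampered=%d\n", caught & 1, (caught & 2) != 0);
	return caught == 3 ? 0 : 1;
}
```

Build with a plain cc -std=c99 and run it; exit status 0 means both the unsigned dtb and the tampered dtb pass the zImage-only path and are rejected only when the dtb range is checked too. That is the gap in the code quoted above: authenticate_image() runs over the zImage range alone, so whatever dtb bootm_find_images() located is handed to the kernel unverified, and a dtb-range check with the same abort-on-failure contract is what closes it. With a real HAB build the check over the dtb has to cover whatever region that dtb's CSF signs, so each newly added dtb needs its own signing step before it can pass.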
Hi,
Different products use the same zImage but different dtb.
If your zImage has already been signed, you only need to sign the new dtb.
Hope this information is helpful to you.
Have a nice day!
B.R.,
Weidong