Do I sign only one dtb file?

Question asked by Greg Davies on Oct 19, 2016
Latest reply on Oct 24, 2016 by Greg Davies

Do I need to sign all the dtb files, or just one?


I'm working on securing Yocto Linux 3.14.52 on an iMX6 SoloX. I've followed the security workshop, and successfully signed u-boot, zImage, and imx6sx-sdb.dtb, and they all work great with no HAB errors.


What about the rest of the dtb files in the boot partition (ex. imx6sx-sdb-btwifi.dtb)? They don't appear to be loaded into memory at the time when the kernel and imx6sx-sdb.dtb are checked, so I don't have a location in memory to point to, to verify them. Are hashes of the other dtb files contained in imx6sx-sdb.dtb, so none of them can be changed without an updated signature? All the posts I've read made it sound like there's only one dtb file at all, but my Yocto build produces many of them. Is there some additional work to sign the rest of them?