Do I need to sign all the dtb files, or just one?
I'm working on securing Yocto linux 3.14.52 on an iMX6 SoloX. I've followed the security workshop, and successfully signed u-boot, zImage, and imx6sx-sdb.dtb, and they all work great with no HAB errors.
What about the rest of the dtb files in the boot partition (ex. imx6sx-sdb-btwifi.dtb)? They don't appear to be loaded into memory at the time when the kernel and imx6sx-sdb.dtb are checked, so I don't have a location in memory to point to, to verify them. Are hashes of the other dtb files contained in imx6sx-sdb.dtb, so none of them can changed without an updated signature? All the posts I've read made it sound like there's only one dtb file at all, but my yocto build produces many of them. Is there some additional work to sign the rest of them?