I am trying to use U-Boot verified boot for my use case. Ideally I would like to have two sets of kernel, ramdisk and dtb: 1) for production only, and 2) for the development scenario.

I generated two keys, with the corresponding public keys: dev.key, dev.crt, prod.key, prod.crt.

For testing, I created the FIT source file shown below, but the generated u-boot.dtb only puts the production key into the binary, with no sign of the development key (the structure is there, but rsa,r-squared and rsa,modulus are missing). Any idea how to do this properly? Thanks!

```dts
/dts-v1/;
/ {
    description = "fitImage for Tegra TX2";
    #address-cells = <1>;
    images {
        kernel-1 {
            description = "Linux kernel";
            data = /incbin/("Image");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        fdt-1 {
            description = "DTB for Tegra TX2";
            data = /incbin/("tegra186-base.dtb");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        ramdisk-1 {
            description = "Ramdisk Image for Tegra TX2";
            data = /incbin/("initrd");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            description = "Production build";
            kernel = "kernel-1";
            fdt = "fdt-1";
            ramdisk = "ramdisk-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "prod";
                sign-images = "kernel", "fdt", "ramdisk";
            };
        };
        conf-2 {
            description = "Development build";
            kernel = "kernel-1";
            fdt = "fdt-1";
            ramdisk = "ramdisk-1";
            signature {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "kernel", "fdt", "ramdisk";
            };
        };
    };
};
```

With limited testing, the only way the mkimage command adds both keys to u-boot.dtb is the setup below. Essentially, the second key just acts as a backup option. This seems to match the U-Boot documentation, but it does not fit my use case. The documentation says:

- key-name-hint: "Name of the key to use for signing. This is only a hint since it can be changed. Verification can proceed by checking all available signing keys until a match is found."

You can use the following FIT source to embed both keys into the u-boot dts file at U-Boot compile time:

```dts
/dts-v1/;
/ {
    description = "fitImage for Tegra TX2";
    #address-cells = <1>;
    images {
        kernel-1 {
            description = "Linux kernel";
            data = /incbin/("Image");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        fdt-1 {
            description = "DTB for Tegra TX2";
            data = /incbin/("tegra186-base.dtb");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
        ramdisk-1 {
            description = "Ramdisk Image for Tegra TX2";
            data = /incbin/("initrd");
            ...
            hash-1 {
                algo = "sha256";
            };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            description = "Production build";
            kernel = "kernel-1";
            fdt = "fdt-1";
            ramdisk = "ramdisk-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "prod";
                sign-images = "kernel", "fdt", "ramdisk";
            };
            signature-2 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "kernel", "fdt", "ramdisk";
            };
        };
    };
};
```
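As an added check for the symptom described in this question (this is example code written here, not part of the question, U-Boot or mkimage), a small Python parser that walks a u-boot.dtb and reports, for each /signature/key-<hint> node, which rsa,* properties are missing. It assumes the property names from U-Boot's lib/rsa (rsa,num-bits and rsa,n0-inverse are not mentioned in the question) and hand-assembles a constructed sample blob so it runs offline; on a real file, call audit_keys(open("u-boot.dtb", "rb").read()).

```python
import struct
FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9
# Per-key material U-Boot's RSA signer writes; the question saw the last two missing for "dev"
# (num-bits and n0-inverse are assumed names from U-Boot's lib/rsa, not taken from the question).
RSA_PROPS = ("rsa,num-bits", "rsa,n0-inverse", "rsa,r-squared", "rsa,modulus")
def parse_dtb(blob):
    """Walk the FDT structure block; return {"/path/node": {prop_name: raw_bytes}}."""
    magic, _, off_struct, off_strings = struct.unpack_from(">IIII", blob)
    assert magic == FDT_MAGIC, "not a DTB"
    cstr = lambda off: blob[off:blob.index(b"\0", off)].decode()
    nodes, path, pos = {}, [], off_struct
    while True:
        tok, = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:  # NUL-terminated node name, padded to 4 bytes
            name = cstr(pos)
            pos = (pos + len(name) + 4) & ~3
            path.append(name)
            nodes["/" + "/".join(filter(None, path))] = {}
        elif tok == PROP:  # u32 len, u32 offset into strings block, data padded to 4 bytes
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            nodes["/" + "/".join(filter(None, path))][cstr(off_strings + nameoff)] = blob[pos:pos + length]
            pos = (pos + length + 3) & ~3
        elif tok == END_NODE:
            path.pop()
        elif tok == END:
            return nodes
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok} at offset {pos - 4}")
def audit_keys(blob):
    """Map each /signature/key-<hint> node to the rsa,* props it lacks ([] = fully embedded)."""
    return {path.split("key-", 1)[1]: [p for p in RSA_PROPS if p not in props]
            for path, props in parse_dtb(blob).items() if path.startswith("/signature/key-")}
# Constructed sample mirroring the symptom: prod key complete, dev key node present but empty.
# These helpers hand-assemble a DTB for the demo; they are not how mkimage -K writes the real one.
STRINGS = b"".join(n.encode() + b"\0" for n in ("algo", *RSA_PROPS))  # strings block
def begin(name):  # FDT_BEGIN_NODE, NUL-terminated name, padded to 4 bytes
    raw = name.encode() + b"\0"
    return struct.pack(">I", BEGIN_NODE) + raw + b"\0" * (-len(raw) % 4)
def prop(name, data):  # FDT_PROP, length, name offset into STRINGS, padded data
    return struct.pack(">III", PROP, len(data), STRINGS.index(name.encode() + b"\0")) + data + b"\0" * (-len(data) % 4)
ALGO, END_NODE_TOK = b"sha256,rsa2048\0", struct.pack(">I", END_NODE)
BODY = (begin("") + begin("signature") + begin("key-prod") + prop("algo", ALGO)
        + b"".join(prop(p, b"\0\0\x08\0") for p in RSA_PROPS) + END_NODE_TOK
        + begin("key-dev") + prop("algo", ALGO) + END_NODE_TOK * 3 + struct.pack(">I", END))
HEADER = struct.pack(">10I", FDT_MAGIC, 56 + len(BODY) + len(STRINGS), 56, 56 + len(BODY),
                     40, 17, 16, 0, len(STRINGS), len(BODY))  # memreserve map at 40, struct at 56
SAMPLE_DTB = HEADER + b"\0" * 16 + BODY + STRINGS
```

A non-empty list for a hint means that key node will not verify anything, which is exactly the "structure is there but properties missing" state described above.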