• Simon Glass's avatar
    mkimage: Add -r option to specify keys that must be verified · 399c744b
    Simon Glass authored
    
    
    Normally, multiple public keys can be provided and U-Boot is not
    required to use all of them for verification. This is because some
    images may not be signed, or may be optionally signed.
    
    But we still need a mechanism to determine when a key must be used.
    This feature cannot be implemented in the FIT itself, since anyone
    could change it to mark a key as optional. The requirement for
    key verification must go in with the public keys, in a place that
    is protected from modification.
    
    Add a -r option which tells mkimage to mark all keys that it uses
    for signing as 'required'.
    
    If some keys are optional and some are required, run mkimage several
    times (perhaps with different key directories if some keys are very
    secret) using the -F flag to update an existing FIT.
    
    Signed-off-by: default avatarSimon Glass <sjg@chromium.org>
    Reviewed-by: default avatarMarek Vasut <marex@denx.de>
    399c744b