mkimage: Add -K to write public keys to an FDT blob

FIT image verification requires public keys. Add a convenient option to
mkimage to write the public keys to an FDT blob when it uses them for
signing an image. This allows us to use:

   mkimage -f test.its -K dest.dtb -k keys test.fit

and have the signatures written to test.fit and the corresponding public
keys written to dest.dtb. Then dest.dtb can be used as the control FDT
for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the
public keys it needs.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
diff --git a/tools/mkimage.c b/tools/mkimage.c
index def7df2..3760392 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -253,6 +253,11 @@
usage();
params.keydir = *++argv;
goto NXTARG;
+ case 'K':
+ if (--argc <= 0)
+ usage();
+ params.keydest = *++argv;
+ goto NXTARG;
case 'n':
if (--argc <= 0)
usage ();
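Review bot: The new `case 'K'` stores the path in params.keydest with no check that signing was actually requested; nothing in this hunk ties -K to the key directory option whose `params.keydir = *++argv;` appears just above. The commit message says the public keys are written when mkimage uses them for signing, so it is worth confirming what happens when -K is given without -k: if dest.dtb is left without keys and no error is reported, that file could still end up as U-Boot's control FDT and verification would have nothing to check against. Consider validating after argument parsing (for example calling usage() when params.keydest is set but params.keydir is not), or printing a warning.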
@@ -633,8 +638,9 @@
fprintf(stderr, " -D => set options for device tree compiler\n"
" -f => input filename for FIT source\n");
#ifdef CONFIG_FIT_SIGNATURE
- fprintf(stderr, "Signing / verified boot options: [-k keydir]\n"
- " -k => set directory containing private keys\n");
+ fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb]\n"
+ " -k => set directory containing private keys\n"
+ " -K => write public keys to this .dtb file\n");
#else
fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
#endif
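Review bot: The help line `-K => write public keys to this .dtb file` does not tell the user that the option is only meaningful together with -k, or whether the .dtb has to exist already and is updated in place. Since the commit message describes dest.dtb as the file that becomes the control FDT, a short hint such as "(used with -k)" and a word on the file being updated would prevent misuse. Also note that this text sits under `#ifdef CONFIG_FIT_SIGNATURE`, while the `case 'K'` lines in the first hunk show no such guard; if the parsing is unguarded, a build without CONFIG_FIT_SIGNATURE would accept -K without reporting that signing is unsupported.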