Lines Matching refs:it

12 entire process of signing an image and running U-Boot (sandbox) to check it.
13 However, it might be useful to also have an example on a real board.
19 device tree. They may use the same device tree source, but it is seldom useful
21 U-Boot has its device tree packaged with it, and the kernel's device tree is
23 since U-Boot's device tree must be immutable. If it can be changed then the
27 changes when the kernel changes, so it is useful to package an updated device
52 8. Try it
59 this for U-Boot and also for the kernel if you build it. For example if you
60 installed a Linaro version manually it might be something like:
64 or if you just installed gcc-arm-linux-gnueabi then it might be
73 # You can add -j10 if you have 10 CPUs to make it faster
87 use. In our case it is am335x-boneblack.dtb and it is built with the kernel.
92 You can write this to an SD card and then mount it to extract the kernel and
172 But briefly it packages a kernel and device tree, and provides a single
174 with LZO to make it smaller.
188 gets access to that file they can sign kernels with it. Keep it secure.
246 You can also run fit_check_sign to check it:
300 At the top, you see "sha1,rsa2048:dev+". This means that it checked an RSA key
302 'dev' and the '+' means that it verified. If it showed '-' that would be bad.
304 Once the configuration is verified it is then possible to rely on the hashes
313 But it is fun to do this by hand, so you can load image.fit into a hex editor
419 Now check it again:
431 a public key for which it requires a match, and will not permit the use of any
433 configuration will match is if it was signed by the matching private key.
437 configuration in any way. Try it with a fresh (valid) image if you like by
450 Of course it would be possible to add an entirely new configuration and boot
451 with that, but it still needs to be signed, so it won't help.
457 Having confirmed that the signature is doing its job, let's try it out in
459 the private key that you signed with so that it can verify any kernels that
484 can use to verify against it. These values are obtained from the public key
498 for Linux. Put it into your machine and write U-Boot and the kernel to it.
508 8. Try it
584 At this point your kernel has been verified and you can be sure that it is one
592 Several of the steps here can be easily automated. In particular it would be