binman: implement signing FIT images during image build

The patch implements a new property 'fit,sign' that can be declared
at the top-level 'fit' node. If that option is declared, fit tries
to detect the private keys directory among binman include directories.
That directory is then passed to mkimage using the '-k' flag, and that
enables signing of the FIT.

Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Renumbered files, moved new tests to end:
Signed-off-by: Simon Glass <sjg@chromium.org>
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index 3006c59..e918162 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -864,6 +864,13 @@
 
             fit,fdt-list-dir = "arch/arm/dts
 
+    fit,sign
+        Enable signing FIT images via mkimage as described in
+        verified-boot.rst. If the property is found, the private keys path is
+        detected among binman include directories and passed to mkimage via
+        -k flag. All the keys required for signing FIT must be available at
+        time of signing and must be located in single include directory.
+
 Substitutions
 ~~~~~~~~~~~~~
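Review bot: the new `fit,sign` entry says the private keys path "is detected among binman include directories" but does not document how a directory is recognised as the key directory, or what binman does when no include directory holds all the keys. Please state the matching rule and the failure behaviour here. For a verified-boot flow the missing-key case should be a build error rather than an unsigned FIT, and the text should say so. It would also help to say which directory wins when more than one include directory contains the keys, since the entry requires them to be in a single directory. Minor wording: "via -k flag" reads better as "via the -k flag", "at time of signing" as "at the time of signing", and "in single include directory" as "in a single include directory".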