<lschmid>
So, okay. I've got signatures somewhat working now. The only issue is that I need to use binman to put the public key into spl. But spl is signed by mkimage before binman gets to it
<lschmid>
apritzel: Any idea how I could have either mkimage sign the spl after binman has gotten to it, or run mkimage from within binman to sign it?
<apritzel>
but that's a generic issue, nothing Allwinner specific, isn't it?
<lschmid>
Maybe, yes. But I may have just figured out how to do it...
<lschmid>
It finally works! So yes, removing SPL_DM dependency and adding the DM-if to rsa works fine. You need a lot of changes in the sunxi-u-boot.dtsi for the hashes, signature and spl public key injection
<apritzel>
hey, that's great, thanks for figuring this out. Can you put this in some patches, so that others can benefit? The request for a signed boot chain comes up every now and then
<lschmid>
I already tried to do this as cleanly as possible. I'll have a go at upstreaming this when I get to upstreaming all the SoM support stuff
<lschmid>
Primarily I'd like to wait for the kernel to have the dt's so that I don't need to have them in repos twice (if that's a good reason)
<apritzel>
well, it sounds like enabling the SPL signature support is completely board or SoC agnostic, that's pretty much fixing a gap in the Allwinner platform configuration
<apritzel>
I have the secure register setup in proper patches now, but need to somehow test the H3 changes I made. Will probably use my secure Pine64 board for that, with some hacks to run it in 32-bit ...
<lschmid>
Well, I've just had a look and yes it seems that I could submit this without any large dependencies on my side. I'll probably see about making a clean series of this the next few days. If you don't mind, could you maybe have a look beforehand to catch some things early? It's currently only a single commit but I'd split up the DM-Dependency fix of RSA and the actual changes to the dtsi later. Here's the current commit: https://gitlab.com/netcube-sy