doc: verified-boot: add required-mode information

author Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>

Mon, 17 Aug 2020 06:01:11 +0000 (23:01 -0700)

committer Tom Rini <trini@konsulko.com>

Tue, 13 Oct 2020 01:30:37 +0000 (21:30 -0400)
author Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Mon, 17 Aug 2020 06:01:11 +0000 (23:01 -0700)
committer Tom Rini <trini@konsulko.com>
Tue, 13 Oct 2020 01:30:37 +0000 (21:30 -0400)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt

index d4afd75..a345588 100644 (file)
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys.
  
  This happens automatically as part of a bootm command when FITs are used.
  
+For Signed Configurations, the default verification behavior can be changed by
+the following optional property in /signature node in U-Boot's control FDT.
+
+- required-mode: Valid values are "any" to allow verified boot to succeed if
+the selected configuration is signed by any of the 'required' keys, and "all"
+to allow verified boot to succeed if the selected configuration is signed by
+all of the 'required' keys.
+
+This property can be added to a binary device tree using fdtput as shown in
+below examples::
+
+       fdtput -t s control.dtb /signature required-mode any
+       fdtput -t s control.dtb /signature required-mode all
+
  
  Enabling FIT Verification
  -------------------------
author	Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
	Mon, 17 Aug 2020 06:01:11 +0000 (23:01 -0700)
committer	Tom Rini <trini@konsulko.com>
	Tue, 13 Oct 2020 01:30:37 +0000 (21:30 -0400)