author: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com> 2020-08-16 23:01:11 -0700
committer: Tom Rini <trini@konsulko.com> 2020-10-12 21:30:37 -0400
commit: 6a0498a5fd41b58b0c61b34f315771aac0eca0e0
tree: 7c6e3f55fbdff4deb82d89d6aad5f6d8bcd42254 /doc
parent: feaeee8b5ff59477e0372ae7b9a655ecca05b24a
doc: verified-boot: add required-mode information
Add documentation about 'required-mode' property in /signature node in U-Boot's control FDT.

Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/uImage.FIT/signature.txt | 14
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index d4afd755e9..a3455889ed 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -386,6 +386,20 @@ that might be used by the target needs to be signed with 'required' keys.
This happens automatically as part of a bootm command when FITs are used.
+For Signed Configurations, the default verification behavior can be changed by
+the following optional property in /signature node in U-Boot's control FDT.
+
+- required-mode: Valid values are "any" to allow verified boot to succeed if
+the selected configuration is signed by any of the 'required' keys, and "all"
+to allow verified boot to succeed if the selected configuration is signed by
+all of the 'required' keys.
+
+This property can be added to a binary device tree using fdtput as shown in
+below examples::
+
+ fdtput -t s control.dtb /signature required-mode any
+ fdtput -t s control.dtb /signature required-mode all
+
Enabling FIT Verification
-------------------------