[PATCH v4 4/6] spl: fit: enable signing a generated u-boot.itb

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Heiko Stuebner <heiko@sntech.de>
To: u-boot@lists.denx.de
Subject: [PATCH v4 4/6] spl: fit: enable signing a generated u-boot.itb
Date: Fri, 19 Jun 2020 12:45:48 +0200	[thread overview]
Message-ID: <20200619104550.1972307-5-heiko@sntech.de> (raw)
In-Reply-To: <20200619104550.1972307-1-heiko@sntech.de>

From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>

With SPL_FIT_SIGNATURE enabled we will likely want a generated
u-boot.itb to be signed and the key stores so that the spl can
reach it.

So add a SPL_FIT_SIGNATURE_KEY_DIR option and suitable hooks
into the Makefile to have mkimage sign the .itb and store the
used key into the spl dtb file.

The added dependencies should make sure that the u-boot.itb
gets generated before the spl-binary gets build, so that there
is the necessary space for the key to get included.

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
---
 Kconfig  |  8 ++++++++
 Makefile | 11 ++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/Kconfig b/Kconfig
index b34fbf5827..05a13d1836 100644
--- a/Kconfig
+++ b/Kconfig
@@ -465,6 +465,14 @@ config SPL_FIT_SIGNATURE
 	select SPL_RSA_VERIFY
 	select SPL_IMAGE_SIGN_INFO
 
+config SPL_FIT_SIGNATURE_KEY_DIR
+	string "key directory for signing U-Boot FIT image"
+	depends on SPL_FIT_SIGNATURE
+	default "keys"
+	help
+	  The directory to give to mkimage to retrieve keys from when
+	  generating a signed U-Boot FIT image.
+
 config SPL_LOAD_FIT
 	bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
 	select SPL_FIT
diff --git a/Makefile b/Makefile
index 1cc7e37c37..d19f556a04 100644
--- a/Makefile
+++ b/Makefile
@@ -1409,6 +1409,14 @@ MKIMAGEFLAGS_u-boot.itb =
 else
 MKIMAGEFLAGS_u-boot.itb = -E
 endif
+ifdef CONFIG_SPL_FIT_SIGNATURE
+ifdef CONFIG_SPL_OF_CONTROL
+MKIMAGEFLAGS_u-boot.itb += -K dts/dt-spl.dtb -r
+ifneq ($(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR),"")
+MKIMAGEFLAGS_u-boot.itb += -k $(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR)
+endif
+endif
+endif
 
 u-boot.itb: u-boot-nodtb.bin \
 		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_OF_HOSTFILE),dts/dt.dtb) \
@@ -1924,7 +1932,8 @@ spl/u-boot-spl.bin: spl/u-boot-spl
 
 spl/u-boot-spl: tools prepare \
 		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \
-		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb)
+		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) \
+		$(if $(CONFIG_SPL_FIT_SIGNATURE)$(U_BOOT_ITS),u-boot.itb FORCE)
 	$(Q)$(MAKE) obj=spl -f $(srctree)/scripts/Makefile.spl all
 
 spl/sunxi-spl.bin: spl/u-boot-spl
-- 
2.26.2

next prev parent reply	other threads:[~2020-06-19 10:45 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-19 10:45 [PATCH v4 0/6] rockchip: make it possible to sign the u-boot.itb Heiko Stuebner
2020-06-19 10:45 ` [PATCH v4 1/6] imx: mkimage_fit_atf: Fix FIT image if BL31.bin missing Heiko Stuebner
2020-06-19 10:45 ` [PATCH v4 2/6] mkimage: fit_image: handle multiple errors when writing signatures Heiko Stuebner
2020-06-19 10:45 ` [PATCH v4 3/6] spl: fit: dont set U_BOOT_ITS var if not build SPL_FIT support Heiko Stuebner
2020-06-19 10:45 ` Heiko Stuebner [this message]
2020-06-19 10:45 ` [PATCH v4 5/6] spl: fit: add Kconfig option to specify key-hint for fit_generator Heiko Stuebner
2020-06-19 10:45 ` [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling Heiko Stuebner
2020-06-26  1:12   ` Simon Glass
2020-07-07 12:00     ` [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling【请注意，邮件由sjg@google.com代发】 Kever Yang
2020-07-10  0:35       ` Simon Glass
2020-06-30 12:36   ` [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling Tom Rini
2020-06-30 12:46     ` Heiko Stübner
2020-06-30 13:04       ` Tom Rini

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b34fbf582 dfblob:05a13d183 dfblob:1cc7e37c3 dfblob:d19f556a0 )
 OR (
bs:"[PATCH v4 4/6] spl: fit: enable signing a generated u-boot.itb" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200619104550.1972307-5-heiko@sntech.de \
    --to=heiko@sntech.de \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox