From: Heiko Stuebner <heiko@sntech.de>
To: u-boot@lists.denx.de
Subject: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
Date: Fri, 19 Jun 2020 12:45:50 +0200
Message-ID: <20200619104550.1972307-7-heiko@sntech.de>
In-Reply-To: <20200619104550.1972307-1-heiko@sntech.de>
From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
If the newly added fit-generator key-options are found, append needed
signature nodes to all generated image blocks, so that they can get
signed when mkimage later compiles the .itb from the generated .its.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
---
arch/arm/mach-rockchip/make_fit_atf.py | 57 +++++++++++++++++++++++++-
1 file changed, 56 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
index d15c32b303..de7dc19d11 100755
--- a/arch/arm/mach-rockchip/make_fit_atf.py
+++ b/arch/arm/mach-rockchip/make_fit_atf.py
@@ -14,6 +14,14 @@ import sys
import getopt
import logging
import struct
+try:
+ # in python3 Cryptodome succeeds Crypto
+ import Cryptodome
+ from Cryptodome.PublicKey import RSA
+except:
+ import Crypto
+ from Crypto.PublicKey import RSA
+
DT_HEADER = """
/*
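Review bot: the bare `except:` around the Cryptodome import catches every exception, not only a missing module, so any unrelated failure while importing Cryptodome silently falls through to the Crypto import. Use `except ImportError:` instead. The plain `import Cryptodome` and `import Crypto` lines look unnecessary, since only `RSA` from the `from ... import RSA` lines is used. Because the import sits at module level, the script now fails on build hosts that have neither package installed, even when no key hint is configured; consider importing inside append_signature() only after the key hint has been found.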
@@ -37,7 +45,9 @@ DT_UBOOT = """
arch = "arm64";
compression = "none";
load = <0x%08x>;
- };
+"""
+
+DT_UBOOT_NODE_END = """ };
"""
@@ -47,6 +57,46 @@ DT_IMAGES_NODE_END = """ };
DT_END = "};"
+def append_signature(file):
+ if not os.path.exists("u-boot.cfg"):
+ return
+
+ config = {}
+ with open("u-boot.cfg") as fd:
+ for line in fd:
+ line = line.strip()
+ values = line[8:].split(' ', 1)
+ if len(values) > 1:
+ key, value = values
+ value = value.strip('"')
+ else:
+ key = values[0]
+ value = '1'
+ if not key.startswith('CONFIG_'):
+ continue
+ config[key] = value
+
+ try:
+ keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
+ except KeyError:
+ return
+
+ try:
+ keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint)
+ except KeyError:
+ keyfile = keyhint
+
+ if not os.path.exists('%s.key' % keyfile):
+ return
+
+ f = open('%s.key' % keyfile,'r')
+ key = RSA.importKey(f.read())
+
+ file.write('\t\t\tsignature {\n')
+ file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
+ file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
+ file.write('\t\t\t};\n')
+
def append_bl31_node(file, atf_index, phy_addr, elf_entry):
# Append BL31 DT node to input FIT dts file.
data = 'bl31_0x%08x.bin' % phy_addr
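Review bot: in append_signature(), when CONFIG_SPL_FIT_GENERATOR_KEY_HINT is set but `'%s.key' % keyfile` does not exist, the function returns silently, so the .its is generated without signature nodes and nothing tells the builder that the images will not be signed. A configured key hint with a missing key should raise, or at least log an error through the already imported logging module, rather than quietly produce an unsigned image. Also, `f = open('%s.key' % keyfile,'r')` is never closed; use a `with open(...)` block as is done for u-boot.cfg. Smaller points: `line[8:]` drops the first eight characters of each line without checking what they are, u-boot.cfg is re-read on every call (once per image node), and the algo string is built from `key.n.bit_length()` with no check that the resulting name is one mkimage accepts. A docstring stating that the function is a no-op unless the key options are set would help.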
@@ -60,6 +110,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
if atf_index == 1:
file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+ append_signature(file);
file.write('\t\t};\n')
file.write('\n')
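Review bot: style point on `append_signature(file);` in append_bl31_node(): the trailing semicolon is not needed in Python and should be dropped. The same applies to the calls added in append_tee_node() and append_fdt_node(); the call added in generate_atf_fit_dts_uboot() is already written without it.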
@@ -75,6 +126,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry):
file.write('\t\t\tcompression = "none";\n')
file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+ append_signature(file);
file.write('\t\t};\n')
file.write('\n')
@@ -88,6 +140,7 @@ def append_fdt_node(file, dtbs):
file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
file.write('\t\t\ttype = "flat_dt";\n')
file.write('\t\t\tcompression = "none";\n')
+ append_signature(file);
file.write('\t\t};\n')
file.write('\n')
cnt = cnt + 1
@@ -129,6 +182,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
index, entry, p_paddr, data = segments[0]
fit_file.write(DT_UBOOT % p_paddr)
+ append_signature(fit_file)
+ fit_file.write(DT_UBOOT_NODE_END)
def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
segments = unpack_elf(bl31_file_name)
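Review bot: with the call added in generate_atf_fit_dts_uboot(), every image node (u-boot, bl31, tee, fdt) carries its own signature node, but nothing in this patch adds a signature under the configurations node. Signing images individually authenticates each blob but does not bind a set of images to one configuration, which is what signed configurations in FIT are for. If per-image signing is the intended scope, please say so in the commit message; otherwise the generator should also emit a signature node for the configuration.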
--
2.26.2