From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 96C92C64EC4 for ; Wed, 8 Mar 2023 13:21:27 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 19FC185DC0; Wed, 8 Mar 2023 14:20:33 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="NdNBBiE4"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id EFF5985C4C; Tue, 7 Mar 2023 23:13:55 +0100 (CET) Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id AE76985C5E for ; Tue, 7 Mar 2023 23:13:50 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=fr0st61te@gmail.com Received: by mail-lf1-x129.google.com with SMTP id s20so18983454lfb.11 for ; Tue, 07 Mar 2023 14:13:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678227230; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=807WOyRVZM/wpeHLSOXQBWuCFyo5Meo7Rxy+TnxTeRw=; b=NdNBBiE49ZS4JEtGAeaABpxryeAWKeZPQPiBZi5SFCvWGPcPjw2l41SdvrfFE3j8gk IL3+NV3ocU3m7MTvdfSQ4FK5yG1AS5yxz6lZuBcRdkFCWavu4Z4+hTYHBb1KN+rUnY8A iIchTcihp6cPbvfCdK+dBI3MRf6Lnn0xicyPXUUXga7NmT3GFNgS68hziH/562XWaYNL i5trp8r9fwP7GFgbozfsNi3YbY+uWWEe5EmXqxk0s84E+JDBx9GmRm3AD6ZvuM/Dlllj p4BraiiWXza40kub67K2oziATPozSy6RbtkUKqH79wC1+WRYcF9btjt+28FVhL4Qk0uy 5TPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678227230; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=807WOyRVZM/wpeHLSOXQBWuCFyo5Meo7Rxy+TnxTeRw=; b=1QGzumHFnge01hNzybxCJf/y3fTSDWbLLrYUZznXhk8X8wXln96fMLNq8uQ9ctW0y5 f9YaOwUJ0T+htpuwgCDqmQHRvKJSgRkhYKjfef5sxXOezoew9ufnJ2i363qE6QYhYNrR yxCvIrM0kmR7CihEbV8KbqTqxaycMBHXlss0vYsrnvDukG5Q6f05TK9SjFanelrOQ2Td 8wT1PcJbUfD7EATDHA6BgEz4mdci2ClHs8F5KwMlwpWbnvENBnY9XL+ahBNMpw91SPio CwUpbzOmq30M1lTj0Me6P18uuQbqpthSL06U1lF/OxqyeMIueTRJPUH28fhlK/2l6qEZ sezQ== X-Gm-Message-State: AO0yUKWMSnbaWAVswaqt1LMeBpl24885+XKogHi08vDyjKF4uYGlGVy0 qaeqDyBpPtnyauPxWyPJe5NVBuhPc5Qj5+Dh X-Google-Smtp-Source: AK7set8Dw/WLxz8ZALpzCEQM4Dy61dfaOsoqrwLICmx+BD45l34uCHi+bHex7VzlkJagq1brIGXRDQ== X-Received: by 2002:ac2:5633:0:b0:4dd:9f86:859d with SMTP id b19-20020ac25633000000b004dd9f86859dmr3998119lff.13.1678227230049; Tue, 07 Mar 2023 14:13:50 -0800 (PST) Received: from localhost.localdomain (95-31-185-99.broadband.corbina.ru. [95.31.185.99]) by smtp.googlemail.com with ESMTPSA id l8-20020a19c208000000b004db3890cb53sm2159726lfc.223.2023.03.07.14.13.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Mar 2023 14:13:49 -0800 (PST) From: Ivan Mikhaylov To: Simon Glass , Jan Kiszka Cc: u-boot@lists.denx.de, Ivan Mikhaylov Subject: [PATCH v2 2/5] binman: add sign option for binman Date: Wed, 8 Mar 2023 01:13:39 +0000 Message-Id: <20230308011342.21992-3-fr0st61te@gmail.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230308011342.21992-1-fr0st61te@gmail.com> References: <20230308011342.21992-1-fr0st61te@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Wed, 08 Mar 2023 14:20:15 +0100 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Introduce proof of concept for binman's new option which provides sign and replace FIT containers in binary images. Usage as example: from: mkimage -G privateky -r -o sha256,rsa4096 -F fit binman replace -i flash.bin -f fit.fit fit to: binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f fit.fit fit and to this one if it's need to be extracted, signed with key and put it back in image: binman sign -i flash.bin -k privatekey -a sha256,rsa4096 fit Signed-off-by: Ivan Mikhaylov --- tools/binman/cmdline.py | 13 +++++++++++++ tools/binman/control.py | 29 ++++++++++++++++++++++++++++- tools/binman/etype/fit.py | 18 ++++++++++++++++++ tools/binman/etype/section.py | 3 +++ 4 files changed, 62 insertions(+), 1 deletion(-) diff --git a/tools/binman/cmdline.py b/tools/binman/cmdline.py index 986d6f1a31..e2961ed11f 100644 --- a/tools/binman/cmdline.py +++ b/tools/binman/cmdline.py @@ -163,6 +163,19 @@ controlled by a description in the board device tree.''' replace_parser.add_argument('paths', type=str, nargs='*', help='Paths within file to replace (wildcard)') + sign_parser = subparsers.add_parser('sign', + help='Sign entries in image') + sign_parser.add_argument('-a', '--algo', type=str, required=True, + help='Hash algorithm e.g. sha256,rsa4096') + sign_parser.add_argument('-f', '--file', type=str, required=False, + help='Input filename to sign') + sign_parser.add_argument('-i', '--image', type=str, required=True, + help='Image filename to update') + sign_parser.add_argument('-k', '--key', type=str, required=True, + help='Private key file for signing') + sign_parser.add_argument('paths', type=str, nargs='*', + help='Paths within file to sign (wildcard)') + test_parser = subparsers.add_parser('test', help='Run tests') test_parser.add_argument('-P', '--processes', type=int, help='set number of processes to use for running tests') diff --git a/tools/binman/control.py b/tools/binman/control.py index e64740094f..9ebd73913a 100644 --- a/tools/binman/control.py +++ b/tools/binman/control.py @@ -20,6 +20,7 @@ from patman import command from binman import elf from binman import entry from patman import tout +from patman import tools # These are imported if needed since they import libfdt state = None @@ -445,6 +446,29 @@ def ReplaceEntries(image_fname, input_fname, indir, entry_paths, AfterReplace(image, allow_resize=allow_resize, write_map=write_map) return image +def SignEntries(image_fname, input_fname, privatekey_fname, algo, entry_paths, + write_map=False): + """Sign and replace the data from one or more entries from input files + + Args: + image_fname: Image filename to process + input_fname: Single input filename to use if replacing one file, None + otherwise + algo: Hashing algorithm + entry_paths: List of entry paths to sign + privatekey_fname: Private key filename + write_map (bool): True to write the map file + """ + image_fname = os.path.abspath(image_fname) + image = Image.FromFile(image_fname) + + BeforeReplace(image, allow_resize=True) + + for entry_path in entry_paths: + entry = image.FindEntryPath(entry_path) + entry.UpdateSignatures(privatekey_fname, algo, input_fname) + + AfterReplace(image, allow_resize=True, write_map=write_map) def PrepareImagesAndDtbs(dtb_fname, select_images, update_fdt, use_expanded): """Prepare the images to be processed and select the device tree @@ -650,7 +674,7 @@ def Binman(args): from binman.image import Image from binman import state - if args.cmd in ['ls', 'extract', 'replace', 'tool']: + if args.cmd in ['ls', 'extract', 'replace', 'tool', 'sign']: try: tout.init(args.verbosity) tools.prepare_output_dir(None) @@ -666,6 +690,9 @@ def Binman(args): do_compress=not args.compressed, allow_resize=not args.fix_size, write_map=args.map) + if args.cmd == 'sign': + SignEntries(args.image, args.file, args.key, args.algo, args.paths) + if args.cmd == 'tool': tools.set_tool_paths(args.toolpath) if args.list: diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py index cd2943533c..c0451fe765 100644 --- a/tools/binman/etype/fit.py +++ b/tools/binman/etype/fit.py @@ -828,3 +828,21 @@ class Entry_fit(Entry_section): # missing for entry in self._priv_entries.values(): entry.CheckMissing(missing_list) + + def UpdateSignatures(self, privatekey_fname, algo, input_fname): + uniq = self.GetUniqueName() + args = [ '-G', privatekey_fname, '-r', '-o', algo, '-F' ] + if input_fname: + fname = input_fname + else: + fname = tools.get_output_filename('%s.fit' % uniq) + tools.write_file(fname, self.GetData()) + args.append(fname) + + if self.mkimage.run_cmd(*args) is None: + # Bintool is missing; just use empty data as the output + self.record_missing_bintool(self.mkimage) + return + + data = tools.read_file(fname) + self.WriteData(data) diff --git a/tools/binman/etype/section.py b/tools/binman/etype/section.py index 57b91ff726..4d0152e194 100644 --- a/tools/binman/etype/section.py +++ b/tools/binman/etype/section.py @@ -1000,3 +1000,6 @@ class Entry_section(Entry): for entry in entries.values(): return entry.read_elf_segments() return None + + def UpdateSignatures(self, privatekey_fname, algo, input_fname): + self.Raise('Updating signatures is not supported with this entry type') -- 2.39.1