From mboxrd@z Thu Jan 1 00:00:00 1970
From: Heiko Stübner
Date: Thu, 30 Apr 2020 14:18:27 +0200
Subject: [PATCH v2 5/7] spl: fit: enable signing a generated u-boot.itb
In-Reply-To: <28fdf752-0e2a-8161-fc6f-508ff308bde7@rock-chips.com>
References: <20200421002333.111461-1-heiko@sntech.de> <20200421002333.111461-6-heiko@sntech.de> <28fdf752-0e2a-8161-fc6f-508ff308bde7@rock-chips.com>
Message-ID: <2027730.If5eCpfMFM@diego>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Kever,

On Thursday, 30 April 2020, 11:03:38 CEST, Kever Yang wrote:
> This patch will cause a build failure on sandbox_spl_defconfig:
>
> dtc: option requires an argument -- 'p'

sandbox_spl is confusing at first glance, it enables the spl_fit-options
but does not define any fit sources.

But I also found a general issue with my code below, and by fixing
that one sandbox_spl also gets happy again.

> On 2020/4/21 8:23, Heiko Stuebner wrote:
> > From: Heiko Stuebner
> >
> > With SPL_FIT_SIGNATURE enabled we will likely want a generated
> > u-boot.itb to be signed and the key stored so that the spl can
> > reach it.
> >
> > So add a SPL_FIT_SIGNATURE_KEY_DIR option and suitable hooks
> > into the Makefile to have mkimage sign the .itb and store the
> > used key into the spl dtb file.
> >
> > The added dependencies should make sure that the u-boot.itb
> > gets generated before the spl-binary gets built, so that there
> > is the necessary space for the key to get included.
> >
> > Signed-off-by: Heiko Stuebner
> > Reviewed-by: Philipp Tomsich
> > --- > > Kconfig | 8 ++++++++ > > Makefile | 11 ++++++++++- > > 2 files changed, 18 insertions(+), 1 deletion(-) > > > > diff --git a/Kconfig b/Kconfig > > index 4051746319..15a783a67d 100644 > > --- a/Kconfig > > +++ b/Kconfig
> > @@ -451,6 +451,14 @@ config SPL_FIT_SIGNATURE > > select SPL_RSA_VERIFY > > select IMAGE_SIGN_INFO > > > > +config SPL_FIT_SIGNATURE_KEY_DIR > > + string "key directory for signing U-Boot FIT image" > > + depends on SPL_FIT_SIGNATURE > > + default "keys" > > + help > > + The directory to give to mkimage to retrieve keys from when > > + generating a signed U-Boot FIT image. > > + > > config SPL_LOAD_FIT > > bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" > > select SPL_FIT > > diff --git a/Makefile b/Makefile > > index 26307fd4a6..8e7a7cb50e 100644 > > --- a/Makefile > > +++ b/Makefile > > @@ -1394,6 +1394,14 @@ MKIMAGEFLAGS_u-boot.itb = > > else > > MKIMAGEFLAGS_u-boot.itb = -E > > endif > > +ifdef CONFIG_SPL_FIT_SIGNATURE > > +ifdef CONFIG_SPL_OF_CONTROL > > +MKIMAGEFLAGS_u-boot.itb += -K dts/dt-spl.dtb -r > > +ifneq ($(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR),"") > > +MKIMAGEFLAGS_u-boot.itb += -k $(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR) > > +endif > > +endif > > +endif > > > > u-boot.itb: u-boot-nodtb.bin \ > > $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_OF_HOSTFILE),dts/dt.dtb) \ 
> > @@ -1913,7 +1921,8 @@ spl/u-boot-spl.bin: spl/u-boot-spl > > > > spl/u-boot-spl: tools prepare \ > > $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \ > > - $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) > > + $(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) \ > > + $(if $(CONFIG_SPL_FIT_GENERATOR),u-boot.itb FORCE)

I now realized that this is the wrong check ... i.e. it only checks for
SPL_FIT_GENERATOR but that is a string so always defined if SPL_LOAD_FIT
is enabled ... also this doesn't take into account SPL_FIT_SOURCE, so
the way to go seems to be to check against $U_BOOT_ITS and
CONFIG_SPL_FIT_SIGNATURE instead which gets defined if a suitable
fit source is available.

Background for this dependency is that the signature must be done before
the spl-binary gets built, because mkimage for the .itb needs to write the
key to the spl dtb.

I'll send an updated patch as a reply to this mail.

Heiko
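
Review bot: In the Kconfig hunk, the help text for SPL_FIT_SIGNATURE_KEY_DIR does not say what the path is relative to, so with the relative default "keys" it is unclear whether mkimage will look in the source tree or in the build directory. The help should name the base directory, state that the directory holds the private signing key and therefore should not sit anywhere that gets committed or packaged, and say what an empty value means, since the Makefile hunk treats "" as a special case.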
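
Review bot: In the MKIMAGEFLAGS_u-boot.itb hunk, an empty CONFIG_SPL_FIT_SIGNATURE_KEY_DIR drops only the -k option while "-K dts/dt-spl.dtb -r" stay, and a configuration without CONFIG_SPL_OF_CONTROL skips all three, so in both cases the build carries on with SPL_FIT_SIGNATURE enabled and no key directory handed to mkimage. For a signature-verification option this should stop the build, for example with an $(error ...) in the missing else branches, rather than fall through silently. Separately, dts/dt-spl.dtb is written to by this rule but is not among the u-boot.itb prerequisites visible in the context lines, which list only dts/dt.dtb.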
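
Review bot: In the spl/u-boot-spl prerequisite hunk, the added line "$(if $(CONFIG_SPL_FIT_GENERATOR),u-boot.itb FORCE)" is not conditioned on CONFIG_SPL_FIT_SIGNATURE, so configurations that never sign still get u-boot.itb as a prerequisite of the SPL, and FORCE in the prerequisite list makes spl/u-boot-spl remake on every invocation. Gate the dependency on the signing option, drop FORCE from this rule unless it is really required, and add a Makefile comment saying that the ordering exists because mkimage writes the key into the SPL dtb, since that reasoning currently appears only in the commit message.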