From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1345EC433F5 for ; Tue, 5 Apr 2022 18:55:11 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 3E65B83BBA; Tue, 5 Apr 2022 20:55:09 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="O6yidoPp"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 45ED483B58; Tue, 5 Apr 2022 20:55:07 +0200 (CEST) Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id A6D9183B8B for ; Tue, 5 Apr 2022 20:54:57 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=alpernebiyasak@gmail.com Received: by mail-ej1-x629.google.com with SMTP id r13so28629202ejd.5 for ; Tue, 05 Apr 2022 11:54:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=obZY14EQFADYKTYyyIGfIeDWnd6tEg8B4pOyO9wukCQ=; b=O6yidoPpWDrK4O92Iz5g6Illk24g7A7tdLPmIkSyAw0/RFVU366RUBHDpkzXgXVYfd IoY/YpdayWOZ2IDW+QHOyxBjprW11Uv1F4zfBJsNucQtrA7krcviClYy88lzscB6/xPp h/ROSheNhvcfAaiudOdWwI4ELcIFvTmtnZJ9xA0wkR3Jp6qlhA7o/Tu4aNoeqKRaHOsa Yj/9UQaaae6kdP3MIxb45YXvbxn4qQ4+caQmL44Rxajp/1ke1/yzKpyhjk28/W5AFnAD aSjn4/Nd7G0UwRJLhVEJnvdJWwSZ/tGzAkDdLW3VW6QhklnRkSO9srqQVrMVBcoBV5YQ ZtPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=obZY14EQFADYKTYyyIGfIeDWnd6tEg8B4pOyO9wukCQ=; b=5J/WVfxkYahn6jVWysHgD03sFesxLXPj+Bs10hc7VzFQRZdfGmAFdsPnDAYfIkp0jC 8aoTnsJRQgl5OR1+xRKhawwTHuBWXiYsBbUb2Gpr6ItORwrry75uginVVYg3MZqL5voy fHu0mo6LhijWDSjCEeCVZGR7JHgR2+IZBlDV0MCJqyym2QH7KkEKEFWM5Ln+YBurdtVI aOwjYuISj6wwxcI7qn1Rqm6jTlitB5zIDZDB5l77QNtc5b1I39yg2xm/4ITr6YZBqTnN 20IsuieQ3nZBMNnpkwwe6EkmWG944cQSlFBvW7n6VepIwagHWmoE4HwzOvC0k3ye9/1U n4wA== X-Gm-Message-State: AOAM5305UPa1DcEWzfyv7UQq4jqhVe8zgFHgdj+ilIebnQP0LZ/nZ1wk 9yR0oq0VcWiO3kwLRu3PonE= X-Google-Smtp-Source: ABdhPJzSGWTJAsHj9/zQV86augxM2g8Atyljm3HMR5zdZ/ufy96SNCNyrFKi0RqHRp4LdRwAI85ooQ== X-Received: by 2002:a17:907:9621:b0:6d7:355d:6da5 with SMTP id gb33-20020a170907962100b006d7355d6da5mr4943711ejc.195.1649184897108; Tue, 05 Apr 2022 11:54:57 -0700 (PDT) Received: from [192.168.0.74] ([178.233.178.185]) by smtp.gmail.com with ESMTPSA id j22-20020a50ed16000000b00419366b2146sm7148585eds.43.2022.04.05.11.54.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 05 Apr 2022 11:54:56 -0700 (PDT) Message-ID: Date: Tue, 5 Apr 2022 21:54:52 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH 1/3] binman: add sign option for binman Content-Language: en-US To: Ivan Mikhaylov Cc: U-Boot Mailing List , Ivan Mikhaylov , Simon Glass , Jan Kiszka References: <20220321214319.33254-1-fr0st61te@gmail.com> <20220321214319.33254-2-fr0st61te@gmail.com> From: Alper Nebi Yasak In-Reply-To: <20220321214319.33254-2-fr0st61te@gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean On 22/03/2022 00:43, Ivan Mikhaylov wrote: > Introduce proof of concept for binman's new option which provides sign > and replace sections in binary images. > > Usage as example: > > from: > mkimage -G privateky -r -o sha256,rsa4096 -F fit > binman replace -i flash.bin -f fit.fit fit > > to: > binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f fit.fit fit This shouldn't need the fit.fit input. It can be extracted from the image as you said in the cover letter. But I think instead of doing "extract -> sign with mkimage -> replace", signing should be implemented in the entry types as a new method. This way we can support other entry-specific ways to sign things (see vblock for an example). > Signed-off-by: Ivan Mikhaylov > --- > tools/binman/cmdline.py | 13 +++++++++++++ > tools/binman/control.py | 26 +++++++++++++++++++++++++- > 2 files changed, 38 insertions(+), 1 deletion(-) > > diff --git a/tools/binman/cmdline.py b/tools/binman/cmdline.py > index 0626b850f4..1a25f95ff1 100644 > --- a/tools/binman/cmdline.py > +++ b/tools/binman/cmdline.py > @@ -160,6 +160,19 @@ controlled by a description in the board device tree.''' > replace_parser.add_argument('paths', type=str, nargs='*', > help='Paths within file to replace (wildcard)') > > + sign_parser = subparsers.add_parser('sign', > + help='Sign entries in image') > + sign_parser.add_argument('-a', '--algo', type=str, required=True, > + help='Hash algorithm e.g. sha256,rsa4096') > + sign_parser.add_argument('-f', '--file', type=str, required=True, > + help='Input filename to sign') > + sign_parser.add_argument('-i', '--image', type=str, required=True, > + help='Image filename to update') > + sign_parser.add_argument('-k', '--key', type=str, required=True, > + help='Private key file for signing') > + sign_parser.add_argument('paths', type=str, nargs='*', > + help='Paths within file to sign (wildcard)') > + If we want to support signing entry types other than FIT, I guess we need to base things on "EntryArg"s to make the arguments more dynamic, like named-by-arg blobs do. > test_parser = subparsers.add_parser('test', help='Run tests') > test_parser.add_argument('-P', '--processes', type=int, > help='set number of processes to use for running tests') > diff --git a/tools/binman/control.py b/tools/binman/control.py > index a179f78129..7595ea7776 100644 > --- a/tools/binman/control.py > +++ b/tools/binman/control.py > @@ -19,6 +19,7 @@ from binman import cbfs_util > from binman import elf > from patman import command > from patman import tout > +from patman import tools > > # List of images we plan to create > # Make this global so that it can be referenced from tests > @@ -434,6 +435,26 @@ def ReplaceEntries(image_fname, input_fname, indir, entry_paths, > AfterReplace(image, allow_resize=allow_resize, write_map=write_map) > return image > > +def MkimageSign(privatekey_fname, algo, input_fname): > + tools.Run('mkimage', '-G', privatekey_fname, '-r', '-o', algo, '-F', input_fname) > + > +def SignEntries(image_fname, input_fname, privatekey_fname, algo, entry_paths): > + """Sign and replace the data from one or more entries from input files > + > + Args: > + image_fname: Image filename to process > + input_fname: Single input filename to use if replacing one file, None > + otherwise > + algo: Hashing algorithm > + privatekey_fname: Private key filename > + > + Returns: > + List of EntryInfo records that were signed and replaced > + """ > + > + MkimageSign(privatekey_fname, algo, input_fname) > + > + return ReplaceEntries(image_fname, input_fname, None, entry_paths) I wrote a bit above, but what I mean is the mkimage call would go into a new method in etype/fit.py, and SignEntries() would be something like ReplaceEntries() but end up calling that method instead of WriteData(). > > def PrepareImagesAndDtbs(dtb_fname, select_images, update_fdt, use_expanded): > """Prepare the images to be processed and select the device tree > @@ -627,7 +648,7 @@ def Binman(args): > from binman.image import Image > from binman import state > > - if args.cmd in ['ls', 'extract', 'replace', 'tool']: > + if args.cmd in ['ls', 'extract', 'replace', 'tool', 'sign']: > try: > tout.init(args.verbosity) > tools.prepare_output_dir(None) > @@ -643,6 +664,9 @@ def Binman(args): > do_compress=not args.compressed, > allow_resize=not args.fix_size, write_map=args.map) > > + if args.cmd == 'sign': > + SignEntries(args.image, args.file, args.key, args.algo, args.paths) > + > if args.cmd == 'tool': > tools.set_tool_paths(args.toolpath) > if args.list: