| Message ID | 20200619104550.1972307-7-heiko@sntech.de |
|---|---|
| State | Superseded |
| Series | rockchip: make it possible to sign the u-boot.itb |
Hi Heiko,

On Fri, 19 Jun 2020 at 04:45, Heiko Stuebner <heiko at sntech.de> wrote:
>
> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> ---
> arch/arm/mach-rockchip/make_fit_atf.py | 57 +++++++++++++++++++++++++-
> 1 file changed, 56 insertions(+), 1 deletion(-)

We have to stop the growth of these ad-hoc scripts or U-Boot will become
a tangled mess of vendor-specific scripts.

I sent a series to convert more of rockchip to use binman. Can you please
take a look at that? It deletes the fit_spl_optee.sh script. We need to
delete make_fit_atf as well.

Regards,
Simon
On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote:

> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>

First, I want to echo what Simon said. We need to move towards having
less ad-hoc scripts for these kind of final modifiers.

> ---
> arch/arm/mach-rockchip/make_fit_atf.py | 57 +++++++++++++++++++++++++-
> 1 file changed, 56 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
> index d15c32b303..de7dc19d11 100755
> --- a/arch/arm/mach-rockchip/make_fit_atf.py
> +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> @@ -14,6 +14,14 @@ import sys
> import getopt
> import logging
> import struct
> +try:
> + # in python3 Cryptodome succeeds Crypto
> + import Cryptodome
> + from Cryptodome.PublicKey import RSA
> +except:
> + import Crypto
> + from Crypto.PublicKey import RSA

Is it that older python3 would support "Crypto" not "Cryptodome" or
python2? If the latter, we should just drop it. We do however need to
document, and should try and be user friendly about catching the
failure, that we now need the pycrypto module installed. Thanks!
Hi Tom,

On Tuesday, 30 June 2020, 14:36:40 CEST, Tom Rini wrote:
> On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote:
>
> > From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> >
> > If the newly added fit-generator key-options are found, append needed
> > signature nodes to all generated image blocks, so that they can get
> > signed when mkimage later compiles the .itb from the generated .its.
> >
> > Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> First, I want to echo what Simon said. We need to move towards having
> less ad-hoc scripts for these kind of final modifiers.

Looking at Simon's binman series is on my todo list, so yes I do agree
with you :-) .

> > ---
> > arch/arm/mach-rockchip/make_fit_atf.py | 57 +++++++++++++++++++++++++-
> > 1 file changed, 56 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
> > index d15c32b303..de7dc19d11 100755
> > --- a/arch/arm/mach-rockchip/make_fit_atf.py
> > +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> > @@ -14,6 +14,14 @@ import sys
> > import getopt
> > import logging
> > import struct
> > +try:
> > + # in python3 Cryptodome succeeds Crypto
> > + import Cryptodome
> > + from Cryptodome.PublicKey import RSA
> > +except:
> > + import Crypto
> > + from Crypto.PublicKey import RSA
>
> Is it that older python3 would support "Crypto" not "Cryptodome" or
> python2? If the latter, we should just drop it. We do however need to
> document, and should try and be user friendly about catching the
> failure, that we now need the pycrypto module installed. Thanks!

python3 only seems to have Cryptodome, while python2 only seems to
have Crypto. And with for example Debian's default python is still being
python2 for a bit longer, I wanted to support both, especially as it
works like a drop-in replacement.

Heiko
On Tue, Jun 30, 2020 at 02:46:51PM +0200, Heiko Stübner wrote:
> Hi Tom,
>
> On Tuesday, 30 June 2020, 14:36:40 CEST, Tom Rini wrote:
> > On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote:
> >
> > > From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> > >
> > > If the newly added fit-generator key-options are found, append needed
> > > signature nodes to all generated image blocks, so that they can get
> > > signed when mkimage later compiles the .itb from the generated .its.
> > >
> > > Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> >
> > First, I want to echo what Simon said. We need to move towards having
> > less ad-hoc scripts for these kind of final modifiers.
>
> Looking at Simon's binman series is on my todo list, so yes I do agree
> with you :-) .

OK, thanks.

> > > ---
> > > arch/arm/mach-rockchip/make_fit_atf.py | 57 +++++++++++++++++++++++++-
> > > 1 file changed, 56 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
> > > index d15c32b303..de7dc19d11 100755
> > > --- a/arch/arm/mach-rockchip/make_fit_atf.py
> > > +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> > > @@ -14,6 +14,14 @@ import sys
> > > import getopt
> > > import logging
> > > import struct
> > > +try:
> > > + # in python3 Cryptodome succeeds Crypto
> > > + import Cryptodome
> > > + from Cryptodome.PublicKey import RSA
> > > +except:
> > > + import Crypto
> > > + from Crypto.PublicKey import RSA
> >
> > Is it that older python3 would support "Crypto" not "Cryptodome" or
> > python2? If the latter, we should just drop it. We do however need to
> > document, and should try and be user friendly about catching the
> > failure, that we now need the pycrypto module installed. Thanks!
>
> python3 only seems to have Cryptodome, while python2 only seems to
> have Crypto. And with for example Debian's default python is still being
> python2 for a bit longer, I wanted to support both, especially as it
> works like a drop-in replacement.

I don't _think_ we worry about running on distros where we can't say
/usr/bin/env python3 at this point so I'd rather not add more python2
compatibility code.
diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py index d15c32b303..de7dc19d11 100755 --- a/arch/arm/mach-rockchip/make_fit_atf.py +++ b/arch/arm/mach-rockchip/make_fit_atf.py @@ -14,6 +14,14 @@ import sys import getopt import logging import struct +try: + # in python3 Cryptodome succeeds Crypto + import Cryptodome + from Cryptodome.PublicKey import RSA +except: + import Crypto + from Crypto.PublicKey import RSA + DT_HEADER = """ /* @@ -37,7 +45,9 @@ DT_UBOOT = """ arch = "arm64"; compression = "none"; load = <0x%08x>; - }; +""" + +DT_UBOOT_NODE_END = """ }; """ @@ -47,6 +57,46 @@ DT_IMAGES_NODE_END = """ }; DT_END = "};" +def append_signature(file): + if not os.path.exists("u-boot.cfg"): + return + + config = {} + with open("u-boot.cfg") as fd: + for line in fd: + line = line.strip() + values = line[8:].split(' ', 1) + if len(values) > 1: + key, value = values + value = value.strip('"') + else: + key = values[0] + value = '1' + if not key.startswith('CONFIG_'): + continue + config[key] = value + + try: + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] + except KeyError: + return + + try: + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) + except KeyError: + keyfile = keyhint + + if not os.path.exists('%s.key' % keyfile): + return + + f = open('%s.key' % keyfile,'r') + key = RSA.importKey(f.read()) + + file.write('\t\t\tsignature {\n') + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) + file.write('\t\t\t};\n') + def append_bl31_node(file, atf_index, phy_addr, elf_entry): # Append BL31 DT node to input FIT dts file. data = 'bl31_0x%08x.bin' % phy_addr @@ -60,6 +110,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) if atf_index == 1: file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) + append_signature(file); file.write('\t\t};\n') file.write('\n') 
@@ -75,6 +126,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tcompression = "none";\n') file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) + append_signature(file); file.write('\t\t};\n') file.write('\n') @@ -88,6 +140,7 @@ def append_fdt_node(file, dtbs): file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) file.write('\t\t\ttype = "flat_dt";\n') file.write('\t\t\tcompression = "none";\n') + append_signature(file); file.write('\t\t};\n') file.write('\n') cnt = cnt + 1 @@ -129,6 +182,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) index, entry, p_paddr, data = segments[0] fit_file.write(DT_UBOOT % p_paddr) + append_signature(fit_file) + fit_file.write(DT_UBOOT_NODE_END) def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): segments = unpack_elf(bl31_file_name)
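Review bot: in the `@@ -14,6 +14,14 @@` hunk the bare `except:` catches every exception, not only the ImportError for Cryptodome, and when the fallback `import Crypto` fails as well the user gets an unexplained traceback for what is now a build-time dependency of the script. Catch `ImportError` explicitly and, if the second import also fails, exit with a message naming the module to install; `RSA` is the only binding used further down, so the bare `import Cryptodome` and `import Crypto` lines can be dropped.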
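Review bot: in the `@@ -47,6 +57,46 @@` hunk, `append_signature()` returns silently when `CONFIG_SPL_FIT_GENERATOR_KEY_HINT` is configured but `'%s.key' % keyfile` does not exist, so a wrong `CONFIG_SPL_FIT_SIGNATURE_KEY_DIR` produces a .its with no signature nodes and mkimage then emits an unsigned .itb with nothing in the build output to show it; a configured key hint with no matching key should at least be reported through the `logging` module the script already imports, and arguably fail the build. Smaller points in the same function: it re-parses `u-boot.cfg` and re-reads the key for every node it is called on, `f = open('%s.key' % keyfile,'r')` is never closed (use `with open(...) as f:`), and `values = line[8:].split(' ', 1)` assumes every line starts with `#define `, with only the later `startswith('CONFIG_')` check keeping other lines from producing bogus keys. Parsing the config once at start and passing the result in would address all three.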
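Review bot: the `+ append_signature(file);` lines added in the `@@ -60,6 +110,7 @@`, `@@ -75,6 +126,7 @@` and `@@ -88,6 +140,7 @@` hunks carry a trailing semicolon, which is legal Python but not idiomatic and inconsistent with the `+ append_signature(fit_file)` call added in `@@ -129,6 +182,8 @@`; drop the semicolons.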