diff mbox series

[7/7] rockchip: make_fit_atf: add signature handling

Message ID 20200417220716.3670302-8-heiko@sntech.de
State Superseded
Headers show
Series rockchip: make it possible to sign the u-boot.itb | expand

Commit Message

Heiko Stuebner April 17, 2020, 10:07 p.m. UTC
From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>

If the newly added fit-generator key-options are found, append needed
signature nodes to all generated image blocks, so that they can get
signed when mkimage later compiles the .itb from the generated .its.

Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
---
 arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

Comments

Simon Glass April 19, 2020, 11:38 p.m. UTC | #1
Hi Heiko,

On Fri, 17 Apr 2020 at 16:07, Heiko Stuebner <heiko at sntech.de> wrote:
>
> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> ---
>  arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
>  1 file changed, 50 insertions(+), 1 deletion(-)

Was there an effort to move this to binman?

Regards,
Simon
Heiko Stuebner April 20, 2020, 1:20 p.m. UTC | #2
Hi Simon,

Am Montag, 20. April 2020, 01:38:20 CEST schrieb Simon Glass:
> On Fri, 17 Apr 2020 at 16:07, Heiko Stuebner <heiko at sntech.de> wrote:
> >
> > From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> >
> > If the newly added fit-generator key-options are found, append needed
> > signature nodes to all generated image blocks, so that they can get
> > signed when mkimage later compiles the .itb from the generated .its.
> >
> > Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> > ---
> >  arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
> >  1 file changed, 50 insertions(+), 1 deletion(-)
> 
> Was there an effort to move this to binman?

The generation really is part of the core build process.
When creating the u-boot.itb with signed entries, mkimage -K writes the
data of the used key to dt-spl.dtb which then gets put into the spl binary.
[spl needs the key-data in its dtb to verify the signatures]

So I don't really see how this would work without moving the whole
spl generation to binman.


Heiko
diff mbox series

Patch

diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
index d15c32b303..5b353f9d0a 100755
--- a/arch/arm/mach-rockchip/make_fit_atf.py
+++ b/arch/arm/mach-rockchip/make_fit_atf.py
@@ -14,6 +14,8 @@  import sys
 import getopt
 import logging
 import struct
+import Crypto
+from Crypto.PublicKey import RSA
 
 DT_HEADER = """
 /*
@@ -37,7 +39,9 @@  DT_UBOOT = """
 			arch = "arm64";
 			compression = "none";
 			load = <0x%08x>;
-		};
+"""
+
+DT_UBOOT_NODE_END = """		};
 
 """
 
@@ -47,6 +51,46 @@  DT_IMAGES_NODE_END = """	};
 
 DT_END = "};"
 
+def append_signature(file):
+    if not os.path.exists("u-boot.cfg"):
+        return
+
+    config = {}
+    with open("u-boot.cfg") as fd:
+        for line in fd:
+            line = line.strip()
+            values = line[8:].split(' ', 1)
+            if len(values) > 1:
+                key, value = values
+                value = value.strip('"')
+            else:
+                key = values[0]
+                value = '1'
+            if not key.startswith('CONFIG_'):
+                continue
+            config[key] = value
+
+    try:
+        keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
+    except KeyError:
+        return
+
+    try:
+        keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint)
+    except KeyError:
+        keyfile = keyhint
+
+    if not os.path.exists('%s.key' % keyfile):
+        return
+
+    f = open('%s.key' % keyfile,'r')
+    key = RSA.importKey(f.read())
+
+    file.write('\t\t\tsignature {\n')
+    file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
+    file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
+    file.write('\t\t\t};\n')
+
 def append_bl31_node(file, atf_index, phy_addr, elf_entry):
     # Append BL31 DT node to input FIT dts file.
     data = 'bl31_0x%08x.bin' % phy_addr
@@ -60,6 +104,7 @@  def append_bl31_node(file, atf_index, phy_addr, elf_entry):
     file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
     if atf_index == 1:
         file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+    append_signature(file);
     file.write('\t\t};\n')
     file.write('\n')
 
@@ -75,6 +120,7 @@  def append_tee_node(file, atf_index, phy_addr, elf_entry):
     file.write('\t\t\tcompression = "none";\n')
     file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
     file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+    append_signature(file);
     file.write('\t\t};\n')
     file.write('\n')
 
@@ -88,6 +134,7 @@  def append_fdt_node(file, dtbs):
         file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
         file.write('\t\t\ttype = "flat_dt";\n')
         file.write('\t\t\tcompression = "none";\n')
+        append_signature(file);
         file.write('\t\t};\n')
         file.write('\n')
         cnt = cnt + 1
@@ -129,6 +176,8 @@  def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
         raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
     index, entry, p_paddr, data = segments[0]
     fit_file.write(DT_UBOOT % p_paddr)
+    append_signature(fit_file)
+    fit_file.write(DT_UBOOT_NODE_END)
 
 def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
     segments = unpack_elf(bl31_file_name)