Message ID | 20200421002333.111461-8-heiko@sntech.de |
---|---|
State | Superseded |
Headers | show |
Series | rockchip: make it possible to sign the u-boot.itb | expand |
Hi Heiko, On Mon, 20 Apr 2020 at 18:23, Heiko Stuebner <heiko at sntech.de> wrote: > > From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com> > > If the newly added fit-generator key-options are found, append needed > signature nodes to all generated image blocks, so that they can get > signed when mkimage later compiles the .itb from the generated .its. > > Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com> > --- > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > 1 file changed, 50 insertions(+), 1 deletion(-) > Can this move to binman? Regards, Simon
On 2020/4/21 ??8:23, Heiko Stuebner wrote: > From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com> > > If the newly added fit-generator key-options are found, append needed > signature nodes to all generated image blocks, so that they can get > signed when mkimage later compiles the .itb from the generated .its. > > Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com> Reviewed-by: Kever Yang <kever.yang at rock-chips.com> Thanks, - Kever > --- > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > 1 file changed, 50 insertions(+), 1 deletion(-) > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py > index d15c32b303..5b353f9d0a 100755 > --- a/arch/arm/mach-rockchip/make_fit_atf.py > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > @@ -14,6 +14,8 @@ import sys > import getopt > import logging > import struct > +import Crypto > +from Crypto.PublicKey import RSA > > DT_HEADER = """ > /* > @@ -37,7 +39,9 @@ DT_UBOOT = """ > arch = "arm64"; > compression = "none"; > load = <0x%08x>; > - }; > +""" > + > +DT_UBOOT_NODE_END = """ }; > > """ > > @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ }; > > DT_END = "};" > > +def append_signature(file): > + if not os.path.exists("u-boot.cfg"): > + return > + > + config = {} > + with open("u-boot.cfg") as fd: > + for line in fd: > + line = line.strip() > + values = line[8:].split(' ', 1) > + if len(values) > 1: > + key, value = values > + value = value.strip('"') > + else: > + key = values[0] > + value = '1' > + if not key.startswith('CONFIG_'): > + continue > + config[key] = value > + > + try: > + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] > + except KeyError: > + return > + > + try: > + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) > + except KeyError: > + keyfile = keyhint > + > + if not os.path.exists('%s.key' % keyfile): > + return > + > + f = open('%s.key' % keyfile,'r') > + key = RSA.importKey(f.read()) > + > + file.write('\t\t\tsignature {\n') > + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) > + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) > + file.write('\t\t\t};\n') > + > def append_bl31_node(file, atf_index, phy_addr, elf_entry): > # Append BL31 DT node to input FIT dts file. > data = 'bl31_0x%08x.bin' % phy_addr > @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > if atf_index == 1: > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > > @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tcompression = "none";\n') > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > > @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs): > file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) > file.write('\t\t\ttype = "flat_dt";\n') > file.write('\t\t\tcompression = "none";\n') > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > cnt = cnt + 1 > @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): > raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) > index, entry, p_paddr, data = segments[0] > fit_file.write(DT_UBOOT % p_paddr) > + append_signature(fit_file) > + fit_file.write(DT_UBOOT_NODE_END) > > def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): > segments = unpack_elf(bl31_file_name)
On 2020/4/21 ??8:23, Heiko Stuebner wrote: > From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com> > > If the newly added fit-generator key-options are found, append needed > signature nodes to all generated image blocks, so that they can get > signed when mkimage later compiles the .itb from the generated .its. > > Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com> > --- > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > 1 file changed, 50 insertions(+), 1 deletion(-) > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py > index d15c32b303..5b353f9d0a 100755 > --- a/arch/arm/mach-rockchip/make_fit_atf.py > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > @@ -14,6 +14,8 @@ import sys > import getopt > import logging > import struct > +import Crypto > +from Crypto.PublicKey import RSA > +Traceback (most recent call last): 1395 <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1395>+ File "arch/arm/mach-rockchip/make_fit_atf.py", line 17, in <module> 1396 <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1396>+ import Crypto 1397 <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1397>+ModuleNotFoundError: No module named 'Crypto' Please help to update .gitlab-ci.yml, or else it will report the error. Thanks, - Kever > DT_HEADER = """ > /* > @@ -37,7 +39,9 @@ DT_UBOOT = """ > arch = "arm64"; > compression = "none"; > load = <0x%08x>; > - }; > +""" > + > +DT_UBOOT_NODE_END = """ }; > > """ > > @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ }; > > DT_END = "};" > > +def append_signature(file): > + if not os.path.exists("u-boot.cfg"): > + return > + > + config = {} > + with open("u-boot.cfg") as fd: > + for line in fd: > + line = line.strip() > + values = line[8:].split(' ', 1) > + if len(values) > 1: > + key, value = values > + value = value.strip('"') > + else: > + key = values[0] > + value = '1' > + if not key.startswith('CONFIG_'): > + continue > + config[key] = value > + > + try: > + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] > + except KeyError: > + return > + > + try: > + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) > + except KeyError: > + keyfile = keyhint > + > + if not os.path.exists('%s.key' % keyfile): > + return > + > + f = open('%s.key' % keyfile,'r') > + key = RSA.importKey(f.read()) > + > + file.write('\t\t\tsignature {\n') > + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) > + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) > + file.write('\t\t\t};\n') > + > def append_bl31_node(file, atf_index, phy_addr, elf_entry): > # Append BL31 DT node to input FIT dts file. > data = 'bl31_0x%08x.bin' % phy_addr > @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > if atf_index == 1: > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > > @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tcompression = "none";\n') > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > > @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs): > file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) > file.write('\t\t\ttype = "flat_dt";\n') > file.write('\t\t\tcompression = "none";\n') > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > cnt = cnt + 1 > @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): > raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) > index, entry, p_paddr, data = segments[0] > fit_file.write(DT_UBOOT % p_paddr) > + append_signature(fit_file) > + fit_file.write(DT_UBOOT_NODE_END) > > def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): > segments = unpack_elf(bl31_file_name)
diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py index d15c32b303..5b353f9d0a 100755 --- a/arch/arm/mach-rockchip/make_fit_atf.py +++ b/arch/arm/mach-rockchip/make_fit_atf.py @@ -14,6 +14,8 @@ import sys import getopt import logging import struct +import Crypto +from Crypto.PublicKey import RSA DT_HEADER = """ /* @@ -37,7 +39,9 @@ DT_UBOOT = """ arch = "arm64"; compression = "none"; load = <0x%08x>; - }; +""" + +DT_UBOOT_NODE_END = """ }; """ @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ }; DT_END = "};" +def append_signature(file): + if not os.path.exists("u-boot.cfg"): + return + + config = {} + with open("u-boot.cfg") as fd: + for line in fd: + line = line.strip() + values = line[8:].split(' ', 1) + if len(values) > 1: + key, value = values + value = value.strip('"') + else: + key = values[0] + value = '1' + if not key.startswith('CONFIG_'): + continue + config[key] = value + + try: + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] + except KeyError: + return + + try: + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) + except KeyError: + keyfile = keyhint + + if not os.path.exists('%s.key' % keyfile): + return + + f = open('%s.key' % keyfile,'r') + key = RSA.importKey(f.read()) + + file.write('\t\t\tsignature {\n') + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) + file.write('\t\t\t};\n') + def append_bl31_node(file, atf_index, phy_addr, elf_entry): # Append BL31 DT node to input FIT dts file. data = 'bl31_0x%08x.bin' % phy_addr @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) if atf_index == 1: file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) + append_signature(file); file.write('\t\t};\n') file.write('\n') @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tcompression = "none";\n') file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) + append_signature(file); file.write('\t\t};\n') file.write('\n') @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs): file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) file.write('\t\t\ttype = "flat_dt";\n') file.write('\t\t\tcompression = "none";\n') + append_signature(file); file.write('\t\t};\n') file.write('\n') cnt = cnt + 1 @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) index, entry, p_paddr, data = segments[0] fit_file.write(DT_UBOOT % p_paddr) + append_signature(fit_file) + fit_file.write(DT_UBOOT_NODE_END) def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): segments = unpack_elf(bl31_file_name)