From patchwork Fri Jun 19 10:45:48 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: =?utf-8?q?Heiko_St=C3=BCbner?= <heiko@sntech.de>
X-Patchwork-Id: 242658
List-Id: U-Boot discussion <u-boot.lists.denx.de>
From: heiko at sntech.de (Heiko Stuebner)
Date: Fri, 19 Jun 2020 12:45:48 +0200
Subject: [PATCH v4 4/6] spl: fit: enable signing a generated u-boot.itb
In-Reply-To: <20200619104550.1972307-1-heiko@sntech.de>
References: <20200619104550.1972307-1-heiko@sntech.de>
Message-ID: <20200619104550.1972307-5-heiko@sntech.de>

From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>

With SPL_FIT_SIGNATURE enabled we will likely want a generated
u-boot.itb to be signed and the key stores so that the spl can
reach it.

So add a SPL_FIT_SIGNATURE_KEY_DIR option and suitable hooks
into the Makefile to have mkimage sign the .itb and store the
used key into the spl dtb file.

The added dependencies should make sure that the u-boot.itb
gets generated before the spl-binary gets build, so that there
is the necessary space for the key to get included.

Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich at theobroma-systems.com>
Reviewed-by: Simon Glass <sjg at chromium.org>
---
 Kconfig  |  8 ++++++++
 Makefile | 11 ++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/Kconfig b/Kconfig
index b34fbf5827..05a13d1836 100644
--- a/Kconfig
+++ b/Kconfig
@@ -465,6 +465,14 @@ config SPL_FIT_SIGNATURE
 	select SPL_RSA_VERIFY
 	select SPL_IMAGE_SIGN_INFO
 
+config SPL_FIT_SIGNATURE_KEY_DIR
+	string "key directory for signing U-Boot FIT image"
+	depends on SPL_FIT_SIGNATURE
+	default "keys"
+	help
+	  The directory to give to mkimage to retrieve keys from when
+	  generating a signed U-Boot FIT image.
+
 config SPL_LOAD_FIT
 	bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
 	select SPL_FIT
diff --git a/Makefile b/Makefile
index 1cc7e37c37..d19f556a04 100644
--- a/Makefile
+++ b/Makefile
@@ -1409,6 +1409,14 @@ MKIMAGEFLAGS_u-boot.itb =
 else
 MKIMAGEFLAGS_u-boot.itb = -E
 endif
+ifdef CONFIG_SPL_FIT_SIGNATURE
+ifdef CONFIG_SPL_OF_CONTROL
+MKIMAGEFLAGS_u-boot.itb += -K dts/dt-spl.dtb -r
+ifneq ($(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR),"")
+MKIMAGEFLAGS_u-boot.itb += -k $(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR)
+endif
+endif
+endif
 
 u-boot.itb: u-boot-nodtb.bin \
 		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_OF_HOSTFILE),dts/dt.dtb) \
@@ -1924,7 +1932,8 @@ spl/u-boot-spl.bin: spl/u-boot-spl
 
 spl/u-boot-spl: tools prepare \
 		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \
-		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb)
+		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) \
+		$(if $(CONFIG_SPL_FIT_SIGNATURE)$(U_BOOT_ITS),u-boot.itb FORCE)
 	$(Q)$(MAKE) obj=spl -f $(srctree)/scripts/Makefile.spl all
 
 spl/sunxi-spl.bin: spl/u-boot-spl