@@ -152,7 +152,7 @@ dumpimage-objs := $(dumpimage-mkimage-objs) dumpimage.o
mkimage-objs := $(dumpimage-mkimage-objs) mkimage.o
fit_info-objs := $(dumpimage-mkimage-objs) fit_info.o
fit_check_sign-objs := $(dumpimage-mkimage-objs) fit_check_sign.o
-fdt_add_pubkey-objs := $(dumpimage-mkimage-objs) fdt_add_pubkey.o
+fdt_add_pubkey-objs := $(dumpimage-mkimage-objs) fdt_add_pubkey.o fdt_add_pubkey_esl.o
file2include-objs := file2include.o
ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),)
@@ -2,18 +2,21 @@
#include <image.h>
#include "fit_common.h"
+extern int fdt_embed_esl(const char *esl_file, void *keydest);
+
static const char *cmdname;
static const char *algo_name = "sha1,rsa2048"; /* -a <algo> */
static const char *keydir = "."; /* -k <keydir> */
static const char *keyname = "key"; /* -n <keyname> */
static const char *require_keys; /* -r <conf|image> */
+static const char *esl_file; /* -e <esl file> */
static const char *keydest; /* argv[n] */
static void __attribute__((__noreturn__)) print_usage(const char *msg)
{
fprintf(stderr, "Error: %s\n", msg);
- fprintf(stderr, "Usage: %s [-a <algo>] [-k <keydir>] [-n <keyname>] [-r <conf|image>]"
+ fprintf(stderr, "Usage: %s [-a <algo>] [-e <esl file>] [-k <keydir>] [-n <keyname>] [-r <conf|image>]"
" <fdt blob>\n", cmdname);
fprintf(stderr, "Help information: %s [-h]\n", cmdname);
exit(EXIT_FAILURE);
@@ -23,6 +26,7 @@ static void __attribute__((__noreturn__)) print_help(void)
{
fprintf(stderr, "Options:\n"
"\t-a <algo> Cryptographic algorithm. Optional parameter, default value: sha1,rsa2048\n"
+ "\t-e <esl file> EFI Signature List(ESL) file to embed into the FDT\n"
"\t-k <keydir> Directory with public key. Optional parameter, default value: .\n"
"\t-n <keyname> Public key name. Optional parameter, default value: key\n"
"\t-r <conf|image> Required: If present this indicates that the key must be verified for the image / configuration to be considered valid.\n"
@@ -34,7 +38,7 @@ static void process_args(int argc, char *argv[])
{
int opt;
- while ((opt = getopt(argc, argv, "a:k:n:r:h")) != -1) {
+ while ((opt = getopt(argc, argv, "a:e:k:n:r:h")) != -1) {
switch (opt) {
case 'k':
keydir = optarg;
@@ -48,6 +52,9 @@ static void process_args(int argc, char *argv[])
case 'r':
require_keys = optarg;
break;
+ case 'e':
+ esl_file = optarg;
+ break;
case 'h':
print_help();
default:
@@ -106,7 +113,10 @@ static int add_pubkey(struct image_sign_info *info)
if (destfd < 0)
exit(EXIT_FAILURE);
- ret = info->crypto->add_verify_data(info, dest_blob);
+
+ ret = esl_file ? fdt_embed_esl(esl_file, dest_blob) :
+ info->crypto->add_verify_data(info, dest_blob);
+
if (ret == -ENOSPC)
continue;
else if (ret < 0)
new file mode 100644
@@ -0,0 +1,98 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2023 Linaro Limited
+ *
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <linux/libfdt.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "mkimage.h"
+
+#define ESL_SIG_NODENAME "signature"
+
+static int get_esl_pub_key(const char *esl_file, void **key_ptr, int *key_fd,
+ off_t *key_size)
+{
+ int ret;
+ struct stat pub_key;
+
+ debug("%s: esl file => %s\n", __func__, esl_file);
+ *key_fd = open(esl_file, O_RDONLY);
+ if (*key_fd == -1) {
+ fprintf(stderr, "Unable to open %s: %s\n",
+ esl_file, strerror(errno));
+ return -EACCES;
+ }
+
+ ret = fstat(*key_fd, &pub_key);
+ if (ret == -1) {
+ fprintf(stderr, "Can't stat %s: %s\n",
+ esl_file, strerror(errno));
+ ret = errno;
+ goto err;
+ }
+ *key_size = pub_key.st_size;
+
+ /* mmap the public key esl file */
+ *key_ptr = mmap(0, *key_size, PROT_READ, MAP_SHARED, *key_fd, 0);
+ if ((*key_ptr == MAP_FAILED) || (errno != 0)) {
+ fprintf(stderr, "Failed to mmap %s:%s\n",
+ esl_file, strerror(errno));
+ ret = errno;
+ goto err;
+ }
+
+ return 0;
+err:
+ close(*key_fd);
+
+ return ret;
+}
+
+int fdt_embed_esl(const char *esl_file, void *keydest)
+{
+ int ret, key_fd;
+ off_t key_size = 0;
+ void *key_ptr = NULL;
+ int parent;
+
+ ret = get_esl_pub_key(esl_file, &key_ptr, &key_fd, &key_size);
+ if (ret) {
+ debug("Unable to open the public key esl file\n");
+ goto out;
+ }
+
+ parent = fdt_subnode_offset(keydest, 0, ESL_SIG_NODENAME);
+ if (parent == -FDT_ERR_NOTFOUND) {
+ parent = fdt_add_subnode(keydest, 0, ESL_SIG_NODENAME);
+ if (parent < 0) {
+ ret = parent;
+ if (ret != -FDT_ERR_NOSPACE) {
+ fprintf(stderr, "Couldn't create signature node: %s\n",
+ fdt_strerror(parent));
+ }
+ }
+ }
+
+ if (ret)
+ goto out;
+
+ ret = fdt_setprop(keydest, parent, "capsule-key",
+ key_ptr, key_size);
+
+out:
+ close(key_fd);
+ munmap(key_ptr, key_size);
+
+ if (ret)
+ return ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
+
+ return ret;
+}
The fdt_add_pubkey tool is used for adding a public key to the devicetree, which is then used for verifying the FIT signatures. Add a function for embedding the public key in the form of an EFI Signature List(ESL) file as a property under the signature node of the device tree. Unlike the public key added for FIT signature verification, the ESL file contents are added as a whole, as a property under the signature node in the DTB. The public key in the ESL form is used by the capsule authentication feature for authenticating the capsules, prior to update. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> --- Changes since V1: * New patch * Use fdt_add_pubkey tool for adding the ESL into the dtb instead of using the shell script used in the earlier version. tools/Makefile | 2 +- tools/fdt_add_pubkey.c | 16 +++++-- tools/fdt_add_pubkey_esl.c | 98 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 112 insertions(+), 4 deletions(-) create mode 100644 tools/fdt_add_pubkey_esl.c