[U-Boot] [PATCH v3 4/6] binman: add optional support for U-Boot image signing

Anatolij Gustschin agust at denx.de
Fri Nov 17 01:15:56 UTC 2017 

Prepare binman for adding image signing support after final image
build stage. Custom image signing functionality for SoCs supporting
verified boot can be added, e.g. like in the subsequent patch with
signing functionality for Bay Trail SoC images.

Read 'sign' and 'socname' properties in /binman node of the DTS file
and setup the SoC specific signing method, if these properties are
present. The directory with signing keys can be specified by '--keydir'
option. The keys are supposed to be in the 'keydir' directory if no
keydir option was given.

Signed-off-by: Anatolij Gustschin <agust at denx.de>
---
NOTE: This patch applies on top of binman changes in binman-working
branch in git://git.denx.de/u-boot-dm.git

Changes in v3:
 - None, new patch in this series

 tools/binman/binman.py         |  3 +++
 tools/binman/cmdline.py        |  2 ++
 tools/binman/control.py        |  1 +
 tools/binman/image.py          | 23 +++++++++++++++++++++++
 tools/binman/signing/signer.py | 22 ++++++++++++++++++++++
 5 files changed, 51 insertions(+)
 create mode 100644 tools/binman/signing/signer.py

diff --git a/tools/binman/binman.py b/tools/binman/binman.py
index 1c8e8dbff6..ad5f351261 100755
--- a/tools/binman/binman.py
+++ b/tools/binman/binman.py
@@ -27,6 +27,9 @@ sys.path.insert(0, 'scripts/dtc/pylibfdt')
 # Also allow entry-type modules to be brought in from the etype directory.
 sys.path.insert(0, os.path.join(our_path, 'etype'))
 
+# Bring in the module for image signing
+sys.path.insert(0, os.path.join(our_path, 'signing'))
+
 import cmdline
 import command
 import control
diff --git a/tools/binman/cmdline.py b/tools/binman/cmdline.py
index 233d5e1d1a..bc47949e40 100644
--- a/tools/binman/cmdline.py
+++ b/tools/binman/cmdline.py
@@ -29,6 +29,8 @@ def ParseArgs(argv):
             help='Enabling debugging (provides a full traceback on error)')
     parser.add_option('-I', '--indir', action='append',
             help='Add a path to a directory to use for input files')
+    parser.add_option('-K', '--keydir', type='string', action='store', default="keydir",
+            help='Path to the directory with image signing keys')
     parser.add_option('-H', '--full-help', action='store_true',
         default=False, help='Display the README file')
     parser.add_option('-O', '--outdir', type='string',
diff --git a/tools/binman/control.py b/tools/binman/control.py
index ffa2bbd80f..2ad1ebf3fb 100644
--- a/tools/binman/control.py
+++ b/tools/binman/control.py
@@ -113,6 +113,7 @@ def Binman(options, args):
                 image.ProcessEntryContents()
                 image.WriteSymbols()
                 image.BuildImage()
+                image.SignImage(options)
         finally:
             tools.FinaliseOutputDir()
     finally:
diff --git a/tools/binman/image.py b/tools/binman/image.py
index 741630f091..2dfa00ae57 100644
--- a/tools/binman/image.py
+++ b/tools/binman/image.py
@@ -15,6 +15,7 @@ import sys
 
 import fdt_util
 import tools
+from signer import GetImageSigner
 
 class Image:
     """A Image, representing an output from binman
@@ -48,6 +49,9 @@ class Image:
              This causes _skip_at_start to be set to the starting memory
              address.
         _entries: OrderedDict() of entries
+        _sign: Flag to indicate whether image signing is requested
+        _socname: Name of the SoC used to obtain the signer object
+        _signer: Signer object implementing SoC specific signing function
     """
     def __init__(self, name, node, test=False):
         global entry
@@ -67,6 +71,9 @@ class Image:
         self._skip_at_start = 0
         self._end_4gb = False
         self._entries = OrderedDict()
+        self._sign = False
+        self._signer = None
+        self._socname = None
 
         if not test:
             self._ReadNode()
@@ -92,6 +99,15 @@ class Image:
         if self._end_4gb:
             self._skip_at_start = 0x100000000 - self._size
 
+        self._sign = fdt_util.GetBool(self._node, 'sign')
+        if self._sign:
+            self._socname = fdt_util.GetString(self._node, 'socname')
+            if not self._socname:
+                self._Raise("SoC name must be provided when signing is enabled")
+            self._signer = GetImageSigner(self._socname)
+            if not self._signer:
+                self._Raise("No image signer found for SoC '%s'" % self._socname)
+
     def CheckSize(self):
         """Check that the image contents does not exceed its size, etc."""
         contents_size = 0
@@ -249,6 +265,13 @@ class Image:
                 fd.seek(self._pad_before + entry.pos - self._skip_at_start)
                 fd.write(data)
 
+    def SignImage(self, options):
+        """Sign the image if verified boot is enabled"""
+        if not self._sign:
+            return
+        fname = tools.GetOutputFilename(self._filename)
+        self._signer.sign(fname, options.keydir, options.indir, options.outdir)
+
     def LookupSymbol(self, sym_name, optional, msg):
         """Look up a symbol in an ELF file
 
diff --git a/tools/binman/signing/signer.py b/tools/binman/signing/signer.py
new file mode 100644
index 0000000000..4ec43d424f
--- /dev/null
+++ b/tools/binman/signing/signer.py
@@ -0,0 +1,22 @@
+# Copyright (c) 2017 DENX Software Engineering
+# Anatolij Gustschin <agust at denx.de>
+#
+# SPDX-License-Identifier:	GPL-2.0+
+#
+# Class for signing the output image of binman
+#
+
+# Dictionary with SoC names and corresponding signing functions.
+# Image signing support for not yet supported SoCs can be added
+# here
+soc_sign_dict = {
+}
+
+class ImageSigner(object):
+    def __init__(self, sign_func):
+        self.sign = sign_func
+
+def GetImageSigner(soc):
+    if not soc in soc_sign_dict:
+        return None
+    return ImageSigner(soc_sign_dict[soc])
-- 
2.11.0

More information about the U-Boot mailing list