[PATCH v2 5/7] spl: fit: enable signing a generated u-boot.itb

Kever Yang kever.yang at rock-chips.com
Tue Apr 28 15:48:44 CEST 2020 

On 2020/4/21 上午8:23, Heiko Stuebner wrote:
> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> With SPL_FIT_SIGNATURE enabled we will likely want a generated
> u-boot.itb to be signed and the key stores so that the spl can
> reach it.
>
> So add a SPL_FIT_SIGNATURE_KEY_DIR option and suitable hooks
> into the Makefile to have mkimage sign the .itb and store the
> used key into the spl dtb file.
>
> The added dependencies should make sure that the u-boot.itb
> gets generated before the spl-binary gets build, so that there
> is the necessary space for the key to get included.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> Reviewed-by: Philipp Tomsich <philipp.tomsich at theobroma-systems.com>

Reviewed-by: Kever Yang <kever.yang at rock-chips.com>

Thanks,
- Kever
> ---
>   Kconfig  |  8 ++++++++
>   Makefile | 11 ++++++++++-
>   2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/Kconfig b/Kconfig
> index 4051746319..15a783a67d 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -451,6 +451,14 @@ config SPL_FIT_SIGNATURE
>   	select SPL_RSA_VERIFY
>   	select IMAGE_SIGN_INFO
>   
> +config SPL_FIT_SIGNATURE_KEY_DIR
> +	string "key directory for signing U-Boot FIT image"
> +	depends on SPL_FIT_SIGNATURE
> +	default "keys"
> +	help
> +	  The directory to give to mkimage to retrieve keys from when
> +	  generating a signed U-Boot FIT image.
> +
>   config SPL_LOAD_FIT
>   	bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
>   	select SPL_FIT
> diff --git a/Makefile b/Makefile
> index 26307fd4a6..8e7a7cb50e 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1394,6 +1394,14 @@ MKIMAGEFLAGS_u-boot.itb =
>   else
>   MKIMAGEFLAGS_u-boot.itb = -E
>   endif
> +ifdef CONFIG_SPL_FIT_SIGNATURE
> +ifdef CONFIG_SPL_OF_CONTROL
> +MKIMAGEFLAGS_u-boot.itb += -K dts/dt-spl.dtb -r
> +ifneq ($(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR),"")
> +MKIMAGEFLAGS_u-boot.itb += -k $(CONFIG_SPL_FIT_SIGNATURE_KEY_DIR)
> +endif
> +endif
> +endif
>   
>   u-boot.itb: u-boot-nodtb.bin \
>   		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_OF_HOSTFILE),dts/dt.dtb) \
> @@ -1913,7 +1921,8 @@ spl/u-boot-spl.bin: spl/u-boot-spl
>   
>   spl/u-boot-spl: tools prepare \
>   		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_SPL_OF_PLATDATA),dts/dt.dtb) \
> -		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb)
> +		$(if $(CONFIG_OF_SEPARATE)$(CONFIG_OF_EMBED)$(CONFIG_TPL_OF_PLATDATA),dts/dt.dtb) \
> +		$(if $(CONFIG_SPL_FIT_GENERATOR),u-boot.itb FORCE)
>   	$(Q)$(MAKE) obj=spl -f $(srctree)/scripts/Makefile.spl all
>   
>   spl/sunxi-spl.bin: spl/u-boot-spl

More information about the U-Boot mailing list