[PATCH v2 7/7] rockchip: make_fit_atf: add signature handling
Kever Yang
kever.yang at rock-chips.com
Tue Apr 28 15:53:47 CEST 2020
On 2020/4/21 上午8:23, Heiko Stuebner wrote:
> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
Reviewed-by: Kever Yang <kever.yang at rock-chips.com>
Thanks,
- Kever
> ---
> arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
> 1 file changed, 50 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
> index d15c32b303..5b353f9d0a 100755
> --- a/arch/arm/mach-rockchip/make_fit_atf.py
> +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> @@ -14,6 +14,8 @@ import sys
> import getopt
> import logging
> import struct
> +import Crypto
> +from Crypto.PublicKey import RSA
>
> DT_HEADER = """
> /*
> @@ -37,7 +39,9 @@ DT_UBOOT = """
> arch = "arm64";
> compression = "none";
> load = <0x%08x>;
> - };
> +"""
> +
> +DT_UBOOT_NODE_END = """ };
>
> """
>
> @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ };
>
> DT_END = "};"
>
> +def append_signature(file):
> + if not os.path.exists("u-boot.cfg"):
> + return
> +
> + config = {}
> + with open("u-boot.cfg") as fd:
> + for line in fd:
> + line = line.strip()
> + values = line[8:].split(' ', 1)
> + if len(values) > 1:
> + key, value = values
> + value = value.strip('"')
> + else:
> + key = values[0]
> + value = '1'
> + if not key.startswith('CONFIG_'):
> + continue
> + config[key] = value
> +
> + try:
> + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
> + except KeyError:
> + return
> +
> + try:
> + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint)
> + except KeyError:
> + keyfile = keyhint
> +
> + if not os.path.exists('%s.key' % keyfile):
> + return
> +
> + f = open('%s.key' % keyfile,'r')
> + key = RSA.importKey(f.read())
> +
> + file.write('\t\t\tsignature {\n')
> + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
> + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
> + file.write('\t\t\t};\n')
> +
> def append_bl31_node(file, atf_index, phy_addr, elf_entry):
> # Append BL31 DT node to input FIT dts file.
> data = 'bl31_0x%08x.bin' % phy_addr
> @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
> file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
> if atf_index == 1:
> file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
> + append_signature(file);
> file.write('\t\t};\n')
> file.write('\n')
>
> @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry):
> file.write('\t\t\tcompression = "none";\n')
> file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
> file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
> + append_signature(file);
> file.write('\t\t};\n')
> file.write('\n')
>
> @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs):
> file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
> file.write('\t\t\ttype = "flat_dt";\n')
> file.write('\t\t\tcompression = "none";\n')
> + append_signature(file);
> file.write('\t\t};\n')
> file.write('\n')
> cnt = cnt + 1
> @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
> raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
> index, entry, p_paddr, data = segments[0]
> fit_file.write(DT_UBOOT % p_paddr)
> + append_signature(fit_file)
> + fit_file.write(DT_UBOOT_NODE_END)
>
> def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
> segments = unpack_elf(bl31_file_name)
More information about the U-Boot
mailing list