[PATCH 1/1] binman: add sign option for binman

Ivan Mikhaylov fr0st61te at gmail.com
Fri Dec 24 22:23:34 CET 2021

Introduce prototype for binman's new option which provides sign
and replace sections in binary images.

Usage as example:

mkimage -G privateky -r -o sha256,rsa4096 -F fit at 0x280000.fit
binman replace -i flash.bin -f fit at 0x280000.fit fit at 0x280000

binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f fit at 0x280000.fit fit at 0x280000

Signed-off-by: Ivan Mikhaylov <ivan.mikhaylov at siemens.com>
 tools/binman/cmdline.py | 13 +++++++++++++
 tools/binman/control.py | 27 ++++++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/tools/binman/cmdline.py b/tools/binman/cmdline.py
index e73ff78095..c3cfd17d1c 100644
--- a/tools/binman/cmdline.py
+++ b/tools/binman/cmdline.py
@@ -113,6 +113,19 @@ controlled by a description in the board device tree.'''
     replace_parser.add_argument('paths', type=str, nargs='*',
                                 help='Paths within file to replace (wildcard)')
+    sign_parser = subparsers.add_parser('sign',
+                                           help='Sign entries in image')
+    sign_parser.add_argument('-i', '--image', type=str, required=True,
+                                help='Image filename to update')
+    sign_parser.add_argument('-k', '--key', type=str, required=True,
+                                help='Private key file for sign')
+    sign_parser.add_argument('-a', '--algo', type=str, required=True,
+                                help='Hash algorithm')
+    sign_parser.add_argument('-f', '--file', type=str, required=True,
+                                help='Input filename to sign')
+    sign_parser.add_argument('paths', type=str, nargs='*',
+                                help='Paths within file to sign (wildcard)')
     test_parser = subparsers.add_parser('test', help='Run tests')
     test_parser.add_argument('-P', '--processes', type=int,
         help='set number of processes to use for running tests')
diff --git a/tools/binman/control.py b/tools/binman/control.py
index 7da69ba38d..ec0e55f7c3 100644
--- a/tools/binman/control.py
+++ b/tools/binman/control.py
@@ -18,6 +18,7 @@ from binman import cbfs_util
 from binman import elf
 from patman import command
 from patman import tout
+from patman import tools
 # List of images we plan to create
 # Make this global so that it can be referenced from tests
@@ -401,6 +402,26 @@ def ReplaceEntries(image_fname, input_fname, indir, entry_paths,
     AfterReplace(image, allow_resize=allow_resize, write_map=write_map)
     return image
+def MkimageSign(privatekey_fname, algo, input_fname):
+    tools.Run('mkimage', '-G', privatekey_fname, '-r', '-o', algo, '-F', input_fname)
+def SignEntries(image_fname, input_fname, privatekey_fname, algo, entry_paths):
+    """Sign and replace the data from one or more entries from input files
+    Args:
+        image_fname: Image filename to process
+        input_fname: Single input filename to use if replacing one file, None
+            otherwise
+        algo: Hashing algorithm
+        privatekey_fname: Private key filename
+    Returns:
+        List of EntryInfo records that were signed and replaced
+    """
+    MkimageSign(privatekey_fname, algo, input_fname)
+    return ReplaceEntries(image_fname, input_fname, None, entry_paths)
 def PrepareImagesAndDtbs(dtb_fname, select_images, update_fdt, use_expanded):
     """Prepare the images to be processed and select the device tree
@@ -575,7 +596,7 @@ def Binman(args):
     from binman.image import Image
     from binman import state
-    if args.cmd in ['ls', 'extract', 'replace']:
+    if args.cmd in ['ls', 'extract', 'replace', 'sign']:
@@ -590,6 +611,10 @@ def Binman(args):
                 ReplaceEntries(args.image, args.filename, args.indir, args.paths,
                                do_compress=not args.compressed,
                                allow_resize=not args.fix_size, write_map=args.map)
+            if args.cmd == 'sign':
+                SignEntries(args.image, args.file, args.key, args.algo, args.paths)

More information about the U-Boot mailing list