[PATCH 1/2] tools: add fdt_add_pubkey

Jan Kiszka jan.kiszka at siemens.com
Wed Nov 10 08:39:06 CET 2021 

On 08.11.21 16:28, Roman Kopytin wrote:
> Having to use the -K option to mkimage to populate U-Boot's .dtb with the
> public key while signing the kernel FIT image is often a little
> awkward. In particular, when using a meta-build system such as
> bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
> intertwined, modifying deployed artifacts and rebuilding U-Boot with
> an updated .dtb is quite cumbersome. Also, in some scenarios one may
> wish to build U-Boot complete with the public key(s) embedded in the
> .dtb without the corresponding private keys being present on the same
> build host.
> 
> So this adds a simple tool that allows one to disentangle the kernel
> and U-Boot builds, by simply copy-pasting just enough of the mkimage
> code to allow one to add a public key to a .dtb. When using mkimage,
> some of the information is taken from the .its used to build the
> kernel (algorithm and key name), so that of course needs to be
> supplied on the command line.
> 
> Signed-off-by: Roman Kopytin <Roman.Kopytin at kaspersky.com>
> Cc: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
> ---
>  tools/.gitignore       |  1 +
>  tools/Makefile         |  3 ++
>  tools/fdt_add_pubkey.c | 97 ++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 101 insertions(+)
>  create mode 100755 tools/fdt_add_pubkey.c
> 
> diff --git a/tools/.gitignore b/tools/.gitignore
> index a88453f64d..f312b760e4 100644
> --- a/tools/.gitignore
> +++ b/tools/.gitignore
> @@ -6,6 +6,7 @@
>  /dumpimage
>  /easylogo/easylogo
>  /envcrc
> +/fdt_add_pubkey
>  /fdtgrep
>  /file2include
>  /fit_check_sign
> diff --git a/tools/Makefile b/tools/Makefile
> index 4a86321f64..44f25dda18 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -73,6 +73,7 @@ mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o
>  
>  hostprogs-y += dumpimage mkimage
>  hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info fit_check_sign
> +hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fdt_add_pubkey
>  
>  hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include
>  
> @@ -153,6 +154,7 @@ dumpimage-objs := $(dumpimage-mkimage-objs) dumpimage.o
>  mkimage-objs   := $(dumpimage-mkimage-objs) mkimage.o
>  fit_info-objs   := $(dumpimage-mkimage-objs) fit_info.o
>  fit_check_sign-objs   := $(dumpimage-mkimage-objs) fit_check_sign.o
> +fdt_add_pubkey-objs   := $(dumpimage-mkimage-objs) fdt_add_pubkey.o
>  file2include-objs := file2include.o
>  
>  ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),)
> @@ -190,6 +192,7 @@ HOSTCFLAGS_fit_image.o += -DMKIMAGE_DTC=\"$(CONFIG_MKIMAGE_DTC_PATH)\"
>  HOSTLDLIBS_dumpimage := $(HOSTLDLIBS_mkimage)
>  HOSTLDLIBS_fit_info := $(HOSTLDLIBS_mkimage)
>  HOSTLDLIBS_fit_check_sign := $(HOSTLDLIBS_mkimage)
> +HOSTLDLIBS_fdt_add_pubkey := $(HOSTLDLIBS_mkimage)
>  
>  hostprogs-$(CONFIG_EXYNOS5250) += mkexynosspl
>  hostprogs-$(CONFIG_EXYNOS5420) += mkexynosspl
> diff --git a/tools/fdt_add_pubkey.c b/tools/fdt_add_pubkey.c
> new file mode 100755
> index 0000000000..9306ecedd1
> --- /dev/null
> +++ b/tools/fdt_add_pubkey.c
> @@ -0,0 +1,97 @@
> +#include <image.h>
> +#include "fit_common.h"
> +
> +static const char *cmdname;
> +
> +static const char *algo_name = "sha1,rsa2048"; /* -a <algo> */
> +static const char *keydir = "."; /* -k <keydir> */
> +static const char *keyname = "key"; /* -n <keyname> */
> +static const char *require_keys; /* -r <conf|image> */
> +static const char *keydest; /* argv[n] */
> +
> +static void usage(const char *msg)
> +{
> +	fprintf(stderr, "Error: %s\n", msg);
> +	fprintf(stderr, "Usage: %s [-a <algo>] [-k <keydir>] [-n <keyname>] [-r <conf|image>] <fdt blob>\n",
> +		cmdname);

The tool should support --help and document the default of these
optional parameters that way.

Is there an easy way to derive algo from the key?

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

More information about the U-Boot mailing list