[PATCH 0/2] RFC: add fdt_add_pubkey tool

Jan Kiszka jan.kiszka at siemens.com
Wed Nov 10 21:58:34 CET 2021 

On 10.11.21 20:36, Simon Glass wrote:
> Hi Jan,
> 
> On Wed, 10 Nov 2021 at 09:49, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>>
>> On 10.11.21 17:31, Simon Glass wrote:
>>> Hi Jan,
>>>
>>> On Wed, 10 Nov 2021 at 00:20, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>>>>
>>>> On 10.11.21 07:55, Jan Kiszka wrote:
>>>>> On 10.11.21 01:58, Simon Glass wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Tue, 9 Nov 2021 at 02:17, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>>>>>>>
>>>>>>> On 08.11.21 16:28, Roman Kopytin wrote:
>>>>>>>> In order to reduce the coupling between building the kernel and
>>>>>>>> U-Boot, I'd like a tool that can add a public key to U-Boot's dtb
>>>>>>>> without simultaneously signing a FIT image. That tool doesn't seem to
>>>>>>>> exist, so I stole the necessary pieces from mkimage et al and put it
>>>>>>>> in a single .c file.
>>>>>>>>
>>>>>>>> I'm still working on the details of my proposed "require just k out
>>>>>>>> these n required keys" and how it should be implemented, but it will
>>>>>>>> probably involve teaching this tool a bunch of new options. These
>>>>>>>> patches are not necessarily ready for inclusion (unless someone else
>>>>>>>> finds fdt_add_pubkey useful as is), but I thought I might as well send
>>>>>>>> it out for early comments.
>>>>>>>
>>>>>>> I'd also like to see the usage of this hooked into the build process.
>>>>>>>
>>>>>>> And to my understanding of [1], that approach will provide a feature
>>>>>>> that permits hooking with the build but would expect the key as dtsi
>>>>>>> fragment. Can we consolidate the approaches?
>>>>>>>
>>>>>>> My current vision of a user interface would be a Kconfig option that
>>>>>>> takes a list of key files to be injected. Maybe make that three lists,
>>>>>>> one for "required=image", one for "required=conf", and one for optional
>>>>>>> keys (if that has a use case in practice, no idea).
>>>>>>
>>>>>> Also please take a look at binman which is designed to handle create
>>>>>> (or later updating from Yocto) the devicetree or firmware image.
>>>>>>
>>>>>
>>>>> Yes, binman is another problem area, but not for the public key
>>>>> injection, rather for permitting to sign fit images that are described
>>>>> for binman (rather than for mkimage). I'm currently back to dd for
>>>>> signing the U-Boot container in
>>>>> arch/arm/dts/k3-am65-iot2050-boot-image.dtsi, or I would have to split
>>>>> that FIT image description from that file - both not optimal.
>>>
>>> Well I don't think binman supports that at present, or at least I'm
>>> not sure what it would do. We don't have a test case for it. If you
>>> have an idea for how it should work, please send some ideas and I can
>>> look at it.
>>>
>>>>
>>>> OK, this can already be optimized with "binman replace" - once I
>>>> understood where fdtmap can go and where not. Why no support for using
>>>> map files?
>>>
>>> The fdtmap provides enough information to extract anything from the
>>> image and regenerate/replace things.
>>>
>>> What is a map file?
>>
>> *.map, e.g. image.map? Also generated by many binmap <cmd> -m?
> 
> Using map files for what? Do you mean passing it to Binman in lieu of
> an in-image fdtmap? If so, they are not equivalent. The map is just a
> simple text output of offsets and sizes. The fdtmap contains the full
> image description.

Too bad. I was looking for a way to avoid having to add fdtmap to an
image when all information is already on the build host - and should
actually only remain there. Embedding fdtmap into the image solely for
build/post-process purposes looks like overkill to me.

> 
>>
>>>
>>>>
>>>> Jan
>>>>
>>>>>
>>>>> And another area: Trust centers that perform the signing (and only that)
>>>>> usually do not support random formats and workflows but just few common
>>>>> ones, e.g. x509. It would be nice to have a way to route out the payload
>>>>> (hashes etc.) that mkimage would sign, ideally into a standard signing
>>>>> request, and permit to inject the resulting signature at the right
>>>>> places into the FIT image.
>>>
>>> Well that needs to be provided somewhere. It should be fairly easy to
>>> get Binman to do this, so long as the image description has info about
>>> what is being signed.
>>
>> I would assume that it has to have that information, already to use
>> mkimage on it or its parts.
> 
> Well, at present the information is there but Binman does not fully
> parse the mkimage subnodes. E.g. it doesn't look to see what things
> are signed/hashed. It just runs mkimage. If we want to output the hash
> for signing, we would need to implement that somewhere. Binman could
> do this after the image is build, i.e. look at the various signature
> nodes, hash the appropriate data and write out an 'instructions' file
> in a suitable format.

Yep, that would be nice. Or would mkimage have more of the needed logic
already on board and would better be extended to write them out?

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

More information about the U-Boot mailing list