[PATCH 1/3] binman: add sign option for binman

Ivan Mikhaylov fr0st61te at gmail.com
Mon Mar 21 22:43:17 CET 2022


Introduce a proof of concept for a new binman option that signs sections
of a binary image and replaces them in place.

Usage as example:

from:
mkimage -G privateky -r -o sha256,rsa4096 -F fit
binman replace -i flash.bin -f fit.fit fit

to:
binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f fit.fit fit

Signed-off-by: Ivan Mikhaylov <ivan.mikhaylov at siemens.com>
---
 tools/binman/cmdline.py | 13 +++++++++++++
 tools/binman/control.py | 26 +++++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/tools/binman/cmdline.py b/tools/binman/cmdline.py
index 0626b850f4..1a25f95ff1 100644
--- a/tools/binman/cmdline.py
+++ b/tools/binman/cmdline.py
@@ -160,6 +160,19 @@ controlled by a description in the board device tree.'''
     replace_parser.add_argument('paths', type=str, nargs='*',
                                 help='Paths within file to replace (wildcard)')
 
+    sign_parser = subparsers.add_parser('sign',
+                                           help='Sign entries in image')
+    sign_parser.add_argument('-a', '--algo', type=str, required=True,
+                                help='Hash algorithm e.g. sha256,rsa4096')
+    sign_parser.add_argument('-f', '--file', type=str, required=True,
+                                help='Input filename to sign')
+    sign_parser.add_argument('-i', '--image', type=str, required=True,
+                                help='Image filename to update')
+    sign_parser.add_argument('-k', '--key', type=str, required=True,
+                                help='Private key file for signing')
+    sign_parser.add_argument('paths', type=str, nargs='*',
+                                help='Paths within file to sign (wildcard)')
+
     test_parser = subparsers.add_parser('test', help='Run tests')
     test_parser.add_argument('-P', '--processes', type=int,
         help='set number of processes to use for running tests')
diff --git a/tools/binman/control.py b/tools/binman/control.py
index a179f78129..7595ea7776 100644
--- a/tools/binman/control.py
+++ b/tools/binman/control.py
@@ -19,6 +19,7 @@ from binman import cbfs_util
 from binman import elf
 from patman import command
 from patman import tout
+from patman import tools
 
 # List of images we plan to create
 # Make this global so that it can be referenced from tests
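Review bot: `from patman import tools` looks like a duplicate of an import control.py already has: the unchanged context in the Binman hunk below calls `tools.prepare_output_dir(None)` and `tools.set_tool_paths(...)` without this patch, so `tools` is presumably already in scope earlier in the file. If that is the case the line should be dropped; if it is genuinely new, the existing calls would have been failing and that is worth stating in the commit message.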
@@ -434,6 +435,26 @@ def ReplaceEntries(image_fname, input_fname, indir, entry_paths,
     AfterReplace(image, allow_resize=allow_resize, write_map=write_map)
     return image
 
+def MkimageSign(privatekey_fname, algo, input_fname):
+    tools.Run('mkimage', '-G', privatekey_fname, '-r', '-o', algo, '-F', input_fname)
+
+def SignEntries(image_fname, input_fname, privatekey_fname, algo, entry_paths):
+    """Sign and replace the data from one or more entries from input files
+
+    Args:
+        image_fname: Image filename to process
+        input_fname: Single input filename to use if replacing one file, None
+            otherwise
+        algo: Hashing algorithm
+        privatekey_fname: Private key filename
+
+    Returns:
+        List of EntryInfo records that were signed and replaced
+    """
+
+    MkimageSign(privatekey_fname, algo, input_fname)
+
+    return ReplaceEntries(image_fname, input_fname, None, entry_paths)
 
 def PrepareImagesAndDtbs(dtb_fname, select_images, update_fdt, use_expanded):
     """Prepare the images to be processed and select the device tree
@@ -627,7 +648,7 @@ def Binman(args):
     from binman.image import Image
     from binman import state
 
-    if args.cmd in ['ls', 'extract', 'replace', 'tool']:
+    if args.cmd in ['ls', 'extract', 'replace', 'tool', 'sign']:
         try:
             tout.init(args.verbosity)
             tools.prepare_output_dir(None)
@@ -643,6 +664,9 @@ def Binman(args):
                                do_compress=not args.compressed,
                                allow_resize=not args.fix_size, write_map=args.map)
 
+            if args.cmd == 'sign':
+                SignEntries(args.image, args.file, args.key, args.algo, args.paths)
+
             if args.cmd == 'tool':
                 tools.set_tool_paths(args.toolpath)
                 if args.list:
-- 
2.35.1


