[PATCH V2 10/13] iot2050: Add script for signing artifacts

Jan Kiszka jan.kiszka at siemens.com
Wed Oct 5 18:16:47 CEST 2022


On 05.10.22 18:04, Jan Kiszka wrote:
> On 05.10.22 17:58, Simon Glass wrote:
>> Hi Jan,
>>
>> On Wed, 5 Oct 2022 at 02:36, Jan Kiszka <jan.kiszka at siemens.com> wrote:
>>>
>>> From: Jan Kiszka <jan.kiszka at siemens.com>
>>>
>>> There are many ways to get a signed firmware for the IOT2050 devices,
>>> namely for the parts under user-control. This script documents one way
>>> of doing it, given a signing key. Augment the board documentation with
>>> the required procedure around it.
>>>
>>> Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
>>> ---
>>>  doc/board/siemens/iot2050.rst | 52 +++++++++++++++++++++++++++++++++++
>>>  tools/iot2050-sign-fw.sh      | 51 ++++++++++++++++++++++++++++++++++
>>>  2 files changed, 103 insertions(+)
>>>  create mode 100755 tools/iot2050-sign-fw.sh
>>
>> Please use binman for this. You can create a new entry type for your
>> needs. We want to avoid adding arch-specific scripts with no tests.
> 
> We will need a script in the foreseeable future, even when binman should
> be fixed /wrt replace - see how the certs need to be set up.

...and 'binman replace' is still broken:

# source/tools/binman/binman replace -i flash.bin -f tispl.bin_signed blob@0x180000
binman: Error 1 running 'mkimage -t -F /tmp/binman.ip2gc0oy/fit@0x380000.fit': Usage: mkimage -l image
          -l ==> list image header information
       mkimage [-x] -A arch -O os -T type -C comp -a addr -e ep -n name -d data_file[:data_file...] image
          -A ==> set architecture to 'arch'
          -O ==> set operating system to 'os'
          -T ==> set image type to 'type'
          -C ==> set compression type 'comp'
          -a ==> set load address to 'addr' (hex)
          -e ==> set entry point to 'ep' (hex)
          -n ==> set image name to 'name'
          -d ==> use image data from 'datafile'
          -x ==> set XIP (execute in place)
       mkimage [-D dtc_options] [-f fit-image.its|-F] fit-image
          -D => set options for device tree compiler
          -f => input filename for FIT source
Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-r]
          -k => set directory containing private keys
          -K => write public keys to this .dtb file
          -c => add comment in signature node
          -F => re-sign existing FIT image
          -r => mark keys used as 'required' in dtb
       mkimage -V ==> print version information and exit

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux


