[PATCH 1/3] binman: add sign option for binman

Simon Glass sjg at chromium.org
Sat Feb 18 00:49:27 CET 2023


Hi Ivan,

On Tue, 14 Feb 2023 at 13:38, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
>
> On Sat, 2023-02-04 at 15:23 -0700, Simon Glass wrote:
> > Hi Ivan,
> >
> > On Sun, 15 Jan 2023 at 16:54, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
> > >
> > > On Fri, 2023-01-13 at 11:00 -0700, Simon Glass wrote:
> > > > Hi Ivan,
> > > >
> > > > On Sat, 24 Dec 2022 at 15:35, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
> > > > >
> > > > > On Sat, 2022-12-17 at 15:02 -0700, Simon Glass wrote:
> > > > > > Hi Ivan,
> > > > > >
> > > > > > On Tue, 13 Dec 2022 at 11:51, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
> > > > > > >
> > > > > > > On Fri, 2022-11-18 at 13:50 -0700, Simon Glass wrote:
> > > > > > > > Hi Ivan,
> > > > > > > >
> > > > > > > > On Thu, 15 Sept 2022 at 13:44, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > On Wed, 2022-09-07 at 15:10 -0600, Simon Glass wrote:
> > > > > > > > > > Hi Ivan,
> > > > > > > > > >
> > > > > > > > > > Section data comes from the BuildSectionData() method, so you could
> > > > > > > > > > try calling that.
> > > > > > > > > >
> > > > > > > > > > See also collect_contents_to_file()
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Simon
> > > > > > > > >
> > > > > > > > > Simon, I've tried both these ways and they both don't work for me.
> > > > > > > > > What I've got:
> > > > > > > > >
> > > > > > > > > def SignEntries(image_fname, input_fname, privatekey_fname, algo,
> > > > > > > > >                 entry_paths):
> > > > > > > > >     image_fname = os.path.abspath(image_fname)
> > > > > > > > >     image = Image.FromFile(image_fname)
> > > > > > > > >     state.PrepareFromLoadedData(image)
> > > > > > > > >     image.LoadData()
> > > > > > > > >
> > > > > > > > > 1. BuildSectionData
> > > > > > > > >
> > > > > > > > >     for entry_path in entry_paths:
> > > > > > > > >         entry = image.FindEntryPath(entry_path)
> > > > > > > > >
> > > > > > > > >         try:
> > > > > > > > >             entry.BuildSectionData(True)
> > > > > > > > >         except Exception as e:
> > > > > > > > >             logging.error(traceback.format_exc())
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > ERROR:root:AttributeError: 'NoneType' object has no attribute 'run'
> > > > > > >
> > > > > > > Hi Simon, sorry for the long delay.
> > > > > > >
> > > > > > > binman: 'NoneType' object has no attribute 'run'
> > > > > > >
> > > > > > > Traceback (most recent call last):
> > > > > > >   File "/home/fr/upstream_uboot/tools/binman/binman", line 133, in RunBinman
> > > > > > >     ret_code = control.Binman(args)
> > > > > > >   File "/home/fr/upstream_uboot/tools/binman/control.py", line 684, in Binman
> > > > > > >     SignEntries(args.image, args.file, args.key, args.algo, args.paths)
> > > > > > >   File "/home/fr/upstream_uboot/tools/binman/control.py", line 469, in SignEntries
> > > > > > >     entry.BuildSectionData(True)
> > > > > > >   File "/home/fr/upstream_uboot/tools/binman/etype/fit.py", line 426, in BuildSectionData
> > > > > > >     if self.mkimage.run(reset_timestamp=True, output_fname=output_fname,
> > > > > > > AttributeError: 'NoneType' object has no attribute 'run'
> > > > > > >
> > > > > >
> > > > > > You need to call image.CollectBintools() like ReadEntry() and other
> > > > > > functions similar to yours that read images from a file. This is the
> > > > > > only way that the 'mkimage' tool becomes available to fit.py
> > > > > >
> > > > > > See fit.AddBintools() which is called by that function and sets
> > > > > > 'self.mkimage'
> > > > > > >
> > > > > Simon, thanks, now this part works fine but there is still an issue with
> > > > > updating the fit section. I saw that there exist some functions like
> > > > > WriteData, but for section (etype/fit.py) it is not implemented yet.
> > > > >
> > > > > ValueError: Node '/fit': Replacing sections is not implemented yet
> > > > >
> > > > > Also tried SetContents but it doesn't update the fit section in place. Any
> > > > > suggestions here?
> > > >
> > > > Updating a FIT in the image is not supported, or at least not tested,
> > > > so presumably doesn't work.
> > > >
> > > > I obtained fdt_add_pubkey from
> > > > https://patchwork.ozlabs.org/project/uboot/list/?series=271511&state=*
> > > >
> > > > I tried this:
> > > >
> > > > binman test testSignSimple
> > > > ======================== Running binman tests ========================
> > > > E
> > > > ======================================================================
> > > > ERROR: binman.ftest.TestFunctional.testSignSimple (subunit.RemotedTestCase)
> > > > binman.ftest.TestFunctional.testSignSimple
> > > > ----------------------------------------------------------------------
> > > > testtools.testresult.real._StringException: ValueError: Error 1 running 'fdt_add_pubkey -a sha256,rsa4096 -k /tmp/binman.1antmyoq -n test_key /tmp/binman.1antmyoq/source.dtb': .dtb too small, increasing size by 1024 bytes
> > > > .dtb too small, increasing size by 1024 bytes
> > > > fdt_add_pubkey: Cannot add public key to FIT blob: Unknown error -56
> > > >
> > > >
> > > > During handling of the above exception, another exception occurred:
> > > >
> > > > UnboundLocalError: local variable 'key_dir' referenced before assignment
> > > >
> > > >
> > > > ----------------------------------------------------------------------
> > > > Ran 1 test in 1.658s
> > > >
> > > > FAILED (errors=1)
> > > >
> > > > [sjg at kea u ((5cf6f1f8e7c...) $)]$ binman test testSignSimpleExact
> > > > ======================== Running binman tests ========================
> > > >
> > > > ----------------------------------------------------------------------
> > > > Ran 0 tests in 0.067s
> > > >
> > > > OK
> > > >
> > > >
> > > > Can you please:
> > > >
> > > > - push your tree again
> > > > - provide the command line you are using, or test case you are trying
> > > >   to make work
> > > > - provide the files needed to run it
> > > >
> > > > With that I should be able to figure out what is needed.
> > > >
> > > > Regards,
> > > > Simon
> > >
> > > Simon, sorry, I forgot about fdt_add_pubkey. I've updated and added the
> > > version on which I'm working into the branch which I posted before. There
> > > was an update in the add_verify_data call, for rsa at least, which sends
> > > the node number instead of a return code; because of this you are seeing
> > > such errors when running this toolkit. Now you should see something like this:
> > >
> > > binman test testSignSimple
> > > ======================== Running binman tests ========================
> > > E
> > > ======================================================================
> > > ERROR: testSignSimple (binman.ftest.TestFunctional)
> > > Test that a FIT container can be signed in image
> > > ----------------------------------------------------------------------
> > > ValueError: Node '/fit': Replacing sections is not implemented yet
> > >
> > > ----------------------------------------------------------------------
> > > Ran 1 test in 0.480s
> > >
> > > FAILED (errors=1)
> > >
> > > The command line which I'm using for manual testing:
> > >
> > > binman -D sign -i image-updated.bin -k test_key.key -a sha256,rsa4096 fit
> >
> > I've had a crack at this and sent a patch to allow updating sections
> > in toto.
> >
> > https://github.com/sjg20/u-boot/tree/try-ivan
> >
> > >
> > > Also, as I see, the fdt_add_pubkey application is still not in the u-boot
> > > tree. Do I need to look through it and put it in this series, or create
> > > another series of patches for fdt_add_pubkey?
> >
> > Doing it in this series is fine.
> >
> > Regards,
> > Simon
>
> Simon, thanks a lot, now it looks like it's working. I've updated my
> branch on https://github.com/fr0st61te/u-boot/commits/signfit,
> everything seems ok - fdt_add_pubkey and tests work fine. I want to
> check everything with qemu or hw, it'll take some time. I'll get back
> with proper patchsets in 2-3 weeks.

Good to hear, and thanks for the update.

Regards,
Simon

