[PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
sjg at chromium.org
Fri Jan 13 19:00:21 CET 2023
On Thu, 5 Jan 2023 at 02:31, Massimo Pegorer <massimo.pegorer at vimar.com> wrote:
> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Also adding the -K <dtb>
> and -r options will add the public key to the <dtb> file with
> required = "conf"
>
>   -f auto => FIT with crc32 images
>   -f auto -g ... -o ... => FIT with signed images
>   -f auto-conf -g ... -o ... => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; public key (needed to verify signatures) is
> added to u-boot.dtb with required = "conf" property.
>
>   mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e00000 \
>           -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
>           -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
>           -K u-boot.dtb -r kernel.itb
>
> Example: Add public key with required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
>   mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
>           -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer <massimo.pegorer at vimar.com>
>
> The commit includes: patch for adding the new feature to mkimage tool;
> updated man page, with description of the new feature and examples,
> plus fixes to wrong/misleading information; test for all of the three
> flavours of auto-FIT (crc32 images, signed images, sha1 hashed images
> and signed configurations).
>
>  doc/mkimage.1                         | 119 +++++++++++-----
>  test/py/tests/test_fit_auto_signed.py | 195 ++++++++++++++++++++++++++
>  tools/fit_image.c                     |  75 ++++++----
>  tools/imagetool.h                     |  10 +-
>  tools/mkimage.c                       |  21 ++-
>  5 files changed, 353 insertions(+), 67 deletions(-)
>  create mode 100644 test/py/tests/test_fit_auto_signed.py

Reviewed-by: Simon Glass <sjg at chromium.org>

We currently avoid using the fdt library in tools/dtoc in tests but
perhaps this policy needs to be changed, as this patch shows.

One option would be to create a new tools/u_boot_lib directory with
the shared functions currently in tools/patman etc., then allow use of
that in tests.
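
Added example, not part of the patch, the U-Boot test suite or either author's message: a Python check that tells the three auto-FIT flavours listed in the commit message apart and names any configuration left without a signature node. It assumes the FIT has been dumped to DTS text (for instance with `dtc -I dtb -O dts kernel.itb`); the node names (`kernel-1`, `fdt-1`, `conf-1`, `hash-1`, `signature-1`) and the sample itself are constructed for illustration.

```python
import re

# Constructed sample: DTS view of a FIT as built with -f auto-conf (data omitted).
SAMPLE = '''/ {
  images {
    kernel-1 { hash-1 { algo = "sha1"; }; };
    fdt-1 { hash-1 { algo = "sha1"; }; };
    fdt-2 { hash-1 { algo = "sha1"; }; };
  };
  configurations {
    conf-1 { fdt = "fdt-1"; signature-1 { algo = "sha256,rsa4096"; }; };
    conf-2 { fdt = "fdt-2"; signature-1 { algo = "sha256,rsa4096"; }; };
  };
};'''

TOKEN = re.compile(r'(?P<open>[\w/@,.-]+)\s*\{|(?P<close>\}\s*;)'
                   r'|(?P<key>[\w,#-]+)\s*=\s*"(?P<val>[^"]*)"\s*;')

def parse_dts(text):
    """Minimal DTS reader: nodes become dicts, single-string properties str."""
    stack = [{}]
    for m in TOKEN.finditer(text):
        if m["open"]:
            stack.append(stack[-1].setdefault(m["open"], {}))
        elif m["close"]:
            stack.pop()
        else:
            stack[-1][m["key"]] = m["val"]
    return stack[0]["/"]

def algos(node, prefix):
    """algo values of the subnodes whose name starts with prefix."""
    return [v.get("algo") for k, v in node.items()
            if isinstance(v, dict) and k.startswith(prefix)]

def flavour(fit):
    """Return (flavour, names of configurations without a signature node)."""
    imgs = [n for n in fit["images"].values() if isinstance(n, dict)]
    confs = {k: n for k, n in fit["configurations"].items() if isinstance(n, dict)}
    unsigned = [k for k, n in confs.items() if not algos(n, "signature")]
    img_hash = {tuple(algos(i, "hash")) for i in imgs}
    if confs and not unsigned and img_hash == {("sha1",)}:
        return "signed-conf", unsigned    # -f auto-conf -g ... -o ...
    if imgs and all(algos(i, "signature") for i in imgs):
        return "signed-img", unsigned     # -f auto -g ... -o ...
    if img_hash == {("crc32",)}:
        return "hashed-img", unsigned     # -f auto
    return "unknown", unsigned
```

This only inspects the structure of the FIT; it does not verify any signature, which still requires the public key placed in u-boot.dtb with -K.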