[PATCH v3 07/11] binman: etype: Add u-boot-spl-pubkey-dtb etype

lukas.funke-oss at weidmueller.com lukas.funke-oss at weidmueller.com
Tue Jul 18 13:53:15 CEST 2023


From: Lukas Funke <lukas.funke at weidmueller.com>

This adds a new etype 'u-boot-spl-pubkey-dtb'. The etype adds the public
key from a certificate to the dtb. This creates a '/signature' node which
is turn contains the fields which make up the public key. Usually this
is done by 'mkimage -K'. However, 'binman sign' does not add the public
key to the SPL. This is why the pubkey is added using this etype.

The etype calls the underlying 'fdt_add_pubkey' tool.

Signed-off-by: Lukas Funke <lukas.funke at weidmueller.com>
Reviewed-by: Simon Glass <sjg at chromium.org>

---

Changes in v3:
- Fixed minor python doc typo in u-boot-spl-pubkey-dtb etype
- Renamed key property from 'key-name' to 'key-name-hint'

Changes in v2:
- Improved rst/python documentation
- Changed u_boot_spl_pubkey_dtb to u-boot-spl-pubkey-dtb in example

 tools/binman/entries.rst                    |  39 +++++++
 tools/binman/etype/u_boot_spl_pubkey_dtb.py | 109 ++++++++++++++++++++
 2 files changed, 148 insertions(+)
 create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py

diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index b71af801fd..c368ea8053 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -1912,6 +1912,45 @@ binman uses that to look up symbols to write into the SPL binary.
 
 
 
+.. _etype_u_boot_spl_pubkey_dtb:
+
+Entry: u-boot-spl-pubkey-dtb: U-Boot SPL device tree including public key
+-------------------------------------------------------------------------
+
+Properties / Entry arguments:
+    - key-name-hint: Public key name without extension (.crt).
+                Default is determined by underlying
+                bintool (fdt_add_pubkey), usually 'key'.
+    - algo: (Optional) Algorithm used for signing. Default is determined by
+            underlying bintool (fdt_add_pubkey), usually 'sha1,rsa2048'
+    - required: (Optional) If present this indicates that the key must be
+                verified for the image / configuration to be
+                considered valid
+
+The following example shows an image containing an SPL which
+is packed together with the dtb. Binman will add a signature
+node to the dtb.
+
+Example node::
+
+    image {
+    ...
+        spl {
+            filename = "spl.bin"
+
+            u-boot-spl-nodtb {
+            };
+            u-boot-spl-pubkey-dtb {
+                algo = "sha384,rsa4096";
+                required = "conf";
+                key-name-hint = "dev";
+            };
+        };
+    ...
+    }
+
+
+
 .. _etype_u_boot_spl_with_ucode_ptr:
 
 Entry: u-boot-spl-with-ucode-ptr: U-Boot SPL with embedded microcode pointer
diff --git a/tools/binman/etype/u_boot_spl_pubkey_dtb.py b/tools/binman/etype/u_boot_spl_pubkey_dtb.py
new file mode 100644
index 0000000000..cc92175ca3
--- /dev/null
+++ b/tools/binman/etype/u_boot_spl_pubkey_dtb.py
@@ -0,0 +1,109 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2023 Weidmueller GmbH
+# Written by Lukas Funke <lukas.funke at weidmueller.com>
+#
+# Entry-type module for 'u-boot-spl-pubkey.dtb'
+#
+
+import tempfile
+import os
+
+from binman.etype.blob_dtb import Entry_blob_dtb
+
+from dtoc import fdt_util
+
+from u_boot_pylib import tools
+
+# pylint: disable=C0103
+class Entry_u_boot_spl_pubkey_dtb(Entry_blob_dtb):
+    """U-Boot SPL device tree including public key
+
+    Properties / Entry arguments:
+        - key-name-hint: Public key name without extension (.crt).
+                    Default is determined by underlying
+                    bintool (fdt_add_pubkey), usually 'key'.
+        - algo: (Optional) Algorithm used for signing. Default is determined by
+                underlying bintool (fdt_add_pubkey), usually 'sha1,rsa2048'
+        - required: (Optional) If present this indicates that the key must be
+                    verified for the image / configuration to be
+                    considered valid
+
+    The following example shows an image containing an SPL which
+    is packed together with the dtb. Binman will add a signature
+    node to the dtb.
+
+    Example node::
+
+        image {
+        ...
+            spl {
+                filename = "spl.bin"
+
+                u-boot-spl-nodtb {
+                };
+                u-boot-spl-pubkey-dtb {
+                    algo = "sha384,rsa4096";
+                    required = "conf";
+                    key-name-hint = "dev";
+                };
+            };
+        ...
+        }
+    """
+
+    def __init__(self, section, etype, node):
+        # Put this here to allow entry-docs and help to work without libfdt
+        global state
+        from binman import state
+
+        super().__init__(section, etype, node)
+        self.required_props = ['key-name-hint']
+        self.fdt_add_pubkey = None
+        self._algo = fdt_util.GetString(self._node, 'algo')
+        self._required = fdt_util.GetString(self._node, 'required')
+        self._key_name_hint = fdt_util.GetString(self._node, 'key-name-hint')
+
+    def ObtainContents(self, fake_size=0):
+        """Add public key to SPL dtb
+
+            Add public key which is pointed out by
+            'key-name-hint' to node 'signature' in the spl-dtb
+
+            This is equivalent to the '-K' option of 'mkimage'
+
+        Args:
+            fake_size (int): unused
+        """
+
+        # We don't pass fake_size upwards because this is currently
+        # not supported by the blob type
+        super().ObtainContents()
+
+        with tempfile.NamedTemporaryFile(prefix=os.path.basename(
+                                         self.GetFdtEtype()),
+                                         dir=tools.get_output_dir())\
+                                              as pubkey_tdb:
+            tools.write_file(pubkey_tdb.name, self.GetData())
+            keyname = tools.get_input_filename(self._key_name_hint + ".crt")
+            self.fdt_add_pubkey.run(pubkey_tdb.name,
+                                    os.path.dirname(keyname),
+                                    self._key_name_hint,
+                                    self._required, self._algo)
+            dtb = tools.read_file(pubkey_tdb.name)
+            self.SetContents(dtb)
+            state.UpdateFdtContents(self.GetFdtEtype(), dtb)
+
+        return True
+
+    # pylint: disable=R0201,C0116
+    def GetDefaultFilename(self):
+        return 'spl/u-boot-spl-pubkey.dtb'
+
+    # pylint: disable=R0201,C0116
+    def GetFdtEtype(self):
+        return 'u-boot-spl-dtb'
+
+    # pylint: disable=R0201,C0116
+    def AddBintools(self, btools):
+        super().AddBintools(btools)
+        self.fdt_add_pubkey = self.AddBintool(btools, 'fdt_add_pubkey')
-- 
2.30.2



More information about the U-Boot mailing list