[PATCH 08/12] binman: etype: Add u_boot_spl_pubkey_dtb etype
Simon Glass
sjg at chromium.org
Fri Jun 30 06:18:30 CEST 2023
On Thu, 29 Jun 2023 at 15:59, <lukas.funke-oss at weidmueller.com> wrote:
>
> From: Lukas Funke <lukas.funke at weidmueller.com>
>
> This adds a new etype 'u_boot_spl_pubkey_dtb'. The etype adds the public
> key from a certificate to the dtb. This creates a '/signature' node which
> is turn contains the fields which make up the public key. Usually this
> is done by 'mkimage -K'. However, 'binman sign' does not add the public
> key to the SPL. This is why the pubkey is added using this etype.
>
> The etype calls the underlying 'fdt_add_pubkey' tool.
>
> Signed-off-by: Lukas Funke <lukas.funke at weidmueller.com>
> ---
>
> tools/binman/etype/u_boot_spl_pubkey_dtb.py | 105 ++++++++++++++++++++
> 1 file changed, 105 insertions(+)
> create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py
Please can you use 'binman entry-docs >tools/binman/entries.rst' and
add to patch?
>
> diff --git a/tools/binman/etype/u_boot_spl_pubkey_dtb.py b/tools/binman/etype/u_boot_spl_pubkey_dtb.py
> new file mode 100644
> index 0000000000..25aa817975
> --- /dev/null
> +++ b/tools/binman/etype/u_boot_spl_pubkey_dtb.py
> @@ -0,0 +1,105 @@
> +# SPDX-License-Identifier: GPL-2.0+
> +# Copyright (c) 2023 Weidmueller GmbH
> +# Written by Lukas Funke <lukas.funke at weidmueller.com>
> +#
> +# Entry-type module for 'u-boot-spl-pubkey.dtb'
> +#
> +
> +import tempfile
> +import os
> +
> +from binman.etype.blob_dtb import Entry_blob_dtb
> +
> +from dtoc import fdt_util
> +
> +from u_boot_pylib import tools
> +
> +# pylint: disable=C0103
> +class Entry_u_boot_spl_pubkey_dtb(Entry_blob_dtb):
> + """U-Boot SPL device tree including public key
> +
> + Properties / Entry arguments:
> + - key-name: Public key name without extension (e.g. .crt). Default is
> + determined by underlying bintool (fdt_add_pubkey),
> + usually 'key'
> + - algo: (Optional) Algorithm used for signing. Default is determined by
> + underlying bintool (fdt_add_pubkey), usually 'sha1,rsa2048'
> + - required: (Optional) If present this indicates that the key must be
> + verified for the image / configuration to be
> + considered valid
> +
> + The following example shows an image containing an SPL which
> + is packed together with the dtb. Binman will add a signature
> + node to the dtb:
> +
> + image {
> + ...
> + spl {
> + filename = "spl.bin"
> +
> + u_boot_spl_nodtb {
> + };
> + u_boot_spl_pubkey_dtb {
> + algo = "sha384,rsa4096";
> + required = "conf";
> + key-name = "dev";
> + };
> + };
> + ...
> + }
> + """
> +
> + def __init__(self, section, etype, node):
> + # Put this here to allow entry-docs and help to work without libfdt
> + global state
> + from binman import state
> +
> + super().__init__(section, etype, node)
> + self.required_props = ['key-name']
> + self.fdt_add_pubkey = None
> + self._algo = fdt_util.GetString(self._node, 'algo')
> + self._required = fdt_util.GetString(self._node, 'required')
> + self._keyname = fdt_util.GetString(self._node, 'key-name')
> +
> + def ObtainContents(self, fake_size=0):
> + """ Add public key which is pointed out by
Please check the comment style. The first line should be a summary, then a
blank line, then more info
> + 'key-name' to node 'signature' in the spl-dtb
> +
> + This is equivalent to the '-K' option of 'mkimage'
> +
> + Args:
> + fake_size (int): unused
> + """
> +
> + # We don't pass fake_size and skip_entry upwards
> + # because this is currently not support by the blob type
supported
> + super().ObtainContents()
> +
> + with tempfile.NamedTemporaryFile(prefix=os.path.basename(
> + self.GetFdtEtype()),
> + dir=tools.get_output_dir())\
> + as pubkey_tdb:
> + tools.write_file(pubkey_tdb.name, self.GetData())
> + keyname = tools.get_input_filename(self._keyname + ".crt")
> + self.fdt_add_pubkey.run(pubkey_tdb.name,
> + os.path.dirname(keyname),
> + self._keyname,
> + self._required, self._algo)
> + dtb = tools.read_file(pubkey_tdb.name)
> + self.SetContents(dtb)
> + state.UpdateFdtContents(self.GetFdtEtype(), dtb)
> +
> + return True
> +
> + # pylint: disable=R0201,C0116
> + def GetDefaultFilename(self):
> + return 'spl/u-boot-spl-pubkey.dtb'
> +
> + # pylint: disable=R0201,C0116
> + def GetFdtEtype(self):
> + return 'u-boot-spl-dtb'
> +
> + # pylint: disable=R0201,C0116
> + def AddBintools(self, btools):
> + super().AddBintools(btools)
> + self.fdt_add_pubkey = self.AddBintool(btools, 'fdt_add_pubkey')
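Review bot: The return value of `self.fdt_add_pubkey.run(...)` in ObtainContents is discarded, so if the bintool is absent (binman's bintool wrappers appear to return None rather than raise in that case) the unmodified dtb written by `tools.write_file(pubkey_tdb.name, self.GetData())` is read straight back, stored through SetContents and state.UpdateFdtContents, and ObtainContents still returns True — the image is built without a `/signature` node and nothing reports it. Other etypes handle this with record_missing_bintool; here that would be `result = self.fdt_add_pubkey.run(pubkey_tdb.name, os.path.dirname(keyname), self._keyname, self._required, self._algo)` followed by `if result is None: self.record_missing_bintool(self.fdt_add_pubkey)` before the read_file, so a missing tool shows up in binman's missing-bintool report instead of silently producing an SPL dtb with no public key. Comparing the read-back dtb against the input (or checking that a `/signature` node is present) would additionally catch a tool run that exited without adding the key.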
> --
> 2.30.2
>
Reviewed-by: Simon Glass <sjg at chromium.org>
Regards,
Simon