[PATCH 2/3] binman: Fix signing an encryted FIT with a preload key
yan wang
yan.wang at softathome.com
Thu Jul 3 14:54:53 CEST 2025
At the end of several passes of packing entries, a FIT is already
generated. This is the FIT with which preload header has signed.
Don't rerun the mkimage to generate a new FIT after the preload header
has already signed the FIT. Because when encrypting the image with a
random IV or if the timestamp in the FIT has changed, the signature will
be different.
Signed-off-by: yan wang <yan.wang at softathome.com>
---
tools/binman/image.py | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/tools/binman/image.py b/tools/binman/image.py
index 24ce0af7c72..0118834b76a 100644
--- a/tools/binman/image.py
+++ b/tools/binman/image.py
@@ -13,6 +13,7 @@ import re
import sys
from binman.entry import Entry
+from binman.etype import fit
from binman.etype import fdtmap
from binman.etype import image_header
from binman.etype import section
@@ -178,11 +179,20 @@ class Image(section.Entry_section):
"""Write symbol values into binary files for access at run time"""
super().WriteSymbols(self)
+ def mark_fit_build_done(self):
+ """Mark Entry_fit as already built"""
+ entries = self.GetEntries()
+ if entries:
+ for entry in entries.values():
+ if isinstance(entry, fit.Entry_fit):
+ entry.mark_build_done()
+
def BuildImage(self):
"""Write the image to a file"""
fname = tools.get_output_filename(self._filename)
tout.info("Writing image to '%s'" % fname)
with open(fname, 'wb') as fd:
+ self.mark_fit_build_done()
data = self.GetPaddedData()
fd.write(data)
tout.info("Wrote %#x bytes" % len(data))
--
2.25.1
More information about the U-Boot
mailing list