From patchwork Thu Jun 13 22:10:03 2013
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 251179
X-Patchwork-Delegate: trini@ti.com
From: Simon Glass
To: U-Boot Mailing List
Date: Thu, 13 Jun 2013 15:10:03 -0700
Message-Id: <1371161411-2834-5-git-send-email-sjg@chromium.org>
X-Mailer: git-send-email 1.8.3
In-Reply-To: <1371161411-2834-1-git-send-email-sjg@chromium.org>
References: <1371161411-2834-1-git-send-email-sjg@chromium.org>
Cc: Joel A Fernandes, Will Drewry, Joe Hershberger, u-boot-review@google.com, Bill Richardson, Randall Spangler, Tom Rini, Vadim Bendebury, Andreas Bäck, Kees Cook
Subject: [U-Boot] [PATCH v3 04/12] mkimage: Add -k option to specify key directory

Keys required for signing images will be in a specific directory. Add a
-k option to specify that directory.

Also update the mkimage man page with this information and a clearer list
of available commands.

Signed-off-by: Simon Glass
Reviewed-by: Marek Vasut (v1)
---
Changes in v3: None
Changes in v2:
- Adjust mkimage help to separate out signing options
- Fix checkpatch warnings about split strings

 doc/mkimage.1     | 25 ++++++++++++++++++++++---
 tools/fit_image.c |  2 +-
 tools/mkimage.c   | 15 ++++++++++++++-
 tools/mkimage.h   |  1 +
 4 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 39652c8..6740fb1 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 
@@ -4,7 +4,14 @@ mkimage \- Generate image for U-Boot .SH SYNOPSIS .B mkimage -.RB [\fIoptions\fP] +.RB "\-l [" "uimage file name" "]" + +.B mkimage +.RB [\fIoptions\fP] " \-f [" "image tree source file" "]" " [" "uimage file name" "]" + +.B mkimage +.RB [\fIoptions\fP] " (legacy mode)" + .SH "DESCRIPTION" The .B mkimage @@ -26,7 +33,8 @@ etc. The new .I FIT (Flattened Image Tree) format allows for more flexibility in handling images of various types and also -enhances integrity protection of images with stronger checksums. +enhances integrity protection of images with stronger checksums. It also +supports verified boot. .SH "OPTIONS" @@ -67,6 +75,10 @@ Set load address with a hex number. Set entry point with a hex number. .TP +.BI "\-l" +List the contents of an image. + +.TP .BI "\-n [" "image name" "]" Set image name to 'image name'. @@ -91,6 +103,12 @@ create the image. Image tree source file that describes the structure and contents of the FIT image. +.TP +.BI "\-k [" "key_directory" "]" +Specifies the directory containing keys to use for signing. This directory +should contain a private key file .key for use with signing and a +certificate .crt (containing the public key) for use with verification. + .SH EXAMPLES List image information: @@ -115,4 +133,5 @@ http://www.denx.de/wiki/U-Boot/WebHome .PP .SH AUTHOR This manual page was written by Nobuhiro Iwamatsu -and Wolfgang Denk +and Wolfgang Denk . It was updated for image signing by +Simon Glass . diff --git a/tools/fit_image.c b/tools/fit_image.c index ef6ef44..339e0f8 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -137,7 +137,7 @@ static int fit_handle_file (struct mkimage_params *params) goto err_mmap; /* set hashes for images in the blob */ - if (fit_add_verification_data(NULL, NULL, ptr, NULL, 0)) { + if (fit_add_verification_data(params->keydir, NULL, ptr, NULL, 0)) { fprintf (stderr, "%s Can't add hashes to FIT blob", params->cmdname); goto err_add_hashes; 
diff --git a/tools/mkimage.c b/tools/mkimage.c index e43b09f..def7df2 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -248,6 +248,11 @@ main (int argc, char **argv) params.datafile = *++argv; params.fflag = 1; goto NXTARG; + case 'k': + if (--argc <= 0) + usage(); + params.keydir = *++argv; + goto NXTARG; case 'n': if (--argc <= 0) usage (); @@ -623,8 +628,16 @@ usage () " -d ==> use image data from 'datafile'\n" " -x ==> set XIP (execute in place)\n", params.cmdname); - fprintf (stderr, " %s [-D dtc_options] -f fit-image.its fit-image\n", + fprintf(stderr, " %s [-D dtc_options] -f fit-image.its fit-image\n", params.cmdname); + fprintf(stderr, " -D => set options for device tree compiler\n" + " -f => input filename for FIT source\n"); +#ifdef CONFIG_FIT_SIGNATURE + fprintf(stderr, "Signing / verified boot options: [-k keydir]\n" + " -k => set directory containing private keys\n"); +#else + fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); +#endif fprintf (stderr, " %s -V ==> print version information and exit\n", params.cmdname); diff --git a/tools/mkimage.h b/tools/mkimage.h index 03c6c8f..059e124 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h @@ -87,6 +87,7 @@ struct mkimage_params { char *datafile; char *imagefile; char *cmdname; + const char *keydir; /* Directory holding private keys */ }; /*
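Review bot: in the new `case 'k':` branch of main() in tools/mkimage.c, the option is accepted whether or not CONFIG_FIT_SIGNATURE is defined, while the usage() hunk in the same file prints "Signing / verified boot not supported" when it is undefined. On such a build `-k keydir` is parsed and stored in params.keydir with no diagnostic, so a user can come away believing the image was signed. Suggest guarding the case with `#ifdef CONFIG_FIT_SIGNATURE`, or printing an error and exiting when `-k` is given on a build without signing support.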
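Review bot: in fit_handle_file() in tools/fit_image.c, the error path after `fit_add_verification_data(params->keydir, NULL, ptr, NULL, 0)` still reports "Can't add hashes to FIT blob", and the comment above it still reads "set hashes for images in the blob". With a key directory now passed in, a failure here may be a signing problem rather than a hashing one, and the message gives no hint of that. Suggest updating the comment and the message to cover signatures, and ending the message with `\n`, which the visible format string lacks.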
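Review bot: the new `\-k` entry in doc/mkimage.1 documents the option unconditionally and does not mention the build requirement, whereas usage() reports signing as unsupported when CONFIG_FIT_SIGNATURE is undefined. The two descriptions also disagree: the man page says the directory holds a private key and a certificate, while usage() says only "set directory containing private keys". Suggest aligning the wording, noting the CONFIG_FIT_SIGNATURE dependency in the man page, and adding a sentence that the directory holds private key material and should be readable only by the user doing the signing.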