Message ID | 20200421002333.111461-8-heiko@sntech.de |
---|---|
State | Accepted |
Delegated to: | Kever Yang |
Series | rockchip: make it possible to sign the u-boot.itb | expand |
Hi Heiko, On Mon, 20 Apr 2020 at 18:23, Heiko Stuebner <heiko@sntech.de> wrote: > > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > If the newly added fit-generator key-options are found, append needed > signature nodes to all generated image blocks, so that they can get > signed when mkimage later compiles the .itb from the generated .its. > > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > --- > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > 1 file changed, 50 insertions(+), 1 deletion(-) > Can this move to binman? Regards, Simon
On 2020/4/21 上午8:23, Heiko Stuebner wrote: > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > If the newly added fit-generator key-options are found, append needed > signature nodes to all generated image blocks, so that they can get > signed when mkimage later compiles the .itb from the generated .its. > > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> Reviewed-by: Kever Yang <kever.yang@rock-chips.com> Thanks, - Kever > --- > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > 1 file changed, 50 insertions(+), 1 deletion(-) > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py > index d15c32b303..5b353f9d0a 100755 > --- a/arch/arm/mach-rockchip/make_fit_atf.py > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > @@ -14,6 +14,8 @@ import sys > import getopt > import logging > import struct > +import Crypto > +from Crypto.PublicKey import RSA > > DT_HEADER = """ > /* > @@ -37,7 +39,9 @@ DT_UBOOT = """ > arch = "arm64"; > compression = "none"; > load = <0x%08x>; > - }; > +""" > + > +DT_UBOOT_NODE_END = """ }; > > """ 
> > @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ }; > > DT_END = "};" > > +def append_signature(file): > + if not os.path.exists("u-boot.cfg"): > + return > + > + config = {} > + with open("u-boot.cfg") as fd: > + for line in fd: > + line = line.strip() > + values = line[8:].split(' ', 1) > + if len(values) > 1: > + key, value = values > + value = value.strip('"') > + else: > + key = values[0] > + value = '1' > + if not key.startswith('CONFIG_'): > + continue > + config[key] = value > + > + try: > + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] > + except KeyError: > + return > + > + try: > + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) > + except KeyError: > + keyfile = keyhint > + > + if not os.path.exists('%s.key' % keyfile): > + return > + > + f = open('%s.key' % keyfile,'r') > + key = RSA.importKey(f.read()) > + > + file.write('\t\t\tsignature {\n') > + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) > + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) > + file.write('\t\t\t};\n') > + > def append_bl31_node(file, atf_index, phy_addr, elf_entry): > # Append BL31 DT node to input FIT dts file. > data = 'bl31_0x%08x.bin' % phy_addr > @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > if atf_index == 1: > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > > @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tcompression = "none";\n') > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') 
> > @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs): > file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) > file.write('\t\t\ttype = "flat_dt";\n') > file.write('\t\t\tcompression = "none";\n') > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > cnt = cnt + 1 > @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): > raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) > index, entry, p_paddr, data = segments[0] > fit_file.write(DT_UBOOT % p_paddr) > + append_signature(fit_file) > + fit_file.write(DT_UBOOT_NODE_END) > > def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): > segments = unpack_elf(bl31_file_name)
On 2020/4/21 上午8:23, Heiko Stuebner wrote: > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > If the newly added fit-generator key-options are found, append needed > signature nodes to all generated image blocks, so that they can get > signed when mkimage later compiles the .itb from the generated .its. > > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > --- > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > 1 file changed, 50 insertions(+), 1 deletion(-) > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py > index d15c32b303..5b353f9d0a 100755 > --- a/arch/arm/mach-rockchip/make_fit_atf.py > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > @@ -14,6 +14,8 @@ import sys > import getopt > import logging > import struct > +import Crypto > +from Crypto.PublicKey import RSA > +Traceback (most recent call last): 1395 <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1395>+ File "arch/arm/mach-rockchip/make_fit_atf.py", line 17, in <module> 1396 <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1396>+ import Crypto 1397 <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1397>+ModuleNotFoundError: No module named 'Crypto' Please help to update .gitlab-ci.yml, or else it will report the error. Thanks, - Kever > DT_HEADER = """ > /* > @@ -37,7 +39,9 @@ DT_UBOOT = """ > arch = "arm64"; > compression = "none"; > load = <0x%08x>; > - }; > +""" > + > +DT_UBOOT_NODE_END = """ }; > > """ 
> > @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ }; > > DT_END = "};" > > +def append_signature(file): > + if not os.path.exists("u-boot.cfg"): > + return > + > + config = {} > + with open("u-boot.cfg") as fd: > + for line in fd: > + line = line.strip() > + values = line[8:].split(' ', 1) > + if len(values) > 1: > + key, value = values > + value = value.strip('"') > + else: > + key = values[0] > + value = '1' > + if not key.startswith('CONFIG_'): > + continue > + config[key] = value > + > + try: > + keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] > + except KeyError: > + return > + > + try: > + keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) > + except KeyError: > + keyfile = keyhint > + > + if not os.path.exists('%s.key' % keyfile): > + return > + > + f = open('%s.key' % keyfile,'r') > + key = RSA.importKey(f.read()) > + > + file.write('\t\t\tsignature {\n') > + file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) > + file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) > + file.write('\t\t\t};\n') > + > def append_bl31_node(file, atf_index, phy_addr, elf_entry): > # Append BL31 DT node to input FIT dts file. > data = 'bl31_0x%08x.bin' % phy_addr > @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > if atf_index == 1: > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > > @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): > file.write('\t\t\tcompression = "none";\n') > file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) > file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') 
> > @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs): > file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) > file.write('\t\t\ttype = "flat_dt";\n') > file.write('\t\t\tcompression = "none";\n') > + append_signature(file); > file.write('\t\t};\n') > file.write('\n') > cnt = cnt + 1 > @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): > raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) > index, entry, p_paddr, data = segments[0] > fit_file.write(DT_UBOOT % p_paddr) > + append_signature(fit_file) > + fit_file.write(DT_UBOOT_NODE_END) > > def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): > segments = unpack_elf(bl31_file_name)
Hi Kever, Am Freitag, 1. Mai 2020, 12:32:23 CEST schrieb Kever Yang: > On 2020/4/21 上午8:23, Heiko Stuebner wrote: > > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > > > If the newly added fit-generator key-options are found, append needed > > signature nodes to all generated image blocks, so that they can get > > signed when mkimage later compiles the .itb from the generated .its. > > > > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > --- > > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > > 1 file changed, 50 insertions(+), 1 deletion(-) > > > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py > > index d15c32b303..5b353f9d0a 100755 > > --- a/arch/arm/mach-rockchip/make_fit_atf.py > > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > > @@ -14,6 +14,8 @@ import sys > > import getopt > > import logging > > import struct > > +import Crypto > > +from Crypto.PublicKey import RSA > > > > +Traceback (most recent call last): > 1395 > <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1395>+ > File "arch/arm/mach-rockchip/make_fit_atf.py", line 17, in <module> > 1396 > <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1396>+ > import Crypto > 1397 > <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1397>+ModuleNotFoundError: > No module named 'Crypto' > > > Please help to update .gitlab-ci.yml, or else it will report the error. The ci stuff probably needs to install pycrypto from pip (or python-crypto when using a .deb), but I have no clue how this works or how to test any changes to that locally. But I guess something like below might do the trick? Heiko diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index beaf9b9042..863c3dea51 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -68,6 +68,7 @@ build all 64bit ARM platforms: - virtualenv -p /usr/bin/python3 /tmp/venv - . /tmp/venv/bin/activate - pip install pyelftools + - pip install pycrypto - ret=0; ./tools/buildman/buildman -o /tmp -P -E -W aarch64 || ret=$?; if [[ $ret -ne 0 ]]; then
Hi Kever, Am Freitag, 1. Mai 2020, 12:32:23 CEST schrieb Kever Yang: > > On 2020/4/21 上午8:23, Heiko Stuebner wrote: > > From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > > > If the newly added fit-generator key-options are found, append needed > > signature nodes to all generated image blocks, so that they can get > > signed when mkimage later compiles the .itb from the generated .its. > > > > Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com> > > --- > > arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++- > > 1 file changed, 50 insertions(+), 1 deletion(-) > > > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py > > index d15c32b303..5b353f9d0a 100755 > > --- a/arch/arm/mach-rockchip/make_fit_atf.py > > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > > @@ -14,6 +14,8 @@ import sys > > import getopt > > import logging > > import struct > > +import Crypto > > +from Crypto.PublicKey import RSA > > > > +Traceback (most recent call last): > 1395 > <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1395>+ > File "arch/arm/mach-rockchip/make_fit_atf.py", line 17, in <module> > 1396 > <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1396>+ > import Crypto > 1397 > <https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1397>+ModuleNotFoundError: > No module named 'Crypto' > > > Please help to update .gitlab-ci.yml, or else it will report the error. I'm not sure, how ... i.e. the missing package is "pycrypto" (or "python-crypto" when installing from a distribution package) So I guess it's about adding that dependency to both .travis.yml and .gitlab-ci.yml, but is it enough to just do a diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index beaf9b9042..863c3dea51 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -68,6 +68,7 @@ build all 64bit ARM platforms: - virtualenv -p /usr/bin/python3 /tmp/venv - . /tmp/venv/bin/activate - pip install pyelftools + - pip install pycrypto - ret=0; ./tools/buildman/buildman -o /tmp -P -E -W aarch64 || ret=$?; if [[ $ret -ne 0 ]]; then
diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
index d15c32b303..5b353f9d0a 100755
--- a/arch/arm/mach-rockchip/make_fit_atf.py
+++ b/arch/arm/mach-rockchip/make_fit_atf.py
@@ -14,6 +14,8 @@ import sys
 import getopt
 import logging
 import struct
+import Crypto
+from Crypto.PublicKey import RSA
 DT_HEADER = """
 /*
@@ -37,7 +39,9 @@ DT_UBOOT = """
 arch = "arm64";
 compression = "none";
 load = <0x%08x>;
- };
+"""
+
+DT_UBOOT_NODE_END = """ };
 """
@@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """ };
 DT_END = "};"
+def append_signature(file):
+ if not os.path.exists("u-boot.cfg"):
+ return
+
+ config = {}
+ with open("u-boot.cfg") as fd:
+ for line in fd:
+ line = line.strip()
+ values = line[8:].split(' ', 1)
+ if len(values) > 1:
+ key, value = values
+ value = value.strip('"')
+ else:
+ key = values[0]
+ value = '1'
+ if not key.startswith('CONFIG_'):
+ continue
+ config[key] = value
+
+ try:
+ keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
+ except KeyError:
+ return
+
+ try:
+ keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint)
+ except KeyError:
+ keyfile = keyhint
+
+ if not os.path.exists('%s.key' % keyfile):
+ return
+
+ f = open('%s.key' % keyfile,'r')
+ key = RSA.importKey(f.read())
+
+ file.write('\t\t\tsignature {\n')
+ file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
+ file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
+ file.write('\t\t\t};\n')
+
 def append_bl31_node(file, atf_index, phy_addr, elf_entry):
 # Append BL31 DT node to input FIT dts file.
 data = 'bl31_0x%08x.bin' % phy_addr
@@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
 file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
 if atf_index == 1:
 file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+ append_signature(file);
 file.write('\t\t};\n')
 file.write('\n')
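Review bot: In the import hunk, `import Crypto` is redundant next to `from Crypto.PublicKey import RSA`, since only `RSA` is referenced in the visible hunks. The top-level import also makes the crypto package a requirement for every run of the script, including builds where no key hint is configured and append_signature returns before touching a key. Moving `from Crypto.PublicKey import RSA` into append_signature, after the key-file check, keeps unsigned builds free of the dependency. The legacy PyCrypto distribution behind this namespace is no longer maintained; PyCryptodome provides the same `Crypto.PublicKey.RSA` interface and is the safer package to document as the requirement.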
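Review bot: append_signature returns silently when `CONFIG_SPL_FIT_GENERATOR_KEY_HINT` is set but `<keyfile>.key` does not exist, so a build configured for signing emits image nodes without a `signature` subnode and gives no diagnostic. A missing key at that point should stop the build, e.g. `raise ValueError("signing key '%s.key' not found" % keyfile)`, or at least log a warning through the `logging` module the file already imports if unsigned output is intended. The key file is opened with a bare `open()` that is never closed, and the private key is parsed only to read its modulus size; `with open('%s.key' % keyfile) as f: key = RSA.importKey(f.read())` releases the handle immediately. The function also re-reads `u-boot.cfg` and re-imports the key on every call, once per image node, which could be done once and reused. A docstring listing the three silent-return conditions would help the next reader.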
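Review bot: `append_signature(file);` in the append_bl31_node hunk ends with a stray semicolon, which Python accepts but is not idiomatic. The same line appears in the append_tee_node and append_fdt_node hunks, while generate_atf_fit_dts_uboot calls it without one. Suggest `append_signature(file)` at all three sites. The body of append_bl31_node starts outside the hunk.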
@@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry):
 file.write('\t\t\tcompression = "none";\n')
 file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
 file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+ append_signature(file);
 file.write('\t\t};\n')
 file.write('\n')
@@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs):
 file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
 file.write('\t\t\ttype = "flat_dt";\n')
 file.write('\t\t\tcompression = "none";\n')
+ append_signature(file);
 file.write('\t\t};\n')
 file.write('\n')
 cnt = cnt + 1
@@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
 raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
 index, entry, p_paddr, data = segments[0]
 fit_file.write(DT_UBOOT % p_paddr)
+ append_signature(fit_file)
+ fit_file.write(DT_UBOOT_NODE_END)
 def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
 segments = unpack_elf(bl31_file_name)
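Review bot: Every call site in this patch, here in generate_atf_fit_dts_uboot and in append_bl31_node, append_tee_node and append_fdt_node, places the `signature` node inside an image node; no hunk adds one to a configuration node. If the configurations in the generated .its stay unsigned, each image is verified on its own and nothing binds the set of images to a configuration. U-Boot's FIT signature documentation describes signed configurations as the protection against combining individually signed images from different builds. Worth recording above the call, e.g. `# per-image signature only; the configuration node is not signed`, or following up with a signature node in the configuration section. The code that writes the configurations is outside the visible hunks.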