From patchwork Mon Mar 21 21:43:17 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ivan Mikhaylov <fr0st61te@gmail.com>
X-Patchwork-Id: 1607878
X-Patchwork-Delegate: sjg@chromium.org
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256
 header.s=20210112 header.b=moRUkcvM;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Received: from phobos.denx.de (phobos.denx.de
 [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4KMl553NhJz9s1l
	for <incoming@patchwork.ozlabs.org>; Tue, 22 Mar 2022 06:27:53 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 0F38983B03;
	Mon, 21 Mar 2022 20:27:31 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key;
 unprotected) header.d=gmail.com header.i=@gmail.com header.b="moRUkcvM";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 5364681B5B; Mon, 21 Mar 2022 19:44:02 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,SPF_HELO_NONE,
 SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
 version=3.4.2
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com
 [IPv6:2a00:1450:4864:20::235])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 7ABE883919
 for <u-boot@lists.denx.de>; Mon, 21 Mar 2022 19:43:58 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=fr0st61te@gmail.com
Received: by mail-lj1-x235.google.com with SMTP id o6so21141616ljp.3
 for <u-boot@lists.denx.de>; Mon, 21 Mar 2022 11:43:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=A+X92zme/T02qYVEyTHhDXQwq7joiI4qzy+cW/q6f98=;
 b=moRUkcvMel159/Tg95xYjo37vRhXZmkCS3sl1mzSDHWHQrYHnug8GovugyvmB3JJAB
 JEZwjFapI9m0P/PMbrn8c6hUj1X7iAMvD6R39xg1VrW8Fwt687PzBoUnarJJHenXT8y9
 BkENwFMtqP+74jxoxg7RxM0Sxre65js7MvFaifQC9Ynl56/75luIZv6eN0XV7ZZvOiGH
 LaNp0nYY6RSgF8P/Ggf9EipySfE5XMviESNSll9yDnH/oGVH2s7CDLrxf6nk3hbX4ww8
 PQ5t5h6TaahZHrdHXU6P6NJrY8ZEyiZE6NLbpB7Oo49ZZBTb6HrzeF2C5P7n5COspKwW
 RMNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=A+X92zme/T02qYVEyTHhDXQwq7joiI4qzy+cW/q6f98=;
 b=aaGgRyi2XYVP1ebucxtwcWgl2uWCoRg0DSb0UyOVDvExatpKmlcBoO0SHxieWYt5qC
 sBMIBuvPNT7xpxMLJoYbAhwKVP/ueaHELfR93WpggI+071WCbkH8JNwYLKDPze3jH/eN
 X2o2Jq+zR3j//MWO9kzTOnRsEn2M/uXdlpamo4gWA6N8KQCunAYdVPiaOqGDpCuAMnn1
 QOtqr8YWKFzGTO22tCBq3sgPKC8a9fEzzyyKgdDt12wnNrkwUmOAAVoU2OYFwqNoYYV4
 r9JntueFp7xFu6OcCMsBc9k+kJuFa3QFR7OwCh+TzKN/hlQplRdgbES29Q7eDVwqoAD3
 a7iA==
X-Gm-Message-State: AOAM532B+cPOwkwYtjSbLXm5/cHWgFUvKR2D1bFTu21gBODmJuJuZWu8
 +wINZKlHZQYIlVl9+KAd/sY=
X-Google-Smtp-Source: 
 ABdhPJxtBa7TIrymAdwJjBN+aTrc2eu25rozk4MI6h20tpDzEZvzmCKF2pZUS2OBA3Zz5t5SaLwg5g==
X-Received: by 2002:a05:651c:515:b0:249:8d1c:5af6 with SMTP id
 o21-20020a05651c051500b002498d1c5af6mr1257194ljp.51.1647888237823;
 Mon, 21 Mar 2022 11:43:57 -0700 (PDT)
Received: from localhost.localdomain (93-80-66-251.broadband.corbina.ru.
 [93.80.66.251]) by smtp.googlemail.com with ESMTPSA id
 m17-20020ac24251000000b00439fe142a0esm1875041lfl.162.2022.03.21.11.43.57
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 21 Mar 2022 11:43:57 -0700 (PDT)
From: Ivan Mikhaylov <fr0st61te@gmail.com>
To: Simon Glass <sjg@chromium.org>,
	Jan Kiszka <jan.kiszka@siemens.com>
Cc: u-boot@lists.denx.de, Ivan Mikhaylov <fr0st61te@gmail.com>,
 Ivan Mikhaylov <ivan.mikhaylov@siemens.com>
Subject: [PATCH 1/3] binman: add sign option for binman
Date: Mon, 21 Mar 2022 21:43:17 +0000
Message-Id: <20220321214319.33254-2-fr0st61te@gmail.com>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220321214319.33254-1-fr0st61te@gmail.com>
References: <20220321214319.33254-1-fr0st61te@gmail.com>
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 21 Mar 2022 20:27:26 +0100
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Introduce proof of concept for binman's new option which provides sign
and replace sections in binary images.

Usage as example:

from:
mkimage -G privateky -r -o sha256,rsa4096 -F fit
binman replace -i flash.bin -f fit.fit fit

to:
binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f fit.fit fit

Signed-off-by: Ivan Mikhaylov <ivan.mikhaylov@siemens.com>
---
 tools/binman/cmdline.py | 13 +++++++++++++
 tools/binman/control.py | 26 +++++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/tools/binman/cmdline.py b/tools/binman/cmdline.py
index 0626b850f4..1a25f95ff1 100644
--- a/tools/binman/cmdline.py
+++ b/tools/binman/cmdline.py
@@ -160,6 +160,19 @@ controlled by a description in the board device tree.'''
     replace_parser.add_argument('paths', type=str, nargs='*',
                                 help='Paths within file to replace (wildcard)')
 
+    sign_parser = subparsers.add_parser('sign',
+                                           help='Sign entries in image')
+    sign_parser.add_argument('-a', '--algo', type=str, required=True,
+                                help='Hash algorithm e.g. sha256,rsa4096')
+    sign_parser.add_argument('-f', '--file', type=str, required=True,
+                                help='Input filename to sign')
+    sign_parser.add_argument('-i', '--image', type=str, required=True,
+                                help='Image filename to update')
+    sign_parser.add_argument('-k', '--key', type=str, required=True,
+                                help='Private key file for signing')
+    sign_parser.add_argument('paths', type=str, nargs='*',
+                                help='Paths within file to sign (wildcard)')
+
     test_parser = subparsers.add_parser('test', help='Run tests')
     test_parser.add_argument('-P', '--processes', type=int,
         help='set number of processes to use for running tests')
diff --git a/tools/binman/control.py b/tools/binman/control.py
index a179f78129..7595ea7776 100644
--- a/tools/binman/control.py
+++ b/tools/binman/control.py
@@ -19,6 +19,7 @@ from binman import cbfs_util
 from binman import elf
 from patman import command
 from patman import tout
+from patman import tools
 
 # List of images we plan to create
 # Make this global so that it can be referenced from tests
@@ -434,6 +435,26 @@ def ReplaceEntries(image_fname, input_fname, indir, entry_paths,
     AfterReplace(image, allow_resize=allow_resize, write_map=write_map)
     return image
 
+def MkimageSign(privatekey_fname, algo, input_fname):
+    tools.Run('mkimage', '-G', privatekey_fname, '-r', '-o', algo, '-F', input_fname)
+
+def SignEntries(image_fname, input_fname, privatekey_fname, algo, entry_paths):
+    """Sign and replace the data from one or more entries from input files
+
+    Args:
+        image_fname: Image filename to process
+        input_fname: Single input filename to use if replacing one file, None
+            otherwise
+        algo: Hashing algorithm
+        privatekey_fname: Private key filename
+
+    Returns:
+        List of EntryInfo records that were signed and replaced
+    """
+
+    MkimageSign(privatekey_fname, algo, input_fname)
+
+    return ReplaceEntries(image_fname, input_fname, None, entry_paths)
 
 def PrepareImagesAndDtbs(dtb_fname, select_images, update_fdt, use_expanded):
     """Prepare the images to be processed and select the device tree
@@ -627,7 +648,7 @@ def Binman(args):
     from binman.image import Image
     from binman import state
 
-    if args.cmd in ['ls', 'extract', 'replace', 'tool']:
+    if args.cmd in ['ls', 'extract', 'replace', 'tool', 'sign']:
         try:
             tout.init(args.verbosity)
             tools.prepare_output_dir(None)
@@ -643,6 +664,9 @@ def Binman(args):
                                do_compress=not args.compressed,
                                allow_resize=not args.fix_size, write_map=args.map)
 
+            if args.cmd == 'sign':
+                SignEntries(args.image, args.file, args.key, args.algo, args.paths)
+
             if args.cmd == 'tool':
                 tools.set_tool_paths(args.toolpath)
                 if args.list: