From: Sean Anderson
To: Simon Glass, u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Sean Anderson
Subject: [PATCH v2 1/2] mkimage: Document misc options
Date: Thu, 28 Apr 2022 19:04:38 -0400
Message-Id: <20220428230439.2396809-1-sean.anderson@seco.com>

Over the years, several options have not made it into the help message. Document them. Do the same for the man page.

Signed-off-by: Sean Anderson
---
Changes in v2:
- Document secondary image types
- Move -G directly after -k
- Reword documentation for -s

 doc/mkimage.1 | 60 ++++++++++++++++++++++++++++++++++++++++++++++++-
 tools/mkimage.c | 15 +++++++++----
 2 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 287006279f..10ac31a8fc 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -53,6 +53,10 @@ Parse image file as type. Pass \-h as the image to see the list of supported image type. Without this option image type is autodetected. +.TP +.BI "\-q" +Quiet. Don't print the image header on successful verification. + .P .B Create old legacy image: 
@@ -91,6 +95,35 @@ List the contents of an image. .BI "\-n [" "image name" "]" Set image name to 'image name'. +.TP +.BI "\-R [" "secondary image name" "]" +Some image types support a second image for additional data. For these types, +use \-R to specify this second image. +.TS +allbox; +lb lbx +l l. +Image Type Secondary Image Description +pblimage Additional RCW-style header, typically used for PBI commands. +zynqimage, zynqmpimage T{ +Initialization parameters, one per line. Each parameter has the form +.sp +.ti 4 +.I address data +.sp +where +.I address +and +.I data +are hexadecimal integers. The boot ROM will write each +.I data +to +.I address +when loading the image. At most 256 parameters may be specified in this +manner. +T} +.TE + .TP .BI "\-d [" "image data file" "]" Use image data from 'image data file'. @@ -99,6 +132,15 @@ Use image data from 'image data file'. .BI "\-x" Set XIP (execute in place) flag. +.TP +.BI "\-s" +Don't copy in the image data. Depending on the image type, this may create +just the header, everything but the image data, or nothing at all. + +.TP +.BI "\-v" +Verbose. Print file names as they are added to the image. + .P .B Create FIT image: @@ -126,6 +168,11 @@ in each image will be replaced with 'data-offset' and 'data-size' properties. A 'data-offset' of 0 indicates that it starts in the first (4-byte aligned) byte after the FIT. +.TP +.BI "\-B [" "alignment" "]" +The alignment, in hexadecimal, that external data will be aligned to. This +option only has an effect when \-E is specified. + .TP .BI "\-f [" "image tree source file" " | " "auto" "]" Image tree source file that describes the structure and contents of the 
@@ -153,6 +200,11 @@ Specifies the directory containing keys to use for signing. This directory should contain a private key file .key for use with signing and a certificate .crt (containing the public key) for use with verification. +.TP +.BI "\-G [" "key_file" "]" +Specifies the private key file to use when signing. This option may be used +instead of \-k. + .TP .BI "\-K [" "key_destination" "]" Specifies a compiled device tree binary file (typically .dtb) to write @@ -173,11 +225,17 @@ a 'data-offset' property defining the offset from the end of the FIT, \-p will use 'data-position' as the absolute position from the base of the FIT. .TP -.BI "\-r +.BI "\-r" Specifies that keys used to sign the FIT are required. This means that they must be verified for the image to boot. Without this option, the verification will be optional (useful for testing but not for release). +.TP +.BI "\-N [" "engine" "]" +The openssl engine to use when signing and verifying the image. For a complete list of +available engines, refer to +.BR engine (1). + .TP .BI "\-t Update the timestamp in the FIT. diff --git a/tools/mkimage.c b/tools/mkimage.c index be58e56546..5c6a60e851 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -84,7 +84,8 @@ static void usage(const char *msg) fprintf(stderr, "Error: %s\n", msg); fprintf(stderr, "Usage: %s [-T type] -l image\n" " -l ==> list image header information\n" - " -T ==> parse image file as 'type'\n", + " -T ==> parse image file as 'type'\n" + " -q ==> quiet\n", params.cmdname); fprintf(stderr, " %s [-x] -A arch -O os -T type -C comp -a addr -e ep -n name -d data_file[:data_file...] image\n" 
@@ -95,8 +96,11 @@ static void usage(const char *msg) " -a ==> set load address to 'addr' (hex)\n" " -e ==> set entry point to 'ep' (hex)\n" " -n ==> set image name to 'name'\n" + " -R ==> set second image name to 'name'\n" " -d ==> use image data from 'datafile'\n" - " -x ==> set XIP (execute in place)\n", + " -x ==> set XIP (execute in place)\n" + " -s ==> create an image with no data\n" + " -v ==> verbose\n", params.cmdname); fprintf(stderr, " %s [-D dtc_options] [-f fit-image.its|-f auto|-F] [-b [-b ]] [-E] [-B size] [-i ] fit-image\n" @@ -107,7 +111,9 @@ static void usage(const char *msg) " -f => input filename for FIT source\n" " -i => input filename for ramdisk file\n" " -E => place data outside of the FIT structure\n" - " -B => align size in hex for FIT structure and header\n"); + " -B => align size in hex for FIT structure and header\n" + " -b => append the device tree binary to the FIT\n" + " -t => update the timestamp in the FIT\n"); #ifdef CONFIG_FIT_SIGNATURE fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c ] [-p addr] [-r] [-N engine]\n" 
@@ -118,7 +124,8 @@ static void usage(const char *msg) " -F => re-sign existing FIT image\n" " -p => place external data at a static position\n" " -r => mark keys used as 'required' in dtb\n" - " -N => openssl engine to use for signing\n"); + " -N => openssl engine to use for signing\n" + " -o => algorithm to use for signing\n"); #else fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
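
Review bot: The trailing context of the doc/mkimage.1 hunk at -173,11 still shows '.BI "\-t' without its closing quote, which is the same defect this hunk fixes for \-r two entries above. Close it here as well ('.BI "\-t"') so the man page source is consistent after this patch.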
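
Review bot: The synopsis strings in usage() in tools/mkimage.c are not updated to match the option lines added below them. '[-T type] -l image' gains a '-q' entry but no '[-q]'; the legacy image synopsis gains '-R', '-s' and '-v' entries but still starts '[-x] -A arch -O os ...'; the FIT synopsis has no '[-t]'; and the signing synopsis '[-k keydir] [-K dtb] [ -c ] [-p addr] [-r] [-N engine]' does not mention '-o' at all. Add them so the one-line usage and the per-option list agree. In the -95,8 hunk, the '-R' line reuses the 'name' placeholder of '-n' directly above it, while the man page text added in this patch describes a secondary image supplied for additional data; a distinct placeholder would keep -R from reading as a second label.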
From: Sean Anderson
To: Simon Glass, u-boot@lists.denx.de
Cc: Heinrich Schuchardt, Sean Anderson
Subject: [PATCH v2 2/2] mkimage: Support signing 'auto' FITs
Date: Thu, 28 Apr 2022 19:04:39 -0400
Message-Id: <20220428230439.2396809-2-sean.anderson@seco.com>
In-Reply-To: <20220428230439.2396809-1-sean.anderson@seco.com>

This adds support for signing images in auto-generated FITs. To do this, we need to add a signature node. The algorithm name property already has its own option, but we need one for the key name hint. We could have gone the -G route and added an explicit name for the public key (like what is done for the private key). However, many places assume the public key can be constructed from the key dir and hint, and I don't want to do the refactoring necessary.

As a consequence of this, it is now easier to add public keys to an existing image without signing something. This could be done all along, but now you don't have to create an its just to do it. Ideally, we wouldn't create a FIT at the end. This could be done by calling fit_image_setup_sig/info.crypto->add_verify_data directly.

Signed-off-by: Sean Anderson
---
(no changes since v1)

 doc/mkimage.1 | 24 ++++++++++++++++++++++++
 tools/fit_image.c | 41 ++++++++++++++++++++++++++++++++++-------
 tools/imagetool.h | 1 +
 tools/mkimage.c | 5 ++++-
 4 files changed, 63 insertions(+), 8 deletions(-)

diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 10ac31a8fc..7f422d0197 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 
@@ -213,6 +213,13 @@ the corresponding public key is written into this file for for run-time verification. Typically the file here is the device tree binary used by CONFIG_OF_CONTROL in U-Boot. +.TP +.BI "\-g [" "key_name_hint" "]" +Sets the key-name-hint property when used with \-f auto. This is the +part of the key. The directory part is set by \-k. This option also indicates +that the images included in the FIT should be signed. If this option is +specified, \-o must be specified as well. + .TP .BI "\-o [" "signing algorithm" "]" Specifies the algorithm to be used for signing a FIT image. The default is @@ -273,6 +280,15 @@ skipping those for which keys cannot be found. Also add a comment. .B -c """Kernel 3.8 image for production devices""" kernel.itb .fi +.P +Add public keys to u-boot.dtb without needing a FIT to sign. This will also +create a FIT containing an images node with no data named unused.itb. +.nf +.B mkimage -f auto -d /dev/null -k /public/signing-keys -g dev \\\\ +.br +.B -o sha256,rsa2048 -K u-boot.dtb unused.itb +.fi + .P Update an existing FIT image, signing it with additional keys. Add corresponding public keys into u-boot.dtb. This will resign all images @@ -301,6 +317,14 @@ automatic mode. No .its file is required. .B -c """Kernel 4.4 image for production devices""" -d vmlinuz \\\\ .B -b /path/to/rk3288-firefly.dtb -b /path/to/rk3288-jerry.dtb kernel.itb .fi +.P +Create a FIT image containing a signed kernel, using automatic mode. No .its +file is required. +.nf +.B mkimage -f auto -A arm -O linux -T kernel -C none -a 43e00000 -e 0 \\\\ +.br +.B -d vmlinuz -k /secret/signing-keys -g dev -o sha256,rsa2048 kernel.itb +.fi .SH HOMEPAGE http://www.denx.de/wiki/U-Boot/WebHome diff --git a/tools/fit_image.c b/tools/fit_image.c index 0d5a6a28f9..48fc1f5579 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c 
@@ -199,15 +199,36 @@ static void get_basename(char *str, int size, const char *fname) } /** - * add_crc_node() - Add a hash node to request a CRC checksum for an image + * add_hash_node() - Add a hash or signature node * + * @params: Image parameters * @fdt: Device tree to add to (in sequential-write mode) + * + * If there is a key name hint, try to sign the images. Otherwise, just add a + * CRC. + * + * Return: 0 on success, or -1 on failure */ -static void add_crc_node(void *fdt) +static int add_hash_node(struct image_tool_params *params, void *fdt) { - fdt_begin_node(fdt, "hash-1"); - fdt_property_string(fdt, FIT_ALGO_PROP, "crc32"); + if (params->keyname) { + if (!params->algo_name) { + fprintf(stderr, + "%s: Algorithm name must be specified\n", + params->cmdname); + return -1; + } + + fdt_begin_node(fdt, "signature-1"); + fdt_property_string(fdt, FIT_ALGO_PROP, params->algo_name); + fdt_property_string(fdt, FIT_KEY_HINT, params->keyname); + } else { + fdt_begin_node(fdt, "hash-1"); + fdt_property_string(fdt, FIT_ALGO_PROP, "crc32"); + } + fdt_end_node(fdt); + return 0; } /** @@ -248,7 +269,9 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) ret = fdt_property_file(params, fdt, FIT_DATA_PROP, params->datafile); if (ret) return ret; - add_crc_node(fdt); + ret = add_hash_node(params, fdt); + if (ret) + return ret; fdt_end_node(fdt); /* Now the device tree files if available */ @@ -271,7 +294,9 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) genimg_get_arch_short_name(params->arch)); fdt_property_string(fdt, FIT_COMP_PROP, genimg_get_comp_short_name(IH_COMP_NONE)); - add_crc_node(fdt); + ret = add_hash_node(params, fdt); + if (ret) + return ret; fdt_end_node(fdt); } @@ -289,7 +314,9 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) params->fit_ramdisk); if (ret) return ret; - add_crc_node(fdt); + ret = add_hash_node(params, fdt); + if (ret) + return ret; fdt_end_node(fdt); } 
diff --git a/tools/imagetool.h b/tools/imagetool.h index 05dd94d108..ca7c2e48ba 100644 --- a/tools/imagetool.h +++ b/tools/imagetool.h @@ -71,6 +71,7 @@ struct image_tool_params { const char *keydir; /* Directory holding private keys */ const char *keydest; /* Destination .dtb for public key */ const char *keyfile; /* Filename of private or public key */ + const char *keyname; /* Key name "hint" */ const char *comment; /* Comment to add to signature node */ /* Algorithm name to use for hashing/signing or NULL to use the one * specified in the its */ diff --git a/tools/mkimage.c b/tools/mkimage.c index 5c6a60e851..0e1198b411 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -119,6 +119,7 @@ static void usage(const char *msg) "Signing / verified boot options: [-k keydir] [-K dtb] [ -c ] [-p addr] [-r] [-N engine]\n" " -k => set directory containing private keys\n" " -K => write public keys to this .dtb file\n" + " -g => set key name hint\n" " -G => use this signing key (in lieu of -k)\n" " -c => add comment in signature node\n" " -F => re-sign existing FIT image\n" @@ -163,7 +164,7 @@ static void process_args(int argc, char **argv) int opt; while ((opt = getopt(argc, argv, - "a:A:b:B:c:C:d:D:e:Ef:FG:k:i:K:ln:N:p:o:O:rR:qstT:vVx")) != -1) { + "a:A:b:B:c:C:d:D:e:Ef:Fg:G:k:i:K:ln:N:p:o:O:rR:qstT:vVx")) != -1) { switch (opt) { case 'a': params.addr = strtoull(optarg, &ptr, 16); @@ -239,6 +240,8 @@ static void process_args(int argc, char **argv) params.type = IH_TYPE_FLATDT; params.fflag = 1; break; + case 'g': + params.keyname = optarg; case 'G': params.keyfile = optarg; break;
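
Review bot: The new 'case 'g':' in process_args() (last tools/mkimage.c hunk) has no 'break;', so it falls through into 'case 'G':' and params.keyfile is set to the key name hint as well. imagetool.h documents keyfile as the filename of the private or public key, so '-k keydir -g dev' ends up behaving as if '-G dev' had also been given, which is not what the \-g man page text describes. Add 'break;' after 'params.keyname = optarg;'.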
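
Review bot: The check in add_hash_node() (tools/fit_image.c) is one-directional: a key name hint without an algorithm is rejected, but an algorithm (or key directory) without '-g' takes the else branch and silently emits 'hash-1' with crc32. A user who passes '-k' and '-o' with '-f auto' and forgets '-g' gets an unsigned FIT and a zero return from this function. Consider failing, or at least warning, when params->algo_name is set and params->keyname is NULL. Separately, the function now returns int but still ignores the results of fdt_begin_node() and fdt_property_string(); either propagate them or say in the comment that only the missing-algorithm case is reported.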