* [PATCH] tools: add fdt_add_pubkey
@ 2021-08-03 11:00 Roman Kopytin
  2021-08-05  7:55 ` Rasmus Villemoes
  0 siblings, 1 reply; 5+ messages in thread
From: Roman Kopytin @ 2021-08-03 11:00 UTC (permalink / raw)
  To: U-Boot-Denx

[-- Attachment #1: Type: text/plain, Size: 1050 bytes --]

Having to use the -K option to mkimage to populate U-Boot's .dtb with the
public key while signing the kernel FIT image is often a little
awkward. In particular, when using a meta-build system such as
bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
intertwined, modifying deployed artifacts and rebuilding U-Boot with
an updated .dtb is quite cumbersome. Also, in some scenarios one may
wish to build U-Boot complete with the public key(s) embedded in the
.dtb without the corresponding private keys being present on the same
build host.

So this adds a simple tool that allows one to disentangle the kernel
and U-Boot builds, by simply copy-pasting just enough of the mkimage
code to allow one to add a public key to a .dtb. When using mkimage,
some of the information is taken from the .its used to build the
kernel (algorithm and key name), so that of course needs to be
supplied on the command line.

Signed-off-by: Roman Kopytin <Roman.Kopytin@kaspersky.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>

[-- Attachment #2: 0001-tools-add-fdt_add_pubkey.patch --]
[-- Type: application/octet-stream, Size: 5372 bytes --]

From f4dd0edaec5fdac5d355eb5bef3f917b35d6c091 Mon Sep 17 00:00:00 2001
From: Roman Kopytin <Roman.Kopytin@kaspersky.com>
Date: Tue, 3 Aug 2021 12:48:15 +0300
Subject: [PATCH] tools: add fdt_add_pubkey

Having to use the -K option to mkimage to populate U-Boot's .dtb with the
public key while signing the kernel FIT image is often a little
awkward. In particular, when using a meta-build system such as
bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
intertwined, modifying deployed artifacts and rebuilding U-Boot with
an updated .dtb is quite cumbersome. Also, in some scenarios one may
wish to build U-Boot complete with the public key(s) embedded in the
.dtb without the corresponding private keys being present on the same
build host.

So this adds a simple tool that allows one to disentangle the kernel
and U-Boot builds, by simply copy-pasting just enough of the mkimage
code to allow one to add a public key to a .dtb. When using mkimage,
some of the information is taken from the .its used to build the
kernel (algorithm and key name), so that of course needs to be
supplied on the command line.

Signed-off-by: Roman Kopytin <Roman.Kopytin@kaspersky.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
---
 tools/.gitignore       |  1 +
 tools/Makefile         |  3 ++
 tools/fdt_add_pubkey.c | 97 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+)
 create mode 100755 tools/fdt_add_pubkey.c

diff --git a/tools/.gitignore b/tools/.gitignore
index a88453f64d..f312b760e4 100644
--- a/tools/.gitignore
+++ b/tools/.gitignore
@@ -6,6 +6,7 @@
 /dumpimage
 /easylogo/easylogo
 /envcrc
+/fdt_add_pubkey
 /fdtgrep
 /file2include
 /fit_check_sign
diff --git a/tools/Makefile b/tools/Makefile
index 4a86321f64..44f25dda18 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -73,6 +73,7 @@ mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o
 
 hostprogs-y += dumpimage mkimage
 hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info fit_check_sign
+hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fdt_add_pubkey
 
 hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include
 
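Review bot: the new host tool arrives with no documentation; the diffstat touches only .gitignore, the Makefile and the new source, so the usage() string is all a user gets. Since the commit message positions fdt_add_pubkey as the replacement for the mkimage -K step, doc/uImage.FIT/signature.txt, which documents the -K flow, should get a short section on the tool and its -a/-k/-n/-r options. Gating it on CONFIG_TOOLS_LIBCRYPTO next to fit_info and fit_check_sign is right, since loading the key needs libcrypto.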
@@ -153,6 +154,7 @@ dumpimage-objs := $(dumpimage-mkimage-objs) dumpimage.o
 mkimage-objs   := $(dumpimage-mkimage-objs) mkimage.o
 fit_info-objs   := $(dumpimage-mkimage-objs) fit_info.o
 fit_check_sign-objs   := $(dumpimage-mkimage-objs) fit_check_sign.o
+fdt_add_pubkey-objs   := $(dumpimage-mkimage-objs) fdt_add_pubkey.o
 file2include-objs := file2include.o
 
 ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_TOOLS_LIBCRYPTO),)
@@ -190,6 +192,7 @@ HOSTCFLAGS_fit_image.o += -DMKIMAGE_DTC=\"$(CONFIG_MKIMAGE_DTC_PATH)\"
 HOSTLDLIBS_dumpimage := $(HOSTLDLIBS_mkimage)
 HOSTLDLIBS_fit_info := $(HOSTLDLIBS_mkimage)
 HOSTLDLIBS_fit_check_sign := $(HOSTLDLIBS_mkimage)
+HOSTLDLIBS_fdt_add_pubkey := $(HOSTLDLIBS_mkimage)
 
 hostprogs-$(CONFIG_EXYNOS5250) += mkexynosspl
 hostprogs-$(CONFIG_EXYNOS5420) += mkexynosspl
diff --git a/tools/fdt_add_pubkey.c b/tools/fdt_add_pubkey.c
new file mode 100755
index 0000000000..9306ecedd1
--- /dev/null
+++ b/tools/fdt_add_pubkey.c
@@ -0,0 +1,97 @@
+#include <image.h>
+#include "fit_common.h"
+
+static const char *cmdname;
+
+static const char *algo_name = "sha1,rsa2048"; /* -a <algo> */
+static const char *keydir = "."; /* -k <keydir> */
+static const char *keyname = "key"; /* -n <keyname> */
+static const char *require_keys; /* -r <conf|image> */
+static const char *keydest; /* argv[n] */
+
+static void usage(const char *msg)
+{
+	fprintf(stderr, "Error: %s\n", msg);
+	fprintf(stderr, "Usage: %s [-a <algo>] [-k <keydir>] [-n <keyname>] [-r <conf|image>] <fdt blob>\n",
+		cmdname);
+	exit(EXIT_FAILURE);
+}
+
+static void process_args(int argc, char *argv[])
+{
+	int opt;
+
+	while((opt = getopt(argc, argv, "a:k:n:r:")) != -1) {
+		switch (opt) {
+		case 'k':
+			keydir = optarg;
+			break;
+		case 'a':
+			algo_name = optarg;
+			break;
+		case 'n':
+			keyname = optarg;
+			break;
+		case 'r':
+			require_keys = optarg;
+			break;
+		default:
+			usage("Invalid option");
+		}
+	}
+	/* The last parameter is expected to be the .dtb to add the public key to */
+	if (optind < argc)
+		keydest = argv[optind];
+
+	if (!keydest)
+		usage("Missing dtb file to update");
+}
+
+int main(int argc, char *argv[])
+{
+	struct image_sign_info info;
+	int destfd, ret;
+	void *dest_blob = NULL;
+	struct stat dest_sbuf;
+	size_t size_inc = 0;
+
+	cmdname = argv[0];
+
+	process_args(argc, argv);
+
+	memset(&info, 0, sizeof(info));
+
+	info.keydir = keydir;
+	info.keyname = keyname;
+	info.name = algo_name;
+	info.require_keys = require_keys;
+	info.crypto = image_get_crypto_algo(algo_name);
+	if (!info.crypto) {
+                fprintf(stderr, "Unsupported signature algorithm '%s'\n", algo_name);
+		exit(EXIT_FAILURE);
+	}
+
+	while (1) {
+		destfd = mmap_fdt(cmdname, keydest, size_inc, &dest_blob, &dest_sbuf, false, false);
+		if (destfd < 0)
+			exit(EXIT_FAILURE);
+
+		ret = info.crypto->add_verify_data(&info, dest_blob);
+
+		munmap(dest_blob, dest_sbuf.st_size);
+		close(destfd);
+		if (!ret || ret != -ENOSPC)
+			break;
+		fprintf(stderr, ".dtb too small, increasing size by 1024 bytes\n");
+		size_inc = 1024;
+	}
+
+	if (ret) {
+		fprintf(stderr, "%s: Cannot add public key to FIT blob: %s\n",
+			cmdname, strerror(-ret));
+		exit(EXIT_FAILURE);
+	}
+
+	exit(EXIT_SUCCESS);
+}
+
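Review bot: the new file has no SPDX-License-Identifier line or copyright header, which U-Boot requires at the top of every source file, and it is created as an executable (`create mode 100755 tools/fdt_add_pubkey.c`); a .c file should be 100644. Smaller points in this hunk: `while((opt = getopt(` needs a space after `while`; the `fprintf(stderr, "Unsupported signature algorithm ...` line inside `if (!info.crypto) {` is indented with spaces rather than a tab; `if (!ret || ret != -ENOSPC)` is equivalent to `if (ret != -ENOSPC)` since 0 is never -ENOSPC; the error text "Cannot add public key to FIT blob" is inherited from mkimage but the target here is the U-Boot control .dtb, not a FIT; and the file ends with an extra blank line. Worth a check as well: usage() advertises `-r <conf|image>`, but process_args() stores whatever string is given straight into info.require_keys, so a typo such as `-r config` is written into the .dtb without complaint and only shows up at boot time; rejecting anything other than "conf" or "image" up front would make the tool fail closed.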
-- 
2.25.1


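The tool above does its real work in a single call, `info.crypto->add_verify_data(&info, dest_blob)`, the same backend that mkimage -K uses to write the public key under /signature/key-<keyname> in the control .dtb. The Python below is an added example, not code from the patch or from U-Boot, showing what that backend stores for an RSA key and why the boot-time verifier needs nothing else: it derives rsa,n0-inverse and rsa,r-squared from a public key, encodes the properties as the dtb carries them (property names as documented in U-Boot's doc/uImage.FIT/signature.txt), and then verifies a signature using only those bytes, with the word-wise Montgomery arithmetic a bootloader without a bignum library relies on. The 64-bit key, the digest reduction and the message are constructed for illustration; a real FIT signature is PKCS#1 v1.5 padded over a 2048- or 4096-bit modulus.

```python
"""Added example (not part of the patch or of U-Boot): what the RSA backend
behind add_verify_data() stores under /signature/key-<keyname>, and how the
boot-time verifier consumes it. Property names follow U-Boot's
doc/uImage.FIT/signature.txt; the key and message are constructed."""
import hashlib
import struct

WORD = 32                      # U-Boot's RSA code works on 32-bit words
MASK = (1 << WORD) - 1

# Constructed toy key from two 32-bit primes (2^32-5 and 2^32-17). Real keys
# are 2048/4096-bit; the derivation below does not change with size.
P, Q = 4294967291, 4294967279
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, used only by the demo signer


def key_params(n, e):
    """Values derived from the public key alone (no private key on the host).

    n0_inverse = -n^-1 mod 2^32 lets the verifier cancel one 32-bit word per
    Montgomery step; r_squared = R^2 mod n with R = 2^num_bits moves a number
    into Montgomery form with a single multiplication.
    """
    num_bits = n.bit_length()
    n0_inverse = (-pow(n, -1, 1 << WORD)) & MASK
    r = 1 << num_bits
    return {"num_bits": num_bits, "n0_inverse": n0_inverse, "modulus": n,
            "exponent": e, "r_squared": (r * r) % n}


def encode_properties(params, algo="sha256,rsa2048", required=None):
    """Property bytes as the dtb carries them: big-endian cells and byte arrays.

    Word rounding assumes num_bits is a multiple of 32, true for real key sizes.
    """
    nbytes = params["num_bits"] // WORD * 4
    props = {
        "algo": algo.encode() + b"\0",
        "rsa,num-bits": struct.pack(">I", params["num_bits"]),
        "rsa,n0-inverse": struct.pack(">I", params["n0_inverse"]),
        "rsa,exponent": struct.pack(">Q", params["exponent"]),
        "rsa,modulus": params["modulus"].to_bytes(nbytes, "big"),
        "rsa,r-squared": params["r_squared"].to_bytes(nbytes, "big"),
    }
    if required:                        # what fdt_add_pubkey -r conf|image sets
        props["required"] = required.encode() + b"\0"
    return props


def mont_mul(a, b, n, n0_inverse, nwords):
    """a * b * R^-1 mod n with R = 2^(32*nwords), reduced one word at a time.

    Only the modulus words and n0_inverse are needed and there is no division,
    which is why the verifier fits in a bootloader.
    """
    t = a * b
    for i in range(nwords):
        word = (t >> (WORD * i)) & MASK
        m = (word * n0_inverse) & MASK            # chosen so word i becomes zero
        t += (m * n) << (WORD * i)
    t >>= WORD * nwords                           # exact: low words are zero
    return t - n if t >= n else t                 # result is at most n too large


def mod_exp(base, exp, params):
    """Left-to-right square-and-multiply in Montgomery form."""
    n, n0 = params["modulus"], params["n0_inverse"]
    nwords = params["num_bits"] // WORD
    base_m = mont_mul(base, params["r_squared"], n, n0, nwords)  # base * R mod n
    acc = mont_mul(1, params["r_squared"], n, n0, nwords)        # 1 * R mod n
    for bit in bin(exp)[2:]:
        acc = mont_mul(acc, acc, n, n0, nwords)
        if bit == "1":
            acc = mont_mul(acc, base_m, n, n0, nwords)
    return mont_mul(acc, 1, n, n0, nwords)                       # back to plain form


def toy_sign(message):
    """Demo signer: the digest is reduced mod N to fit the toy modulus."""
    rep = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    return pow(rep, D, N), rep


def verify_with_dtb_params(props, sig, rep):
    """Rebuild the key from nothing but the property bytes and check sig^e == rep,
    which is all the verifier has once the key sits in U-Boot's .dtb."""
    params = {
        "num_bits": struct.unpack(">I", props["rsa,num-bits"])[0],
        "n0_inverse": struct.unpack(">I", props["rsa,n0-inverse"])[0],
        "exponent": struct.unpack(">Q", props["rsa,exponent"])[0],
        "modulus": int.from_bytes(props["rsa,modulus"], "big"),
        "r_squared": int.from_bytes(props["rsa,r-squared"], "big"),
    }
    return mod_exp(sig, params["exponent"], params) == rep


if __name__ == "__main__":
    params = key_params(N, E)
    props = encode_properties(params, required="conf")
    for name, value in props.items():
        print(f"{name:15} {value.hex()}")
    sig, rep = toy_sign(b"constructed FIT payload")
    print("verifies:", verify_with_dtb_params(props, sig, rep))
```

The round trip is the point of the tool: everything verify_with_dtb_params() needs is public, so it can be written into u-boot.dtb on a host that never sees the private key, while the kernel FIT is signed elsewhere with mkimage run without -K. The two halves are then checked together with fit_check_sign -f <fit> -k u-boot.dtb, built in the same Makefile block as this tool.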

* Re: [PATCH] tools: add fdt_add_pubkey
  2021-08-03 11:00 [PATCH] tools: add fdt_add_pubkey Roman Kopytin
@ 2021-08-05  7:55 ` Rasmus Villemoes
  2021-08-05  7:59   ` Roman Kopytin
  2021-08-06 11:28   ` Steffen Jaeckel
  0 siblings, 2 replies; 5+ messages in thread
From: Rasmus Villemoes @ 2021-08-05  7:55 UTC (permalink / raw)
  To: Roman Kopytin, U-Boot-Denx

On 03/08/2021 13.00, Roman Kopytin wrote:

Hi Roman

Thanks for picking this up. A few notes on the process:

- Don't attach the patch, it must be inline in the email. But do not
copy-paste it into your mail client; that will most likely make it
whitespace-damaged. git send-email is your friend.

- Sending it to u-boot@lists.denx.de is correct, but you should also cc
"interested parties", e.g. at least me (for obvious reasons) and anybody
who participated in the earlier thread. If you had used git send-email,
your "Cc: " line in the patch would actually automatically have included
me on cc. Other people are just as easy to add (with the --cc option to
"git send-email"). Very few people, if any, read every message on the
U-Boot mailing list.

- It would be good if you could also add a test and ensure that it
works. I think my original submission had three commits, of which the
first is now moot, but that last patch was a test case. It may need some
adjustments to apply nowadays, but it should give you a starting point.

Rasmus


* RE: [PATCH] tools: add fdt_add_pubkey
  2021-08-05  7:55 ` Rasmus Villemoes
@ 2021-08-05  7:59   ` Roman Kopytin
  2021-08-06 10:03     ` Rasmus Villemoes
  2021-08-06 11:28   ` Steffen Jaeckel
  1 sibling, 1 reply; 5+ messages in thread
From: Roman Kopytin @ 2021-08-05  7:59 UTC (permalink / raw)
  To: Rasmus Villemoes, U-Boot-Denx

Thanks a lot.
Can I create 1 patch with tool + test?



* Re: [PATCH] tools: add fdt_add_pubkey
  2021-08-05  7:59   ` Roman Kopytin
@ 2021-08-06 10:03     ` Rasmus Villemoes
  0 siblings, 0 replies; 5+ messages in thread
From: Rasmus Villemoes @ 2021-08-06 10:03 UTC (permalink / raw)
  To: Roman Kopytin, U-Boot-Denx

On 05/08/2021 09.59, Roman Kopytin wrote:
> Thanks a lot.
> Can I create 1 patch with tool + test?

Preferably not. Each patch should be its own logical entity, doing one
thing. Yes, sometimes the lines are a bit blurred, but adding a new tool
and adding one or more tests of that tool are clearly separate things.
It also makes review easier.

Rasmus


* Re: [PATCH] tools: add fdt_add_pubkey
  2021-08-05  7:55 ` Rasmus Villemoes
  2021-08-05  7:59   ` Roman Kopytin
@ 2021-08-06 11:28   ` Steffen Jaeckel
  1 sibling, 0 replies; 5+ messages in thread
From: Steffen Jaeckel @ 2021-08-06 11:28 UTC (permalink / raw)
  To: Roman Kopytin; +Cc: Rasmus Villemoes, U-Boot-Denx

Roman,

On 8/5/21 9:55 AM, Rasmus Villemoes wrote:
> On 03/08/2021 13.00, Roman Kopytin wrote:
> 
> Hi Roman
> 
> Thanks for picking this up. A few notes on the process:
> 
> - Don't attach the patch, it must be inline in the email. But do not
> copy-paste it in to your mail client, that will most likely make it
> whitespace-damaged. git send-email is your friend.
> 
> - Sending it to u-boot@lists.denx.de is correct, but you should also cc
> "interested parties", e.g. at least me (for obvious reasons) and anybody
> who participated in the earlier thread. If you had used git send-email,
> your "Cc: " line in the patch would actually automatically have included
> me on cc. Other people are just as easy to add (with the --cc option to
> "git send-email"). Very few people, if any, read every message on the
> U-Boot mailing list.
> 
> - It would be good if you could also add a test and ensure that it
> works. I think my original submission had three commits, of which the
> first is now moot, but that last patch was a test case. It may need some
> adjustments to apply nowadays, but it should give you a starting point.
> 
> Rasmus

I don't remember where exactly I found the information initially, but
patman is your friend when submitting patches; cf. [0] and [1] for
more information.

Cheers,
Steffen

[0] `./tools/patman/patman -H`
[1] tools/patman/README

