From: Simon Glass <sjg@chromium.org>
To: Pegorer Massimo <Massimo.Pegorer@vimar.com>
Cc: Sean Anderson <sean.anderson@seco.com>,
	"u-boot@lists.denx.de" <u-boot@lists.denx.de>
Subject: Re: [PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
Date: Thu, 15 Dec 2022 14:16:30 -0700
Message-ID: <CAPnjgZ12MXe4zQ5P=Jz+7=cKom-6XWVeP97ONQHKVkNGkXwNXg@mail.gmail.com>
In-Reply-To: <GV1PR08MB801066863097F9433F1BD87CE51E9@GV1PR08MB8010.eurprd08.prod.outlook.com>

Hi Pegorer,

On Sun, 11 Dec 2022 at 06:54, Pegorer Massimo <Massimo.Pegorer@vimar.com> wrote:
>
> Hi,
>
> The patch follows, as per discussion in email thread "Patch proposal
>  - mkimage: fit: Support signed conf 'auto' FITs". Let me know if you
> prefer something to be changed, or patch to be split in several
> commits.
>
> I have updated the man page with description of the new feature and
> examples. Also fixed some wrong or misleading information.
>
> ===

Use:

Commit-notes:
notes go here
END

(assuming you are using patman)

We don't want the message above to appear in the commit log.

>
> mkimage: fit: Support signed configurations in 'auto' FITs
>
> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Adding also -K <dtb> and
> -r options, will add public key to <dtb> file with required = "conf"
> property.
>
> Summary:
>     -f auto => FIT with crc32 images
>     -f auto -g ... -o ... => FIT with signed images
>     -f auto-conf -g ... -o ... => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; public key (needed to verify signatures) is
> added to u-boot.dtb with required = "conf" property.
>
> mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e00000 \
>         -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
>         -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
>         -K u-boot.dtb -r kernel.itb
>
> Example: Add public key with required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
> mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
>         -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer <massimo.pegorer@vimar.com>
> ---
>  doc/mkimage.1     | 119 ++++++++++++++++++++++++++++++++--------------
>  tools/fit_image.c |  75 +++++++++++++++++++----------
>  tools/imagetool.h |  10 +++-
>  tools/mkimage.c   |  23 +++++++--
>  4 files changed, 160 insertions(+), 67 deletions(-)

Looks good, but it does need a test, please. See test/py/tests/fit.py
for an example

https://u-boot.readthedocs.io/en/latest/develop/py_testing.html

Regards,
Simon
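
Added example, not part of this message or of the U-Boot tree: a Python check (the language of the test/py suite mentioned above) that classifies a decompiled FIT into the layouts from the quoted Summary, so a build step can fail when a FIT that should carry signed configurations does not. The helper names, the constructed sample and the `hash-1`/`signature-1` node names (U-Boot's usual FIT naming) are assumptions.

```python
import re

# Simplified DTS tokenizer: node open, node close, single-string property.
TOKEN = re.compile(r'(?P<open>[\w,.@/+-]+)\s*\{|(?P<close>\}\s*;)|'
                   r'(?P<key>[\w,#.-]+)\s*=\s*"(?P<val>[^"]*)"\s*;')

def parse_dts(text):
    """Return the root node as nested dicts (nodes) and strings (properties)."""
    stack = [{}]
    for m in TOKEN.finditer(text):
        if m.group("open"):
            stack.append(stack[-1].setdefault(m.group("open"), {}))
        elif m.group("close"):
            stack.pop()
        else:
            stack[-1][m.group("key")] = m.group("val")
    return stack[0].get("/", {})

def algos(node, prefix):  # 'algo' of each subnode named hash* / signature*
    return [v.get("algo") for k, v in node.items()
            if isinstance(v, dict) and k.startswith(prefix)]

def classify_fit(fit):
    """Map a parsed FIT onto the layouts listed in the commit message summary."""
    images = [n for n in fit.get("images", {}).values() if isinstance(n, dict)]
    confs = [n for n in fit.get("configurations", {}).values() if isinstance(n, dict)]
    img_hash = bool(images) and all(algos(i, "hash") for i in images)
    img_sig = bool(images) and all(algos(i, "signature") for i in images)
    conf_sig = bool(confs) and all(algos(c, "signature") for c in confs)
    if conf_sig and img_hash:
        return "hashed images, signed confs"
    if img_sig:
        return "signed images"
    return "hashed images only" if img_hash else "unprotected image"

# Constructed sample shaped like `dtc -I dtb -O dts` output for a FIT built
# with -f auto-conf; data and value properties are left out.
AUTO_CONF = '''
/ {
    images {
        kernel-1 { type = "kernel"; hash-1 { algo = "sha1"; }; };
        fdt-1 { type = "flat_dt"; hash-1 { algo = "sha1"; }; };
    };
    configurations {
        default = "conf-1";
        conf-1 { kernel = "kernel-1"; fdt = "fdt-1";
                 signature-1 { algo = "sha256,rsa4096"; key-name-hint = "keyname"; }; };
    };
};
'''
```

The parser only understands node braces and single-string properties, which is enough for the `algo` checks; multi-string and binary properties are skipped.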
