Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool

From: Simon Glass <sjg@chromium.org>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Roman Kopytin <Roman.Kopytin@kaspersky.com>,
	u-boot@lists.denx.de,
	 Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Subject: Re: [PATCH 0/2] RFC: add fdt_add_pubkey tool
Date: Wed, 10 Nov 2021 17:31:29 -0700	[thread overview]
Message-ID: <CAPnjgZ1ZL4MF1f9k-B0xBZYeFWT4xB1fgqfe9djiM68G_iTASg@mail.gmail.com> (raw)
In-Reply-To: <d132279d-5d5c-0f93-1e96-c21dafe0845a@siemens.com>

Hi Jan,

On Wed, 10 Nov 2021 at 13:58, Jan Kiszka <jan.kiszka@siemens.com> wrote:
>
> On 10.11.21 20:36, Simon Glass wrote:
> > Hi Jan,
> >
> > On Wed, 10 Nov 2021 at 09:49, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> >>
> >> On 10.11.21 17:31, Simon Glass wrote:
> >>> Hi Jan,
> >>>
> >>> On Wed, 10 Nov 2021 at 00:20, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> >>>>
> >>>> On 10.11.21 07:55, Jan Kiszka wrote:
> >>>>> On 10.11.21 01:58, Simon Glass wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> On Tue, 9 Nov 2021 at 02:17, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> >>>>>>>
> >>>>>>> On 08.11.21 16:28, Roman Kopytin wrote:
> >>>>>>>> In order to reduce the coupling between building the kernel and
> >>>>>>>> U-Boot, I'd like a tool that can add a public key to U-Boot's dtb
> >>>>>>>> without simultaneously signing a FIT image. That tool doesn't seem to
> >>>>>>>> exist, so I stole the necessary pieces from mkimage et al and put it
> >>>>>>>> in a single .c file.
> >>>>>>>>
> >>>>>>>> I'm still working on the details of my proposed "require just k out
> >>>>>>>> these n required keys" and how it should be implemented, but it will
> >>>>>>>> probably involve teaching this tool a bunch of new options. These
> >>>>>>>> patches are not necessarily ready for inclusion (unless someone else
> >>>>>>>> finds fdt_add_pubkey useful as is), but I thought I might as well send
> >>>>>>>> it out for early comments.
> >>>>>>>
> >>>>>>> I'd also like to see the usage of this hooked into the build process.
> >>>>>>>
> >>>>>>> And to my understanding of [1], that approach will provide a feature
> >>>>>>> that permits hooking with the build but would expect the key as dtsi
> >>>>>>> fragment. Can we consolidate the approaches?
> >>>>>>>
> >>>>>>> My current vision of a user interface would be a Kconfig option that
> >>>>>>> takes a list of key files to be injected. Maybe make that three lists,
> >>>>>>> one for "required=image", one for "required=conf", and one for optional
> >>>>>>> keys (if that has a use case in practice, no idea).
> >>>>>>
> >>>>>> Also please take a look at binman which is designed to handle create
> >>>>>> (or later updating from Yocto) the devicetree or firmware image.
> >>>>>>
> >>>>>
> >>>>> Yes, binman is another problem area, but not for the public key
> >>>>> injection, rather for permitting to sign fit images that are described
> >>>>> for binman (rather than for mkimage). I'm currently back to dd for
> >>>>> signing the U-Boot container in
> >>>>> arch/arm/dts/k3-am65-iot2050-boot-image.dtsi, or I would have to split
> >>>>> that FIT image description from that file - both not optimal.
> >>>
> >>> Well I don't think binman supports that at present, or at least I'm
> >>> not sure what it would do. We don't have a test case for it. If you
> >>> have an idea for how it should work, please send some ideas and I can
> >>> look at it.
> >>>
> >>>>
> >>>> OK, this can already be optimized with "binman replace" - once I
> >>>> understood where fdtmap can go and where not. Why no support for using
> >>>> map files?
> >>>
> >>> The fdtmap provides enough information to extract anything from the
> >>> image and regenerate/replace things.
> >>>
> >>> What is a map file?
> >>
> >> *.map, e.g. image.map? Also generated by many binmap <cmd> -m?
> >
> > Using map files for what? Do you mean passing it to Binman in lieu of
> > an in-image fdtmap? If so, they are not equivalent. The map is just a
> > simple text output of offsets and sizes. The fdtmap contains the full
> > image description.
>
> Too bad. I was looking for a way to avoid having to add fdtmap to an
> image when all information is already on the build host - and should
> actually only remain there. Embedding fdtmap into the image solely for
> build/post-process purposes looks like overkill to me.

and for run-time access and for being able to list the image and
extract things from it.

Regards,
Simon

>
> >
> >>
> >>>
> >>>>
> >>>> Jan
> >>>>
> >>>>>
> >>>>> And another area: Trust centers that perform the signing (and only that)
> >>>>> usually do not support random formats and workflows but just few common
> >>>>> ones, e.g. x509. It would be nice to have a way to route out the payload
> >>>>> (hashes etc.) that mkimage would sign, ideally into a standard signing
> >>>>> request, and permit to inject the resulting signature at the right
> >>>>> places into the FIT image.
> >>>
> >>> Well that needs to be provided somewhere. It should be fairly easy to
> >>> get Binman to do this, so long as the image description has info about
> >>> what is being signed.
> >>
> >> I would assume that it has to have that information, already to use
> >> mkimage on it or its parts.
> >
> > Well, at present the information is there but Binman does not fully
> > parse the mkimage subnodes. E.g. it doesn't look to see what things
> > are signed/hashed. It just runs mkimage. If we want to output the hash
> > for signing, we would need to implement that somewhere. Binman could
> > do this after the image is build, i.e. look at the various signature
> > nodes, hash the appropriate data and write out an 'instructions' file
> > in a suitable format.
>
> Yep, that would be nice. Or would mkimage have more of the needed logic
> already on board and would better be extended to write them out?
>
> Jan
>
> --
> Siemens AG, T RDA IOT
> Corporate Competence Center Embedded Linux