From: Simon Glass
Date: Fri, 13 Jan 2023 11:00:21 -0700
Subject: Re: [PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
To: Massimo Pegorer
Cc: u-boot@lists.denx.de, Heinrich Schuchardt, Jan Kiszka, Jessica Clarke, Pali Rohár, Samuel Holland, Sean Anderson, Stefan Eichenberger
In-Reply-To: <20230105093110.1711-1-massimo.pegorer@vimar.com>
List-Id: U-Boot discussion

On Thu, 5 Jan 2023 at 02:31,
Massimo Pegorer wrote:
>
> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Also adding the -K and
> -r options will add the public key to a file with the required = "conf"
> property.
>
> Summary:
> -f auto                    => FIT with crc32 images
> -f auto -g ... -o ...      => FIT with signed images
> -f auto-conf -g ... -o ... => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; the public key (needed to verify signatures) is
> added to u-boot.dtb with the required = "conf" property.
>
> mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e00000 \
>   -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
>   -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
>   -K u-boot.dtb -r kernel.itb
>
> Example: Add the public key with the required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
> mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
>   -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer
>
> ---
> The commit includes: a patch adding the new feature to the mkimage tool;
> an updated man page, with a description of the new feature and examples,
> plus fixes to wrong/misleading information; and tests for all three
> flavours of auto-FIT (crc32 images, signed images, sha1 hashed images
> and signed configurations).
>
>  doc/mkimage.1                         | 119 +++++++++++-----
>  test/py/tests/test_fit_auto_signed.py | 195 ++++++++++++++++++++++++++
>  tools/fit_image.c                     |  75 ++++++----
>  tools/imagetool.h                     |  10 +-
>  tools/mkimage.c                       |  21 ++-
>  5 files changed, 353 insertions(+), 67 deletions(-)
>  create mode 100644 test/py/tests/test_fit_auto_signed.py

Reviewed-by: Simon Glass

We currently avoid using the fdt library in tools/dtoc in tests, but
perhaps this policy needs to be changed, as this patch shows. One option
would be to create a new tools/u_boot_lib directory with the shared
functions currently in tools/patman etc., then allow use of that in
tests.

Regards,
Simon