u-boot.lists.denx.de archive mirror
* [PATCH 0/3] RFC: add fdt_add_pubkey tool
@ 2020-02-11  9:49 Rasmus Villemoes
  2020-02-11  9:49 ` [PATCH 1/3] test_vboot.py: remove extraneous -k option to fit_check_sign Rasmus Villemoes
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Rasmus Villemoes @ 2020-02-11  9:49 UTC (permalink / raw)
  To: u-boot

In order to reduce the coupling between building the kernel and
U-Boot, I'd like a tool that can add a public key to U-Boot's dtb
without simultaneously signing a FIT image. That tool doesn't seem to
exist, so I stole the necessary pieces from mkimage et al and put it
in a single .c file.

I'm still working on the details of my proposed "require just k out
these n required keys" and how it should be implemented, but it will
probably involve teaching this tool a bunch of new options. These
patches are not necessarily ready for inclusion (unless someone else
finds fdt_add_pubkey useful as is), but I thought I might as well send
it out for early comments.

Rasmus Villemoes (3):
  test_vboot.py: remove extraneous -k option to fit_check_sign
  tools: add fdt_add_pubkey
  test_vboot.py: include test of fdt_add_pubkey tool

 test/py/tests/test_vboot.py | 11 ++++-
 tools/.gitignore            |  1 +
 tools/Makefile              |  3 ++
 tools/fdt_add_pubkey.c      | 96 +++++++++++++++++++++++++++++++++++++
 4 files changed, 109 insertions(+), 2 deletions(-)
 create mode 100644 tools/fdt_add_pubkey.c

-- 
2.23.0

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH 1/3] test_vboot.py: remove extraneous -k option to fit_check_sign
  2020-02-11  9:49 [PATCH 0/3] RFC: add fdt_add_pubkey tool Rasmus Villemoes
@ 2020-02-11  9:49 ` Rasmus Villemoes
  2020-02-11 17:14   ` Simon Glass
  2020-02-11  9:49 ` [PATCH 2/3] tools: add fdt_add_pubkey Rasmus Villemoes
  2020-02-11  9:49 ` [PATCH 3/3] test_vboot.py: include test of fdt_add_pubkey tool Rasmus Villemoes
  2 siblings, 1 reply; 9+ messages in thread
From: Rasmus Villemoes @ 2020-02-11  9:49 UTC (permalink / raw)
  To: u-boot

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
---
 test/py/tests/test_vboot.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 9c41ee56b1..3dd8e3cb66 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -180,8 +180,7 @@ def test_vboot(u_boot_console):
 
         cons.log.action('%s: Check signed config on the host' % sha_algo)
 
-        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
-                                '-k', dtb])
+        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
 
         # Replace header bytes
         bcfg = u_boot_console.config.buildconfig
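Review bot: the commit message is empty, so nothing here says why the `-k tmpdir` argument was extraneous or confirms that dropping it does not shrink what the test verifies. From the visible lines a reader only sees that the dtb is now the sole `-k` argument to fit_check_sign, not that passing the directory first had no effect; please state that in the commit message (motivation and effect), as is expected for U-Boot patches.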
-- 
2.23.0


* [PATCH 2/3] tools: add fdt_add_pubkey
  2020-02-11  9:49 [PATCH 0/3] RFC: add fdt_add_pubkey tool Rasmus Villemoes
  2020-02-11  9:49 ` [PATCH 1/3] test_vboot.py: remove extraneous -k option to fit_check_sign Rasmus Villemoes
@ 2020-02-11  9:49 ` Rasmus Villemoes
  2020-02-11  9:54   ` Alex Kiernan
  2020-02-11 17:14   ` Simon Glass
  2020-02-11  9:49 ` [PATCH 3/3] test_vboot.py: include test of fdt_add_pubkey tool Rasmus Villemoes
  2 siblings, 2 replies; 9+ messages in thread
From: Rasmus Villemoes @ 2020-02-11  9:49 UTC (permalink / raw)
  To: u-boot

Having to use the -K option to mkimage to populate U-Boot's .dtb with the
public key while signing the kernel FIT image is often a little
awkward. In particular, when using a meta-build system such as
bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
intertwined, modifying deployed artifacts and rebuilding U-Boot with
an updated .dtb is quite cumbersome. Also, in some scenarios one may
wish to build U-Boot complete with the public key(s) embedded in the
.dtb without the corresponding private keys being present on the same
build host.

So this adds a simple tool that allows one to disentangle the kernel
and U-Boot builds, by simply copy-pasting just enough of the mkimage
code to allow one to add a public key to a .dtb. When using mkimage,
some of the information is taken from the .its used to build the
kernel (algorithm and key name), so that of course needs to be
supplied on the command line.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
---
 tools/.gitignore       |  1 +
 tools/Makefile         |  3 ++
 tools/fdt_add_pubkey.c | 96 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 tools/fdt_add_pubkey.c

diff --git a/tools/.gitignore b/tools/.gitignore
index 82bdce2782..a9894db853 100644
--- a/tools/.gitignore
+++ b/tools/.gitignore
@@ -6,6 +6,7 @@
 /dumpimage
 /easylogo/easylogo
 /envcrc
+/fdt_add_pubkey
 /fdtgrep
 /file2include
 /fit_check_sign
diff --git a/tools/Makefile b/tools/Makefile
index 345bc84e48..d91edeaddc 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -54,6 +54,7 @@ mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o
 
 hostprogs-y += dumpimage mkimage
 hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign
+hostprogs-$(CONFIG_FIT_SIGNATURE) += fdt_add_pubkey
 
 hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include
 
@@ -122,6 +123,7 @@ dumpimage-objs := $(dumpimage-mkimage-objs) dumpimage.o
 mkimage-objs   := $(dumpimage-mkimage-objs) mkimage.o
 fit_info-objs   := $(dumpimage-mkimage-objs) fit_info.o
 fit_check_sign-objs   := $(dumpimage-mkimage-objs) fit_check_sign.o
+fdt_add_pubkey-objs   := $(dumpimage-mkimage-objs) fdt_add_pubkey.o
 file2include-objs := file2include.o
 
 ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),)
@@ -166,6 +168,7 @@ HOSTCFLAGS_fit_image.o += -DMKIMAGE_DTC=\"$(CONFIG_MKIMAGE_DTC_PATH)\"
 HOSTLOADLIBES_dumpimage := $(HOSTLOADLIBES_mkimage)
 HOSTLOADLIBES_fit_info := $(HOSTLOADLIBES_mkimage)
 HOSTLOADLIBES_fit_check_sign := $(HOSTLOADLIBES_mkimage)
+HOSTLOADLIBES_fdt_add_pubkey := $(HOSTLOADLIBES_mkimage)
 
 hostprogs-$(CONFIG_EXYNOS5250) += mkexynosspl
 hostprogs-$(CONFIG_EXYNOS5420) += mkexynosspl
diff --git a/tools/fdt_add_pubkey.c b/tools/fdt_add_pubkey.c
new file mode 100644
index 0000000000..45a2ce9ad2
--- /dev/null
+++ b/tools/fdt_add_pubkey.c
@@ -0,0 +1,96 @@
+#include <image.h>
+#include "fit_common.h"
+
+static const char *cmdname;
+
+static const char *algo_name = "sha1,rsa2048"; /* -a <algo> */
+static const char *keydir = "."; /* -k <keydir> */
+static const char *keyname = "key"; /* -n <keyname> */
+static const char *require_keys; /* -r <conf|image> */
+static const char *keydest; /* argv[n] */
+
+static void usage(const char *msg)
+{
+	fprintf(stderr, "Error: %s\n", msg);
+	fprintf(stderr, "Usage: %s [-a <algo>] [-k <keydir>] [-n <keyname>] [-r <conf|image>] <fdt blob>\n",
+		cmdname);
+	exit(EXIT_FAILURE);
+}
+
+static void process_args(int argc, char *argv[])
+{
+	int opt;
+
+	while((opt = getopt(argc, argv, "a:k:n:r:")) != -1) {
+		switch (opt) {
+		case 'k':
+			keydir = optarg;
+			break;
+		case 'a':
+			algo_name = optarg;
+			break;
+		case 'n':
+			keyname = optarg;
+			break;
+		case 'r':
+			require_keys = optarg;
+			break;
+		default:
+			usage("Invalid option");
+		}
+	}
+	/* The last parameter is expected to be the .dtb to add the public key to */
+	if (optind < argc)
+		keydest = argv[optind];
+
+	if (!keydest)
+		usage("Missing dtb file to update");
+}
+
+int main(int argc, char *argv[])
+{
+	struct image_sign_info info;
+	int destfd, ret;
+	void *dest_blob = NULL;
+	struct stat dest_sbuf;
+	size_t size_inc = 0;
+
+	cmdname = argv[0];
+
+	process_args(argc, argv);
+
+	memset(&info, 0, sizeof(info));
+
+	info.keydir = keydir;
+	info.keyname = keyname;
+	info.name = algo_name;
+	info.require_keys = require_keys;
+	info.crypto = image_get_crypto_algo(algo_name);
+	if (!info.crypto) {
+                fprintf(stderr, "Unsupported signature algorithm '%s'\n", algo_name);
+		exit(EXIT_FAILURE);
+	}
+
+	while (1) {
+		destfd = mmap_fdt(cmdname, keydest, size_inc, &dest_blob, &dest_sbuf, false, false);
+		if (destfd < 0)
+			exit(EXIT_FAILURE);
+
+		ret = info.crypto->add_verify_data(&info, dest_blob);
+
+		munmap(dest_blob, dest_sbuf.st_size);
+		close(destfd);
+		if (!ret || ret != -ENOSPC)
+			break;
+		fprintf(stderr, ".dtb too small, increasing size by 1024 bytes\n");
+		size_inc = 1024;
+	}
+
+	if (ret) {
+		fprintf(stderr, "%s: Cannot add public key to FIT blob: %s\n",
+			cmdname, strerror(-ret));
+		exit(EXIT_FAILURE);
+	}
+
+	exit(EXIT_SUCCESS);
+}
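Review bot: process_args stores the `-r` argument without checking it against the two values the usage string advertises (`conf|image`); a typo such as `-r config` is passed straight through to `add_verify_data` as `info.require_keys` instead of being rejected, so the "required" marking the operator intended may silently not take effect in the resulting dtb. Suggest validating it in the `'r'` case, e.g. `if (strcmp(optarg, "conf") && strcmp(optarg, "image")) usage("-r must be conf or image");`. Smaller points in the same file: it lacks the SPDX-License-Identifier line U-Boot sources start with; the `fprintf` inside the `!info.crypto` branch is indented with spaces while the rest uses tabs; `while((opt` is missing the space after `while`; and the message "Cannot add public key to FIT blob" is misleading here, since the destination is U-Boot's control dtb rather than a FIT.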
-- 
2.23.0


* [PATCH 3/3] test_vboot.py: include test of fdt_add_pubkey tool
  2020-02-11  9:49 [PATCH 0/3] RFC: add fdt_add_pubkey tool Rasmus Villemoes
  2020-02-11  9:49 ` [PATCH 1/3] test_vboot.py: remove extraneous -k option to fit_check_sign Rasmus Villemoes
  2020-02-11  9:49 ` [PATCH 2/3] tools: add fdt_add_pubkey Rasmus Villemoes
@ 2020-02-11  9:49 ` Rasmus Villemoes
  2 siblings, 0 replies; 9+ messages in thread
From: Rasmus Villemoes @ 2020-02-11  9:49 UTC (permalink / raw)
  To: u-boot

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
---
 test/py/tests/test_vboot.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 3dd8e3cb66..799c28cc2c 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -182,6 +182,13 @@ def test_vboot(u_boot_console):
 
         util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
 
+        # Create a fresh .dtb without the public keys
+        dtc('sandbox-u-boot.dts')
+        # Then add the dev key via the fdt_add_pubkey tool
+        util.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,rsa2048' % sha_algo,
+                                '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
+        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
+
         # Replace header bytes
         bcfg = u_boot_console.config.buildconfig
         max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
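Review bot: the new block only exercises the positive path: after fdt_add_pubkey populates the fresh dtb, fit_check_sign is expected to succeed, but nothing checks that the `-r conf` marking was actually written to the dtb (a check that a FIT lacking a valid signature is rejected against this dtb would cover that). Also the `'%s,rsa2048' % sha_algo` string and the `'dev'` key name have to agree with what the .its used when the FIT was signed; a short comment saying so would explain why these literals are duplicated here.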
@@ -246,6 +253,7 @@ def test_vboot(u_boot_console):
     fit = '%stest.fit' % tmpdir
     mkimage = cons.config.build_dir + '/tools/mkimage'
     fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
+    fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey'
     dtc_args = '-I dts -O dtb -i %s' % tmpdir
     dtb = '%ssandbox-u-boot.dtb' % tmpdir
     sig_node = '/configurations/conf-1/signature'
-- 
2.23.0


* [PATCH 2/3] tools: add fdt_add_pubkey
  2020-02-11  9:49 ` [PATCH 2/3] tools: add fdt_add_pubkey Rasmus Villemoes
@ 2020-02-11  9:54   ` Alex Kiernan
  2020-02-11 10:22     ` Rasmus Villemoes
  2020-02-11 17:14   ` Simon Glass
  1 sibling, 1 reply; 9+ messages in thread
From: Alex Kiernan @ 2020-02-11  9:54 UTC (permalink / raw)
  To: u-boot

On Tue, Feb 11, 2020 at 9:49 AM Rasmus Villemoes
<rasmus.villemoes@prevas.dk> wrote:
>
> Having to use the -K option to mkimage to populate U-Boot's .dtb with the
> public key while signing the kernel FIT image is often a little
> awkward. In particular, when using a meta-build system such as
> bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
> intertwined, modifying deployed artifacts and rebuilding U-Boot with
> an updated .dtb is quite cumbersome. Also, in some scenarios one may
> wish to build U-Boot complete with the public key(s) embedded in the
> .dtb without the corresponding private keys being present on the same
> build host.
>

Have you started looking at the required bitbake pieces? You're
definitely dealing with a piece of pain that I'd like resolved!

> So this adds a simple tool that allows one to disentangle the kernel
> and U-Boot builds, by simply copy-pasting just enough of the mkimage
> code to allow one to add a public key to a .dtb. When using mkimage,
> some of the information is taken from the .its used to build the
> kernel (algorithm and key name), so that of course needs to be
> supplied on the command line.
>
> Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
> ---
>  tools/.gitignore       |  1 +
>  tools/Makefile         |  3 ++
>  tools/fdt_add_pubkey.c | 96 ++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 100 insertions(+)
>  create mode 100644 tools/fdt_add_pubkey.c
>
> diff --git a/tools/.gitignore b/tools/.gitignore
> index 82bdce2782..a9894db853 100644
> --- a/tools/.gitignore
> +++ b/tools/.gitignore
> @@ -6,6 +6,7 @@
>  /dumpimage
>  /easylogo/easylogo
>  /envcrc
> +/fdt_add_pubkey
>  /fdtgrep
>  /file2include
>  /fit_check_sign
> diff --git a/tools/Makefile b/tools/Makefile
> index 345bc84e48..d91edeaddc 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -54,6 +54,7 @@ mkenvimage-objs := mkenvimage.o os_support.o lib/crc32.o
>
>  hostprogs-y += dumpimage mkimage
>  hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info fit_check_sign
> +hostprogs-$(CONFIG_FIT_SIGNATURE) += fdt_add_pubkey
>
>  hostprogs-$(CONFIG_CMD_BOOTEFI_SELFTEST) += file2include
>
> @@ -122,6 +123,7 @@ dumpimage-objs := $(dumpimage-mkimage-objs) dumpimage.o
>  mkimage-objs   := $(dumpimage-mkimage-objs) mkimage.o
>  fit_info-objs   := $(dumpimage-mkimage-objs) fit_info.o
>  fit_check_sign-objs   := $(dumpimage-mkimage-objs) fit_check_sign.o
> +fdt_add_pubkey-objs   := $(dumpimage-mkimage-objs) fdt_add_pubkey.o
>  file2include-objs := file2include.o
>
>  ifneq ($(CONFIG_MX23)$(CONFIG_MX28)$(CONFIG_FIT_SIGNATURE),)
> @@ -166,6 +168,7 @@ HOSTCFLAGS_fit_image.o += -DMKIMAGE_DTC=\"$(CONFIG_MKIMAGE_DTC_PATH)\"
>  HOSTLOADLIBES_dumpimage := $(HOSTLOADLIBES_mkimage)
>  HOSTLOADLIBES_fit_info := $(HOSTLOADLIBES_mkimage)
>  HOSTLOADLIBES_fit_check_sign := $(HOSTLOADLIBES_mkimage)
> +HOSTLOADLIBES_fdt_add_pubkey := $(HOSTLOADLIBES_mkimage)
>
>  hostprogs-$(CONFIG_EXYNOS5250) += mkexynosspl
>  hostprogs-$(CONFIG_EXYNOS5420) += mkexynosspl
> diff --git a/tools/fdt_add_pubkey.c b/tools/fdt_add_pubkey.c
> new file mode 100644
> index 0000000000..45a2ce9ad2
> --- /dev/null
> +++ b/tools/fdt_add_pubkey.c
> @@ -0,0 +1,96 @@
> +#include <image.h>
> +#include "fit_common.h"
> +
> +static const char *cmdname;
> +
> +static const char *algo_name = "sha1,rsa2048"; /* -a <algo> */
> +static const char *keydir = "."; /* -k <keydir> */
> +static const char *keyname = "key"; /* -n <keyname> */
> +static const char *require_keys; /* -r <conf|image> */
> +static const char *keydest; /* argv[n] */
> +
> +static void usage(const char *msg)
> +{
> +       fprintf(stderr, "Error: %s\n", msg);
> +       fprintf(stderr, "Usage: %s [-a <algo>] [-k <keydir>] [-n <keyname>] [-r <conf|image>] <fdt blob>\n",
> +               cmdname);
> +       exit(EXIT_FAILURE);
> +}
> +
> +static void process_args(int argc, char *argv[])
> +{
> +       int opt;
> +
> +       while((opt = getopt(argc, argv, "a:k:n:r:")) != -1) {
> +               switch (opt) {
> +               case 'k':
> +                       keydir = optarg;
> +                       break;
> +               case 'a':
> +                       algo_name = optarg;
> +                       break;
> +               case 'n':
> +                       keyname = optarg;
> +                       break;
> +               case 'r':
> +                       require_keys = optarg;
> +                       break;
> +               default:
> +                       usage("Invalid option");
> +               }
> +       }
> +       /* The last parameter is expected to be the .dtb to add the public key to */
> +       if (optind < argc)
> +               keydest = argv[optind];
> +
> +       if (!keydest)
> +               usage("Missing dtb file to update");
> +}
> +
> +int main(int argc, char *argv[])
> +{
> +       struct image_sign_info info;
> +       int destfd, ret;
> +       void *dest_blob = NULL;
> +       struct stat dest_sbuf;
> +       size_t size_inc = 0;
> +
> +       cmdname = argv[0];
> +
> +       process_args(argc, argv);
> +
> +       memset(&info, 0, sizeof(info));
> +
> +       info.keydir = keydir;
> +       info.keyname = keyname;
> +       info.name = algo_name;
> +       info.require_keys = require_keys;
> +       info.crypto = image_get_crypto_algo(algo_name);
> +       if (!info.crypto) {
> +                fprintf(stderr, "Unsupported signature algorithm '%s'\n", algo_name);
> +               exit(EXIT_FAILURE);
> +       }
> +
> +       while (1) {
> +               destfd = mmap_fdt(cmdname, keydest, size_inc, &dest_blob, &dest_sbuf, false, false);
> +               if (destfd < 0)
> +                       exit(EXIT_FAILURE);
> +
> +               ret = info.crypto->add_verify_data(&info, dest_blob);
> +
> +               munmap(dest_blob, dest_sbuf.st_size);
> +               close(destfd);
> +               if (!ret || ret != -ENOSPC)
> +                       break;
> +               fprintf(stderr, ".dtb too small, increasing size by 1024 bytes\n");
> +               size_inc = 1024;
> +       }
> +
> +       if (ret) {
> +               fprintf(stderr, "%s: Cannot add public key to FIT blob: %s\n",
> +                       cmdname, strerror(-ret));
> +               exit(EXIT_FAILURE);
> +       }
> +
> +       exit(EXIT_SUCCESS);
> +}
> --
> 2.23.0
>


-- 
Alex Kiernan


* [PATCH 2/3] tools: add fdt_add_pubkey
  2020-02-11  9:54   ` Alex Kiernan
@ 2020-02-11 10:22     ` Rasmus Villemoes
  2020-02-11 13:58       ` Alex Kiernan
  0 siblings, 1 reply; 9+ messages in thread
From: Rasmus Villemoes @ 2020-02-11 10:22 UTC (permalink / raw)
  To: u-boot

On 11/02/2020 10.54, Alex Kiernan wrote:
> On Tue, Feb 11, 2020 at 9:49 AM Rasmus Villemoes
> <rasmus.villemoes@prevas.dk> wrote:
>>
>> Having to use the -K option to mkimage to populate U-Boot's .dtb with the
>> public key while signing the kernel FIT image is often a little
>> awkward. In particular, when using a meta-build system such as
>> bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
>> intertwined, modifying deployed artifacts and rebuilding U-Boot with
>> an updated .dtb is quite cumbersome. Also, in some scenarios one may
>> wish to build U-Boot complete with the public key(s) embedded in the
>> .dtb without the corresponding private keys being present on the same
>> build host.
>>
> 
> Have you started looking at the required bitbake pieces? You're
> definitely dealing with a piece of pain that I'd like resolved!

Not really, but I know that something like this is a necessary first
part - and I'm glad to know I'm not the only one struggling with this.

For now I've come to the conclusion that kernel-fitimage.bbclass is not
worth the trouble (for example, I need to create two different fit
images with different initramfs, but a fit image without initramfs is
pointless in my case, and there's no way to use kernel-fitimage.bbclass
for that), so I just set KERNEL_IMAGETYPE to vmlinux, then have my own
extra tasks doing the objcopy -O binary, gzip, and mkimage the different
fit images I need.

[I'm also thinking that adding a companion tool for doing the signing
part might make sense at some point - it's somewhat counter-intuitive
that the .its contains some of the information (base name of key and
algorithm - mkimage currently just segfaults if key-name-hint is
accidentally omitted from the .its), while mkimage needs to be fed with
another part (directory holding the keys).]

Rasmus

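As an added illustration, not part of this thread or of U-Boot, of two points made above: the commit message for patch 2/3 notes that with mkimage the signature algorithm and key name come from the .its, so fdt_add_pubkey has to be given them on its command line, and Rasmus's reply mentions the case where key-name-hint is accidentally omitted from the .its. The script below reads those two properties out of a constructed .its, derives the tool's `-r` value from whether the signature node sits under /configurations or /images, and reports a missing property instead of proceeding. The sample .its, the key directory and the dtb path are constructed placeholders; the parser covers only the small .its subset needed here and is no substitute for dtc.

```python
import re
from typing import Dict, List, Optional

# Constructed sample .its (not from the thread); the signature node lives
# under the configuration, as in the usual FIT source layout.
SAMPLE_ITS = """\
/dts-v1/;
/ {
    description = "constructed sample .its";
    images {
        kernel-1 {
            data = /incbin/("vmlinux.bin.gz");
            type = "kernel";
            arch = "arm";
            compression = "gzip";
            load = <0x80008000>;
            hash-1 {
                algo = "sha256";   /* hash algo, not a signature algo */
            };
        };
    };
    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
                sign-images = "kernel";
            };
        };
    };
};
"""

# Same source with key-name-hint accidentally dropped (the case the thread
# mentions as making mkimage crash).
BROKEN_ITS = SAMPLE_ITS.replace('key-name-hint = "dev";', '')

# One token per node opener, node close, string property or other statement.
TOKEN_RE = re.compile(
    r'(?P<node>[A-Za-z0-9_,.+@/-]+)\s*\{'
    r'|(?P<close>\})'
    r'|(?P<pname>[A-Za-z0-9_,.#-]+)\s*=\s*"(?P<pval>[^"]*)"\s*;'
    r'|(?P<other>[^\s{};][^{};]*;)'
)

Signature = Dict[str, Optional[str]]


def parse_signature_nodes(its_text: str) -> List[Signature]:
    """Return {'path', 'algo', 'key-name-hint'} for every signature-* node."""
    text = re.sub(r'/\*.*?\*/', '', its_text, flags=re.S)  # block comments
    text = re.sub(r'//[^\n]*', '', text)                   # line comments
    path: List[str] = []
    found: List[Signature] = []
    current: Optional[Signature] = None
    for tok in TOKEN_RE.finditer(text):
        if tok.group('node'):
            name = tok.group('node')
            path.append(name)
            if name.startswith('signature'):
                current = {'path': '/' + '/'.join(p for p in path if p != '/'),
                           'algo': None, 'key-name-hint': None}
                found.append(current)
        elif tok.group('close'):
            if path and path.pop().startswith('signature'):
                current = None
        elif tok.group('pname') and current is not None:
            if tok.group('pname') in ('algo', 'key-name-hint'):
                current[tok.group('pname')] = tok.group('pval')
    return found


def missing_properties(sig: Signature) -> List[str]:
    """Names of the properties fdt_add_pubkey needs that the .its lacks."""
    return [k for k in ('algo', 'key-name-hint') if not sig[k]]


def fdt_add_pubkey_cmdline(sig: Signature, keydir: str, dtb: str,
                           tool: str = 'fdt_add_pubkey') -> List[str]:
    """Build the tool's argv from one signature node.

    -r follows the node's position: 'conf' under /configurations, 'image'
    under /images, matching the tool's -r <conf|image> option.
    """
    missing = missing_properties(sig)
    if missing:  # refuse rather than embed a key under a wrong/empty name
        raise ValueError('%s: missing %s' % (sig['path'], ', '.join(missing)))
    required = 'conf' if sig['path'].startswith('/configurations/') else 'image'
    return [tool, '-a', sig['algo'], '-k', keydir, '-n', sig['key-name-hint'],
            '-r', required, dtb]


if __name__ == '__main__':
    for sig in parse_signature_nodes(SAMPLE_ITS):
        print(' '.join(fdt_add_pubkey_cmdline(sig, '/path/to/keys', 'u-boot.dtb')))
    for sig in parse_signature_nodes(BROKEN_ITS):
        print('problem:', sig['path'], 'lacks', missing_properties(sig))
```

Run stand-alone it prints the fdt_add_pubkey invocation for the good .its and a "problem: ... lacks ['key-name-hint']" line for the broken one. Deriving `-r` from the node's position keeps the command line in step with what the FIT actually signs, which is the same coupling the `-K` flow of mkimage gives for free.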

* [PATCH 2/3] tools: add fdt_add_pubkey
  2020-02-11 10:22     ` Rasmus Villemoes
@ 2020-02-11 13:58       ` Alex Kiernan
  0 siblings, 0 replies; 9+ messages in thread
From: Alex Kiernan @ 2020-02-11 13:58 UTC (permalink / raw)
  To: u-boot

On Tue, Feb 11, 2020 at 10:22 AM Rasmus Villemoes
<rasmus.villemoes@prevas.dk> wrote:
>
> On 11/02/2020 10.54, Alex Kiernan wrote:
> > On Tue, Feb 11, 2020 at 9:49 AM Rasmus Villemoes
> > <rasmus.villemoes@prevas.dk> wrote:
> >>
> >> Having to use the -K option to mkimage to populate U-Boot's .dtb with the
> >> public key while signing the kernel FIT image is often a little
> >> awkward. In particular, when using a meta-build system such as
> >> bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
> >> intertwined, modifying deployed artifacts and rebuilding U-Boot with
> >> an updated .dtb is quite cumbersome. Also, in some scenarios one may
> >> wish to build U-Boot complete with the public key(s) embedded in the
> >> .dtb without the corresponding private keys being present on the same
> >> build host.
> >>
> >
> > Have you started looking at the required bitbake pieces? You're
> > definitely dealing with a piece of pain that I'd like resolved!
>
> Not really, but I know that something like this is a necessary first
> part - and I'm glad to know I'm not the only one struggling with this.
>
> For now I've come to the conclusion that kernel-fitimage.bbclass is not
> worth the trouble (for example, I need to create two different fit
> images with different initramfs, but a fit image without initramfs is
> pointless in my case, and there's no way to use kernel-fitimage.bbclass
> for that), so I just set KERNEL_IMAGETYPE to vmlinux, then have my own
> extra tasks doing the objcopy -O binary, gzip, and mkimage the different
> fit images I need.
>

kernel-fitimage is a nightmare... every time someone touches it the
risk of it breaking for someone else is pretty high. FWIW my flow
through it is just kernel (no initramfs), DTBs and configurations,
with keys pre-embedded in U-Boot, so avoiding the loop back through
that otherwise happens. But I could do with the ability to compose
configurations in it, which isn't easy with it today.

I suspect leaving kernel-fitimage to one side and starting again (with
tests) has a lot of merit!

> [I'm also thinking that adding a companion tool for doing the signing
> part might make sense at some point - it's somewhat counter-intuitive
> that the .its contains some of the information (base name of key and
> algorithm - mkimage currently just segfaults if key-name-hint is
> accidentally omitted from the .its), while mkimage needs to be fed with
> another part (directory holding the keys).]
>
> Rasmus



--
Alex Kiernan


* [PATCH 1/3] test_vboot.py: remove extraneous -k option to fit_check_sign
  2020-02-11  9:49 ` [PATCH 1/3] test_vboot.py: remove extraneous -k option to fit_check_sign Rasmus Villemoes
@ 2020-02-11 17:14   ` Simon Glass
  0 siblings, 0 replies; 9+ messages in thread
From: Simon Glass @ 2020-02-11 17:14 UTC (permalink / raw)
  To: u-boot

Hi Rasmus,

On Tue, 11 Feb 2020 at 02:49, Rasmus Villemoes
<rasmus.villemoes@prevas.dk> wrote:
>

Please add a commit message with motivation and effect.

> Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
> ---
>  test/py/tests/test_vboot.py | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>

Regards,
Simon


* [PATCH 2/3] tools: add fdt_add_pubkey
  2020-02-11  9:49 ` [PATCH 2/3] tools: add fdt_add_pubkey Rasmus Villemoes
  2020-02-11  9:54   ` Alex Kiernan
@ 2020-02-11 17:14   ` Simon Glass
  1 sibling, 0 replies; 9+ messages in thread
From: Simon Glass @ 2020-02-11 17:14 UTC (permalink / raw)
  To: u-boot

Hi Rasmus,

On Tue, 11 Feb 2020 at 02:49, Rasmus Villemoes
<rasmus.villemoes@prevas.dk> wrote:
>
> Having to use the -K option to mkimage to populate U-Boot's .dtb with the
> public key while signing the kernel FIT image is often a little
> awkward. In particular, when using a meta-build system such as
> bitbake/Yocto, having the tasks of the kernel and U-Boot recipes
> intertwined, modifying deployed artifacts and rebuilding U-Boot with
> an updated .dtb is quite cumbersome. Also, in some scenarios one may
> wish to build U-Boot complete with the public key(s) embedded in the
> .dtb without the corresponding private keys being present on the same
> build host.
>
> So this adds a simple tool that allows one to disentangle the kernel
> and U-Boot builds, by simply copy-pasting just enough of the mkimage
> code to allow one to add a public key to a .dtb. When using mkimage,
> some of the information is taken from the .its used to build the
> kernel (algorithm and key name), so that of course needs to be
> supplied on the command line.
>
> Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
> ---
>  tools/.gitignore       |  1 +
>  tools/Makefile         |  3 ++
>  tools/fdt_add_pubkey.c | 96 ++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 100 insertions(+)
>  create mode 100644 tools/fdt_add_pubkey.c

Would it be possible to modify mkimage instead, with another flag?

Regards,
Simon
