Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
Hi Jan,

On Mon, 6 Feb 2023 at 22:47, Jan Kiszka wrote:
>
> On 07.02.23 05:02, Simon Glass wrote:
> > Hi Jan,
> >
> > On Mon, 6 Feb 2023 at 03:42, Jan Kiszka wrote:
> >>
> >> On 04.02.23 23:23, Simon Glass wrote:
> >>> Hi Jan,
> >>>
> >>> On Fri, 3 Feb 2023 at 23:35, Jan Kiszka wrote:
> >>>>
> >>>> On 04.02.23 01:20, Simon Glass wrote:
> >>>>> Hi Jan,
> >>>>>
> >>>>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
> >>>>>>
> >>>>>> From: Jan Kiszka
> >>>>>>
> >>>>>> Allows to create a public key device tree dtsi for inclusion into
> >>>>>> U-Boot
> >>>>>> SPL and proper during first build already. This can be achieved via
> >>>>>> CONFIG_DEVICE_TREE_INCLUDES.
> >>>>>>
> >>>>>> Signed-off-by: Jan Kiszka
> >>>>>> ---
> >>>>>>  tools/key2dtsi.py | 64 +++
> >>>>>>  1 file changed, 64 insertions(+)
> >>>>>>  create mode 100755 tools/key2dtsi.py
> >>>>>
> >>>>> Please can you build this into Binman instead? We really don't want
> >>>>> any more of these scripts. Perhaps you can add a new entry type?
> >>>>>
> >>>>
> >>>> I don't think you are requesting something that makes any sense:
> >>>>
> >>>> "Binman creates and manipulate *images* for a board from a set of
> >>>> binaries"
> >>>
> >>> I mean that Binman can include a public key in the DT, if that is what
> >>> you are wanting. We don't want to add scripts for creating images and
> >>> pieces of images.
> >>>
> >>> Perhaps I just don't understand the goal here. How would your script be
> >>> used?
> >>>
> >>
> >> We feed the generated dtsi into the U-Boot build, using
> >> CONFIG_DEVICE_TREE_INCLUDES. This ensures that it will be signed along with
> >> the built artifacts. Have a look at patch 9 for the steps, specifically
> >> the doc update bits. Full bitbake (Isar) integration is available under
> >> [1], specifically [2] in combination with [3].
> >>
> >
> > OK, so is Binman run in this case?
> >
>
> It's run at the end of the build, to assemble the unsigned flash.bin.
> And it should have been used also for signing that image (patch 8, see
> the other discussion).

OK, so how can we get this signing thing into Binman?
Does it need a new entry type? Is there something I can help with there?
The input looks like it should be the key.pem file.

Regards,
Simon

>
> Jan
>
> >> Jan
> >>
> >> [1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
> >> [2]
> >> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
> >> [3]
> >> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg
> >>
> >> --
> >> Siemens AG, Technology
> >> Competence Center Embedded Linux
> >
> > Regards,
> > Simon
>
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
>
Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
On 07.02.23 05:02, Simon Glass wrote:
> Hi Jan,
>
> On Mon, 6 Feb 2023 at 03:42, Jan Kiszka wrote:
>>
>> On 04.02.23 23:23, Simon Glass wrote:
>>> Hi Jan,
>>>
>>> On Fri, 3 Feb 2023 at 23:35, Jan Kiszka wrote:
>>>>
>>>> On 04.02.23 01:20, Simon Glass wrote:
>>>>> Hi Jan,
>>>>>
>>>>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
>>>>>>
>>>>>> From: Jan Kiszka
>>>>>>
>>>>>> Allows to create a public key device tree dtsi for inclusion into U-Boot
>>>>>> SPL and proper during first build already. This can be achieved via
>>>>>> CONFIG_DEVICE_TREE_INCLUDES.
>>>>>>
>>>>>> Signed-off-by: Jan Kiszka
>>>>>> ---
>>>>>>  tools/key2dtsi.py | 64 +++
>>>>>>  1 file changed, 64 insertions(+)
>>>>>>  create mode 100755 tools/key2dtsi.py
>>>>>
>>>>> Please can you build this into Binman instead? We really don't want
>>>>> any more of these scripts. Perhaps you can add a new entry type?
>>>>>
>>>>
>>>> I don't think you are requesting something that makes any sense:
>>>>
>>>> "Binman creates and manipulate *images* for a board from a set of binaries"
>>>
>>> I mean that Binman can include a public key in the DT, if that is what
>>> you are wanting. We don't want to add scripts for creating images and
>>> pieces of images.
>>>
>>> Perhaps I just don't understand the goal here. How would your script be
>>> used?
>>>
>>
>> We feed the generated dtsi into the U-Boot build, using
>> CONFIG_DEVICE_TREE_INCLUDES. This ensures that it will be signed along with
>> the built artifacts. Have a look at patch 9 for the steps, specifically
>> the doc update bits. Full bitbake (Isar) integration is available under
>> [1], specifically [2] in combination with [3].
>>
>
> OK, so is Binman run in this case?
>

It's run at the end of the build, to assemble the unsigned flash.bin.
And it should have been used also for signing that image (patch 8, see
the other discussion).

Jan

>> Jan
>>
>> [1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
>> [2]
>> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
>> [3]
>> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg
>>
>> --
>> Siemens AG, Technology
>> Competence Center Embedded Linux
>>
>
> Regards,
> Simon

--
Siemens AG, Technology
Competence Center Embedded Linux
Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
Hi Jan,

On Mon, 6 Feb 2023 at 03:42, Jan Kiszka wrote:
>
> On 04.02.23 23:23, Simon Glass wrote:
> > Hi Jan,
> >
> > On Fri, 3 Feb 2023 at 23:35, Jan Kiszka wrote:
> >>
> >> On 04.02.23 01:20, Simon Glass wrote:
> >>> Hi Jan,
> >>>
> >>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
> >>>>
> >>>> From: Jan Kiszka
> >>>>
> >>>> Allows to create a public key device tree dtsi for inclusion into U-Boot
> >>>> SPL and proper during first build already. This can be achieved via
> >>>> CONFIG_DEVICE_TREE_INCLUDES.
> >>>>
> >>>> Signed-off-by: Jan Kiszka
> >>>> ---
> >>>>  tools/key2dtsi.py | 64 +++
> >>>>  1 file changed, 64 insertions(+)
> >>>>  create mode 100755 tools/key2dtsi.py
> >>>
> >>> Please can you build this into Binman instead? We really don't want
> >>> any more of these scripts. Perhaps you can add a new entry type?
> >>>
> >>
> >> I don't think you are requesting something that makes any sense:
> >>
> >> "Binman creates and manipulate *images* for a board from a set of binaries"
> >
> > I mean that Binman can include a public key in the DT, if that is what
> > you are wanting. We don't want to add scripts for creating images and
> > pieces of images.
> >
> > Perhaps I just don't understand the goal here. How would your script be
> > used?
> >
>
> We feed the generated dtsi into the U-Boot build, using
> CONFIG_DEVICE_TREE_INCLUDES. This ensures that it will be signed along with
> the built artifacts. Have a look at patch 9 for the steps, specifically
> the doc update bits. Full bitbake (Isar) integration is available under
> [1], specifically [2] in combination with [3].
>

OK, so is Binman run in this case?

> Jan
>
> [1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
> [2]
> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
> [3]
> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg
>
> --
> Siemens AG, Technology
> Competence Center Embedded Linux
>

Regards,
Simon
Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
On 06.02.23 11:42, Jan Kiszka wrote:
> On 04.02.23 23:23, Simon Glass wrote:
>> Hi Jan,
>>
>> On Fri, 3 Feb 2023 at 23:35, Jan Kiszka wrote:
>>>
>>> On 04.02.23 01:20, Simon Glass wrote:
>>>> Hi Jan,
>>>>
>>>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
>>>>>
>>>>> From: Jan Kiszka
>>>>>
>>>>> Allows to create a public key device tree dtsi for inclusion into U-Boot
>>>>> SPL and proper during first build already. This can be achieved via
>>>>> CONFIG_DEVICE_TREE_INCLUDES.
>>>>>
>>>>> Signed-off-by: Jan Kiszka
>>>>> ---
>>>>>  tools/key2dtsi.py | 64 +++
>>>>>  1 file changed, 64 insertions(+)
>>>>>  create mode 100755 tools/key2dtsi.py
>>>>
>>>> Please can you build this into Binman instead? We really don't want
>>>> any more of these scripts. Perhaps you can add a new entry type?
>>>>
>>>
>>> I don't think you are requesting something that makes any sense:
>>>
>>> "Binman creates and manipulate *images* for a board from a set of binaries"
>>
>> I mean that Binman can include a public key in the DT, if that is what
>> you are wanting. We don't want to add scripts for creating images and
>> pieces of images.
>>
>> Perhaps I just don't understand the goal here. How would your script be used?
>>
>
> We feed the generated dtsi into the U-Boot build, using
> CONFIG_DEVICE_TREE_INCLUDES. This ensures that it will be signed along with
> the built artifacts. Have a look at patch 9 for the steps, specifically
> the doc update bits. Full bitbake (Isar) integration is available under
> [1], specifically [2] in combination with [3].

Correction: Patch 8 (https://lore.kernel.org/u-boot/cover.1675427201.git.jan.kis...@siemens.com/T/#m48507dd6db008485b2ebfb0e61ec9b779dfaa2fd).

>
> Jan
>
> [1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
> [2]
> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
> [3]
> https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg
>

--
Siemens AG, Technology
Competence Center Embedded Linux
Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
On 04.02.23 23:23, Simon Glass wrote:
> Hi Jan,
>
> On Fri, 3 Feb 2023 at 23:35, Jan Kiszka wrote:
>>
>> On 04.02.23 01:20, Simon Glass wrote:
>>> Hi Jan,
>>>
>>> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
>>>>
>>>> From: Jan Kiszka
>>>>
>>>> Allows to create a public key device tree dtsi for inclusion into U-Boot
>>>> SPL and proper during first build already. This can be achieved via
>>>> CONFIG_DEVICE_TREE_INCLUDES.
>>>>
>>>> Signed-off-by: Jan Kiszka
>>>> ---
>>>>  tools/key2dtsi.py | 64 +++
>>>>  1 file changed, 64 insertions(+)
>>>>  create mode 100755 tools/key2dtsi.py
>>>
>>> Please can you build this into Binman instead? We really don't want
>>> any more of these scripts. Perhaps you can add a new entry type?
>>>
>>
>> I don't think you are requesting something that makes any sense:
>>
>> "Binman creates and manipulate *images* for a board from a set of binaries"
>
> I mean that Binman can include a public key in the DT, if that is what
> you are wanting. We don't want to add scripts for creating images and
> pieces of images.
>
> Perhaps I just don't understand the goal here. How would your script be used?
>

We feed the generated dtsi into the U-Boot build, using
CONFIG_DEVICE_TREE_INCLUDES. This ensures that it will be signed along with
the built artifacts. Have a look at patch 9 for the steps, specifically
the doc update bits. Full bitbake (Isar) integration is available under
[1], specifically [2] in combination with [3].

Jan

[1] https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot
[2] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/rules.tmpl
[3] https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/u-boot/files/secure-boot.cfg

--
Siemens AG, Technology
Competence Center Embedded Linux
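The procedure described in the message above ends with a dtsi whose rsa,* properties U-Boot reads straight from the device tree at verify time rather than re-deriving them from the modulus, so a wrong r-squared or n0-inverse is only discovered when a signed image fails to boot. As an added example (not code from the patch, from Jan's script, or from U-Boot) here is a pure-Python round trip: emit a signature key node with the same property set, parse it back, and check that rsa,r-squared, rsa,n0-inverse, rsa,num-bits and algo are consistent with the modulus. The only facts taken from U-Boot are the property names and their definitions (R = 2^num-bits, r-squared = R^2 mod n, n0-inverse = -n^-1 mod 2^32, exponent as 64-bit big-endian); the modulus is a constructed odd 2048-bit integer rather than a real RSA key, and the function names, the regex reader and the problem strings are this example's own.

```python
#!/usr/bin/env python3
"""Added example (not part of the patch or of U-Boot): emit, parse and
cross-check a FIT-signature public-key node of the kind key2dtsi.py
produces. Key material below is constructed, not a real RSA key."""
import hashlib
import re

WORD = 1 << 32  # U-Boot's RSA verification works on 32-bit words


def constructed_modulus(bits=2048):
    """Deterministic odd integer of exactly `bits` bits. Constructed sample
    standing in for an RSA modulus: the checks below only need n odd."""
    raw = b"".join(hashlib.sha256(b"key2dtsi-example-%d" % i).digest()
                   for i in range(bits // 256))
    return int.from_bytes(raw, "big") | (1 << (bits - 1)) | 1


def dt_bytes(n, length=None):
    """Render an integer as the hex byte list that goes inside [ ... ]."""
    if length is None:
        length = (n.bit_length() + 7) // 8
    return " ".join("%02x" % b for b in n.to_bytes(length, "big"))


def key_node(name, n, e, hash_name="sha256", required=None):
    """Emit /signature/key-<name> with the constants U-Boot expects."""
    bits = n.bit_length()
    r_squared = pow(1 << bits, 2, n)          # R^2 mod n, R = 2^bits
    n0_inverse = (-pow(n, -1, WORD)) % WORD   # -n^-1 mod 2^32
    props = [
        'key-name-hint = "%s";' % name,
        'algo = "%s,rsa%d";' % (hash_name, bits),
        "rsa,num-bits = <%d>;" % bits,
        "rsa,modulus = [%s];" % dt_bytes(n),
        "rsa,exponent = [%s];" % dt_bytes(e, 8),  # 64-bit big-endian
        "rsa,r-squared = [%s];" % dt_bytes(r_squared),
        "rsa,n0-inverse = <0x%x>;" % n0_inverse,
    ]
    if required:                               # "conf" or "image"
        props.append('required = "%s";' % required)
    body = "".join("\t\t\t%s\n" % p for p in props)
    return "/ {\n\tsignature {\n\t\tkey-%s {\n%s\t\t};\n\t};\n};\n" % (name, body)


def parse_key_node(dtsi):
    """Minimal regex reader for the flat node above (not a general dts
    parser); returns the numeric properties as Python ints."""
    def byte_list(prop):
        m = re.search(r"%s = \[([0-9a-fA-F ]+)\];" % re.escape(prop), dtsi)
        return int(m.group(1).replace(" ", ""), 16)

    def cell(prop):
        m = re.search(r"%s = <(0x[0-9a-fA-F]+|\d+)>;" % re.escape(prop), dtsi)
        return int(m.group(1), 0)

    return {
        "algo": re.search(r'algo = "([^"]+)";', dtsi).group(1),
        "num_bits": cell("rsa,num-bits"),
        "n": byte_list("rsa,modulus"),
        "e": byte_list("rsa,exponent"),
        "r_squared": byte_list("rsa,r-squared"),
        "n0_inverse": cell("rsa,n0-inverse"),
    }


def check_key_node(k):
    """Return the list of inconsistencies; empty means every derived
    constant matches the modulus, which is what the boot-time verifier
    silently assumes when it uses them."""
    problems = []
    n, bits = k["n"], k["num_bits"]
    if n % 2 == 0:
        problems.append("modulus is even")
        return problems  # nothing below is defined for even n
    if n.bit_length() != bits:
        problems.append("modulus has %d bits, rsa,num-bits says %d"
                        % (n.bit_length(), bits))
    if not k["algo"].endswith(",rsa%d" % bits):
        problems.append("algo %r does not match rsa,num-bits" % k["algo"])
    if k["r_squared"] != pow(1 << bits, 2, n):
        problems.append("rsa,r-squared is not (2^num-bits)^2 mod n")
    if (k["n0_inverse"] * (n % WORD)) % WORD != WORD - 1:
        problems.append("rsa,n0-inverse * n[31:0] != -1 mod 2^32")
    if k["e"] not in (3, 65537):
        problems.append("unusual public exponent %d" % k["e"])
    return problems


if __name__ == "__main__":
    node = key_node("dev", constructed_modulus(), 65537, required="conf")
    print(node)
    print("problems:", check_key_node(parse_key_node(node)))
```

Running `check_key_node` over the dtsi that actually goes into CONFIG_DEVICE_TREE_INCLUDES (after extracting the modulus with any RSA library) is cheap insurance: a node that passes here will be used by the verifier exactly as written, and a node that fails would have turned every valid signature into a boot failure.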
Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
Hi Jan,

On Fri, 3 Feb 2023 at 23:35, Jan Kiszka wrote:
>
> On 04.02.23 01:20, Simon Glass wrote:
> > Hi Jan,
> >
> > On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
> >>
> >> From: Jan Kiszka
> >>
> >> Allows to create a public key device tree dtsi for inclusion into U-Boot
> >> SPL and proper during first build already. This can be achieved via
> >> CONFIG_DEVICE_TREE_INCLUDES.
> >>
> >> Signed-off-by: Jan Kiszka
> >> ---
> >>  tools/key2dtsi.py | 64 +++
> >>  1 file changed, 64 insertions(+)
> >>  create mode 100755 tools/key2dtsi.py
> >
> > Please can you build this into Binman instead? We really don't want
> > any more of these scripts. Perhaps you can add a new entry type?
> >
>
> I don't think you are requesting something that makes any sense:
>
> "Binman creates and manipulate *images* for a board from a set of binaries"

I mean that Binman can include a public key in the DT, if that is what
you are wanting. We don't want to add scripts for creating images and
pieces of images.

Perhaps I just don't understand the goal here. How would your script be used?

>
> Or is binman the new systemd?

Er, nope.

Regards,
Simon
Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
On 04.02.23 01:20, Simon Glass wrote:
> Hi Jan,
>
> On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
>>
>> From: Jan Kiszka
>>
>> Allows to create a public key device tree dtsi for inclusion into U-Boot
>> SPL and proper during first build already. This can be achieved via
>> CONFIG_DEVICE_TREE_INCLUDES.
>>
>> Signed-off-by: Jan Kiszka
>> ---
>>  tools/key2dtsi.py | 64 +++
>>  1 file changed, 64 insertions(+)
>>  create mode 100755 tools/key2dtsi.py
>
> Please can you build this into Binman instead? We really don't want
> any more of these scripts. Perhaps you can add a new entry type?
>

I don't think you are requesting something that makes any sense:

"Binman creates and manipulate *images* for a board from a set of binaries"

Or is binman the new systemd?

Jan

--
Siemens AG, Technology
Competence Center Embedded Linux
Re: [PATCH V5 07/12] tools: Add script for converting public key into device tree include
Hi Jan,

On Fri, 3 Feb 2023 at 05:29, Jan Kiszka wrote:
>
> From: Jan Kiszka
>
> Allows to create a public key device tree dtsi for inclusion into U-Boot
> SPL and proper during first build already. This can be achieved via
> CONFIG_DEVICE_TREE_INCLUDES.
>
> Signed-off-by: Jan Kiszka
> ---
>  tools/key2dtsi.py | 64 +++
>  1 file changed, 64 insertions(+)
>  create mode 100755 tools/key2dtsi.py

Please can you build this into Binman instead? We really don't want
any more of these scripts. Perhaps you can add a new entry type?

Regards,
Simon
[PATCH V5 07/12] tools: Add script for converting public key into device tree include
From: Jan Kiszka

Allows to create a public key device tree dtsi for inclusion into U-Boot
SPL and proper during first build already. This can be achieved via
CONFIG_DEVICE_TREE_INCLUDES.

Signed-off-by: Jan Kiszka
---
 tools/key2dtsi.py | 64 +++
 1 file changed, 64 insertions(+)
 create mode 100755 tools/key2dtsi.py

diff --git a/tools/key2dtsi.py b/tools/key2dtsi.py
new file mode 100755
index 000..1dbb2cc94bf
--- /dev/null
+++ b/tools/key2dtsi.py
@@ -0,0 +1,64 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: GPL-2.0-only +# +# Public key to dtsi converter. +# +# Copyright (c) Siemens AG, 2022 +# + +from argparse import ArgumentParser, FileType +from os.path import basename, splitext +from Cryptodome.PublicKey import RSA +from Cryptodome.Util.number import inverse + +def int_to_bytestr(n, length=None): +if not length: +length = (n.bit_length() + 7) // 8 +byte_array = n.to_bytes(length, 'big') +return ' '.join(['{:02x}'.format(byte) for byte in byte_array]) + +ap = ArgumentParser(description='Public key to dtsi converter') + +ap.add_argument('--hash', '-H', default='sha256', +help='hash to be used with key (default: sha256)') +ap.add_argument('--required-conf', '-c', action='store_true', +help='mark key required for configuration') +ap.add_argument('--required-image', '-i', action='store_true', +help='mark key required for image') +ap.add_argument('--spl', '-s', action='store_true', +help='mark key for usage in SPL') +ap.add_argument('key_file', metavar='KEY_FILE', type=FileType('r'), +help='key file (formats: X.509, PKCS#1, OpenSSH)') +ap.add_argument('dtsi_file', metavar='DTSI_FILE', type=FileType('w'), +help='dtsi output file') + +args = ap.parse_args() + +key_name, _ = splitext(basename(args.key_file.name)) + +key_data = args.key_file.read() +key = RSA.importKey(key_data) + +r_squared = (2**key.size_in_bits())**2 % key.n +n0_inverse = 2**32 - inverse(key.n, 2**32) + +out = args.dtsi_file +out.write('/ {\n') +out.write('\tsignature {\n') +out.write('\t\tkey-{} {{\n'.format(key_name)) +out.write('\t\t\tkey-name-hint = "{}";\n'.format(key_name)) +out.write('\t\t\talgo = "{},rsa{}";\n'.format(args.hash, key.size_in_bits())) +out.write('\t\t\trsa,num-bits = <{}>;\n'.format(key.size_in_bits())) +out.write('\t\t\trsa,modulus = [{}];\n'.format(int_to_bytestr(key.n))) +out.write('\t\t\trsa,exponent = [{}];\n'.format(int_to_bytestr(key.e, 8))) +out.write('\t\t\trsa,r-squared = 
[{}];\n'.format(int_to_bytestr(r_squared))) +out.write('\t\t\trsa,n0-inverse = <0x{:x}>;\n'.format(n0_inverse)) +if args.required_conf: +out.write('\t\t\trequired = "conf";\n') +elif args.required_image: +out.write('\t\t\trequired = "image";\n') +if args.spl: +out.write('\t\t\tu-boot,dm-spl;\n') +out.write('\t\t};\n') +out.write('\t};\n') +out.write('};\n') -- 2.35.3
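Review bot: the `if args.required_conf: ... elif args.required_image:` chain at the end of the hunk makes the two `--required-*` flags silently exclusive, so `-c -i` together emits only `required = "conf";` and the caller never learns that the image policy was dropped; declare them in an `argparse` mutually exclusive group, or fail loudly when both are given. Smaller points in the same hunk: `key_file` is opened with `FileType('r')`, i.e. text mode, so the DER form of the X.509 and PKCS#1 inputs the help text advertises is likely to fail with a decode error before `RSA.importKey` ever sees it (open it as `FileType('rb')`; `importKey` accepts both PEM and DER bytes). `RSA.importKey` also accepts a private key, and since only `key.n` and `key.e` are read the script gives no sign that it was fed one, so a `key.has_private()` warning would help catch private key material that should never be on the build host. `--hash` is interpolated into `algo` unchecked, so a typo is only caught by U-Boot at verify time rather than at build time. Finally, `from Cryptodome...` requires the pycryptodomex package specifically (pycryptodome installs the `Crypto` namespace), and neither that dependency nor the script's usage is documented in this patch.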