Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
Hi Kever,

On Tue, 7 Jul 2020 at 06:01, Kever Yang wrote:
>
> Hi Simon,
>
> On 2020/6/26 9:12 AM, Simon Glass wrote:
> > Hi Heiko,
> >
> > On Fri, 19 Jun 2020 at 04:45, Heiko Stuebner wrote:
> >> From: Heiko Stuebner
> >>
> >> If the newly added fit-generator key-options are found, append needed
> >> signature nodes to all generated image blocks, so that they can get
> >> signed when mkimage later compiles the .itb from the generated .its.
> >>
> >> Signed-off-by: Heiko Stuebner
> >> ---
> >> arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
> >> 1 file changed, 56 insertions(+), 1 deletion(-)
> > We have to stop the growth of these ad-hoc scripts or U-Boot will
> > become a tangled mess of vendor-specific scripts.
> >
> > I sent a series to convert more of rockchip to use binman. Can you
> > please take a look at that?
> >
> > It deletes the fit_spl_optee.sh script. We need to delete make_fit_atf as
> > well.
>
> The fit_spl_optee.sh is much simpler because it uses optee.bin
> directly for u-boot.itb, while make_fit_atf
> needs to parse bl31.elf and get the start address for the different blobs.
> Any suggestion on how this
> could be implemented in binman?

See for example elf.GetSymbolAddress() which reads an ELF symbol value.
This is used in the u-boot-spl-bss-pad entry. It should be pretty simple.

You can create new entry types (in the etypes/ dir) to do all sorts of
things fairly easily.

Regards,
Simon
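The parsing step Kever describes (read bl31.elf, find the physical address of each loadable blob) is small in plain Python. The block below is an added example, not binman's code and not make_fit_atf.py's own unpack_elf(): it walks the ELF64 program headers, extracts every PT_LOAD segment with file data, bounds-checks the offsets so a truncated or crafted ELF raises instead of yielding short blobs, and derives the per-blob image-node plan (name, load address, and entry on the segment that contains the entry point). The sample ELF is constructed inline and is not a real BL31; the function names are assumptions of this example.

```python
"""Extract PT_LOAD segments and the entry point from an ELF64 little-endian file."""
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
EM_AARCH64 = 183
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes


def load_segments(elf):
    """Return (entry, [(paddr, bytes), ...]) for each PT_LOAD that has file data.
    Every offset is checked against len(elf) so a truncated or crafted file
    raises ValueError rather than silently producing short blobs."""
    if len(elf) < struct.calcsize(EHDR_FMT) or elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:  # EI_CLASS must be ELFCLASS64, EI_DATA ELFDATA2LSB
        raise ValueError("only little-endian ELF64 is handled")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    entry, phoff, phentsize, phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    if phentsize < struct.calcsize(PHDR_FMT) or phoff + phnum * phentsize > len(elf):
        raise ValueError("program header table out of bounds")
    segments = []
    for i in range(phnum):
        p_type, _flags, p_offset, _vaddr, p_paddr, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, elf, phoff + i * phentsize)
        if p_type != PT_LOAD or p_filesz == 0:
            continue  # PT_NOTE etc., or a .bss-only segment with nothing in the file
        if p_offset + p_filesz > len(elf):
            raise ValueError("PT_LOAD %d extends past end of file" % i)
        segments.append((p_paddr, elf[p_offset:p_offset + p_filesz]))
    return entry, segments


def fit_image_plan(elf):
    """One dict per loadable blob, named the way the generated .its refers to
    it; 'entry' is recorded only on the segment that contains the entry point."""
    entry, segments = load_segments(elf)
    plan = []
    for paddr, blob in segments:
        node = {"name": "bl31_0x%08x.bin" % paddr, "load": paddr, "size": len(blob)}
        if paddr <= entry < paddr + len(blob):
            node["entry"] = entry
        plan.append(node)
    return plan


def build_sample_elf():
    """Constructed two-segment ELF64/AArch64 image for the example: a few NOPs
    at the entry address plus a second PT_LOAD at a different physical address.
    It is not a real BL31 and does nothing if executed."""
    entry = 0x00040000
    blobs = [(0x00040000, b"\x1f\x20\x03\xd5" * 4),  # AArch64 NOP, little-endian
             (0xff8c0000, b"\xaa" * 8)]
    ehsz, phsz = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
    data_off = ehsz + phsz * len(blobs)
    phdrs, body = b"", b""
    for paddr, blob in blobs:
        phdrs += struct.pack(PHDR_FMT, PT_LOAD, 5, data_off + len(body),
                             paddr, paddr, len(blob), len(blob), 0x1000)
        body += blob
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1, SYSV ABI
    ehdr = struct.pack(EHDR_FMT, ident, 2, EM_AARCH64, 1, entry, ehsz, 0, 0,
                       ehsz, phsz, len(blobs), 0, 0, 0)
    return ehdr + phdrs + body


if __name__ == "__main__":
    for node in fit_image_plan(build_sample_elf()):
        print(node)
```

Binman's elf module reads symbol values rather than program headers, which is the right tool when a single address such as a BSS end is wanted; for a multi-segment BL31 the program headers are what carry the per-blob physical load addresses, so that is what a binman entry type replacing make_fit_atf would have to read.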
Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
Hi Simon,

On 2020/6/26 9:12 AM, Simon Glass wrote:
> Hi Heiko,
>
> On Fri, 19 Jun 2020 at 04:45, Heiko Stuebner wrote:
>> From: Heiko Stuebner
>>
>> If the newly added fit-generator key-options are found, append needed
>> signature nodes to all generated image blocks, so that they can get
>> signed when mkimage later compiles the .itb from the generated .its.
>>
>> Signed-off-by: Heiko Stuebner
>> ---
>> arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
>> 1 file changed, 56 insertions(+), 1 deletion(-)
> We have to stop the growth of these ad-hoc scripts or U-Boot will
> become a tangled mess of vendor-specific scripts.
>
> I sent a series to convert more of rockchip to use binman. Can you
> please take a look at that?
>
> It deletes the fit_spl_optee.sh script. We need to delete make_fit_atf as
> well.

The fit_spl_optee.sh is much simpler because it uses optee.bin
directly for u-boot.itb, while make_fit_atf
needs to parse bl31.elf and get the start address for the different blobs.
Any suggestion on how this
could be implemented in binman?

Thanks,
- Kever

> Regards,
> Simon
Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
On Tue, Jun 30, 2020 at 02:46:51PM +0200, Heiko Stübner wrote: > Hi Tom, > > Am Dienstag, 30. Juni 2020, 14:36:40 CEST schrieb Tom Rini: > > On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote: > > > > > From: Heiko Stuebner > > > > > > If the newly added fit-generator key-options are found, append needed > > > signature nodes to all generated image blocks, so that they can get > > > signed when mkimage later compiles the .itb from the generated .its. > > > > > > Signed-off-by: Heiko Stuebner > > > > First, I want to echo what Simon said. We need to move towards having > > less ad-hoc scripts for these kind of final modifiers. > > looking at Simon's binman series is on my todo list, so yes I do agree > with you :-) . OK, thanks. > > > --- > > > arch/arm/mach-rockchip/make_fit_atf.py | 57 +- > > > 1 file changed, 56 insertions(+), 1 deletion(-) > > > > > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py > > > b/arch/arm/mach-rockchip/make_fit_atf.py > > > index d15c32b303..de7dc19d11 100755 > > > --- a/arch/arm/mach-rockchip/make_fit_atf.py > > > +++ b/arch/arm/mach-rockchip/make_fit_atf.py 
> > > @@ -14,6 +14,14 @@ import sys > > > import getopt > > > import logging > > > import struct > > > +try: > > > + # in python3 Cryptodome succeeds Crypto > > > + import Cryptodome > > > + from Cryptodome.PublicKey import RSA > > > +except: > > > + import Crypto > > > + from Crypto.PublicKey import RSA > > > > Is it that older python3 would support "Cryto" not "Cryptodome" or > > python2? If the latter, we should just drop it. We do however need to > > document, and should try and be user friendly about catching the > > failure, that we now need the pycrypto module installed. Thanks! > > python3 only seems to have Cryptodome, while python2 only seems to > have Crypto. And with for example Debian's default python is still being > python2 for a bit longer, I wanted to support both, especially as it it > works like a drop-in replacement. I don't _think_ we worry about running on distros where we can't say /usr/bin/env python3 at this point so I'd rather not add more python2 compatibility code. -- Tom signature.asc Description: PGP signature
Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
Hi Tom, Am Dienstag, 30. Juni 2020, 14:36:40 CEST schrieb Tom Rini: > On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote: > > > From: Heiko Stuebner > > > > If the newly added fit-generator key-options are found, append needed > > signature nodes to all generated image blocks, so that they can get > > signed when mkimage later compiles the .itb from the generated .its. > > > > Signed-off-by: Heiko Stuebner > > First, I want to echo what Simon said. We need to move towards having > less ad-hoc scripts for these kind of final modifiers. looking at Simon's binman series is on my todo list, so yes I do agree with you :-) . > > --- > > arch/arm/mach-rockchip/make_fit_atf.py | 57 +- > > 1 file changed, 56 insertions(+), 1 deletion(-) > > > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py > > b/arch/arm/mach-rockchip/make_fit_atf.py > > index d15c32b303..de7dc19d11 100755 > > --- a/arch/arm/mach-rockchip/make_fit_atf.py > > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > > @@ -14,6 +14,14 @@ import sys > > import getopt > > import logging > > import struct > > +try: > > + # in python3 Cryptodome succeeds Crypto > > + import Cryptodome > > + from Cryptodome.PublicKey import RSA > > +except: > > + import Crypto > > + from Crypto.PublicKey import RSA > > Is it that older python3 would support "Cryto" not "Cryptodome" or > python2? If the latter, we should just drop it. We do however need to > document, and should try and be user friendly about catching the > failure, that we now need the pycrypto module installed. Thanks! python3 only seems to have Cryptodome, while python2 only seems to have Crypto. And with for example Debian's default python is still being python2 for a bit longer, I wanted to support both, especially as it it works like a drop-in replacement. Heiko
Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote: > From: Heiko Stuebner > > If the newly added fit-generator key-options are found, append needed > signature nodes to all generated image blocks, so that they can get > signed when mkimage later compiles the .itb from the generated .its. > > Signed-off-by: Heiko Stuebner First, I want to echo what Simon said. We need to move towards having less ad-hoc scripts for these kind of final modifiers. > --- > arch/arm/mach-rockchip/make_fit_atf.py | 57 +- > 1 file changed, 56 insertions(+), 1 deletion(-) > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py > b/arch/arm/mach-rockchip/make_fit_atf.py > index d15c32b303..de7dc19d11 100755 > --- a/arch/arm/mach-rockchip/make_fit_atf.py > +++ b/arch/arm/mach-rockchip/make_fit_atf.py > @@ -14,6 +14,14 @@ import sys > import getopt > import logging > import struct > +try: > + # in python3 Cryptodome succeeds Crypto > + import Cryptodome > + from Cryptodome.PublicKey import RSA > +except: > + import Crypto > + from Crypto.PublicKey import RSA Is it that older python3 would support "Cryto" not "Cryptodome" or python2? If the latter, we should just drop it. We do however need to document, and should try and be user friendly about catching the failure, that we now need the pycrypto module installed. Thanks! -- Tom signature.asc Description: PGP signature
Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
Hi Heiko,

On Fri, 19 Jun 2020 at 04:45, Heiko Stuebner wrote:
>
> From: Heiko Stuebner
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner
> ---
> arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
> 1 file changed, 56 insertions(+), 1 deletion(-)

We have to stop the growth of these ad-hoc scripts or U-Boot will
become a tangled mess of vendor-specific scripts.

I sent a series to convert more of rockchip to use binman. Can you
please take a look at that?

It deletes the fit_spl_optee.sh script. We need to delete make_fit_atf as
well.

Regards,
Simon
[PATCH v4 6/6] rockchip: make_fit_atf: add signature handling
From: Heiko Stuebner If the newly added fit-generator key-options are found, append needed signature nodes to all generated image blocks, so that they can get signed when mkimage later compiles the .itb from the generated .its. Signed-off-by: Heiko Stuebner --- arch/arm/mach-rockchip/make_fit_atf.py | 57 +- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py index d15c32b303..de7dc19d11 100755 --- a/arch/arm/mach-rockchip/make_fit_atf.py +++ b/arch/arm/mach-rockchip/make_fit_atf.py @@ -14,6 +14,14 @@ import sys import getopt import logging import struct +try: + # in python3 Cryptodome succeeds Crypto + import Cryptodome + from Cryptodome.PublicKey import RSA +except: + import Crypto + from Crypto.PublicKey import RSA + DT_HEADER = """ /* @@ -37,7 +45,9 @@ DT_UBOOT = """ arch = "arm64"; compression = "none"; load = <0x%08x>; - }; +""" + +DT_UBOOT_NODE_END = """}; """ 
@@ -47,6 +57,46 @@ DT_IMAGES_NODE_END = """ }; DT_END = "};" +def append_signature(file): +if not os.path.exists("u-boot.cfg"): +return + +config = {} +with open("u-boot.cfg") as fd: +for line in fd: +line = line.strip() +values = line[8:].split(' ', 1) +if len(values) > 1: +key, value = values +value = value.strip('"') +else: +key = values[0] +value = '1' +if not key.startswith('CONFIG_'): +continue +config[key] = value + +try: +keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"] +except KeyError: +return + +try: +keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint) +except KeyError: +keyfile = keyhint + +if not os.path.exists('%s.key' % keyfile): +return + +f = open('%s.key' % keyfile,'r') +key = RSA.importKey(f.read()) + +file.write('\t\t\tsignature {\n') +file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length()) +file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint) +file.write('\t\t\t};\n') + def append_bl31_node(file, atf_index, phy_addr, elf_entry): # Append BL31 DT node to input FIT dts file. data = 'bl31_0x%08x.bin' % phy_addr @@ -60,6 +110,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) if atf_index == 1: file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) +append_signature(file); file.write('\t\t};\n') file.write('\n') @@ -75,6 +126,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry): file.write('\t\t\tcompression = "none";\n') file.write('\t\t\tload = <0x%08x>;\n' % phy_addr) file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry) +append_signature(file); file.write('\t\t};\n') file.write('\n') @@ -88,6 +140,7 @@ def append_fdt_node(file, dtbs): file.write('\t\t\tdata = /incbin/("%s");\n' % dtb) file.write('\t\t\ttype = "flat_dt";\n') file.write('\t\t\tcompression = "none";\n') +append_signature(file); file.write('\t\t};\n') file.write('\n') cnt = cnt + 1 
@@ -129,6 +182,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name): raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name) index, entry, p_paddr, data = segments[0] fit_file.write(DT_UBOOT % p_paddr) +append_signature(fit_file) +fit_file.write(DT_UBOOT_NODE_END) def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name): segments = unpack_elf(bl31_file_name) -- 2.26.2
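Review bot: in the import hunk (`@@ -14,6 +14,14 @@`) the bare `except:` catches every exception, not only ImportError, and when neither package is installed the user gets a traceback about `Crypto` that says nothing about what to install. Use `except ImportError:` and, on the second failure, exit with a message naming the dependency, as Tom asked. The comment "in python3 Cryptodome succeeds Crypto" is also a misleading dependency hint: the `Cryptodome` namespace is what pycryptodomex installs (and what some distro builds choose), while pycryptodome from PyPI installs as `Crypto` on Python 3 as well, so the documentation should name the package that is expected rather than the Python version.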
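Review bot: in the DT_UBOOT hunk (`@@ -37,7 +45,9 @@`) the new `DT_UBOOT_NODE_END = """};` string drops the indentation the removed `};` line carried inside DT_UBOOT, so the u-boot image node now closes at column 0 while the bl31, tee and fdt nodes close with `\t\t};`. dtc does not mind, but the generated .its is meant to be read by people; keep the same indentation as the other node writers.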
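Review bot: in the append_signature() hunk (`@@ -47,6 +57,46 @@`) every failure path is a silent `return`: no u-boot.cfg, no CONFIG_SPL_FIT_GENERATOR_KEY_HINT, or a hint that is set but whose `%s.key` file does not exist. The last case means a build that is configured for signing emits an .its with no signature nodes and mkimage then produces an unsigned .itb without complaint; a missing or unreadable key for a configured hint should be a hard error (print the path and sys.exit(1)). Two smaller points in the same hunk: `line[8:]` assumes every line starts with `#define ` and only the later `startswith('CONFIG_')` test keeps the garbage out, so splitting the line and checking the `#define` token is clearer; and `f = open('%s.key' % keyfile,'r')` is never closed, use `with open(...) as f:`. Finally, signature nodes are added to image nodes only and no signature is added under `configurations`, so each image verifies on its own but the set of images is not bound together, which doc/uImage.FIT/signature.txt recommends for verified boot; say in the commit message whether image-only signing is intended.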
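Review bot: in the append_bl31_node hunk (`@@ -60,6 +110,7 @@`) the new `append_signature(file);` line carries a trailing semicolon, and the same appears in the append_tee_node and append_fdt_node hunks; harmless in Python but not idiomatic, drop it. More importantly, each of these calls re-reads u-boot.cfg and re-parses the RSA key, once per image node (the u-boot node in `@@ -129,6 +182,8 @@` makes a further call); resolve the key hint and modulus size once, at module level or in main(), and pass the resulting algo and hint strings to the node writers.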
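The mechanism the commit message describes (read the key options out of u-boot.cfg, size the RSA modulus, emit a `signature` node per image) as an added example that is not the patch's code and not U-Boot's: it parses `#define CONFIG_...` lines, reads the modulus bit length straight out of a PKCS#1 PEM with a minimal DER walk so that no third-party crypto package is needed, and treats a configured key hint whose key file is missing as an error instead of silently emitting an unsigned image. The config text and the PEM are constructed inline; the PEM holds a placeholder 2048-bit modulus and is not a usable key, only its size is read. Function names and the `read_key` callback are assumptions of this example.

```python
"""Emit a FIT image-node 'signature' block from U-Boot's u-boot.cfg, failing
loudly when signing is configured but the key cannot be found."""
import base64
import os
import re


def parse_uboot_cfg(text):
    """Turn '#define CONFIG_FOO "bar"', '#define CONFIG_FOO 1' and bare
    '#define CONFIG_FOO' lines into a dict; everything else is ignored."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'#define\s+(CONFIG_\w+)(?:\s+(.*))?$', line.strip())
        if m:
            value = m.group(2)
            cfg[m.group(1)] = value.strip().strip('"') if value else "1"
    return cfg


def _der_tlv(tag, body):
    """DER tag-length-value with short-form or two-byte long-form length."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xff])
    return bytes([tag]) + length + body


def _der_int(value):
    """DER INTEGER for a positive value; the extra byte keeps a set top bit
    from being read as a sign bit."""
    return _der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7f
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem_text):
    """Modulus bit length of a PKCS#1 'RSA PUBLIC KEY' or 'RSA PRIVATE KEY' PEM."""
    m = re.search(r"-----BEGIN RSA (PUBLIC|PRIVATE) KEY-----(.*?)-----END RSA \1 KEY-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("expected a PKCS#1 PEM RSA key")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("bad DER: outer SEQUENCE missing")
    tag, value, pos = _der_read(seq, 0)
    if m.group(1) == "PRIVATE":  # RSAPrivateKey begins with a version INTEGER
        tag, value, pos = _der_read(seq, pos)
    if tag != 0x02:
        raise ValueError("bad DER: modulus INTEGER missing")
    return int.from_bytes(value, "big").bit_length()


def signature_node(cfg, read_key):
    """Return the 'signature { ... };' text for one image node, or '' when the
    build is not configured for signing. read_key(path) returns PEM text, or
    None if the file does not exist. A configured hint with no key file is an
    error, never a silent fall-back to an unsigned image."""
    hint = cfg.get("CONFIG_SPL_FIT_GENERATOR_KEY_HINT")
    if hint is None:
        return ""
    keyfile = os.path.join(cfg.get("CONFIG_SPL_FIT_SIGNATURE_KEY_DIR", ""), hint) + ".key"
    pem = read_key(keyfile)
    if pem is None:
        raise RuntimeError("signing configured with key hint %r but %s is missing"
                           % (hint, keyfile))
    bits = rsa_modulus_bits(pem)
    return ("\t\t\tsignature {\n"
            '\t\t\t\talgo = "sha256,rsa%d";\n' % bits +
            '\t\t\t\tkey-name-hint = "%s";\n' % hint +
            "\t\t\t};\n")


# Constructed sample inputs for the example: the PEM carries a placeholder
# 2048-bit modulus and is not a usable RSA key; only its size is read.
SAMPLE_PEM = ("-----BEGIN RSA PUBLIC KEY-----\n"
              + base64.b64encode(_der_tlv(0x30, _der_int((1 << 2047) | 0x10001)
                                          + _der_int(65537))).decode()
              + "\n-----END RSA PUBLIC KEY-----\n")
SAMPLE_CFG = """#define CONFIG_SPL_FIT_GENERATOR_KEY_HINT "dev"
#define CONFIG_SPL_FIT_SIGNATURE_KEY_DIR "keys"
#define CONFIG_SPL_FIT_SIGNATURE 1
#define CONFIG_ARM64
"""


def demo():
    """Resolve the hint from SAMPLE_CFG against an in-memory key store."""
    cfg = parse_uboot_cfg(SAMPLE_CFG)
    store = {os.path.join("keys", "dev.key"): SAMPLE_PEM}
    return signature_node(cfg, store.get)


if __name__ == "__main__":
    print(demo(), end="")
```

The same `signature_node()` text would be written once per image node; the key is parsed once and the result reused. Passing a `read_key` callback rather than touching the filesystem directly is what makes the missing-key path testable without a real key directory.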