Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling [Please note: this email was sent by s...@google.com on behalf of the sender]

2020-07-09 Thread Simon Glass
Hi Kever,

On Tue, 7 Jul 2020 at 06:01, Kever Yang  wrote:
>
> Hi Simon,
>
> On 2020/6/26 9:12 AM, Simon Glass wrote:
> > Hi Heiko,
> >
> > On Fri, 19 Jun 2020 at 04:45, Heiko Stuebner  wrote:
> >> From: Heiko Stuebner 
> >>
> >> If the newly added fit-generator key-options are found, append needed
> >> signature nodes to all generated image blocks, so that they can get
> >> signed when mkimage later compiles the .itb from the generated .its.
> >>
> >> Signed-off-by: Heiko Stuebner 
> >> ---
> >>   arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
> >>   1 file changed, 56 insertions(+), 1 deletion(-)
> > We have to stop the growth of these ad-hoc scripts or U-Boot will
> > become a tangled mess of vendor-specific scripts.
> >
> > I sent a series to convert more of rockchip to use binman. Can you
> > please take a look at that?
> >
> > It deletes the fit_spl_optee.sh script. We need to delete make_fit_atf as 
> > well.
>
> The fit_spl_optee.sh is much more simple because it uses optee.bin
> directly for u-boot.itb, while make_fit_atf needs to parse bl31.elf
> and get the start address for different blob. Any suggestion on how
> this could be implemented in binman?

See for example elf.GetSymbolAddress() which reads an ELF symbol
value. This is used in the u-boot-spl-bss-pad entry. It should be
pretty simple.

You can create new entry types (in the etypes/) dir to do all sorts of
things fairly easily.

Regards,
Simon


Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling [Please note: this email was sent by s...@google.com on behalf of the sender]

2020-07-07 Thread Kever Yang

Hi Simon,

On 2020/6/26 9:12 AM, Simon Glass wrote:
> Hi Heiko,
>
> On Fri, 19 Jun 2020 at 04:45, Heiko Stuebner wrote:
>> From: Heiko Stuebner
>>
>> If the newly added fit-generator key-options are found, append needed
>> signature nodes to all generated image blocks, so that they can get
>> signed when mkimage later compiles the .itb from the generated .its.
>>
>> Signed-off-by: Heiko Stuebner
>> ---
>>   arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
>>   1 file changed, 56 insertions(+), 1 deletion(-)
> We have to stop the growth of these ad-hoc scripts or U-Boot will
> become a tangled mess of vendor-specific scripts.
>
> I sent a series to convert more of rockchip to use binman. Can you
> please take a look at that?
>
> It deletes the fit_spl_optee.sh script. We need to delete make_fit_atf as well.

The fit_spl_optee.sh is much more simple because it uses optee.bin
directly for u-boot.itb, while make_fit_atf needs to parse bl31.elf
and get the start address for different blob. Any suggestion on how
this could be implemented in binman?

Thanks,

- Kever

> Regards,
> Simon


Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling

2020-06-30 Thread Tom Rini
On Tue, Jun 30, 2020 at 02:46:51PM +0200, Heiko Stübner wrote:
> Hi Tom,
> 
> On Tuesday, 30 June 2020, 14:36:40 CEST, Tom Rini wrote:
> > On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote:
> > 
> > > From: Heiko Stuebner 
> > > 
> > > If the newly added fit-generator key-options are found, append needed
> > > signature nodes to all generated image blocks, so that they can get
> > > signed when mkimage later compiles the .itb from the generated .its.
> > > 
> > > Signed-off-by: Heiko Stuebner 
> > 
> > First, I want to echo what Simon said.  We need to move towards having
> > less ad-hoc scripts for these kind of final modifiers.
> 
> looking at Simon's binman series is on my todo list, so yes I do agree
> with you :-) .

OK, thanks.

> > > ---
> > >  arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
> > >  1 file changed, 56 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py 
> > > b/arch/arm/mach-rockchip/make_fit_atf.py
> > > index d15c32b303..de7dc19d11 100755
> > > --- a/arch/arm/mach-rockchip/make_fit_atf.py
> > > +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> > > @@ -14,6 +14,14 @@ import sys
> > >  import getopt
> > >  import logging
> > >  import struct
> > > +try:
> > > + # in python3 Cryptodome succeeds Crypto
> > > + import Cryptodome
> > > + from Cryptodome.PublicKey import RSA
> > > +except:
> > > + import Crypto
> > > + from Crypto.PublicKey import RSA
> > 
> > Is it that older python3 would support "Crypto" not "Cryptodome"  or
> > python2?  If the latter, we should just drop it.  We do however need to
> > document, and should try and be user friendly about catching the
> > failure, that we now need the pycrypto module installed.  Thanks!
> 
> python3 only seems to have Cryptodome, while python2 only seems to
> have Crypto. And with for example Debian's default python is still being
> python2 for a bit longer, I wanted to support both, especially as it
> works like a drop-in replacement.

I don't _think_ we worry about running on distros where we can't say
/usr/bin/env python3 at this point so I'd rather not add more python2
compatibility code.

-- 
Tom




Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling

2020-06-30 Thread Heiko Stübner
Hi Tom,

On Tuesday, 30 June 2020, 14:36:40 CEST, Tom Rini wrote:
> On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote:
> 
> > From: Heiko Stuebner 
> > 
> > If the newly added fit-generator key-options are found, append needed
> > signature nodes to all generated image blocks, so that they can get
> > signed when mkimage later compiles the .itb from the generated .its.
> > 
> > Signed-off-by: Heiko Stuebner 
> 
> First, I want to echo what Simon said.  We need to move towards having
> less ad-hoc scripts for these kind of final modifiers.

looking at Simon's binman series is on my todo list, so yes I do agree
with you :-) .

> > ---
> >  arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
> >  1 file changed, 56 insertions(+), 1 deletion(-)
> > 
> > diff --git a/arch/arm/mach-rockchip/make_fit_atf.py 
> > b/arch/arm/mach-rockchip/make_fit_atf.py
> > index d15c32b303..de7dc19d11 100755
> > --- a/arch/arm/mach-rockchip/make_fit_atf.py
> > +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> > @@ -14,6 +14,14 @@ import sys
> >  import getopt
> >  import logging
> >  import struct
> > +try:
> > +   # in python3 Cryptodome succeeds Crypto
> > +   import Cryptodome
> > +   from Cryptodome.PublicKey import RSA
> > +except:
> > +   import Crypto
> > +   from Crypto.PublicKey import RSA
> 
> Is it that older python3 would support "Crypto" not "Cryptodome"  or
> python2?  If the latter, we should just drop it.  We do however need to
> document, and should try and be user friendly about catching the
> failure, that we now need the pycrypto module installed.  Thanks!

python3 only seems to have Cryptodome, while python2 only seems to
have Crypto. And with for example Debian's default python is still being
python2 for a bit longer, I wanted to support both, especially as it
works like a drop-in replacement.

Heiko





Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling

2020-06-30 Thread Tom Rini
On Fri, Jun 19, 2020 at 12:45:50PM +0200, Heiko Stuebner wrote:

> From: Heiko Stuebner 
> 
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
> 
> Signed-off-by: Heiko Stuebner 

First, I want to echo what Simon said.  We need to move towards having
less ad-hoc scripts for these kind of final modifiers.

> ---
>  arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
>  1 file changed, 56 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/arm/mach-rockchip/make_fit_atf.py 
> b/arch/arm/mach-rockchip/make_fit_atf.py
> index d15c32b303..de7dc19d11 100755
> --- a/arch/arm/mach-rockchip/make_fit_atf.py
> +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> @@ -14,6 +14,14 @@ import sys
>  import getopt
>  import logging
>  import struct
> +try:
> + # in python3 Cryptodome succeeds Crypto
> + import Cryptodome
> + from Cryptodome.PublicKey import RSA
> +except:
> + import Crypto
> + from Crypto.PublicKey import RSA

Is it that older python3 would support "Crypto" not "Cryptodome"  or
python2?  If the latter, we should just drop it.  We do however need to
document, and should try and be user friendly about catching the
failure, that we now need the pycrypto module installed.  Thanks!

-- 
Tom




Re: [PATCH v4 6/6] rockchip: make_fit_atf: add signature handling

2020-06-25 Thread Simon Glass
Hi Heiko,

On Fri, 19 Jun 2020 at 04:45, Heiko Stuebner  wrote:
>
> From: Heiko Stuebner 
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner 
> ---
>  arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
>  1 file changed, 56 insertions(+), 1 deletion(-)

We have to stop the growth of these ad-hoc scripts or U-Boot will
become a tangled mess of vendor-specific scripts.

I sent a series to convert more of rockchip to use binman. Can you
please take a look at that?

It deletes the fit_spl_optee.sh script. We need to delete make_fit_atf as well.

Regards,
Simon


[PATCH v4 6/6] rockchip: make_fit_atf: add signature handling

2020-06-19 Thread Heiko Stuebner
From: Heiko Stuebner 

If the newly added fit-generator key-options are found, append needed
signature nodes to all generated image blocks, so that they can get
signed when mkimage later compiles the .itb from the generated .its.

Signed-off-by: Heiko Stuebner 
---
 arch/arm/mach-rockchip/make_fit_atf.py | 57 +-
 1 file changed, 56 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-rockchip/make_fit_atf.py 
b/arch/arm/mach-rockchip/make_fit_atf.py
index d15c32b303..de7dc19d11 100755
--- a/arch/arm/mach-rockchip/make_fit_atf.py
+++ b/arch/arm/mach-rockchip/make_fit_atf.py
@@ -14,6 +14,14 @@ import sys
 import getopt
 import logging
 import struct
+try:
+   # in python3 Cryptodome succeeds Crypto
+   import Cryptodome
+   from Cryptodome.PublicKey import RSA
+except:
+   import Crypto
+   from Crypto.PublicKey import RSA
+
 
 DT_HEADER = """
 /*
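Review bot: the bare 'except:' around the Cryptodome import catches every exception, not only a missing module, and because the import sits at module level the script now fails with a raw traceback from the fallback import when neither package is installed, even for builds that never sign anything. Use 'except ImportError:' and either move the import into the signing path or exit with a message that names the required package. The plain 'import Cryptodome' and 'import Crypto' lines are not needed, since only RSA is used.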
@@ -37,7 +45,9 @@ DT_UBOOT = """
arch = "arm64";
compression = "none";
load = <0x%08x>;
-   };
+"""
+
+DT_UBOOT_NODE_END = """};
 
 """
 
@@ -47,6 +57,46 @@ DT_IMAGES_NODE_END = """ };
 
 DT_END = "};"
 
+def append_signature(file):
+if not os.path.exists("u-boot.cfg"):
+return
+
+config = {}
+with open("u-boot.cfg") as fd:
+for line in fd:
+line = line.strip()
+values = line[8:].split(' ', 1)
+if len(values) > 1:
+key, value = values
+value = value.strip('"')
+else:
+key = values[0]
+value = '1'
+if not key.startswith('CONFIG_'):
+continue
+config[key] = value
+
+try:
+keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
+except KeyError:
+return
+
+try:
+keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], 
keyhint)
+except KeyError:
+keyfile = keyhint
+
+if not os.path.exists('%s.key' % keyfile):
+return
+
+f = open('%s.key' % keyfile,'r')
+key = RSA.importKey(f.read())
+
+file.write('\t\t\tsignature {\n')
+file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
+file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
+file.write('\t\t\t};\n')
+
 def append_bl31_node(file, atf_index, phy_addr, elf_entry):
 # Append BL31 DT node to input FIT dts file.
 data = 'bl31_0x%08x.bin' % phy_addr
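Review bot: append_signature() returns silently when the key file is missing ("if not os.path.exists('%s.key' % keyfile): return"), so a build with CONFIG_SPL_FIT_GENERATOR_KEY_HINT set but a wrong key path produces an .its without signature nodes and gives no hint that the images will be unsigned. Once the key hint is configured, a missing key should raise an error, or at least log one through the logging module this file already imports. Two smaller points in the same function: 'line[8:]' strips eight characters from every line of u-boot.cfg without checking what they are, so test for the expected prefix before slicing; and the key file is opened with 'f = open(...)' and never closed, where a 'with' block would do.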
@@ -60,6 +110,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
 file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
 if atf_index == 1:
 file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+append_signature(file);
 file.write('\t\t};\n')
 file.write('\n')
 
@@ -75,6 +126,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry):
 file.write('\t\t\tcompression = "none";\n')
 file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
 file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+append_signature(file);
 file.write('\t\t};\n')
 file.write('\n')
 
@@ -88,6 +140,7 @@ def append_fdt_node(file, dtbs):
 file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
 file.write('\t\t\ttype = "flat_dt";\n')
 file.write('\t\t\tcompression = "none";\n')
+append_signature(file);
 file.write('\t\t};\n')
 file.write('\n')
 cnt = cnt + 1
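Review bot: 'append_signature(file);' carries a trailing semicolon that Python does not need; the same line appears in the append_bl31_node and append_tee_node hunks, while the call in generate_atf_fit_dts_uboot has none. Drop the semicolon in all three places so the calls are consistent.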
@@ -129,6 +182,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
 raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
 index, entry, p_paddr, data = segments[0]
 fit_file.write(DT_UBOOT % p_paddr)
+append_signature(fit_file)
+fit_file.write(DT_UBOOT_NODE_END)
 
 def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, 
dtbs_file_name):
 segments = unpack_elf(bl31_file_name)
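Review bot: DT_UBOOT no longer closes its own node, and this hunk relies on the caller writing DT_UBOOT_NODE_END after append_signature(fit_file), but nothing documents that pairing. Add a comment on DT_UBOOT stating that the template leaves the node open and must be followed by DT_UBOOT_NODE_END, so a later user of the template does not emit an unbalanced .its.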
-- 
2.26.2
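
A check on the generator's output, as an added example that is not part of the patch or of U-Boot: it walks a generated .its and lists the image nodes that lack a complete signature node, so an unsigned image is caught before mkimage runs. The function name unsigned_images and the sample .its are constructed for illustration, and the parser assumes each node's opening brace sits on the same line as its name, as the file.write() calls in the patch produce.

```python
import re

# Constructed sample .its: "uboot" carries the signature node the patch
# writes; "atf_1" does not, as happens when the key file is not found.
SAMPLE_ITS = '''
/dts-v1/;
/ {
    images {
        uboot {
            data = /incbin/("u-boot-nodtb.bin");
            load = <0x00200000>;
            signature {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";
            };
        };
        atf_1 {
            data = /incbin/("bl31_0x00040000.bin");
            load = <0x00040000>;
        };
    };
};
'''

NODE_OPEN = re.compile(r'^([\w@,.+-]+)\s*\{$')      # "name {"
STR_PROP = re.compile(r'^([\w,#-]+)\s*=\s*"([^"]*)"\s*;$')
REQUIRED = {'algo', 'key-name-hint'}


def unsigned_images(its_text):
    """Return the /images subnodes that lack a complete signature node."""
    path, images, sig_props = [], [], {}
    for raw in its_text.splitlines():
        line = raw.strip()
        node = NODE_OPEN.match(line)
        if node or line == '/ {':
            path.append(node.group(1) if node else '/')
            if len(path) == 3 and path[1] == 'images':
                images.append(path[2])          # /images/<name>
        elif line.startswith('}') and path:
            path.pop()
        elif len(path) == 4 and path[1] == 'images' \
                and path[3].startswith('signature'):
            prop = STR_PROP.match(line)         # property inside signature node
            if prop:
                sig_props.setdefault(path[2], set()).add(prop.group(1))
    return [n for n in images if not REQUIRED <= sig_props.get(n, set())]


if __name__ == '__main__':
    print(unsigned_images(SAMPLE_ITS))
```

A build step can fail when the returned list is non-empty and signing is configured.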