Re: [PATCH v3 2/3] tools: binman: Replace 'fit,sign' by 'fit,keys-directory'

2024-11-21 Thread Alexander Kochetkov
Here how I understand Simon’s answer.
He suggested to introduce new property like ‘fit,encrypt’. And if you see that 
property, then you enable keys detection (and so you enable encryption).

Regarding you current (v3) implementation. I would call the new property as 
‘fit,detect-keys-directory’ as it makes more clear that binman have to do during
fit processing.

For me, then I see  ‘fit,keys-directory’ I expect, that directory path must be 
provided with the property. You did that in v2.
But Simon told, that its better to implement that behavior using entyarg 
(https://lists.denx.de/pipermail/u-boot/2024-August/561346.html).
I have no idea how to do that. May be any usage example could clarify.

Regarding implementation of signing in the binman. First, I thought to 
implement singing in the binman. There are another entryargs that implements
signing e.g. preload_enty.py. I could extract signing code into separate file 
and implement signing in the fit entry arg: I see fit,sign, I see fit entries
related to the signature (key-name-hint, algo…) and do signing. Later I found 
that mkimage get called during FIT creation and decided not
to duplicate functionality.

Alexander.


> 21 нояб. 2024 г., в 13:17, Paul HENRYS  
> написал(а):
> 
> Hi Simon,
> 
> On 20/11/2024 14:35, Simon Glass wrote:
>> This Mail comes from Outside of SoftAtHome: Do not answer, click links or 
>> open attachments unless you recognize the sender and know the content is 
>> safe.
>> 
>> Hi Paul,
>> 
>> On Wed, 20 Nov 2024 at 03:09, Paul HENRYS
>>  wrote:
>>> mkimage can be used for both signing the FIT or encrypt its content and the
>>> option '-k' can be used to pass a directory where both signing and 
>>> encryption
>>> keys can be retrieved.
>>> _get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to 
>>> support
>>> both signing and encryption nodes in the FIT.
>>> 
>>> Signed-off-by: Paul HENRYS 
>>> ---
>>> Changes for v3:
>>>  - Adapt the code after changes made in commit 133c000ca334
>>>  - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only
>>>about signing but passing a key directory to mkimage for both signing and
>>>encrypting
>>>  - Update the tests and documentation accordingly
>>> 
>>> My initial changes proposed in v1 and v2 has been outdated by the changes
>>> proposed in commit 133c000ca334.
>>> 
>>>  tools/binman/btool/mkimage.py   |  8 +++
>>>  tools/binman/entries.rst| 13 ++-
>>>  tools/binman/etype/fit.py   | 31 ++---
>>>  tools/binman/ftest.py   |  2 +-
>>>  tools/binman/test/340_fit_signature.dts |  2 +-
>>>  tools/binman/test/341_fit_signature.dts |  2 +-
>>>  tools/binman/test/342_fit_signature.dts |  2 +-
>>>  7 files changed, 32 insertions(+), 28 deletions(-)
>> I think it is good to be able to specify the keys directory and not
>> just rely on Binman's input path. But do we need to remove the
>> fit,sign property? It is the signal that signing should be done.,
>> although I understand that there is a key directory too.
>> 
>> If we need to remove it, please do that in a separate patch.
>> 
>> Perhaps we also need a signal that encryption should be done?
> Based on my understanding, we don't enable the signing by adding 'fit,sign' 
> property but by having a signature node in the DTS passed to binman and thus 
> also in the ITS passed to mkimage by binman (at least with the current 
> implementation). In the current implementation, adding 'fit,sign property' in 
> the DTS passed to binman only leads to add the argument '-k' with a directory 
> where the private keys are stored and nothing more. The '-k' argument of 
> mkimage is used to specify the keys directory for both signing and ciphering 
> FIT data. That is why I thought the property could be shared for providing 
> the keys directory for both signing and ciphering when generating the FIT.
> Then maybe your idea would be to use such a property, i.e. 'fit,sign' 
> property, to be able to add more options related to the signature 
> (key-name-hint, algo...) instead of having those information in the ITS in a 
> signature node. In this case, I guess it would indeed make sense to have 
> separate properties that could both set the '-k' argument passed to mkimage.
> The current signal for the encryption is to have a 'cipher' node in the ITS 
> provided to mkimage.
>> 
>>> diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py
>>> index 78d3301bc1..3f84220fb1 100644
>>> --- a/tools/binman/btool/mkimage.py
>>> +++ b/tools/binman/btool/mkimage.py
>>> @@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool):
>>> 
>>>  # pylint: disable=R0913
>>>  def run(self, reset_timestamp=False, output_fname=None, external=False,
>>> -pad=None, align=None, priv_keys_dir=None):
>>> +pad=None, align=None, keys_dir=None):
>>>  """Run mkimage
>>> 
>>>  Args:
>>> @@ -34,7 +34,7 @@ clas

Re: [PATCH v3 2/3] tools: binman: Replace 'fit,sign' by 'fit,keys-directory'

2024-11-21 Thread Paul HENRYS

Hi Simon,

On 20/11/2024 14:35, Simon Glass wrote:

This Mail comes from Outside of SoftAtHome: Do not answer, click links or open 
attachments unless you recognize the sender and know the content is safe.

Hi Paul,

On Wed, 20 Nov 2024 at 03:09, Paul HENRYS
 wrote:

mkimage can be used for both signing the FIT or encrypt its content and the
option '-k' can be used to pass a directory where both signing and encryption
keys can be retrieved.
_get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support
both signing and encryption nodes in the FIT.

Signed-off-by: Paul HENRYS 
---
Changes for v3:
  - Adapt the code after changes made in commit 133c000ca334
  - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only
about signing but passing a key directory to mkimage for both signing and
encrypting
  - Update the tests and documentation accordingly

My initial changes proposed in v1 and v2 has been outdated by the changes
proposed in commit 133c000ca334.

  tools/binman/btool/mkimage.py   |  8 +++
  tools/binman/entries.rst| 13 ++-
  tools/binman/etype/fit.py   | 31 ++---
  tools/binman/ftest.py   |  2 +-
  tools/binman/test/340_fit_signature.dts |  2 +-
  tools/binman/test/341_fit_signature.dts |  2 +-
  tools/binman/test/342_fit_signature.dts |  2 +-
  7 files changed, 32 insertions(+), 28 deletions(-)

I think it is good to be able to specify the keys directory and not
just rely on Binman's input path. But do we need to remove the
fit,sign property? It is the signal that signing should be done.,
although I understand that there is a key directory too.

If we need to remove it, please do that in a separate patch.

Perhaps we also need a signal that encryption should be done?
Based on my understanding, we don't enable the signing by adding 
'fit,sign' property but by having a signature node in the DTS passed to 
binman and thus also in the ITS passed to mkimage by binman (at least 
with the current implementation). In the current implementation, adding 
'fit,sign property' in the DTS passed to binman only leads to add the 
argument '-k' with a directory where the private keys are stored and 
nothing more. The '-k' argument of mkimage is used to specify the keys 
directory for both signing and ciphering FIT data. That is why I thought 
the property could be shared for providing the keys directory for both 
signing and ciphering when generating the FIT.
Then maybe your idea would be to use such a property, i.e. 'fit,sign' 
property, to be able to add more options related to the signature 
(key-name-hint, algo...) instead of having those information in the ITS 
in a signature node. In this case, I guess it would indeed make sense to 
have separate properties that could both set the '-k' argument passed to 
mkimage.
The current signal for the encryption is to have a 'cipher' node in the 
ITS provided to mkimage.



diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py
index 78d3301bc1..3f84220fb1 100644
--- a/tools/binman/btool/mkimage.py
+++ b/tools/binman/btool/mkimage.py
@@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool):

  # pylint: disable=R0913
  def run(self, reset_timestamp=False, output_fname=None, external=False,
-pad=None, align=None, priv_keys_dir=None):
+pad=None, align=None, keys_dir=None):
  """Run mkimage

  Args:
@@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool):
  other things to be easily added later, if required, such as
  signatures
  align: Bytes to use for alignment of the FIT and its external data
-priv_keys_dir: Path to directory containing private keys
+keys_dir: Path to directory containing private and encryption keys
  version: True to get the mkimage version
  """
  args = []
@@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool):
  args += ['-B', f'{align:x}']
  if reset_timestamp:
  args.append('-t')
-if priv_keys_dir:
-args += ['-k', f'{priv_keys_dir}']
+if keys_dir:
+args += ['-k', f'{keys_dir}']
  if output_fname:
  args += ['-F', output_fname]
  return self.run_cmd(*args)
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index e918162fb4..1b1d73ef17 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special 
properties:

  fit,fdt-list-dir = "arch/arm/dts

-fit,sign
-Enable signing FIT images via mkimage as described in
-verified-boot.rst. If the property is found, the private keys path is
-detected among binman include directories and passed to mkimage via
--k flag. All the keys required for signing FIT must be available at
-

Re: [PATCH v3 2/3] tools: binman: Replace 'fit, sign' by 'fit, keys-directory'

2024-11-20 Thread Simon Glass
Hi Paul,

On Wed, 20 Nov 2024 at 03:09, Paul HENRYS
 wrote:
>
> mkimage can be used for both signing the FIT or encrypt its content and the
> option '-k' can be used to pass a directory where both signing and encryption
> keys can be retrieved.
> _get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support
> both signing and encryption nodes in the FIT.
>
> Signed-off-by: Paul HENRYS 
> ---
> Changes for v3:
>  - Adapt the code after changes made in commit 133c000ca334
>  - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only
>about signing but passing a key directory to mkimage for both signing and
>encrypting
>  - Update the tests and documentation accordingly
>
> My initial changes proposed in v1 and v2 has been outdated by the changes
> proposed in commit 133c000ca334.
>
>  tools/binman/btool/mkimage.py   |  8 +++
>  tools/binman/entries.rst| 13 ++-
>  tools/binman/etype/fit.py   | 31 ++---
>  tools/binman/ftest.py   |  2 +-
>  tools/binman/test/340_fit_signature.dts |  2 +-
>  tools/binman/test/341_fit_signature.dts |  2 +-
>  tools/binman/test/342_fit_signature.dts |  2 +-
>  7 files changed, 32 insertions(+), 28 deletions(-)

I think it is good to be able to specify the keys directory and not
just rely on Binman's input path. But do we need to remove the
fit,sign property? It is the signal that signing should be done.,
although I understand that there is a key directory too.

If we need to remove it, please do that in a separate patch.

Perhaps we also need a signal that encryption should be done?

>
> diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py
> index 78d3301bc1..3f84220fb1 100644
> --- a/tools/binman/btool/mkimage.py
> +++ b/tools/binman/btool/mkimage.py
> @@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool):
>
>  # pylint: disable=R0913
>  def run(self, reset_timestamp=False, output_fname=None, external=False,
> -pad=None, align=None, priv_keys_dir=None):
> +pad=None, align=None, keys_dir=None):
>  """Run mkimage
>
>  Args:
> @@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool):
>  other things to be easily added later, if required, such as
>  signatures
>  align: Bytes to use for alignment of the FIT and its external 
> data
> -priv_keys_dir: Path to directory containing private keys
> +keys_dir: Path to directory containing private and encryption 
> keys
>  version: True to get the mkimage version
>  """
>  args = []
> @@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool):
>  args += ['-B', f'{align:x}']
>  if reset_timestamp:
>  args.append('-t')
> -if priv_keys_dir:
> -args += ['-k', f'{priv_keys_dir}']
> +if keys_dir:
> +args += ['-k', f'{keys_dir}']
>  if output_fname:
>  args += ['-F', output_fname]
>  return self.run_cmd(*args)
> diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
> index e918162fb4..1b1d73ef17 100644
> --- a/tools/binman/entries.rst
> +++ b/tools/binman/entries.rst
> @@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special 
> properties:
>
>  fit,fdt-list-dir = "arch/arm/dts
>
> -fit,sign
> -Enable signing FIT images via mkimage as described in
> -verified-boot.rst. If the property is found, the private keys path is
> -detected among binman include directories and passed to mkimage via
> --k flag. All the keys required for signing FIT must be available at
> -time of signing and must be located in single include directory.
> +fit,keys-directory
> +Look for a directory where signing and encryption keys are stored.
> +If the property is found, the keys path is detected among binman
> +include directories and passed to mkimage via  -k flag. All the keys
> +required for signing and encrypting the FIT must be available at the
> +time of signing and encrypting and must be located in a single
> +include directory.
>
>  Substitutions
>  ~
> diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py
> index b5afbda41b..e0c1ac08d8 100644
> --- a/tools/binman/etype/fit.py
> +++ b/tools/binman/etype/fit.py
> @@ -102,13 +102,13 @@ class Entry_fit(Entry_section):
>  In this case the input directories are ignored and all devicetree
>  files must be in that directory.
>
> -fit,sign
> -Enable signing FIT images via mkimage as described in
> -verified-boot.rst. If the property is found, the private keys 
> path
> -is detected among binman include directories and passed to 
> mkimage
> -via  -k flag. All the keys required for signing FIT must be

[PATCH v3 2/3] tools: binman: Replace 'fit, sign' by 'fit, keys-directory'

2024-11-20 Thread Paul HENRYS
mkimage can be used for both signing the FIT or encrypt its content and the
option '-k' can be used to pass a directory where both signing and encryption
keys can be retrieved.
_get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support
both signing and encryption nodes in the FIT.

Signed-off-by: Paul HENRYS 
---
Changes for v3:
 - Adapt the code after changes made in commit 133c000ca334
 - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only
   about signing but passing a key directory to mkimage for both signing and
   encrypting
 - Update the tests and documentation accordingly

My initial changes proposed in v1 and v2 has been outdated by the changes
proposed in commit 133c000ca334.

 tools/binman/btool/mkimage.py   |  8 +++
 tools/binman/entries.rst| 13 ++-
 tools/binman/etype/fit.py   | 31 ++---
 tools/binman/ftest.py   |  2 +-
 tools/binman/test/340_fit_signature.dts |  2 +-
 tools/binman/test/341_fit_signature.dts |  2 +-
 tools/binman/test/342_fit_signature.dts |  2 +-
 7 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py
index 78d3301bc1..3f84220fb1 100644
--- a/tools/binman/btool/mkimage.py
+++ b/tools/binman/btool/mkimage.py
@@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool):
 
 # pylint: disable=R0913
 def run(self, reset_timestamp=False, output_fname=None, external=False,
-pad=None, align=None, priv_keys_dir=None):
+pad=None, align=None, keys_dir=None):
 """Run mkimage
 
 Args:
@@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool):
 other things to be easily added later, if required, such as
 signatures
 align: Bytes to use for alignment of the FIT and its external data
-priv_keys_dir: Path to directory containing private keys
+keys_dir: Path to directory containing private and encryption keys
 version: True to get the mkimage version
 """
 args = []
@@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool):
 args += ['-B', f'{align:x}']
 if reset_timestamp:
 args.append('-t')
-if priv_keys_dir:
-args += ['-k', f'{priv_keys_dir}']
+if keys_dir:
+args += ['-k', f'{keys_dir}']
 if output_fname:
 args += ['-F', output_fname]
 return self.run_cmd(*args)
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index e918162fb4..1b1d73ef17 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special 
properties:
 
 fit,fdt-list-dir = "arch/arm/dts
 
-fit,sign
-Enable signing FIT images via mkimage as described in
-verified-boot.rst. If the property is found, the private keys path is
-detected among binman include directories and passed to mkimage via
--k flag. All the keys required for signing FIT must be available at
-time of signing and must be located in single include directory.
+fit,keys-directory
+Look for a directory where signing and encryption keys are stored.
+If the property is found, the keys path is detected among binman
+include directories and passed to mkimage via  -k flag. All the keys
+required for signing and encrypting the FIT must be available at the
+time of signing and encrypting and must be located in a single
+include directory.
 
 Substitutions
 ~
diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py
index b5afbda41b..e0c1ac08d8 100644
--- a/tools/binman/etype/fit.py
+++ b/tools/binman/etype/fit.py
@@ -102,13 +102,13 @@ class Entry_fit(Entry_section):
 In this case the input directories are ignored and all devicetree
 files must be in that directory.
 
-fit,sign
-Enable signing FIT images via mkimage as described in
-verified-boot.rst. If the property is found, the private keys path
-is detected among binman include directories and passed to mkimage
-via  -k flag. All the keys required for signing FIT must be
-available at time of signing and must be located in single include
-directory.
+fit,keys-directory
+Look for a directory where signing and encryption keys are stored.
+If the property is found, the keys path is detected among binman
+include directories and passed to mkimage via  -k flag. All the 
keys
+required for signing and encrypting the FIT must be available at 
the
+time of signing and encrypting and must be located in a single
+include directory.
 
 Substitutions
 ~
@@ -518,14 +518,14 @@ class Ent