Re: [PATCH v3 2/3] tools: binman: Replace 'fit,sign' by 'fit,keys-directory'
Here how I understand Simon’s answer. He suggested to introduce new property like ‘fit,encrypt’. And if you see that property, then you enable keys detection (and so you enable encryption). Regarding you current (v3) implementation. I would call the new property as ‘fit,detect-keys-directory’ as it makes more clear that binman have to do during fit processing. For me, then I see ‘fit,keys-directory’ I expect, that directory path must be provided with the property. You did that in v2. But Simon told, that its better to implement that behavior using entyarg (https://lists.denx.de/pipermail/u-boot/2024-August/561346.html). I have no idea how to do that. May be any usage example could clarify. Regarding implementation of signing in the binman. First, I thought to implement singing in the binman. There are another entryargs that implements signing e.g. preload_enty.py. I could extract signing code into separate file and implement signing in the fit entry arg: I see fit,sign, I see fit entries related to the signature (key-name-hint, algo…) and do signing. Later I found that mkimage get called during FIT creation and decided not to duplicate functionality. Alexander. > 21 нояб. 2024 г., в 13:17, Paul HENRYS > написал(а): > > Hi Simon, > > On 20/11/2024 14:35, Simon Glass wrote: >> This Mail comes from Outside of SoftAtHome: Do not answer, click links or >> open attachments unless you recognize the sender and know the content is >> safe. >> >> Hi Paul, >> >> On Wed, 20 Nov 2024 at 03:09, Paul HENRYS >> wrote: >>> mkimage can be used for both signing the FIT or encrypt its content and the >>> option '-k' can be used to pass a directory where both signing and >>> encryption >>> keys can be retrieved. >>> _get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to >>> support >>> both signing and encryption nodes in the FIT. >>> >>> Signed-off-by: Paul HENRYS >>> --- >>> Changes for v3: >>> - Adapt the code after changes made in commit 133c000ca334 >>> - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only >>>about signing but passing a key directory to mkimage for both signing and >>>encrypting >>> - Update the tests and documentation accordingly >>> >>> My initial changes proposed in v1 and v2 has been outdated by the changes >>> proposed in commit 133c000ca334. >>> >>> tools/binman/btool/mkimage.py | 8 +++ >>> tools/binman/entries.rst| 13 ++- >>> tools/binman/etype/fit.py | 31 ++--- >>> tools/binman/ftest.py | 2 +- >>> tools/binman/test/340_fit_signature.dts | 2 +- >>> tools/binman/test/341_fit_signature.dts | 2 +- >>> tools/binman/test/342_fit_signature.dts | 2 +- >>> 7 files changed, 32 insertions(+), 28 deletions(-) >> I think it is good to be able to specify the keys directory and not >> just rely on Binman's input path. But do we need to remove the >> fit,sign property? It is the signal that signing should be done., >> although I understand that there is a key directory too. >> >> If we need to remove it, please do that in a separate patch. >> >> Perhaps we also need a signal that encryption should be done? > Based on my understanding, we don't enable the signing by adding 'fit,sign' > property but by having a signature node in the DTS passed to binman and thus > also in the ITS passed to mkimage by binman (at least with the current > implementation). In the current implementation, adding 'fit,sign property' in > the DTS passed to binman only leads to add the argument '-k' with a directory > where the private keys are stored and nothing more. The '-k' argument of > mkimage is used to specify the keys directory for both signing and ciphering > FIT data. That is why I thought the property could be shared for providing > the keys directory for both signing and ciphering when generating the FIT. > Then maybe your idea would be to use such a property, i.e. 'fit,sign' > property, to be able to add more options related to the signature > (key-name-hint, algo...) instead of having those information in the ITS in a > signature node. In this case, I guess it would indeed make sense to have > separate properties that could both set the '-k' argument passed to mkimage. > The current signal for the encryption is to have a 'cipher' node in the ITS > provided to mkimage. >> >>> diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py >>> index 78d3301bc1..3f84220fb1 100644 >>> --- a/tools/binman/btool/mkimage.py >>> +++ b/tools/binman/btool/mkimage.py >>> @@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool): >>> >>> # pylint: disable=R0913 >>> def run(self, reset_timestamp=False, output_fname=None, external=False, >>> -pad=None, align=None, priv_keys_dir=None): >>> +pad=None, align=None, keys_dir=None): >>> """Run mkimage >>> >>> Args: >>> @@ -34,7 +34,7 @@ clas
Re: [PATCH v3 2/3] tools: binman: Replace 'fit,sign' by 'fit,keys-directory'
Hi Simon, On 20/11/2024 14:35, Simon Glass wrote: This Mail comes from Outside of SoftAtHome: Do not answer, click links or open attachments unless you recognize the sender and know the content is safe. Hi Paul, On Wed, 20 Nov 2024 at 03:09, Paul HENRYS wrote: mkimage can be used for both signing the FIT or encrypt its content and the option '-k' can be used to pass a directory where both signing and encryption keys can be retrieved. _get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support both signing and encryption nodes in the FIT. Signed-off-by: Paul HENRYS --- Changes for v3: - Adapt the code after changes made in commit 133c000ca334 - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only about signing but passing a key directory to mkimage for both signing and encrypting - Update the tests and documentation accordingly My initial changes proposed in v1 and v2 has been outdated by the changes proposed in commit 133c000ca334. tools/binman/btool/mkimage.py | 8 +++ tools/binman/entries.rst| 13 ++- tools/binman/etype/fit.py | 31 ++--- tools/binman/ftest.py | 2 +- tools/binman/test/340_fit_signature.dts | 2 +- tools/binman/test/341_fit_signature.dts | 2 +- tools/binman/test/342_fit_signature.dts | 2 +- 7 files changed, 32 insertions(+), 28 deletions(-) I think it is good to be able to specify the keys directory and not just rely on Binman's input path. But do we need to remove the fit,sign property? It is the signal that signing should be done., although I understand that there is a key directory too. If we need to remove it, please do that in a separate patch. Perhaps we also need a signal that encryption should be done? Based on my understanding, we don't enable the signing by adding 'fit,sign' property but by having a signature node in the DTS passed to binman and thus also in the ITS passed to mkimage by binman (at least with the current implementation). In the current implementation, adding 'fit,sign property' in the DTS passed to binman only leads to add the argument '-k' with a directory where the private keys are stored and nothing more. The '-k' argument of mkimage is used to specify the keys directory for both signing and ciphering FIT data. That is why I thought the property could be shared for providing the keys directory for both signing and ciphering when generating the FIT. Then maybe your idea would be to use such a property, i.e. 'fit,sign' property, to be able to add more options related to the signature (key-name-hint, algo...) instead of having those information in the ITS in a signature node. In this case, I guess it would indeed make sense to have separate properties that could both set the '-k' argument passed to mkimage. The current signal for the encryption is to have a 'cipher' node in the ITS provided to mkimage. diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py index 78d3301bc1..3f84220fb1 100644 --- a/tools/binman/btool/mkimage.py +++ b/tools/binman/btool/mkimage.py @@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool): # pylint: disable=R0913 def run(self, reset_timestamp=False, output_fname=None, external=False, -pad=None, align=None, priv_keys_dir=None): +pad=None, align=None, keys_dir=None): """Run mkimage Args: @@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool): other things to be easily added later, if required, such as signatures align: Bytes to use for alignment of the FIT and its external data -priv_keys_dir: Path to directory containing private keys +keys_dir: Path to directory containing private and encryption keys version: True to get the mkimage version """ args = [] @@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool): args += ['-B', f'{align:x}'] if reset_timestamp: args.append('-t') -if priv_keys_dir: -args += ['-k', f'{priv_keys_dir}'] +if keys_dir: +args += ['-k', f'{keys_dir}'] if output_fname: args += ['-F', output_fname] return self.run_cmd(*args) diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst index e918162fb4..1b1d73ef17 100644 --- a/tools/binman/entries.rst +++ b/tools/binman/entries.rst @@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special properties: fit,fdt-list-dir = "arch/arm/dts -fit,sign -Enable signing FIT images via mkimage as described in -verified-boot.rst. If the property is found, the private keys path is -detected among binman include directories and passed to mkimage via --k flag. All the keys required for signing FIT must be available at -
Re: [PATCH v3 2/3] tools: binman: Replace 'fit, sign' by 'fit, keys-directory'
Hi Paul, On Wed, 20 Nov 2024 at 03:09, Paul HENRYS wrote: > > mkimage can be used for both signing the FIT or encrypt its content and the > option '-k' can be used to pass a directory where both signing and encryption > keys can be retrieved. > _get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support > both signing and encryption nodes in the FIT. > > Signed-off-by: Paul HENRYS > --- > Changes for v3: > - Adapt the code after changes made in commit 133c000ca334 > - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only >about signing but passing a key directory to mkimage for both signing and >encrypting > - Update the tests and documentation accordingly > > My initial changes proposed in v1 and v2 has been outdated by the changes > proposed in commit 133c000ca334. > > tools/binman/btool/mkimage.py | 8 +++ > tools/binman/entries.rst| 13 ++- > tools/binman/etype/fit.py | 31 ++--- > tools/binman/ftest.py | 2 +- > tools/binman/test/340_fit_signature.dts | 2 +- > tools/binman/test/341_fit_signature.dts | 2 +- > tools/binman/test/342_fit_signature.dts | 2 +- > 7 files changed, 32 insertions(+), 28 deletions(-) I think it is good to be able to specify the keys directory and not just rely on Binman's input path. But do we need to remove the fit,sign property? It is the signal that signing should be done., although I understand that there is a key directory too. If we need to remove it, please do that in a separate patch. Perhaps we also need a signal that encryption should be done? > > diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py > index 78d3301bc1..3f84220fb1 100644 > --- a/tools/binman/btool/mkimage.py > +++ b/tools/binman/btool/mkimage.py > @@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool): > > # pylint: disable=R0913 > def run(self, reset_timestamp=False, output_fname=None, external=False, > -pad=None, align=None, priv_keys_dir=None): > +pad=None, align=None, keys_dir=None): > """Run mkimage > > Args: > @@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool): > other things to be easily added later, if required, such as > signatures > align: Bytes to use for alignment of the FIT and its external > data > -priv_keys_dir: Path to directory containing private keys > +keys_dir: Path to directory containing private and encryption > keys > version: True to get the mkimage version > """ > args = [] > @@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool): > args += ['-B', f'{align:x}'] > if reset_timestamp: > args.append('-t') > -if priv_keys_dir: > -args += ['-k', f'{priv_keys_dir}'] > +if keys_dir: > +args += ['-k', f'{keys_dir}'] > if output_fname: > args += ['-F', output_fname] > return self.run_cmd(*args) > diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst > index e918162fb4..1b1d73ef17 100644 > --- a/tools/binman/entries.rst > +++ b/tools/binman/entries.rst > @@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special > properties: > > fit,fdt-list-dir = "arch/arm/dts > > -fit,sign > -Enable signing FIT images via mkimage as described in > -verified-boot.rst. If the property is found, the private keys path is > -detected among binman include directories and passed to mkimage via > --k flag. All the keys required for signing FIT must be available at > -time of signing and must be located in single include directory. > +fit,keys-directory > +Look for a directory where signing and encryption keys are stored. > +If the property is found, the keys path is detected among binman > +include directories and passed to mkimage via -k flag. All the keys > +required for signing and encrypting the FIT must be available at the > +time of signing and encrypting and must be located in a single > +include directory. > > Substitutions > ~ > diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py > index b5afbda41b..e0c1ac08d8 100644 > --- a/tools/binman/etype/fit.py > +++ b/tools/binman/etype/fit.py > @@ -102,13 +102,13 @@ class Entry_fit(Entry_section): > In this case the input directories are ignored and all devicetree > files must be in that directory. > > -fit,sign > -Enable signing FIT images via mkimage as described in > -verified-boot.rst. If the property is found, the private keys > path > -is detected among binman include directories and passed to > mkimage > -via -k flag. All the keys required for signing FIT must be
[PATCH v3 2/3] tools: binman: Replace 'fit, sign' by 'fit, keys-directory'
mkimage can be used for both signing the FIT or encrypt its content and the option '-k' can be used to pass a directory where both signing and encryption keys can be retrieved. _get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support both signing and encryption nodes in the FIT. Signed-off-by: Paul HENRYS --- Changes for v3: - Adapt the code after changes made in commit 133c000ca334 - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only about signing but passing a key directory to mkimage for both signing and encrypting - Update the tests and documentation accordingly My initial changes proposed in v1 and v2 has been outdated by the changes proposed in commit 133c000ca334. tools/binman/btool/mkimage.py | 8 +++ tools/binman/entries.rst| 13 ++- tools/binman/etype/fit.py | 31 ++--- tools/binman/ftest.py | 2 +- tools/binman/test/340_fit_signature.dts | 2 +- tools/binman/test/341_fit_signature.dts | 2 +- tools/binman/test/342_fit_signature.dts | 2 +- 7 files changed, 32 insertions(+), 28 deletions(-) diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py index 78d3301bc1..3f84220fb1 100644 --- a/tools/binman/btool/mkimage.py +++ b/tools/binman/btool/mkimage.py @@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool): # pylint: disable=R0913 def run(self, reset_timestamp=False, output_fname=None, external=False, -pad=None, align=None, priv_keys_dir=None): +pad=None, align=None, keys_dir=None): """Run mkimage Args: @@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool): other things to be easily added later, if required, such as signatures align: Bytes to use for alignment of the FIT and its external data -priv_keys_dir: Path to directory containing private keys +keys_dir: Path to directory containing private and encryption keys version: True to get the mkimage version """ args = [] @@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool): args += ['-B', f'{align:x}'] if reset_timestamp: args.append('-t') -if priv_keys_dir: -args += ['-k', f'{priv_keys_dir}'] +if keys_dir: +args += ['-k', f'{keys_dir}'] if output_fname: args += ['-F', output_fname] return self.run_cmd(*args) diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst index e918162fb4..1b1d73ef17 100644 --- a/tools/binman/entries.rst +++ b/tools/binman/entries.rst @@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special properties: fit,fdt-list-dir = "arch/arm/dts -fit,sign -Enable signing FIT images via mkimage as described in -verified-boot.rst. If the property is found, the private keys path is -detected among binman include directories and passed to mkimage via --k flag. All the keys required for signing FIT must be available at -time of signing and must be located in single include directory. +fit,keys-directory +Look for a directory where signing and encryption keys are stored. +If the property is found, the keys path is detected among binman +include directories and passed to mkimage via -k flag. All the keys +required for signing and encrypting the FIT must be available at the +time of signing and encrypting and must be located in a single +include directory. Substitutions ~ diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py index b5afbda41b..e0c1ac08d8 100644 --- a/tools/binman/etype/fit.py +++ b/tools/binman/etype/fit.py @@ -102,13 +102,13 @@ class Entry_fit(Entry_section): In this case the input directories are ignored and all devicetree files must be in that directory. -fit,sign -Enable signing FIT images via mkimage as described in -verified-boot.rst. If the property is found, the private keys path -is detected among binman include directories and passed to mkimage -via -k flag. All the keys required for signing FIT must be -available at time of signing and must be located in single include -directory. +fit,keys-directory +Look for a directory where signing and encryption keys are stored. +If the property is found, the keys path is detected among binman +include directories and passed to mkimage via -k flag. All the keys +required for signing and encrypting the FIT must be available at the +time of signing and encrypting and must be located in a single +include directory. Substitutions ~ @@ -518,14 +518,14 @@ class Ent