On Thu, 5 Jan 2023 at 02:31, Massimo Pegorer <[email protected]> wrote:
>
> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Adding also -K <dtb> and
> -r options will add public key to <dtb> file with required = "conf"
> property.
>
> Summary:
> -f auto => FIT with crc32 images
> -f auto -g ... -o ... => FIT with signed images
> -f auto-conf -g ... -o ... => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; public key (needed to verify signatures) is
> added to u-boot.dtb with required = "conf" property.
>
> mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e00000 \
> -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
> -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
> -K u-boot.dtb -r kernel.itb
>
> Example: Add public key with required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
> mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
> -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer <[email protected]>
>
> ---
> The commit includes: patch for adding the new feature to mkimage tool;
> updated man page, with description of the new feature and examples,
> plus fixes to wrong/misleading information; test for all of the three
> flavours of auto-FIT (crc32 images, signed images, sha1 hashed images
> and signed configurations).
>
> doc/mkimage.1 | 119 +++++++++++-----
> test/py/tests/test_fit_auto_signed.py | 195 ++++++++++++++++++++++++++
> tools/fit_image.c | 75 ++++++----
> tools/imagetool.h | 10 +-
> tools/mkimage.c | 21 ++-
> 5 files changed, 353 insertions(+), 67 deletions(-)
> create mode 100644 test/py/tests/test_fit_auto_signed.py
Reviewed-by: Simon Glass <[email protected]>

We currently avoid using the fdt library in tools/dtoc in tests but perhaps this policy needs to be changed, as this patch shows. One option would be to create a new tools/u_boot_lib directory with the shared functions currently in tools/patman etc., then allow use of that in tests.

Regards,
Simon
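The required = "conf" property that the quoted description says -K and -r add to u-boot.dtb is the thing a verifier of the resulting control DTB most wants to confirm, since a key marked "conf" is what makes U-Boot insist on a signed configuration rather than only signed images. Added example, not part of this thread or of U-Boot's own code: a small pure-Python FDT (DTB) writer and reader (build_dtb takes nested {"props": ..., "children": ...} dicts) used to list the keys under /signature whose required property is exactly "conf". The /signature/key-<name> node layout and the algo property are assumptions modelled on mkimage -K output, the RSA key material is omitted, and the sample DTBs are constructed inline.

```python
import struct
FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, END = 0xD00DFEED, 1, 2, 3, 9
_pad4 = lambda b: b + b"\0" * (-len(b) % 4)  # FDT aligns names and property data to 4 bytes
def build_dtb(tree: dict) -> bytes:  # tree = {"props": {name: bytes}, "children": {name: subtree}}
    strings, body = bytearray(), bytearray()
    def emit(name, node):
        body.extend(struct.pack(">I", BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for k, v in node.get("props", {}).items():
            body.extend(struct.pack(">III", PROP, len(v), len(strings)) + _pad4(v))
            strings.extend(k.encode() + b"\0")
        for cname, child in node.get("children", {}).items():
            emit(cname, child)
        body.extend(struct.pack(">I", END_NODE))
    emit("", tree)
    body.extend(struct.pack(">I", END))
    off_struct = 40 + 16  # 40-byte header followed by an empty memory-reservation block
    off_strings = off_struct + len(body)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(body))
    return header + b"\0" * 16 + bytes(body) + bytes(strings)

def read_props(dtb: bytes) -> dict:  # returns {"/node/path": {prop: raw bytes}}
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC: raise ValueError("not a flattened device tree")
    nodes, path, pos = {}, [], off_struct
    cur = lambda: "/" + "/".join(p for p in path if p)
    while True:
        tok, pos = struct.unpack_from(">I", dtb, pos)[0], pos + 4
        if tok == BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            nodes[cur()] = {}
            pos += (end - pos + 4) & ~3  # name plus NUL, padded to 4 bytes
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            name_end = dtb.index(b"\0", off_strings + nameoff)
            nodes[cur()][dtb[off_strings + nameoff:name_end].decode()] = dtb[pos + 8:pos + 8 + length]
            pos += 8 + ((length + 3) & ~3)
        elif tok == END_NODE: path.pop()
        elif tok == END: return nodes

def conf_signing_required(dtb: bytes) -> list:
    """Names of /signature/key-* nodes whose required property is exactly "conf"."""
    return [p.rsplit("/", 1)[1] for p, props in read_props(dtb).items()
            if p.startswith("/signature/") and props.get("required") == b"conf\0"]

def sample_dtb(required: str) -> bytes:
    # Constructed control DTB modelled on what mkimage -K writes; RSA parameters omitted (assumption).
    key = {"props": {"algo": b"sha256,rsa4096\0", "required": required.encode() + b"\0"}}
    return build_dtb({"children": {"signature": {"children": {"key-keyname": key}}}})
```

Point read_props at a real u-boot.dtb produced by the quoted mkimage command and conf_signing_required should name the key; an empty list means the key was written with required = "image" or not at all.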

