mkimage can be used for both signing the FIT or encrypt its content and the
option '-k' can be used to pass a directory where both signing and encryption
keys can be retrieved.
_get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support
both signing and encryption nodes in the FIT.

Signed-off-by: Paul HENRYS <paul.henrys_...@softathome.com>
---
Changes for v3:
 - Adapt the code after changes made in commit 133c000ca334
 - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only
   about signing but passing a key directory to mkimage for both signing and
   encrypting
 - Update the tests and documentation accordingly

My initial changes proposed in v1 and v2 has been outdated by the changes
proposed in commit 133c000ca334.

 tools/binman/btool/mkimage.py           |  8 +++----
 tools/binman/entries.rst                | 13 ++++++-----
 tools/binman/etype/fit.py               | 31 ++++++++++++++-----------
 tools/binman/ftest.py                   |  2 +-
 tools/binman/test/340_fit_signature.dts |  2 +-
 tools/binman/test/341_fit_signature.dts |  2 +-
 tools/binman/test/342_fit_signature.dts |  2 +-
 7 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py
index 78d3301bc1..3f84220fb1 100644
--- a/tools/binman/btool/mkimage.py
+++ b/tools/binman/btool/mkimage.py
@@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool):
 
     # pylint: disable=R0913
     def run(self, reset_timestamp=False, output_fname=None, external=False,
-            pad=None, align=None, priv_keys_dir=None):
+            pad=None, align=None, keys_dir=None):
         """Run mkimage
 
         Args:
@@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool):
                 other things to be easily added later, if required, such as
                 signatures
             align: Bytes to use for alignment of the FIT and its external data
-            priv_keys_dir: Path to directory containing private keys
+            keys_dir: Path to directory containing private and encryption keys
             version: True to get the mkimage version
         """
         args = []
@@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool):
             args += ['-B', f'{align:x}']
         if reset_timestamp:
             args.append('-t')
-        if priv_keys_dir:
-            args += ['-k', f'{priv_keys_dir}']
+        if keys_dir:
+            args += ['-k', f'{keys_dir}']
         if output_fname:
             args += ['-F', output_fname]
         return self.run_cmd(*args)
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index e918162fb4..1b1d73ef17 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special 
properties:
 
             fit,fdt-list-dir = "arch/arm/dts
 
-    fit,sign
-        Enable signing FIT images via mkimage as described in
-        verified-boot.rst. If the property is found, the private keys path is
-        detected among binman include directories and passed to mkimage via
-        -k flag. All the keys required for signing FIT must be available at
-        time of signing and must be located in single include directory.
+    fit,keys-directory
+        Look for a directory where signing and encryption keys are stored.
+        If the property is found, the keys path is detected among binman
+        include directories and passed to mkimage via  -k flag. All the keys
+        required for signing and encrypting the FIT must be available at the
+        time of signing and encrypting and must be located in a single
+        include directory.
 
 Substitutions
 ~~~~~~~~~~~~~
diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py
index b5afbda41b..e0c1ac08d8 100644
--- a/tools/binman/etype/fit.py
+++ b/tools/binman/etype/fit.py
@@ -102,13 +102,13 @@ class Entry_fit(Entry_section):
             In this case the input directories are ignored and all devicetree
             files must be in that directory.
 
-        fit,sign
-            Enable signing FIT images via mkimage as described in
-            verified-boot.rst. If the property is found, the private keys path
-            is detected among binman include directories and passed to mkimage
-            via  -k flag. All the keys required for signing FIT must be
-            available at time of signing and must be located in single include
-            directory.
+        fit,keys-directory
+            Look for a directory where signing and encryption keys are stored.
+            If the property is found, the keys path is detected among binman
+            include directories and passed to mkimage via  -k flag. All the 
keys
+            required for signing and encrypting the FIT must be available at 
the
+            time of signing and encrypting and must be located in a single
+            include directory.
 
     Substitutions
     ~~~~~~~~~~~~~
@@ -518,14 +518,14 @@ class Entry_fit(Entry_section):
         # are removed from self._entries later.
         self._priv_entries = dict(self._entries)
 
-    def _get_priv_keys_dir(self, data):
-        """Detect private keys path among binman include directories
+    def _get_keys_dir(self, data):
+        """Detect private and encryption keys path among binman include 
directories
 
         Args:
             data: FIT image in binary format
 
         Returns:
-            str: Single path containing all private keys found or None
+            str: Single path containing all keys found or None
 
         Raises:
             ValueError: Filename 'rsa2048.key' not found in input path
@@ -533,11 +533,14 @@ class Entry_fit(Entry_section):
         """
         def _find_keys_dir(node):
             for subnode in node.subnodes:
-                if subnode.name.startswith('signature'):
+                if (subnode.name.startswith('signature') or
+                    subnode.name.startswith('cipher')):
                     if subnode.props.get('key-name-hint') is None:
                         continue
                     hint = subnode.props['key-name-hint'].value
-                    name = tools.get_input_filename(f"{hint}.key")
+                    name = tools.get_input_filename(
+                        f"{hint}.key" if subnode.name.startswith('signature')
+                        else f"{hint}.bin")
                     path = os.path.dirname(name)
                     if path not in paths:
                         paths.append(path)
@@ -587,8 +590,8 @@ class Entry_fit(Entry_section):
         align = self._fit_props.get('fit,align')
         if align is not None:
             args.update({'align': fdt_util.fdt32_to_cpu(align.value)})
-        if self._fit_props.get('fit,sign') is not None:
-            args.update({'priv_keys_dir': self._get_priv_keys_dir(data)})
+        if self._fit_props.get('fit,keys-directory') is not None:
+            args.update({'keys_dir': self._get_keys_dir(data)})
         if self.mkimage.run(reset_timestamp=True, output_fname=output_fname,
                             **args) is None:
             if not self.GetAllowMissing():
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 156567ace7..adab65e579 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -7885,7 +7885,7 @@ fdt         fdtmap                Extract the devicetree 
blob from the fdtmap
             str(e.exception))
 
     def testFitSignNoSingatureNodes(self):
-        """Test that fit,sign doens't raise error if no signature nodes 
found"""
+        """Test that fit,keys-directory doesn't raise error if no signature 
nodes found"""
         if not elf.ELF_TOOLS:
             self.skipTest('Python elftools not available')
         entry_args = {
diff --git a/tools/binman/test/340_fit_signature.dts 
b/tools/binman/test/340_fit_signature.dts
index 9dce62e52d..97c0cbd05e 100644
--- a/tools/binman/test/340_fit_signature.dts
+++ b/tools/binman/test/340_fit_signature.dts
@@ -11,7 +11,7 @@
                        description = "test desc";
                        #address-cells = <1>;
                        fit,fdt-list = "of-list";
-                       fit,sign;
+                       fit,keys-directory;
 
                        images {
                                u-boot {
diff --git a/tools/binman/test/341_fit_signature.dts 
b/tools/binman/test/341_fit_signature.dts
index 77bec8df1e..4a4da7e589 100644
--- a/tools/binman/test/341_fit_signature.dts
+++ b/tools/binman/test/341_fit_signature.dts
@@ -11,7 +11,7 @@
                        description = "test desc";
                        #address-cells = <1>;
                        fit,fdt-list = "of-list";
-                       fit,sign;
+                       fit,keys-directory;
 
                        images {
                                u-boot {
diff --git a/tools/binman/test/342_fit_signature.dts 
b/tools/binman/test/342_fit_signature.dts
index 267105d0f6..9c61aea044 100644
--- a/tools/binman/test/342_fit_signature.dts
+++ b/tools/binman/test/342_fit_signature.dts
@@ -11,7 +11,7 @@
                        description = "test desc";
                        #address-cells = <1>;
                        fit,fdt-list = "of-list";
-                       fit,sign;
+                       fit,keys-directory;
 
                        images {
                                u-boot {
-- 
2.43.0

Reply via email to