mkimage: Allow to specify the signature algorithm on the command line

This permits to prepare FIT image description that do not hard-code the
final choice of the signature algorithm, possibly requiring the user to
patch the sources.

When -o <algo> is specified, this information is used in favor of the
'algo' property in the signature node. Furthermore, that property is set
accordingly when writing the image.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This commit is contained in:
Jan Kiszka 2022-01-14 10:21:19 +01:00 committed by Tom Rini
parent 6ae2434689
commit 5902a397d0
6 changed files with 42 additions and 23 deletions

View File

@ -155,6 +155,11 @@ the corresponding public key is written into this file for for run-time
verification. Typically the file here is the device tree binary used by
CONFIG_OF_CONTROL in U-Boot.
.TP
.BI "\-o [" "signing algorithm" "]"
Specifies the algorithm to be used for signing a FIT image. The default is
taken from the target signature nodes 'algo' properties.
.TP
.BI "\-p [" "external position" "]"
Place external data at a static external position. See \-E. Instead of writing

View File

@ -1031,6 +1031,7 @@ int fit_cipher_data(const char *keydir, void *keydest, void *fit,
* @require_keys: Mark all keys as 'required'
* @engine_id: Engine to use for signing
* @cmdname: Command name used when reporting errors
* @algo_name: Algorithm name, or NULL if to be read from FIT
*
* Adds hash values for all component images in the FIT blob.
* Hashes are calculated for all component images which have hash subnodes
@ -1045,7 +1046,7 @@ int fit_cipher_data(const char *keydir, void *keydest, void *fit,
int fit_add_verification_data(const char *keydir, const char *keyfile,
void *keydest, void *fit, const char *comment,
int require_keys, const char *engine_id,
const char *cmdname);
const char *cmdname, const char *algo_name);
int fit_image_verify_with_data(const void *fit, int image_noffset,
const void *data, size_t size);

View File

@ -73,7 +73,8 @@ static int fit_add_file_data(struct image_tool_params *params, size_t size_inc,
params->comment,
params->require_keys,
params->engine_id,
params->cmdname);
params->cmdname,
params->algo_name);
}
if (dest_blob) {

View File

@ -107,7 +107,7 @@ static int fit_image_process_hash(void *fit, const char *image_name,
*/
static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
int value_len, const char *comment, const char *region_prop,
int region_proplen, const char *cmdname)
int region_proplen, const char *cmdname, const char *algo_name)
{
int string_size;
int ret;
@ -150,6 +150,8 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
strdata, sizeof(strdata));
}
}
if (algo_name && !ret)
ret = fdt_setprop_string(fit, noffset, "algo", algo_name);
return ret;
}
@ -157,17 +159,18 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
static int fit_image_setup_sig(struct image_sign_info *info,
const char *keydir, const char *keyfile, void *fit,
const char *image_name, int noffset, const char *require_keys,
const char *engine_id)
const char *engine_id, const char *algo_name)
{
const char *node_name;
const char *algo_name;
const char *padding_name;
node_name = fit_get_name(fit, noffset, NULL);
if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
printf("Can't get algo property for '%s' signature node in '%s' image node\n",
node_name, image_name);
return -1;
if (!algo_name) {
if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
printf("Can't get algo property for '%s' signature node in '%s' image node\n",
node_name, image_name);
return -1;
}
}
padding_name = fdt_getprop(fit, noffset, "padding", NULL);
@ -215,7 +218,7 @@ static int fit_image_process_sig(const char *keydir, const char *keyfile,
void *keydest, void *fit, const char *image_name,
int noffset, const void *data, size_t size,
const char *comment, int require_keys, const char *engine_id,
const char *cmdname)
const char *cmdname, const char *algo_name)
{
struct image_sign_info info;
struct image_region region;
@ -226,7 +229,7 @@ static int fit_image_process_sig(const char *keydir, const char *keyfile,
if (fit_image_setup_sig(&info, keydir, keyfile, fit, image_name,
noffset, require_keys ? "image" : NULL,
engine_id))
engine_id, algo_name))
return -1;
node_name = fit_get_name(fit, noffset, NULL);
@ -244,7 +247,7 @@ static int fit_image_process_sig(const char *keydir, const char *keyfile,
}
ret = fit_image_write_sig(fit, noffset, value, value_len, comment,
NULL, 0, cmdname);
NULL, 0, cmdname, algo_name);
if (ret) {
if (ret == -FDT_ERR_NOSPACE)
return -ENOSPC;
@ -606,7 +609,7 @@ int fit_image_cipher_data(const char *keydir, void *keydest,
int fit_image_add_verification_data(const char *keydir, const char *keyfile,
void *keydest, void *fit, int image_noffset,
const char *comment, int require_keys, const char *engine_id,
const char *cmdname)
const char *cmdname, const char* algo_name)
{
const char *image_name;
const void *data;
@ -643,7 +646,8 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_process_sig(keydir, keyfile, keydest,
fit, image_name, noffset, data, size,
comment, require_keys, engine_id, cmdname);
comment, require_keys, engine_id, cmdname,
algo_name);
}
if (ret)
return ret;
@ -927,7 +931,8 @@ static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
static int fit_config_process_sig(const char *keydir, const char *keyfile,
void *keydest, void *fit, const char *conf_name,
int conf_noffset, int noffset, const char *comment,
int require_keys, const char *engine_id, const char *cmdname)
int require_keys, const char *engine_id, const char *cmdname,
const char *algo_name)
{
struct image_sign_info info;
const char *node_name;
@ -945,7 +950,8 @@ static int fit_config_process_sig(const char *keydir, const char *keyfile,
return -1;
if (fit_image_setup_sig(&info, keydir, keyfile, fit, conf_name, noffset,
require_keys ? "conf" : NULL, engine_id))
require_keys ? "conf" : NULL, engine_id,
algo_name))
return -1;
ret = info.crypto->sign(&info, region, region_count, &value,
@ -962,7 +968,8 @@ static int fit_config_process_sig(const char *keydir, const char *keyfile,
}
ret = fit_image_write_sig(fit, noffset, value, value_len, comment,
region_prop, region_proplen, cmdname);
region_prop, region_proplen, cmdname,
algo_name);
if (ret) {
if (ret == -FDT_ERR_NOSPACE)
return -ENOSPC;
@ -992,7 +999,7 @@ static int fit_config_process_sig(const char *keydir, const char *keyfile,
static int fit_config_add_verification_data(const char *keydir,
const char *keyfile, void *keydest, void *fit, int conf_noffset,
const char *comment, int require_keys, const char *engine_id,
const char *cmdname)
const char *cmdname, const char *algo_name)
{
const char *conf_name;
int noffset;
@ -1011,7 +1018,7 @@ static int fit_config_add_verification_data(const char *keydir,
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_process_sig(keydir, keyfile, keydest,
fit, conf_name, conf_noffset, noffset, comment,
require_keys, engine_id, cmdname);
require_keys, engine_id, cmdname, algo_name);
}
if (ret)
return ret;
@ -1058,7 +1065,7 @@ int fit_cipher_data(const char *keydir, void *keydest, void *fit,
int fit_add_verification_data(const char *keydir, const char *keyfile,
void *keydest, void *fit, const char *comment,
int require_keys, const char *engine_id,
const char *cmdname)
const char *cmdname, const char *algo_name)
{
int images_noffset, confs_noffset;
int noffset;
@ -1082,7 +1089,7 @@ int fit_add_verification_data(const char *keydir, const char *keyfile,
*/
ret = fit_image_add_verification_data(keydir, keyfile, keydest,
fit, noffset, comment, require_keys, engine_id,
cmdname);
cmdname, algo_name);
if (ret)
return ret;
}
@ -1106,7 +1113,8 @@ int fit_add_verification_data(const char *keydir, const char *keyfile,
ret = fit_config_add_verification_data(keydir, keyfile, keydest,
fit, noffset, comment,
require_keys,
engine_id, cmdname);
engine_id, cmdname,
algo_name);
if (ret)
return ret;
}

View File

@ -69,6 +69,7 @@ struct image_tool_params {
const char *keydest; /* Destination .dtb for public key */
const char *keyfile; /* Filename of private or public key */
const char *comment; /* Comment to add to signature node */
const char *algo_name; /* Algorithm name to use hashing/signing */
int require_keys; /* 1 to mark signing keys as 'required' */
int file_size; /* Total size of output file */
int orig_file_size; /* Original size for file before padding */

View File

@ -154,7 +154,7 @@ static void process_args(int argc, char **argv)
int opt;
while ((opt = getopt(argc, argv,
"a:A:b:B:c:C:d:D:e:Ef:FG:k:i:K:ln:N:p:O:rR:qstT:vVx")) != -1) {
"a:A:b:B:c:C:d:D:e:Ef:FG:k:i:K:ln:N:p:o:O:rR:qstT:vVx")) != -1) {
switch (opt) {
case 'a':
params.addr = strtoull(optarg, &ptr, 16);
@ -250,6 +250,9 @@ static void process_args(int argc, char **argv)
case 'N':
params.engine_id = optarg;
break;
case 'o':
params.algo_name = optarg;
break;
case 'O':
params.os = genimg_get_os_id(optarg);
if (params.os < 0) {