leandrof/u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mkimage: Add -K to write public keys to an FDT blob

Browse Source 
FIT image verification requires public keys. Add a convenient option to
mkimage to write the public keys to an FDT blob when it uses then for
signing an image. This allows us to use:

   mkimage -f test.its -K dest.dtb -k keys test.fit

and have the signatures written to test.fit and the corresponding public
keys written to dest.dtb. Then dest.dtb can be used as the control FDT
for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the
public keys it needs.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
This commit is contained in:
Simon Glass 2013-06-13 15:10:04 -07:00 committed by Tom Rini
parent 80e4df8ac6
commit e29495d37f
4 changed files with 44 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
doc/mkimage.1
View File

@ -109,6 +109,14 @@ Specifies the directory containing keys to use for signing. This directory
should contain a private key file <name>.key for use with signing and a should contain a private key file <name>.key for use with signing and a
certificate <name>.crt (containing the public key) for use with verification. certificate <name>.crt (containing the public key) for use with verification.
.TP
.BI "\-K [" "key_destination" "]"
Specifies a compiled device tree binary file (typically .dtb) to write
public key information into. When a private key is used to sign an image,
the corresponding public key is written into this file for for run-time
verification. Typically the file here is the device tree binary used by
CONFIG_OF_CONTROL in U-Boot.
.SH EXAMPLES .SH EXAMPLES
List image information: List image information:
@ -127,6 +135,14 @@ Create FIT image with compressed PowerPC Linux kernel:
.nf .nf
.B mkimage -f kernel.its kernel.itb .B mkimage -f kernel.its kernel.itb
.fi .fi
.P
Create FIT image with compressed kernel and sign it with keys in the
/public/signing-keys directory. Add corresponding public keys into u-boot.dtb,
skipping those for which keys cannot be found. Also add a comment.
.nf
.B mkimage -f kernel.its -k /public/signing-keys -K u-boot.dtb \\\\
-c "Kernel 3.8 image for production devices" kernel.itb
.fi
.SH HOMEPAGE .SH HOMEPAGE
http://www.denx.de/wiki/U-Boot/WebHome http://www.denx.de/wiki/U-Boot/WebHome

21
tools/fit_image.c
View File

@ -105,9 +105,11 @@ static int fit_handle_file (struct mkimage_params *params)
{ {
char tmpfile[MKIMAGE_MAX_TMPFILE_LEN]; char tmpfile[MKIMAGE_MAX_TMPFILE_LEN];
char cmd[MKIMAGE_MAX_DTC_CMDLINE_LEN]; char cmd[MKIMAGE_MAX_DTC_CMDLINE_LEN];
int tfd; int tfd, destfd = 0;
void *dest_blob = NULL;
struct stat sbuf; struct stat sbuf;
void *ptr; void *ptr;
off_t destfd_size = 0;
/* Flattened Image Tree (FIT) format handling */ /* Flattened Image Tree (FIT) format handling */
debug ("FIT format handling\n"); debug ("FIT format handling\n");
@ -132,12 +134,20 @@ static int fit_handle_file (struct mkimage_params *params)
goto err_system; goto err_system;
} }
if (params->keydest) {
destfd = mmap_fdt(params, params->keydest, &dest_blob, &sbuf);
if (destfd < 0)
goto err_keydest;
destfd_size = sbuf.st_size;
}
tfd = mmap_fdt(params, tmpfile, &ptr, &sbuf); tfd = mmap_fdt(params, tmpfile, &ptr, &sbuf);
if (tfd < 0) if (tfd < 0)
goto err_mmap; goto err_mmap;
/* set hashes for images in the blob */ /* set hashes for images in the blob */
if (fit_add_verification_data(params->keydir, NULL, ptr, NULL, 0)) { if (fit_add_verification_data(params->keydir, dest_blob, ptr,
NULL, 0)) {
fprintf (stderr, "%s Can't add hashes to FIT blob", fprintf (stderr, "%s Can't add hashes to FIT blob",
params->cmdname); params->cmdname);
goto err_add_hashes; goto err_add_hashes;
@ -153,6 +163,10 @@ static int fit_handle_file (struct mkimage_params *params)
munmap ((void *)ptr, sbuf.st_size); munmap ((void *)ptr, sbuf.st_size);
close (tfd); close (tfd);
if (dest_blob) {
munmap(dest_blob, destfd_size);
close(destfd);
}
if (rename (tmpfile, params->imagefile) == -1) { if (rename (tmpfile, params->imagefile) == -1) {
fprintf (stderr, "%s: Can't rename %s to %s: %s\n", fprintf (stderr, "%s: Can't rename %s to %s: %s\n",
@ -168,6 +182,9 @@ err_add_timestamp:
err_add_hashes: err_add_hashes:
munmap(ptr, sbuf.st_size); munmap(ptr, sbuf.st_size);
err_mmap: err_mmap:
if (dest_blob)
munmap(dest_blob, destfd_size);
err_keydest:
err_system: err_system:
unlink(tmpfile); unlink(tmpfile);
return -1; return -1;

10
tools/mkimage.c
View File

@ -253,6 +253,11 @@ main (int argc, char **argv)
usage(); usage();
params.keydir = *++argv; params.keydir = *++argv;
goto NXTARG; goto NXTARG;
case 'K':
if (--argc <= 0)
usage();
params.keydest = *++argv;
goto NXTARG;
case 'n': case 'n':
if (--argc <= 0) if (--argc <= 0)
usage (); usage ();
@ -633,8 +638,9 @@ usage ()
fprintf(stderr, " -D => set options for device tree compiler\n" fprintf(stderr, " -D => set options for device tree compiler\n"
" -f => input filename for FIT source\n"); " -f => input filename for FIT source\n");
#ifdef CONFIG_FIT_SIGNATURE #ifdef CONFIG_FIT_SIGNATURE
fprintf(stderr, "Signing / verified boot options: [-k keydir]\n" fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb]\n"
" -k => set directory containing private keys\n"); " -k => set directory containing private keys\n"
" -K => write public keys to this .dtb file\n");
#else #else
fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
#endif #endif

1
tools/mkimage.h
View File

@ -88,6 +88,7 @@ struct mkimage_params {
char *imagefile; char *imagefile;
char *cmdname; char *cmdname;
const char *keydir; /* Directory holding private keys */ const char *keydir; /* Directory holding private keys */
const char *keydest; /* Destination .dtb for public key */
}; };
/* /*