diff options
author | Simon Glass <sjg@chromium.org> | 2013-06-13 15:10:04 -0700 |
---|---|---|
committer | Tom Rini <trini@ti.com> | 2013-06-26 10:18:56 -0400 |
commit | e29495d37f7c0533d365004ca475218250351c93 (patch) | |
tree | 1ce4db084dea8f629a934abef35140cd79e2b127 | |
parent | 80e4df8ac661ada5308f3bffebe4e6fae1f8e990 (diff) | |
download | u-boot-imx-e29495d37f7c0533d365004ca475218250351c93.zip u-boot-imx-e29495d37f7c0533d365004ca475218250351c93.tar.gz u-boot-imx-e29495d37f7c0533d365004ca475218250351c93.tar.bz2 |
mkimage: Add -K to write public keys to an FDT blob
FIT image verification requires public keys. Add a convenient option to
mkimage to write the public keys to an FDT blob when it uses then for
signing an image. This allows us to use:
mkimage -f test.its -K dest.dtb -k keys test.fit
and have the signatures written to test.fit and the corresponding public
keys written to dest.dtb. Then dest.dtb can be used as the control FDT
for U-Boot (CONFIG_OF_CONTROL), thus providing U-Boot with access to the
public keys it needs.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
-rw-r--r-- | doc/mkimage.1 | 16 | ||||
-rw-r--r-- | tools/fit_image.c | 21 | ||||
-rw-r--r-- | tools/mkimage.c | 10 | ||||
-rw-r--r-- | tools/mkimage.h | 1 |
4 files changed, 44 insertions, 4 deletions
diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 6740fb1..8185ff5 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1 @@ -109,6 +109,14 @@ Specifies the directory containing keys to use for signing. This directory should contain a private key file <name>.key for use with signing and a certificate <name>.crt (containing the public key) for use with verification. +.TP +.BI "\-K [" "key_destination" "]" +Specifies a compiled device tree binary file (typically .dtb) to write +public key information into. When a private key is used to sign an image, +the corresponding public key is written into this file for for run-time +verification. Typically the file here is the device tree binary used by +CONFIG_OF_CONTROL in U-Boot. + .SH EXAMPLES List image information: @@ -127,6 +135,14 @@ Create FIT image with compressed PowerPC Linux kernel: .nf .B mkimage -f kernel.its kernel.itb .fi +.P +Create FIT image with compressed kernel and sign it with keys in the +/public/signing-keys directory. Add corresponding public keys into u-boot.dtb, +skipping those for which keys cannot be found. Also add a comment. +.nf +.B mkimage -f kernel.its -k /public/signing-keys -K u-boot.dtb \\\\ +-c "Kernel 3.8 image for production devices" kernel.itb +.fi .SH HOMEPAGE http://www.denx.de/wiki/U-Boot/WebHome diff --git a/tools/fit_image.c b/tools/fit_image.c index 339e0f8..b17fa2d 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -105,9 +105,11 @@ static int fit_handle_file (struct mkimage_params *params) { char tmpfile[MKIMAGE_MAX_TMPFILE_LEN]; char cmd[MKIMAGE_MAX_DTC_CMDLINE_LEN]; - int tfd; + int tfd, destfd = 0; + void *dest_blob = NULL; struct stat sbuf; void *ptr; + off_t destfd_size = 0; /* Flattened Image Tree (FIT) format handling */ debug ("FIT format handling\n"); @@ -132,12 +134,20 @@ static int fit_handle_file (struct mkimage_params *params) goto err_system; } + if (params->keydest) { + destfd = mmap_fdt(params, params->keydest, &dest_blob, &sbuf); + if (destfd < 0) + goto err_keydest; + destfd_size = sbuf.st_size; + } + tfd = mmap_fdt(params, tmpfile, &ptr, &sbuf); if (tfd < 0) goto err_mmap; /* set hashes for images in the blob */ - if (fit_add_verification_data(params->keydir, NULL, ptr, NULL, 0)) { + if (fit_add_verification_data(params->keydir, dest_blob, ptr, + NULL, 0)) { fprintf (stderr, "%s Can't add hashes to FIT blob", params->cmdname); goto err_add_hashes; @@ -153,6 +163,10 @@ static int fit_handle_file (struct mkimage_params *params) munmap ((void *)ptr, sbuf.st_size); close (tfd); + if (dest_blob) { + munmap(dest_blob, destfd_size); + close(destfd); + } if (rename (tmpfile, params->imagefile) == -1) { fprintf (stderr, "%s: Can't rename %s to %s: %s\n", @@ -168,6 +182,9 @@ err_add_timestamp: err_add_hashes: munmap(ptr, sbuf.st_size); err_mmap: + if (dest_blob) + munmap(dest_blob, destfd_size); +err_keydest: err_system: unlink(tmpfile); return -1; diff --git a/tools/mkimage.c b/tools/mkimage.c index def7df2..3760392 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -253,6 +253,11 @@ main (int argc, char **argv) usage(); params.keydir = *++argv; goto NXTARG; + case 'K': + if (--argc <= 0) + usage(); + params.keydest = *++argv; + goto NXTARG; case 'n': if (--argc <= 0) usage (); @@ -633,8 +638,9 @@ usage () fprintf(stderr, " -D => set options for device tree compiler\n" " -f => input filename for FIT source\n"); #ifdef CONFIG_FIT_SIGNATURE - fprintf(stderr, "Signing / verified boot options: [-k keydir]\n" - " -k => set directory containing private keys\n"); + fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb]\n" + " -k => set directory containing private keys\n" + " -K => write public keys to this .dtb file\n"); #else fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n"); #endif diff --git a/tools/mkimage.h b/tools/mkimage.h index 059e124..63b9b4f 100644 --- a/tools/mkimage.h +++ b/tools/mkimage.h @@ -88,6 +88,7 @@ struct mkimage_params { char *imagefile; char *cmdname; const char *keydir; /* Directory holding private keys */ + const char *keydest; /* Destination .dtb for public key */ }; /* |