tools: binman: add 'fit, encrypt' property to pass keys directory to mkimage

mkimage can be used both for signing the FIT and for encrypting its content, and
the option '-k' can be used to pass a directory from which both signing and
encryption keys are retrieved. Adding the 'fit,encrypt' property to the 'fit'
node makes binman look for the keys directory among its include directories.
_get_priv_keys_dir() is renamed to _get_keys_dir() and adapted to support both
signing and encryption nodes in the FIT.

Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Paul HENRYS
2024-11-25 18:47:16 +01:00
committed by Tom Rini
parent 79d7b11102
commit e2cc9b4fc1
3 changed files with 29 additions and 11 deletions


@@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool):
# pylint: disable=R0913 # pylint: disable=R0913
def run(self, reset_timestamp=False, output_fname=None, external=False, def run(self, reset_timestamp=False, output_fname=None, external=False,
pad=None, align=None, priv_keys_dir=None): pad=None, align=None, keys_dir=None):
"""Run mkimage """Run mkimage
Args: Args:
@@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool):
other things to be easily added later, if required, such as other things to be easily added later, if required, such as
signatures signatures
align: Bytes to use for alignment of the FIT and its external data align: Bytes to use for alignment of the FIT and its external data
priv_keys_dir: Path to directory containing private keys keys_dir: Path to directory containing private and encryption keys
version: True to get the mkimage version version: True to get the mkimage version
""" """
args = [] args = []
@@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool):
args += ['-B', f'{align:x}'] args += ['-B', f'{align:x}']
if reset_timestamp: if reset_timestamp:
args.append('-t') args.append('-t')
if priv_keys_dir: if keys_dir:
args += ['-k', f'{priv_keys_dir}'] args += ['-k', f'{keys_dir}']
if output_fname: if output_fname:
args += ['-F', output_fname] args += ['-F', output_fname]
return self.run_cmd(*args) return self.run_cmd(*args)


@@ -871,6 +871,13 @@ The top-level 'fit' node supports the following special properties:
-k flag. All the keys required for signing FIT must be available at -k flag. All the keys required for signing FIT must be available at
time of signing and must be located in single include directory. time of signing and must be located in single include directory.
fit,encrypt
Enable data encryption in FIT images via mkimage. If the property
is found, the keys path is detected among binman include
directories and passed to mkimage via -k flag. All the keys
required for encrypting the FIT must be available at the time of
encrypting and must be located in a single include directory.
Substitutions Substitutions
~~~~~~~~~~~~~ ~~~~~~~~~~~~~


@@ -110,6 +110,13 @@ class Entry_fit(Entry_section):
available at time of signing and must be located in single include available at time of signing and must be located in single include
directory. directory.
fit,encrypt
Enable data encryption in FIT images via mkimage. If the property
is found, the keys path is detected among binman include
directories and passed to mkimage via -k flag. All the keys
required for encrypting the FIT must be available at the time of
encrypting and must be located in a single include directory.
Substitutions Substitutions
~~~~~~~~~~~~~ ~~~~~~~~~~~~~
@@ -518,14 +525,14 @@ class Entry_fit(Entry_section):
# are removed from self._entries later. # are removed from self._entries later.
self._priv_entries = dict(self._entries) self._priv_entries = dict(self._entries)
def _get_priv_keys_dir(self, data): def _get_keys_dir(self, data):
"""Detect private keys path among binman include directories """Detect private and encryption keys path among binman include directories
Args: Args:
data: FIT image in binary format data: FIT image in binary format
Returns: Returns:
str: Single path containing all private keys found or None str: Single path containing all keys found or None
Raises: Raises:
ValueError: Filename 'rsa2048.key' not found in input path ValueError: Filename 'rsa2048.key' not found in input path
@@ -533,11 +540,14 @@ class Entry_fit(Entry_section):
""" """
def _find_keys_dir(node): def _find_keys_dir(node):
for subnode in node.subnodes: for subnode in node.subnodes:
if subnode.name.startswith('signature'): if (subnode.name.startswith('signature') or
subnode.name.startswith('cipher')):
if subnode.props.get('key-name-hint') is None: if subnode.props.get('key-name-hint') is None:
continue continue
hint = subnode.props['key-name-hint'].value hint = subnode.props['key-name-hint'].value
name = tools.get_input_filename(f"{hint}.key") name = tools.get_input_filename(
f"{hint}.key" if subnode.name.startswith('signature')
else f"{hint}.bin")
path = os.path.dirname(name) path = os.path.dirname(name)
if path not in paths: if path not in paths:
paths.append(path) paths.append(path)
@@ -587,8 +597,9 @@ class Entry_fit(Entry_section):
align = self._fit_props.get('fit,align') align = self._fit_props.get('fit,align')
if align is not None: if align is not None:
args.update({'align': fdt_util.fdt32_to_cpu(align.value)}) args.update({'align': fdt_util.fdt32_to_cpu(align.value)})
if self._fit_props.get('fit,sign') is not None: if (self._fit_props.get('fit,sign') is not None or
args.update({'priv_keys_dir': self._get_priv_keys_dir(data)}) self._fit_props.get('fit,encrypt') is not None):
args.update({'keys_dir': self._get_keys_dir(data)})
if self.mkimage.run(reset_timestamp=True, output_fname=output_fname, if self.mkimage.run(reset_timestamp=True, output_fname=output_fname,
**args) is None: **args) is None:
if not self.GetAllowMissing(): if not self.GetAllowMissing():
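Review bot: `_find_keys_dir` now collects the directories of both `<hint>.key` (signature nodes) and `<hint>.bin` (cipher nodes) into the same `paths` list and a single `keys_dir` is passed to mkimage, so when `fit,sign` and `fit,encrypt` are both set the signing and encryption keys apparently have to share one include directory, which the new `fit,encrypt` docstring text does not say. I would add a sentence such as `If fit,sign is also set, the signing and encryption keys must be located in the same directory.` The `Raises:` entry of `_get_keys_dir` still names only `'rsa2048.key'` and could read `ValueError: Key file ('<hint>.key' or '<hint>.bin') not found in input path`. How `paths` is handled after the loop lies outside the hunk, so the multi-directory behaviour should be confirmed there. Because that one directory then holds private signing keys next to symmetric encryption keys, the documentation could also note that it should be readable only by the build user.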