diff options
| -rw-r--r-- | README.md | 23 | ||||
| -rwxr-xr-x | scripts/uboot-script-gen | 74 |
2 files changed, 65 insertions, 32 deletions
@@ -117,6 +117,29 @@ Where:\ produces a standard style of fit image without a script, but has issues with dom0less configurations and isn't recommended. \ -o specifies the output filename for the uboot script and its source.\ +-k specifies the key directory for signing images in a FIT image and the + hint. The hint is the name of the crt and key files minus the + suffix (<hint>.key, <hint>.crt). This is optional and but enables + signature for the fit or fit_std -t options.\ +-u specifies the U-boot control dtb. This is an optional argument but + can only be used in combination with the -k option. This adds the + public key into the dtb. Then one can add this dtb back into the + u-boot bin or elf.\ + +### Signed FIT images + +Signed FIT images are a way to sign images with asymmetrical keys. While +making the FIT image, images are signed with a private key; then during +boot U-Boot uses a public key in its control dtb to verify the +signatures. Some of the U-Boot config options needed are: +CONFIG_FIT_SIGNATURE=y\ +CONFIG_RSA=y\ +CONFIG_LEGACY_IMAGE_FORMAT=n\ + +Once U-boot is built, then take the control dtb, supply it to +Imagebuilder when building a signed image, then use it when booting. +For generating the keys and other documentation, see:\ +u-boot/doc/uImage.FIT/signature.txt\ ## scripts/disk\_image diff --git a/scripts/uboot-script-gen b/scripts/uboot-script-gen index e9e321f..2fad339 100755 --- a/scripts/uboot-script-gen +++ b/scripts/uboot-script-gen @@ -249,7 +249,7 @@ function print_help { script=`basename "$0"` echo "usage:" - echo " $script -c CONFIG_FILE -t UBOOT_TYPE -d DIRECTORY [-o FILE]" + echo " $script -c CONFIG_FILE -t UBOOT_TYPE -d DIRECTORY [-o FILE] [-k KEY_DIR/HINT [-u U-BOOT_DTB]]" echo " $script -h" echo "where:" echo " CONFIG_FILE - configuration file" @@ -262,6 +262,9 @@ function print_help echo " < > - used for uboot load commands" echo " DIRECTORY - root directory where the files of CONFIG_FILE are located" echo " FILE - output filename for the uboot script and its source, overrides option in CONFIG_FILE" + echo " KEY_DIR - key directory used for signing a fit image" + echo " HINT - the file name of the crt and key file minus the suffix (ex, hint.crt and hint.key)" + echo " U-BOOT_DTB - u-boot control dtb so that the public key gets added to it" echo " -h - prints out the help message and exits " echo "Defaults:" echo " CONFIG_FILE=$cfg_file, UBOOT_TYPE=\"LOAD_CMD\" env var, DIRECTORY=$uboot_dir" @@ -269,7 +272,7 @@ function print_help echo " $script -c ../config -d ./build42 -t \"scsi load 1:1\"" } -while getopts ":c:t:d:ho:" opt; do +while getopts ":c:t:d:ho:k:u:" opt; do case ${opt} in t ) case $OPTARG in @@ -302,6 +305,12 @@ while getopts ":c:t:d:ho:" opt; do o ) UBOOT_SCRIPT_ARG=$OPTARG ;; + k ) + FIT_ENC_KEY_DIR=$OPTARG + ;; + u ) + FIT_ENC_UB_DTB=$OPTARG + ;; h ) print_help exit 0 @@ -392,6 +401,26 @@ do i=$(( $i + 1 )) done +fit_algo=$'hash {\n algo = "md5";\n };' +if test "$FIT_ENC_KEY_DIR" || test "$FIT_ENC_UB_DTB" +then + if ! test "$FIT_ENC_KEY_DIR" && test "$FIT_ENC_UB_DTB" + then + echo "if encryption, you need to specify the key directory" + exit 1 + fi + + key_hint="${FIT_ENC_KEY_DIR##*/}" + key_dir="${FIT_ENC_KEY_DIR%/*}/" + + fit_enc_opt="-r -k $key_dir" + if test "$FIT_ENC_UB_DTB" + then + fit_enc_opt+=" -K $FIT_ENC_UB_DTB" + fi + fit_algo=$'signature {\n algo = \"sha1,rsa2048\";\n key-name-hint = \"'"$key_hint"$'\";\n};' +fi + # the cd is needed so that the relative paths will match once we use # tftp or move the files to a partition cd "$uboot_dir" @@ -520,9 +549,7 @@ then compression = "none"; load = <$xen_addr>; entry = <$xen_addr>; - hash { - algo = "md5"; - }; + $fit_algo }; host_fdt { description = "host fdt"; @@ -531,9 +558,7 @@ then arch = "arm64"; compression = "none"; load = <$device_tree_addr>; - hash { - algo = "md5"; - }; + $fit_algo }; dom0_linux { description = "dom0 linux kernel binary"; @@ -543,9 +568,7 @@ then os = "linux"; compression = "none"; load = <$dom0_kernel_addr>; - hash { - algo = "md5"; - }; + $fit_algo }; EOF if test "$DOM0_RAMDISK" @@ -560,9 +583,7 @@ then os = "linux"; compression = "none"; load = <$dom0_ramdisk_addr>; - hash { - algo = "md5"; - }; + $fit_algo }; EOF fi @@ -585,9 +606,7 @@ then os = "linux"; compression = "none"; load = <${domU_kernel_addr[$i]}>; - hash { - algo = "md5"; - }; + $fit_algo }; EOF if test "${DOMU_RAMDISK[$i]}" @@ -602,9 +621,7 @@ then os = "linux"; compression = "none"; load = <${domU_ramdisk_addr[$i]}>; - hash { - algo = "md5"; - }; + $fit_algo }; EOF fi @@ -619,9 +636,7 @@ then arch = "arm64"; compression = "none"; load = <${domU_passthrough_dtb_addr[$i]}>; - hash { - algo = "md5"; - }; + $fit_algo }; EOF fi @@ -638,18 +653,14 @@ then compression = "none"; load = <$uboot_addr>; entry = <$uboot_addr>; - hash { - algo = "md5"; - }; + $fit_algo }; EOF fi # end images echo ' };' >> "$its_file" - # config - if ! test "$LOAD_CMD" = "imxtract" - then - cat >> "$its_file" <<- EOF + # config, signing requires a config even if it isn't used + cat >> "$its_file" <<- EOF configurations { default = "config"; config { @@ -660,11 +671,10 @@ then }; }; EOF - fi # end echo '};' >> "$its_file" - mkimage -q -f "$its_file" "$fit" + mkimage -q -f "$its_file" $fit_enc_opt "$fit" else mkimage -A arm64 -T script -C none -a $uboot_addr -e $uboot_addr -d $UBOOT_SOURCE "$UBOOT_SCRIPT" &> /dev/null fi |