Re: [PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
On Thu, Jan 05, 2023 at 10:31:09AM +0100, Massimo Pegorer wrote:

> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Adding also -K and
> -r options, will add public key to file with required = "conf"
> property.
>
> Summary:
>     -f auto                     => FIT with crc32 images
>     -f auto -g ... -o ...       => FIT with signed images
>     -f auto-conf -g ... -o ...  => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; public key (needed to verify signatures) is
> added to u-boot.dtb with required = "conf" property.
>
>     mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e0 \
>         -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
>         -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
>         -K u-boot.dtb -r kernel.itb
>
> Example: Add public key with required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
>     mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
>         -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer
> Reviewed-by: Simon Glass

Applied to u-boot/master, thanks!

--
Tom
Re: [PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
On Thu, 5 Jan 2023 at 02:31, Massimo Pegorer wrote:
>
> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Adding also -K and
> -r options, will add public key to file with required = "conf"
> property.
>
> Summary:
>     -f auto                     => FIT with crc32 images
>     -f auto -g ... -o ...       => FIT with signed images
>     -f auto-conf -g ... -o ...  => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; public key (needed to verify signatures) is
> added to u-boot.dtb with required = "conf" property.
>
>     mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e0 \
>         -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
>         -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
>         -K u-boot.dtb -r kernel.itb
>
> Example: Add public key with required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
>     mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
>         -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer
>
> ---
> The commit includes: patch for adding the new feature to mkimage tool;
> updated man page, with description of the new feature and examples,
> plus fixes to wrong/misleading information; test for all of the three
> flavours of auto-FIT (crc32 images, signed images, sha1 hashed images
> and signed configurations).
>
>  doc/mkimage.1 | 119 +++-
>  test/py/tests/test_fit_auto_signed.py | 195 ++
>  tools/fit_image.c | 75 ++
>  tools/imagetool.h | 10 +-
>  tools/mkimage.c | 21 ++-
>  5 files changed, 353 insertions(+), 67 deletions(-)
>  create mode 100644 test/py/tests/test_fit_auto_signed.py

Reviewed-by: Simon Glass

We currently avoid using the fdt library in tools/dtoc in tests but
perhaps this policy needs to be changed, as this patch shows.

One option would be to create a new tools/u_boot_lib directory with
the shared functions currently in tools/patman etc., then allow use of
that in tests.

Regards,
Simon
[PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
Extend support for signing in auto-generated (-f auto) FIT. Previously,
it was possible to get signed 'images' subnodes in the FIT using
options -g and -o together with -f auto. This patch allows signing
'configurations' subnodes instead of 'images' ones (which are hashed),
using option -f auto-conf instead of -f auto. Adding also -K and
-r options, will add public key to file with required = "conf"
property.

Summary:
    -f auto                     => FIT with crc32 images
    -f auto -g ... -o ...       => FIT with signed images
    -f auto-conf -g ... -o ...  => FIT with sha1 images and signed confs

Example: FIT with kernel, two device tree files, and signed
configurations; public key (needed to verify signatures) is
added to u-boot.dtb with required = "conf" property.

    mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e0 \
        -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
        -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
        -K u-boot.dtb -r kernel.itb

Example: Add public key with required = "conf" property to u-boot.dtb
without needing to sign anything. This will also create a useless FIT
named unused.itb.

    mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
        -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb

Signed-off-by: Massimo Pegorer
---
The commit includes: patch for adding the new feature to mkimage tool;
updated man page, with description of the new feature and examples,
plus fixes to wrong/misleading information; test for all of the three
flavours of auto-FIT (crc32 images, signed images, sha1 hashed images
and signed configurations).

 doc/mkimage.1 | 119 +++-
 test/py/tests/test_fit_auto_signed.py | 195 ++
 tools/fit_image.c | 75 ++
 tools/imagetool.h | 10 +-
 tools/mkimage.c | 21 ++-
 5 files changed, 353 insertions(+), 67 deletions(-)
 create mode 100644 test/py/tests/test_fit_auto_signed.py

diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 353ea8b2f7..d8727ec73c 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1
@@ -22,7 +22,8 @@ mkimage \- generate images for U-Boot .SY mkimage .RI [ option\~ .\|.\|.\&] .BI \-f\~ image-tree-source-file\c -.RB | auto +.RB | auto\c +.RB | auto-conf .I image-file-name .YS . @@ -296,9 +297,9 @@ FIT. See for details on using external data. . .TP -\fB\-f \fIimage-tree-source-file\fR | \fBauto +\fB\-f \fIimage-tree-source-file\fR | \fBauto\fR | \fBauto-conf .TQ -\fB\-\-fit \fIimage-tree-source-file\fR | \fBauto +\fB\-\-fit \fIimage-tree-source-file\fR | \fBauto\fR | \fBauto-conf Image tree source file that describes the structure and contents of the FIT image. .IP @@ -317,7 +318,25 @@ and options may be used to specify the image to include in the FIT and its attributes. No .I image-tree-source-file -is required. +is required. The +.BR \-g , +.BR \-o , +and +.B \-k +or +.B \-G +options may be used to get \(oqimages\(cq signed subnodes in the generated +auto FIT. Instead, to get \(oqconfigurations\(cq signed subnodes and +\(oqimages\(cq hashed subnodes, pass +.BR "\-f auto-conf". +In this case +.BR \-g , +.BR \-o , +and +.B \-k +or +.B \-G +are mandatory options. . .TP .B \-F @@ -348,16 +367,16 @@ for use with signing, and a certificate necessary when embedding it into another device tree using .BR \-K . .I name -defaults to the value of the signature node's \(oqkey-name-hint\(cq property, -but may be overridden using -.BR \-g . +is the value of the signature node's \(oqkey-name-hint\(cq property. . .TP .BI \-G " key-file" .TQ .BI \-\-key\-file " key-file" Specifies the private key file to use when signing. This option may be used -instead of \-k. +instead of \-k. Useful when the private key file basename does not match +\(oqkey-name-hint\(cq value. But note that it may lead to unexpected results +when used together with -K and/or -k options. . .TP .BI \-K " key-destination" 
@@ -373,49 +392,50 @@ CONFIG_OF_CONTROL in U-Boot. .BI \-g " key-name-hint" .TQ .BI \-\-key\-name\-hint " key-name-hint" -Overrides the signature node's \(oqkey-name-hint\(cq property. This is -especially useful when signing an image with -.BR "\-f auto" . -This is the -.I name -part of the key. The directory part is set by -.BR \-k . -This option also indicates that the images included in the FIT should be signed. -If this option is specified, then +Specifies the value of signature node \(oqkey-name-hint\(cq property for +an automatically generated FIT image. It makes sense only when used with +.B "\-f auto" +or +.BR "\-f auto-conf". +This option also indicates that the images or configurations included in +the FIT should be signed. If this option is specified, then .B \-o must be specified as well. . .TP -.BI \-o " crypto" , checksum +.BI \-o " checksum" , crypto .TQ -.BI \-\-algo " crypto" , checksum -Specifies the algorithm to be used for signing a FIT image. The
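Review bot: In the @@ -348,16 hunk, the sentence added to the -G description warns that the option "may lead to unexpected results when used together with -K and/or -k options" without saying what those results are. For a signing tool the man page should state the concrete behaviour, for example which private key signs and which public key is written to the -K destination when -G, -k and the key-name-hint do not refer to the same key, so that a mismatch between the signing key and the embedded verification key cannot go unnoticed. The same sentence writes -K and -k with plain hyphens while the line just above it uses \-k; escape them the same way.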
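Review bot: In the @@ -373,49 hunk the added request '.BR "\-f auto-conf".' attaches the sentence period directly to the closing quote, whereas the removed line used '.BR "\-f auto" .' with the period as a separate argument. Keep a space before the period so it is set in roman and the quoted argument ends cleanly; the same form appears in the text added by the @@ -317,7 hunk and should be changed there too.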
Re: [PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
Hi Pegorer,

On Sun, 11 Dec 2022 at 06:54, Pegorer Massimo wrote:
>
> Hi,
>
> The patch follows, as per discussion in email thread "Patch proposal
> - mkimage: fit: Support signed conf 'auto' FITs". Let me know if you
> prefer something to be changed, or patch to be split in several
> commits.
>
> I have updated the man page with description of the new feature and
> examples. Also fixed some wrong or misleading information.
>
> ===

Use:

Commit-notes:
notes go here
END

(assuming you are using patman)

We don't want the message above to appear in the commit log.

>
> mkimage: fit: Support signed configurations in 'auto' FITs
>
> Extend support for signing in auto-generated (-f auto) FIT. Previously,
> it was possible to get signed 'images' subnodes in the FIT using
> options -g and -o together with -f auto. This patch allows signing
> 'configurations' subnodes instead of 'images' ones (which are hashed),
> using option -f auto-conf instead of -f auto. Adding also -K and
> -r options, will add public key to file with required = "conf"
> property.
>
> Summary:
>     -f auto                     => FIT with crc32 images
>     -f auto -g ... -o ...       => FIT with signed images
>     -f auto-conf -g ... -o ...  => FIT with sha1 images and signed confs
>
> Example: FIT with kernel, two device tree files, and signed
> configurations; public key (needed to verify signatures) is
> added to u-boot.dtb with required = "conf" property.
>
>     mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e0 \
>         -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
>         -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
>         -K u-boot.dtb -r kernel.itb
>
> Example: Add public key with required = "conf" property to u-boot.dtb
> without needing to sign anything. This will also create a useless FIT
> named unused.itb.
>
>     mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
>         -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
>
> Signed-off-by: Massimo Pegorer
> ---
>  doc/mkimage.1 | 119 --
>  tools/fit_image.c | 75 +++--
>  tools/imagetool.h | 10 +++-
>  tools/mkimage.c | 23 +++--
>  4 files changed, 160 insertions(+), 67 deletions(-)

Looks good, but it does need a test, please.

See test/py/tests/fit.py for an example

https://u-boot.readthedocs.io/en/latest/develop/py_testing.html

Regards,
Simon
[PATCH] mkimage: fit: Support signed configurations in 'auto' FITs
Hi,

The patch follows, as per discussion in email thread "Patch proposal
- mkimage: fit: Support signed conf 'auto' FITs". Let me know if you
prefer something to be changed, or patch to be split in several
commits.

I have updated the man page with description of the new feature and
examples. Also fixed some wrong or misleading information.

===

mkimage: fit: Support signed configurations in 'auto' FITs

Extend support for signing in auto-generated (-f auto) FIT. Previously,
it was possible to get signed 'images' subnodes in the FIT using
options -g and -o together with -f auto. This patch allows signing
'configurations' subnodes instead of 'images' ones (which are hashed),
using option -f auto-conf instead of -f auto. Adding also -K and
-r options, will add public key to file with required = "conf"
property.

Summary:
    -f auto                     => FIT with crc32 images
    -f auto -g ... -o ...       => FIT with signed images
    -f auto-conf -g ... -o ...  => FIT with sha1 images and signed confs

Example: FIT with kernel, two device tree files, and signed
configurations; public key (needed to verify signatures) is
added to u-boot.dtb with required = "conf" property.

    mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e0 \
        -e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
        -k /folder/with/key-files -g keyname -o sha256,rsa4096 \
        -K u-boot.dtb -r kernel.itb

Example: Add public key with required = "conf" property to u-boot.dtb
without needing to sign anything. This will also create a useless FIT
named unused.itb.

    mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
        -g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb

Signed-off-by: Massimo Pegorer
---
 doc/mkimage.1 | 119 --
 tools/fit_image.c | 75 +++--
 tools/imagetool.h | 10 +++-
 tools/mkimage.c | 23 +++--
 4 files changed, 160 insertions(+), 67 deletions(-)

diff --git a/doc/mkimage.1 b/doc/mkimage.1 index 353ea8b2f7..d8727ec73c 100644 --- a/doc/mkimage.1 +++ b/doc/mkimage.1
@@ -22,7 +22,8 @@ mkimage \- generate images for U-Boot .SY mkimage .RI [ option\~ .\|.\|.\&] .BI \-f\~ image-tree-source-file\c -.RB | auto +.RB | auto\c +.RB | auto-conf .I image-file-name .YS . @@ -296,9 +297,9 @@ FIT. See for details on using external data. . .TP -\fB\-f \fIimage-tree-source-file\fR | \fBauto +\fB\-f \fIimage-tree-source-file\fR | \fBauto\fR | \fBauto-conf .TQ -\fB\-\-fit \fIimage-tree-source-file\fR | \fBauto +\fB\-\-fit \fIimage-tree-source-file\fR | \fBauto\fR | \fBauto-conf Image tree source file that describes the structure and contents of the FIT image. .IP @@ -317,7 +318,25 @@ and options may be used to specify the image to include in the FIT and its attributes. No .I image-tree-source-file -is required. +is required. The +.BR \-g , +.BR \-o , +and +.B \-k +or +.B \-G +options may be used to get \(oqimages\(cq signed subnodes in the generated +auto FIT. Instead, to get \(oqconfigurations\(cq signed subnodes and +\(oqimages\(cq hashed subnodes, pass +.BR "\-f auto-conf". +In this case +.BR \-g , +.BR \-o , +and +.B \-k +or +.B \-G +are mandatory options. . .TP .B \-F @@ -348,16 +367,16 @@ for use with signing, and a certificate necessary when embedding it into another device tree using .BR \-K . .I name -defaults to the value of the signature node's \(oqkey-name-hint\(cq property, -but may be overridden using -.BR \-g . +is the value of the signature node's \(oqkey-name-hint\(cq property. . .TP .BI \-G " key-file" .TQ .BI \-\-key\-file " key-file" Specifies the private key file to use when signing. This option may be used -instead of \-k. +instead of \-k. Useful when the private key file basename does not match +\(oqkey-name-hint\(cq value. But note that it may lead to unexpected results +when used together with -K and/or -k options. . .TP .BI \-K " key-destination" 
@@ -373,49 +392,50 @@ CONFIG_OF_CONTROL in U-Boot. .BI \-g " key-name-hint" .TQ .BI \-\-key\-name\-hint " key-name-hint" -Overrides the signature node's \(oqkey-name-hint\(cq property. This is -especially useful when signing an image with -.BR "\-f auto" . -This is the -.I name -part of the key. The directory part is set by -.BR \-k . -This option also indicates that the images included in the FIT should be signed. -If this option is specified, then +Specifies the value of signature node \(oqkey-name-hint\(cq property for +an automatically generated FIT image. It makes sense only when used with +.B "\-f auto" +or +.BR "\-f auto-conf". +This option also indicates that the images or configurations included in +the FIT should be signed. If this option is specified, then .B \-o must be specified as well. . .TP -.BI \-o " crypto" , checksum +.BI \-o " checksum" , crypto .TQ -.BI \-\-algo " crypto" , checksum -Specifies the algorithm to be used for signing a FIT image. The default is -taken from the signature node's \(oqalg
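Review bot: The paragraph added in the @@ -317,7 hunk says that -f auto-conf produces 'images' hashed subnodes but never names the hash algorithm, while the commit message summary states "sha1 images" and both examples pass -o sha256,rsa4096. Please document in this paragraph which algorithm hashes the images and whether the checksum given to -o affects it; the signed configuration protects the images only through those hashes, so a reader choosing sha256 for the signature needs to know the image hashes are sha1. If the image hash can follow the -o checksum instead of being fixed, that would be the safer default.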