On Thu, 29 Jun 2023 at 15:59, <lukas.funke-...@weidmueller.com> wrote: > > From: Lukas Funke <lukas.fu...@weidmueller.com> > > This adds a new etype 'u_boot_spl_pubkey_dtb'. The etype adds the public > key from a certificate to the dtb. This creates a '/signature' node which > in turn contains the fields which make up the public key. Usually this > is done by 'mkimage -K'. However, 'binman sign' does not add the public > key to the SPL. This is why the pubkey is added using this etype. > > The etype calls the underlying 'fdt_add_pubkey' tool. > > Signed-off-by: Lukas Funke <lukas.fu...@weidmueller.com> > --- > > tools/binman/etype/u_boot_spl_pubkey_dtb.py | 105 ++++++++++++++++++++ > 1 file changed, 105 insertions(+) > create mode 100644 tools/binman/etype/u_boot_spl_pubkey_dtb.py
Please can you use 'binman entry-docs >tools/binman/entries.rst' and add to patch? > >
> diff --git a/tools/binman/etype/u_boot_spl_pubkey_dtb.py > b/tools/binman/etype/u_boot_spl_pubkey_dtb.py
> new file mode 100644
> index 0000000000..25aa817975
> --- /dev/null
> +++ b/tools/binman/etype/u_boot_spl_pubkey_dtb.py 
> @@ -0,0 +1,105 @@
> +# SPDX-License-Identifier: GPL-2.0+
> +# Copyright (c) 2023 Weidmueller GmbH
> +# Written by Lukas Funke <lukas.fu...@weidmueller.com>
> +#
> +# Entry-type module for 'u-boot-spl-pubkey.dtb'
> +#
> +
> +import tempfile
> +import os
> +
> +from binman.etype.blob_dtb import Entry_blob_dtb
> +
> +from dtoc import fdt_util
> +
> +from u_boot_pylib import tools
> +
> +# pylint: disable=C0103
> +class Entry_u_boot_spl_pubkey_dtb(Entry_blob_dtb):
> + """U-Boot SPL device tree including public key
> +
> + Properties / Entry arguments:
> + - key-name: Public key name without extension (e.g. .crt). Default is
> + determined by underlying bintool (fdt_add_pubkey),
> + usually 'key'
> + - algo: (Optional) Algorithm used for signing. Default is determined > by
> + underlying bintool (fdt_add_pubkey), usually 'sha1,rsa2048'
> + - required: (Optional) If present this indicates that the key must be
> + verified for the image / configuration to be
> + considered valid
> +
> + The following example shows an image containing an SPL which
> + is packed together with the dtb. Binman will add a signature
> + node to the dtb:
> +
> + image {
> + ...
> + spl {
> + filename = "spl.bin"
> +
> + u_boot_spl_nodtb {
> + };
> + u_boot_spl_pubkey_dtb {
> + algo = "sha384,rsa4096";
> + required = "conf";
> + key-name = "dev";
> + };
> + };
> + ...
> + }
> + """
> +
> + def __init__(self, section, etype, node):
> + # Put this here to allow entry-docs and help to work without libfdt
> + global state
> + from binman import state
> +
> + super().__init__(section, etype, node)
> + self.required_props = ['key-name']
> + self.fdt_add_pubkey = None
> + self._algo = fdt_util.GetString(self._node, 'algo')
> + self._required = fdt_util.GetString(self._node, 'required')
> + self._keyname = fdt_util.GetString(self._node, 'key-name')
> +
> + def ObtainContents(self, fake_size=0):
> + """ Add public key which is pointed out by Please check comment style. 
The first line should a summary, then a blank line, then more info
> + 'key-name' to node 'signature' in the spl-dtb
> +
> + This is equivalent to the '-K' option of 'mkimage'
> +
> + Args:
> + fake_size (int): unused
> + """
> +
> + # We don't pass fake_size and skip_entry upwards
> + # because this is currently not support by the blob type supported
> + super().ObtainContents()
> +
> + with tempfile.NamedTemporaryFile(prefix=os.path.basename(
> + self.GetFdtEtype()),
> + dir=tools.get_output_dir())\
> + as pubkey_tdb:
> + tools.write_file(pubkey_tdb.name, self.GetData())
> + keyname = tools.get_input_filename(self._keyname + ".crt")
> + self.fdt_add_pubkey.run(pubkey_tdb.name,
> + os.path.dirname(keyname),
> + self._keyname,
> + self._required, self._algo)
> + dtb = tools.read_file(pubkey_tdb.name)
> + self.SetContents(dtb)
> + state.UpdateFdtContents(self.GetFdtEtype(), dtb)
> +
> + return True
> +
> + # pylint: disable=R0201,C0116
> + def GetDefaultFilename(self):
> + return 'spl/u-boot-spl-pubkey.dtb'
> +
> + # pylint: disable=R0201,C0116
> + def GetFdtEtype(self):
> + return 'u-boot-spl-dtb'
> +
> + # pylint: disable=R0201,C0116
> + def AddBintools(self, btools):
> + super().AddBintools(btools)
> + self.fdt_add_pubkey = self.AddBintool(btools, 'fdt_add_pubkey')
> -- > 2.30.2 > Reviewed-by: Simon Glass <s...@chromium.org> Regards, Simon
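Review bot: The result of `self.fdt_add_pubkey.run(...)` in ObtainContents is never checked, so when the fdt_add_pubkey bintool is unavailable the entry reads the untouched temp file back, calls SetContents with a dtb that has no '/signature' node and still returns True, which yields an image whose SPL cannot verify anything without any build-time error. Other binman etypes treat a None result from a bintool as "tool missing", and the same pattern fits here: `if self.fdt_add_pubkey.run(...) is None:` followed by `self.record_missing_bintool(self.fdt_add_pubkey)` and `return False`, keeping the SetContents/UpdateFdtContents calls on the success path only. It would also help to state in the method docstring that the public key is read from `<key-name>.crt` in the input directory, since that convention is only visible from the get_input_filename call.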