diff options
author | Sean Anderson <sean.anderson@seco.com> | 2022-05-16 16:11:08 -0400 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2022-06-06 18:01:20 -0400 |
commit | 87b0af9317cb4105f3f29cb0a4c28c7cd87ea65f (patch) | |
tree | 34dbf5df7e5c357a8ba32c0ab3c10310c7a6f5b8 /tools/fit_image.c | |
parent | 5920e5c838d1b6647878e51c0b9b8c9e4eaf1928 (diff) |
mkimage: Support signing 'auto' FITs
This adds support for signing images in auto-generated FITs. To do this,
we need to add a signature node. The algorithm name property already has
its own option, but we need one for the key name hint. We could have
gone the -G route and added an explicit name for the public key (like
what is done for the private key). However, many places assume the
public key can be constructed from the key dir and hint, and I don't
want to do the refactoring necessary.
As a consequence of this, it is now easier to add public keys to an
existing image without signing something. This could be done all along,
but now you don't have to create an its just to do it. Ideally, we
wouldn't create a FIT at the end. This could be done by calling
fit_image_setup_sig/info.crypto->add_verify_data directly.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Diffstat (limited to 'tools/fit_image.c')
-rw-r--r-- | tools/fit_image.c | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/tools/fit_image.c b/tools/fit_image.c index 1884a2eb0b..979f2411ee 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -199,15 +199,36 @@ static void get_basename(char *str, int size, const char *fname) } /** - * add_crc_node() - Add a hash node to request a CRC checksum for an image + * add_hash_node() - Add a hash or signature node * + * @params: Image parameters * @fdt: Device tree to add to (in sequential-write mode) + * + * If there is a key name hint, try to sign the images. Otherwise, just add a + * CRC. + * + * Return: 0 on success, or -1 on failure */ -static void add_crc_node(void *fdt) +static int add_hash_node(struct image_tool_params *params, void *fdt) { - fdt_begin_node(fdt, "hash-1"); - fdt_property_string(fdt, FIT_ALGO_PROP, "crc32"); + if (params->keyname) { + if (!params->algo_name) { + fprintf(stderr, + "%s: Algorithm name must be specified\n", + params->cmdname); + return -1; + } + + fdt_begin_node(fdt, "signature-1"); + fdt_property_string(fdt, FIT_ALGO_PROP, params->algo_name); + fdt_property_string(fdt, FIT_KEY_HINT, params->keyname); + } else { + fdt_begin_node(fdt, "hash-1"); + fdt_property_string(fdt, FIT_ALGO_PROP, "crc32"); + } + fdt_end_node(fdt); + return 0; } /** @@ -248,7 +269,9 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) ret = fdt_property_file(params, fdt, FIT_DATA_PROP, params->datafile); if (ret) return ret; - add_crc_node(fdt); + ret = add_hash_node(params, fdt); + if (ret) + return ret; fdt_end_node(fdt); /* Now the device tree files if available */ @@ -271,7 +294,9 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) genimg_get_arch_short_name(params->arch)); fdt_property_string(fdt, FIT_COMP_PROP, genimg_get_comp_short_name(IH_COMP_NONE)); - add_crc_node(fdt); + ret = add_hash_node(params, fdt); + if (ret) + return ret; fdt_end_node(fdt); } @@ -289,7 +314,9 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) params->fit_ramdisk); if (ret) return ret; - add_crc_node(fdt); + ret = add_hash_node(params, fdt); + if (ret) + return ret; fdt_end_node(fdt); } |