Extend support for signing in auto-generated (-f auto) FIT. Previously,
it was possible to get signed 'images' subnodes in the FIT using
options -g and -o together with -f auto. This patch allows signing
'configurations' subnodes instead of 'images' ones (which are hashed),
using option -f auto-conf instead of -f auto. Adding also -K <dtb> and
-r options, will add public key to <dtb> file with required = "conf"
property.
Summary:
-f auto => FIT with crc32 images
-f auto -g ... -o ... => FIT with signed images
-f auto-conf -g ... -o ... => FIT with sha1 images and signed confs
Example: FIT with kernel, two device tree files, and signed
configurations; public key (needed to verify signatures) is
added to u-boot.dtb with required = "conf" property.
mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e00000 \
-e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
-k /folder/with/key-files -g keyname -o sha256,rsa4096 \
-K u-boot.dtb -r kernel.itb
Example: Add public key with required = "conf" property to u-boot.dtb
without needing to sign anything. This will also create a useless FIT
named unused.itb.
mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
-g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
Signed-off-by: Massimo Pegorer <massimo.pegorer@vimar.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In case there's no struct image_type_params::set_header callback, no
"errno" will be set. Don't fail with an error message, followed by
"Success". Remove the printing of the human readable "errno" value.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
The copy_datafile(ifd, params.datafile) function has been
implemented to copy data by reducing the number of lines in the main
function.
Signed-off-by: Mikhail Ilin <ilin.mikhail.ol@gmail.com>
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
The mkimage command has had many options added over the years.
Unfortunately, we are starting to run out of short options. Recent options
don't have any obvious relation to their meaning (e.g. -o/-g). Fortunately,
long options exist. Add long options for each current short option.
For the curious, the remaining short options are HIkLmMPQSuUwWXyYzZ.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This adds support for signing images in auto-generated FITs. To do this,
we need to add a signature node. The algorithm name property already has
its own option, but we need one for the key name hint. We could have
gone the -G route and added an explicit name for the public key (like
what is done for the private key). However, many places assume the
public key can be constructed from the key dir and hint, and I don't
want to do the refactoring necessary.
As a consequence of this, it is now easier to add public keys to an
existing image without signing something. This could be done all along,
but now you don't have to create an its just to do it. Ideally, we
wouldn't create a FIT at the end. This could be done by calling
fit_image_setup_sig/info.crypto->add_verify_data directly.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Over the years, several options have not made it into the help message.
Document them. Do the same for the man page.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
If image backend provides verify_header callback then call it after writing
image to disk. This ensures that written image is correct.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
The sunxi_egon type used to take no -A argument (because we assume sunxi
targets are all ARM). However, as Allwinner D1 appears as the first
RISC-V sunxi target, we need to support -A; in addition, as external
projects rely on U-Boot mkimage to generate sunxi eGON.BT0 header, we
need to keep compatibility with command line without -A.
As the default value of arch in mkimage is not proper (IH_ARCH_PPC
instead of IH_ARCH_INVALID), to keep more compatibility, add an Aflag
field to image parameters to describe whether an architecture is
explicitly specified.
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
If parameter -F is given but FIT support is missing, a NULL pointer might
dereferenced (Coverity CID 350249).
If incorrect parameters are given, provide a message and show usage.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Currently -l option for mkimage and dumpimage ignores option -T and always
tries to autodetect image type.
With this change it is possible to tell mkimage and dumpimage to parse
image file as specific type (and not random autodetected type). This allows
to use mkimage -l or dumpimage -l as tool for validating image.
params.type for -l option is now by default initialized to zero
(IH_TYPE_INVALID) instead of IH_TYPE_KERNEL. imagetool_get_type() for
IH_TYPE_INVALID returns NULL, which is assigned to tparams. mkimage and
dumpimage code is extended to handle tparams with NULL for -l option. And
imagetool_verify_print_header() is extended to do validation via tparams if
is not NULL.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
At present mkimage displays the node information but it is not clear what
signing action was taken. Add a message that shows it. For now it only
supports showing a single signing action, since that is the common case.
Sample:
Signature written to 'sha1-basic/test.fit',
node '/configurations/conf-1/signature'
Public key written to 'sha1-basic/sandbox-u-boot.dtb',
node '/signature/key-dev'
Signed-off-by: Simon Glass <sjg@chromium.org>
The component st_size of struct stat is of type off_t. Depending on the
system printing it using %ld leads to a warning:
tools/mkimage.c:438:54: warning: format '%ld' expects argument of type
'long int', but argument 5 has type
'off_t' {aka 'long long int'} [-Wformat=]
438 | "%s: Bad size: \"%s\" is not valid image: size %ld < %u\n",
| ~~^
| |
| long int
| %lld
When comparing an off_t value to a 32bit integer we should not convert to
uint32_t but to off_t which may be wider.
Reported-by: Milan P. Stanić <mps@arvanta.net>
Fixes: 331f0800f1 ("mkimage: allow -l to work on block devices on Linux")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
This permits to prepare FIT image description that do not hard-code the
final choice of the signature algorithm, possibly requiring the user to
patch the sources.
When -o <algo> is specified, this information is used in favor of the
'algo' property in the signature node. Furthermore, that property is set
accordingly when writing the image.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The actual opt string is inlined - and different. Seems this was a
left-over from older versions of 603e26f763.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Currently, an empty imput file causes `mmap()` to fail, and you get an
error like "mkimage: Can't read file.img: Invalid argument", which is
extremely unintuitive and hard to diagnose if you don't know what to
look for. Add an explicit check for an empty file and provide a clear
error message instead.
We already bounds check the image size when listing and re-signing
existing images, so we only need this check here, when opening data
files going into a image.
Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When "mkimage -l" was run on a block device it would fail with
erroneous message, because fstat reports a size of zero for those:
mkimage: Bad size: "/dev/sdb4" is not valid image
This patch identifies the "is a block device" case and reports it as
such, and if it knows how to determine the size of a block device on
the current OS, proceeds.
As shown in
http://www.mit.edu/afs.new/sipb/user/tytso/e2fsprogs/lib/blkid/getsize.c
this is no portable task, and I only handled the case of a modern
Linux kernel, which is what I can test.
Signed-off-by: Yann Dirson <yann@blade-group.com>
It's not always desirable to use 'keydir' and some ad-hoc heuristics
to get the filename of the signing key. More often, just passing the
filename is the simpler, easier, and logical thing to do.
Since mkimage doesn't use long options, we're slowly running out of
letters. I've chosen '-G' because it was available.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
These commands were disabled when CONFIG_FIT_SIGNATURE is disabled, but
they do not depend on crypto support so they can be unconditionally
enabled.
Signed-off-by: Joel Stanley <joel@jms.id.au>
In show_valid_options(), this patch introduces checking whether
a category has an entry ID. If not, adding it to a list for output
is skipped before calling qsort().
This patch will affect all kinds of image header categories
(-A, -C, -O and -T flags).
Signed-off-by: Naoki Hayama <naoki.hayama@lineo.co.jp>
Reviewed-by: Simon Glass <sjg@chromium.org>
Normally the FIT timestamp is created the first time mkimage is run on a
FIT, when converting the source .its to the binary .fit file. This
corresponds to using the -f flag. But if the original input to mkimage is
a binary file (already compiled) then the timestamp is assumed to have
been set previously.
Add a -t flag to allow setting the timestamp in this case.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Normally the FIT timestamp is created the first time mkimage is run on a
FIT, when converting the source .its to the binary .fit file. This
corresponds to using the -f flag. But if the original input to mkimage is
a binary file (already compiled) then the timestamp is assumed to have
been set previously.
Add a -t flag to allow setting the timestamp in this case.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Add a new error message in case the size of data written
are shorter than the one expected.
Currently, it will lead to the following error message:
"mkimage: Write error on uImage: Success"
This is not explicit when the error is because the device
doesn't have enough space. Let's use a more understandable message:
"mkimage: Write only 4202432/4682240 bytes, probably no space left on the device"
Signed-off-by: Mylène Josserand <mylene.josserand@collabora.com>
Reviewed-by: Walter Lozano <walter.lozano@collabora.com>
GCC recognizes /* fallthrough */ if -Wimplicit-fallthrough=3 is enabled.
Let's use it consistently.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The image is usually stored in block device like emmc, SD card, make the
offset of image data aligned to block(512 byte) can avoid data copy
during boot process.
eg. SPL boot from FIT image with external data:
- SPL read the first block of FIT image, and then parse the header;
- SPL read image data separately;
- The first image offset is the base_offset which is the header size;
- The second image offset is just after the first image;
- If the offset of imge does not aligned, SPL will do memcpy;
The header size is a ramdon number, which is very possible not aligned, so
add '-B size'to specify the align size in hex for better performance.
example usage:
./tools/mkimage -E -f u-boot.its -B 0x200 u-boot.itb
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Reviewed-by: Tom Rini <trini@konsulko.com>
The ALIGN() is now available at imagetool.h, migrate to use it.
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Reviewed-by: Tom Rini <trini@konsulko.com>
There are multiple other openssl engines used by HSMs that can be used to
sign FIT images instead of forcing users to use pkcs11 type of service.
Relax engine selection so that other openssl engines can be specified and
use generic key id definition formula.
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Cc: Tom Rini <trini@konsulko.com>
FIT header verification in mkimage was treating a return code as a boolean,
which meant that failures in validating the fit were seen as successes.
Additionally, mkimage was checking all formats to find a header which
passes validation, rather than using the image type specified to
mkimage.
checkpatch.pl checks for lines ending with '(' and alignment matching
open parentheses are ignored to keep with existing coding style.
Signed-off-by: Jordan Hand <jorhand@microsoft.com>
i.MX8M bootable image type is like i.MX6/7, but there is signed HDMI
firmware image in front of A53 bootable image, which is also has an IVT
header.
Here we also include fit image to generate a bootable image.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Stefano Babic <sbabic@denx.de>
i.MX8/8X bootable image type is container type.
The bootable image, containers a container set which supports two
container. The 1st container is for SECO firmware, the 2nd container
needs to include scfw, m4_0/1 image, ACore images per your requirement.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
The set_header call in kwbimage.c adds a checksum to the end of the
image in addition to setting up the header. It 'helpfully' updates the
st_size to match the fact that the file is now longer. However, mkimage
uses this length in the munmap call. This can lead to unmapping an extra
page, of perhaps required data. When this happens, a SEGV can occur.
To prevent this from happening, the munmap call now uses the same length
that was passed to mmap. This could also have been fixed by not changing
the length in kwbimage.c, however changing it in the main file means
that other plugins will also not fall for the same trap.
Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Signed-off-by: Chris Packham <judge.packham@gmail.com>
[cp: resolve checkpatch complaints]
Tested-by: Chris Packham <judge.packham@gmail.com>
The officially described way to generate boot.bin files for ZynqMP is to
describe the contents of the target binary using a file of the "bif"
format. This file then links to other files that all get packed into a
bootable image.
This patch adds support to read such a .bif file and generate a respective
ZynqMP boot.bin file that can include the normal image and pmu files, but
also supports image partitions now. This makes it a handy replacement for
the proprietary "bootgen" utility that is currently used to generate
boot.bin files with FSBL.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
If generating a script image and no datafile has been passed in, mkimage
dies with SIGSEGV:
#0 __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
#1 0x0000000000403818 in main
at tools/mkimage.c:503
Add explicit test for datafile to fix this.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Commit 253c60a breaks the exit value of 'mkimage -T rkimage'
and print the following error:
mkimage: Can't print header for Rockchip Boot Image support: Success
It is not a failure to not print headers, so just display the warning message,
and finish the function properly.
Signed-off-by: Guillaume GARDET <guillaume.gardet@free.fr>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Since commit 5b9d44df23 (mkimage: Display a better list of available image
types) mkimage usage text suggest to "use -T to see a list of available image
types". Unfortunately, commit 02221f29deb8 (mkimage: Convert to use getopt())
broke that feature, because getopt() fails when -T has no option argument.
Add a pseudo image type name 'list' that lists all image types. Update the
usage text accordingly.
Cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Add support for signing with the pkcs11 engine. This allows FIT images
to be signed with keys securely stored on a smartcard, hardware security
module, etc without exposing the keys.
Support for other engines can be added in the future by modifying
rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct
correct key_id strings.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
When we want to use Secure Boot with HAB from SPL over U-Boot.img,
we need to append the IVT to the image and leave space for the CSF.
Images generated as firmware_ivt can directly be signed using the
Freescale code signing tool. For creation of a CSF, mkimage outputs
the correct HAB Blocks for the image.
The changes to the usual firmware image class are quite small,
that is why I implemented that directly into the default_image.
Cc: sbabic@denx.de
v2-Changes: None
Signed-off-by: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Tested-by: George McCollister <george.mccollister@gmail.com>
Adds -i option that allows specifying a ramdisk file to be added to the
FIT image when we are using the automatic FIT mode (no ITS file).
This makes adding Depthcharge support to LAVA much more convenient, as
no additional configuration files need to be kept around in the machine
that dispatches jobs to the boards.
Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Matt Hart <matthew.hart@linaro.org>
Cc: Neil Williams <codehelp@debian.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
The allocated memory should be freed. Fix it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Coverity (CID: 150963)
Reviewed-by: Tom Rini <trini@konsulko.com>
Inform getopt that '-c' requires a parameter.
Fixes: a02221f29d ("mkimage: Convert to use getopt()")
Signed-off-by: Karl Beldan <kbeldan@baylibre.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Update the error-handling code for -A, -C and -O to show a list of valid
options when an invalid one is provided.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Vinoth Eswaran <evinoth1206@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
The existing error code only displays image types which are claimed by a
particular U_BOOT_IMAGE_TYPE() driver. But this does not seem correct. The
mkimage tool should support all image types, so it makes sense to allow
creation of images of any type with the tool.
When an incorrect image type is provided, use generic code to display the
error.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Add a generic function which can display a list of items in any category.
This will allow displaying of images for the -A, -C, -O and -T flags. At
present only -T is supported.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>