]> Git Repo - J-u-boot.git/blobdiff - tools/image-host.c
projects / J-u-boot.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
tools: kwbimage: Set BOOT_FROM by default to SPI
[J-u-boot.git] / tools / image-host.c
diff --git a/tools/image-host.c b/tools/image-host.c
index 5e4d690714160dcd68932f8eb6cf728640532ea6..a6b0a9442059d4c901ec4cdec2ec880149e0b13e 100644 (file)
--- a/tools/image-host.c
+++ b/tools/image-host.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0+
 /*
  * Copyright (c) 2013, Google Inc.
  *
@@ -5,12 +6,11 @@
  *
  * (C) Copyright 2000-2006
  * Wolfgang Denk, DENX Software Engineering, [email protected].
- *
- * SPDX-License-Identifier:    GPL-2.0+
  */
 
 #include "mkimage.h"
 #include <bootm.h>
+#include <fdt_region.h>
 #include <image.h>
 #include <version.h>
 
@@ -107,7 +107,7 @@ static int fit_image_process_hash(void *fit, const char *image_name,
  */
 static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
                int value_len, const char *comment, const char *region_prop,
-               int region_proplen)
+               int region_proplen, const char *cmdname)
 {
        int string_size;
        int ret;
@@ -129,13 +129,20 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
        }
        if (comment && !ret)
                ret = fdt_setprop_string(fit, noffset, "comment", comment);
-       if (!ret)
-               ret = fit_set_timestamp(fit, noffset, time(NULL));
+       if (!ret) {
+               time_t timestamp = imagetool_get_source_date(cmdname,
+                                                            time(NULL));
+               uint32_t t = cpu_to_uimage(timestamp);
+
+               ret = fdt_setprop(fit, noffset, FIT_TIMESTAMP_PROP, &t,
+                       sizeof(uint32_t));
+       }
        if (region_prop && !ret) {
                uint32_t strdata[2];
 
                ret = fdt_setprop(fit, noffset, "hashed-nodes",
                                   region_prop, region_proplen);
+               /* This is a legacy offset, it is unused, and must remain 0. */
                strdata[0] = 0;
                strdata[1] = cpu_to_fdt32(string_size);
                if (!ret) {
@@ -148,11 +155,13 @@ static int fit_image_write_sig(void *fit, int noffset, uint8_t *value,
 }
 
 static int fit_image_setup_sig(struct image_sign_info *info,
-               const char *keydir, void *fit, const char *image_name,
-               int noffset, const char *require_keys, const char *engine_id)
+               const char *keydir, const char *keyfile, void *fit,
+               const char *image_name, int noffset, const char *require_keys,
+               const char *engine_id)
 {
        const char *node_name;
        char *algo_name;
+       const char *padding_name;
 
        node_name = fit_get_name(fit, noffset, NULL);
        if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
@@ -161,14 +170,18 @@ static int fit_image_setup_sig(struct image_sign_info *info,
                return -1;
        }
 
+       padding_name = fdt_getprop(fit, noffset, "padding", NULL);
+
        memset(info, '\0', sizeof(*info));
        info->keydir = keydir;
-       info->keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+       info->keyfile = keyfile;
+       info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
        info->fit = fit;
        info->node_offset = noffset;
-       info->name = algo_name;
+       info->name = strdup(algo_name);
        info->checksum = image_get_checksum_algo(algo_name);
        info->crypto = image_get_crypto_algo(algo_name);
+       info->padding = image_get_padding_algo(padding_name);
        info->require_keys = require_keys;
        info->engine_id = engine_id;
        if (!info->checksum || !info->crypto) {
@@ -198,10 +211,11 @@ static int fit_image_setup_sig(struct image_sign_info *info,
  * @engine_id: Engine to use for signing
  * @return 0 if ok, -1 on error
  */
-static int fit_image_process_sig(const char *keydir, void *keydest,
-               void *fit, const char *image_name,
+static int fit_image_process_sig(const char *keydir, const char *keyfile,
+               void *keydest, void *fit, const char *image_name,
                int noffset, const void *data, size_t size,
-               const char *comment, int require_keys, const char *engine_id)
+               const char *comment, int require_keys, const char *engine_id,
+               const char *cmdname)
 {
        struct image_sign_info info;
        struct image_region region;
@@ -210,8 +224,9 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
        uint value_len;
        int ret;
 
-       if (fit_image_setup_sig(&info, keydir, fit, image_name, noffset,
-                               require_keys ? "image" : NULL, engine_id))
+       if (fit_image_setup_sig(&info, keydir, keyfile, fit, image_name,
+                               noffset, require_keys ? "image" : NULL,
+                               engine_id))
                return -1;
 
        node_name = fit_get_name(fit, noffset, NULL);
@@ -229,7 +244,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
        }
 
        ret = fit_image_write_sig(fit, noffset, value, value_len, comment,
-                       NULL, 0);
+                       NULL, 0, cmdname);
        if (ret) {
                if (ret == -FDT_ERR_NOSPACE)
                        return -ENOSPC;
@@ -240,22 +255,317 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
        free(value);
 
        /* Get keyname again, as FDT has changed and invalidated our pointer */
-       info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+       info.keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
 
-       if (keydest)
+       /*
+        * Write the public key into the supplied FDT file; this might fail
+        * several times, since we try signing with successively increasing
+        * size values
+        */
+       if (keydest) {
                ret = info.crypto->add_verify_data(&info, keydest);
-       else
+               if (ret) {
+                       printf("Failed to add verification data for '%s' signature node in '%s' image node\n",
+                              node_name, image_name);
+                       return ret;
+               }
+       }
+
+       return 0;
+}
+
+static int fit_image_read_data(char *filename, unsigned char *data,
+                              int expected_size)
+{
+       struct stat sbuf;
+       int fd, ret = -1;
+       ssize_t n;
+
+       /* Open file */
+       fd = open(filename, O_RDONLY | O_BINARY);
+       if (fd < 0) {
+               printf("Can't open file %s (err=%d => %s)\n",
+                      filename, errno, strerror(errno));
                return -1;
+       }
+
+       /* Compute file size */
+       if (fstat(fd, &sbuf) < 0) {
+               printf("Can't fstat file %s (err=%d => %s)\n",
+                      filename, errno, strerror(errno));
+               goto err;
+       }
+
+       /* Check file size */
+       if (sbuf.st_size != expected_size) {
+               printf("File %s don't have the expected size (size=%lld, expected=%d)\n",
+                      filename, (long long)sbuf.st_size, expected_size);
+               goto err;
+       }
+
+       /* Read data */
+       n = read(fd, data, sbuf.st_size);
+       if (n < 0) {
+               printf("Can't read file %s (err=%d => %s)\n",
+                      filename, errno, strerror(errno));
+               goto err;
+       }
+
+       /* Check that we have read all the file */
+       if (n != sbuf.st_size) {
+               printf("Can't read all file %s (read %zd bytes, expected %lld)\n",
+                      filename, n, (long long)sbuf.st_size);
+               goto err;
+       }
+
+       ret = 0;
+
+err:
+       close(fd);
+       return ret;
+}
+
+static int get_random_data(void *data, int size)
+{
+       unsigned char *tmp = data;
+       struct timespec date;
+       int i, ret;
+
+       if (!tmp) {
+               printf("%s: pointer data is NULL\n", __func__);
+               ret = -1;
+               goto out;
+       }
+
+       ret = clock_gettime(CLOCK_MONOTONIC, &date);
+       if (ret) {
+               printf("%s: clock_gettime has failed (%s)\n", __func__,
+                      strerror(errno));
+               goto out;
+       }
+
+       srandom(date.tv_nsec);
+
+       for (i = 0; i < size; i++) {
+               *tmp = random() & 0xff;
+               tmp++;
+       }
+
+ out:
+       return ret;
+}
+
+static int fit_image_setup_cipher(struct image_cipher_info *info,
+                                 const char *keydir, void *fit,
+                                 const char *image_name, int image_noffset,
+                                 int noffset)
+{
+       char *algo_name;
+       char filename[128];
+       int ret = -1;
+
+       if (fit_image_cipher_get_algo(fit, noffset, &algo_name)) {
+               printf("Can't get algo name for cipher in image '%s'\n",
+                      image_name);
+               goto out;
+       }
+
+       info->keydir = keydir;
+
+       /* Read the key name */
+       info->keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
+       if (!info->keyname) {
+               printf("Can't get key name for cipher in image '%s'\n",
+                      image_name);
+               goto out;
+       }
+
+       /*
+        * Read the IV name
+        *
+        * If this property is not provided then mkimage will generate
+        * a random IV and store it in the FIT image
+        */
+       info->ivname = fdt_getprop(fit, noffset, "iv-name-hint", NULL);
+
+       info->fit = fit;
+       info->node_noffset = noffset;
+       info->name = algo_name;
+
+       info->cipher = image_get_cipher_algo(algo_name);
+       if (!info->cipher) {
+               printf("Can't get algo for cipher '%s'\n", image_name);
+               goto out;
+       }
+
+       /* Read the key in the file */
+       snprintf(filename, sizeof(filename), "%s/%s%s",
+                info->keydir, info->keyname, ".bin");
+       info->key = malloc(info->cipher->key_len);
+       if (!info->key) {
+               printf("Can't allocate memory for key\n");
+               ret = -1;
+               goto out;
+       }
+       ret = fit_image_read_data(filename, (unsigned char *)info->key,
+                                 info->cipher->key_len);
+       if (ret < 0)
+               goto out;
+
+       info->iv = malloc(info->cipher->iv_len);
+       if (!info->iv) {
+               printf("Can't allocate memory for iv\n");
+               ret = -1;
+               goto out;
+       }
+
+       if (info->ivname) {
+               /* Read the IV in the file */
+               snprintf(filename, sizeof(filename), "%s/%s%s",
+                        info->keydir, info->ivname, ".bin");
+               ret = fit_image_read_data(filename, (unsigned char *)info->iv,
+                                         info->cipher->iv_len);
+       } else {
+               /* Generate an ramdom IV */
+               ret = get_random_data((void *)info->iv, info->cipher->iv_len);
+       }
+
+ out:
+       return ret;
+}
+
+int fit_image_write_cipher(void *fit, int image_noffset, int noffset,
+                          const void *data, size_t size,
+                          unsigned char *data_ciphered, int data_ciphered_len)
+{
+       int ret = -1;
+
+       /* Replace data with ciphered data */
+       ret = fdt_setprop(fit, image_noffset, FIT_DATA_PROP,
+                         data_ciphered, data_ciphered_len);
+       if (ret == -FDT_ERR_NOSPACE) {
+               ret = -ENOSPC;
+               goto out;
+       }
+       if (ret) {
+               printf("Can't replace data with ciphered data (err = %d)\n", ret);
+               goto out;
+       }
+
+       /* add non ciphered data size */
+       ret = fdt_setprop_u32(fit, image_noffset, "data-size-unciphered", size);
+       if (ret == -FDT_ERR_NOSPACE) {
+               ret = -ENOSPC;
+               goto out;
+       }
+       if (ret) {
+               printf("Can't add unciphered data size (err = %d)\n", ret);
+               goto out;
+       }
+
+ out:
+       return ret;
+}
+
+static int
+fit_image_process_cipher(const char *keydir, void *keydest, void *fit,
+                        const char *image_name, int image_noffset,
+                        int node_noffset, const void *data, size_t size,
+                        const char *cmdname)
+{
+       struct image_cipher_info info;
+       unsigned char *data_ciphered = NULL;
+       int data_ciphered_len;
+       int ret;
+
+       memset(&info, 0, sizeof(info));
+
+       ret = fit_image_setup_cipher(&info, keydir, fit, image_name,
+                                    image_noffset, node_noffset);
+       if (ret)
+               goto out;
+
+       ret = info.cipher->encrypt(&info, data, size,
+                                   &data_ciphered, &data_ciphered_len);
+       if (ret)
+               goto out;
 
        /*
         * Write the public key into the supplied FDT file; this might fail
         * several times, since we try signing with successively increasing
         * size values
+        * And, if needed, write the iv in the FIT file
         */
-       if (keydest && ret)
-               return ret;
+       if (keydest) {
+               ret = info.cipher->add_cipher_data(&info, keydest, fit, node_noffset);
+               if (ret) {
+                       printf("Failed to add verification data for cipher '%s' in image '%s'\n",
+                              info.keyname, image_name);
+                       goto out;
+               }
+       }
 
-       return 0;
+       ret = fit_image_write_cipher(fit, image_noffset, node_noffset,
+                                    data, size,
+                                    data_ciphered, data_ciphered_len);
+
+ out:
+       free(data_ciphered);
+       free((void *)info.key);
+       free((void *)info.iv);
+       return ret;
+}
+
+int fit_image_cipher_data(const char *keydir, void *keydest,
+                         void *fit, int image_noffset, const char *comment,
+                         int require_keys, const char *engine_id,
+                         const char *cmdname)
+{
+       const char *image_name;
+       const void *data;
+       size_t size;
+       int cipher_node_offset, len;
+
+       /* Get image name */
+       image_name = fit_get_name(fit, image_noffset, NULL);
+       if (!image_name) {
+               printf("Can't get image name\n");
+               return -1;
+       }
+
+       /* Get image data and data length */
+       if (fit_image_get_data(fit, image_noffset, &data, &size)) {
+               printf("Can't get image data/size\n");
+               return -1;
+       }
+
+       /*
+        * Don't cipher ciphered data.
+        *
+        * If the data-size-unciphered property is present the data for this
+        * image is already encrypted. This is important as 'mkimage -F' can be
+        * run multiple times on a FIT image.
+        */
+       if (fdt_getprop(fit, image_noffset, "data-size-unciphered", &len))
+               return 0;
+       if (len != -FDT_ERR_NOTFOUND) {
+               printf("Failure testing for data-size-unciphered\n");
+               return -1;
+       }
+
+       /* Process cipher node if present */
+       cipher_node_offset = fdt_subnode_offset(fit, image_noffset,
+                                               FIT_CIPHER_NODENAME);
+       if (cipher_node_offset == -FDT_ERR_NOTFOUND)
+               return 0;
+       if (cipher_node_offset < 0) {
+               printf("Failure getting cipher node\n");
+               return -1;
+       }
+       if (!IMAGE_ENABLE_ENCRYPT || !keydir)
+               return 0;
+       return fit_image_process_cipher(keydir, keydest, fit, image_name,
+               image_noffset, cipher_node_offset, data, size, cmdname);
 }
 
 /**
@@ -269,16 +579,16 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
  *
  * Input component image node structure:
  *
- * o image@1 (at image_noffset)
+ * o image-1 (at image_noffset)
  *   | - data = [binary data]
- *   o hash@1
+ *   o hash-1
  *     |- algo = "sha1"
  *
  * Output component image node structure:
  *
- * o image@1 (at image_noffset)
+ * o image-1 (at image_noffset)
  *   | - data = [binary data]
- *   o hash@1
+ *   o hash-1
  *     |- algo = "sha1"
  *     |- value = sha1(data)
  *
@@ -293,9 +603,10 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
  * @engine_id: Engine to use for signing
  * @return: 0 on success, <0 on failure
  */
-int fit_image_add_verification_data(const char *keydir, void *keydest,
-               void *fit, int image_noffset, const char *comment,
-               int require_keys, const char *engine_id)
+int fit_image_add_verification_data(const char *keydir, const char *keyfile,
+               void *keydest, void *fit, int image_noffset,
+               const char *comment, int require_keys, const char *engine_id,
+               const char *cmdname)
 {
        const char *image_name;
        const void *data;
@@ -320,19 +631,19 @@ int fit_image_add_verification_data(const char *keydir, void *keydest,
                /*
                 * Check subnode name, must be equal to "hash" or "signature".
                 * Multiple hash nodes require unique unit node
-                * names, e.g. hash@1, hash@2, signature@1, etc.
+                * names, e.g. hash-1, hash-2, signature-1, etc.
                 */
                node_name = fit_get_name(fit, noffset, NULL);
                if (!strncmp(node_name, FIT_HASH_NODENAME,
                             strlen(FIT_HASH_NODENAME))) {
                        ret = fit_image_process_hash(fit, image_name, noffset,
                                                data, size);
-               } else if (IMAGE_ENABLE_SIGN && keydir &&
+               } else if (IMAGE_ENABLE_SIGN && (keydir || keyfile) &&
                           !strncmp(node_name, FIT_SIG_NODENAME,
                                strlen(FIT_SIG_NODENAME))) {
-                       ret = fit_image_process_sig(keydir, keydest,
+                       ret = fit_image_process_sig(keydir, keyfile, keydest,
                                fit, image_name, noffset, data, size,
-                               comment, require_keys, engine_id);
+                               comment, require_keys, engine_id, cmdname);
                }
                if (ret)
                        return ret;
@@ -395,13 +706,84 @@ static const char *fit_config_get_image_list(void *fit, int noffset,
        return default_list;
 }
 
+static int fit_config_add_hash(void *fit, const char *conf_name, const char *sig_name,
+                              struct strlist *node_inc, const char *iname, int image_noffset)
+{
+       char name[200], path[200];
+       int noffset;
+       int hash_count;
+       int ret;
+
+       ret = fdt_get_path(fit, image_noffset, path, sizeof(path));
+       if (ret < 0)
+               goto err_path;
+       if (strlist_add(node_inc, path))
+               goto err_mem;
+
+       snprintf(name, sizeof(name), "%s/%s", FIT_CONFS_PATH,
+                conf_name);
+
+       /* Add all this image's hashes */
+       hash_count = 0;
+       for (noffset = fdt_first_subnode(fit, image_noffset);
+            noffset >= 0;
+            noffset = fdt_next_subnode(fit, noffset)) {
+               const char *name = fit_get_name(fit, noffset, NULL);
+
+               if (strncmp(name, FIT_HASH_NODENAME,
+                           strlen(FIT_HASH_NODENAME)))
+                       continue;
+               ret = fdt_get_path(fit, noffset, path, sizeof(path));
+               if (ret < 0)
+                       goto err_path;
+               if (strlist_add(node_inc, path))
+                       goto err_mem;
+               hash_count++;
+       }
+
+       if (!hash_count) {
+               printf("Failed to find any hash nodes in configuration '%s/%s' image '%s' - without these it is not possible to verify this image\n",
+                      conf_name, sig_name, iname);
+               return -ENOMSG;
+       }
+
+       /* Add this image's cipher node if present */
+       noffset = fdt_subnode_offset(fit, image_noffset,
+                                    FIT_CIPHER_NODENAME);
+       if (noffset != -FDT_ERR_NOTFOUND) {
+               if (noffset < 0) {
+                       printf("Failed to get cipher node in configuration '%s/%s' image '%s': %s\n",
+                              conf_name, sig_name, iname,
+                              fdt_strerror(noffset));
+                       return -EIO;
+               }
+               ret = fdt_get_path(fit, noffset, path, sizeof(path));
+               if (ret < 0)
+                       goto err_path;
+               if (strlist_add(node_inc, path))
+                       goto err_mem;
+       }
+
+       return 0;
+
+err_mem:
+       printf("Out of memory processing configuration '%s/%s'\n", conf_name,
+              sig_name);
+       return -ENOMEM;
+
+err_path:
+       printf("Failed to get path for image '%s' in configuration '%s/%s': %s\n",
+              iname, conf_name, sig_name, fdt_strerror(ret));
+       return -ENOENT;
+}
+
 static int fit_config_get_hash_list(void *fit, int conf_noffset,
                                    int sig_offset, struct strlist *node_inc)
 {
        int allow_missing;
        const char *prop, *iname, *end;
        const char *conf_name, *sig_name;
-       char name[200], path[200];
+       char name[200];
        int image_count;
        int ret, len;
 
@@ -428,55 +810,32 @@ static int fit_config_get_hash_list(void *fit, int conf_noffset,
        end = prop + len;
        image_count = 0;
        for (iname = prop; iname < end; iname += strlen(iname) + 1) {
-               int noffset;
                int image_noffset;
-               int hash_count;
+               int index, max_index;
 
-               image_noffset = fit_conf_get_prop_node(fit, conf_noffset,
-                                                      iname);
-               if (image_noffset < 0) {
-                       printf("Failed to find image '%s' in  configuration '%s/%s'\n",
-                              iname, conf_name, sig_name);
-                       if (allow_missing)
-                               continue;
+               max_index = fdt_stringlist_count(fit, conf_noffset, iname);
 
-                       return -ENOENT;
-               }
+               for (index = 0; index < max_index; index++) {
+                       image_noffset = fit_conf_get_prop_node_index(fit, conf_noffset,
+                                                                    iname, index);
 
-               ret = fdt_get_path(fit, image_noffset, path, sizeof(path));
-               if (ret < 0)
-                       goto err_path;
-               if (strlist_add(node_inc, path))
-                       goto err_mem;
-
-               snprintf(name, sizeof(name), "%s/%s", FIT_CONFS_PATH,
-                        conf_name);
+                       if (image_noffset < 0) {
+                               printf("Failed to find image '%s' in  configuration '%s/%s'\n",
+                                      iname, conf_name, sig_name);
+                               if (allow_missing)
+                                       continue;
 
-               /* Add all this image's hashes */
-               hash_count = 0;
-               for (noffset = fdt_first_subnode(fit, image_noffset);
-                    noffset >= 0;
-                    noffset = fdt_next_subnode(fit, noffset)) {
-                       const char *name = fit_get_name(fit, noffset, NULL);
+                               return -ENOENT;
+                       }
 
-                       if (strncmp(name, FIT_HASH_NODENAME,
-                                   strlen(FIT_HASH_NODENAME)))
-                               continue;
-                       ret = fdt_get_path(fit, noffset, path, sizeof(path));
+                       ret = fit_config_add_hash(fit, conf_name,
+                                                 sig_name, node_inc,
+                                                 iname, image_noffset);
                        if (ret < 0)
-                               goto err_path;
-                       if (strlist_add(node_inc, path))
-                               goto err_mem;
-                       hash_count++;
-               }
+                               return ret;
 
-               if (!hash_count) {
-                       printf("Failed to find any hash nodes in configuration '%s/%s' image '%s' - without these it is not possible to verify this image\n",
-                              conf_name, sig_name, iname);
-                       return -ENOMSG;
+                       image_count++;
                }
-
-               image_count++;
        }
 
        if (!image_count) {
@@ -491,11 +850,6 @@ err_mem:
        printf("Out of memory processing configuration '%s/%s'\n", conf_name,
               sig_name);
        return -ENOMEM;
-
-err_path:
-       printf("Failed to get path for image '%s' in configuration '%s/%s': %s\n",
-              iname, conf_name, sig_name, fdt_strerror(ret));
-       return -ENOENT;
 }
 
 static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
@@ -513,7 +867,7 @@ static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
        int ret, len;
 
        conf_name = fit_get_name(fit, conf_noffset, NULL);
-       sig_name = fit_get_name(fit, conf_noffset, NULL);
+       sig_name = fit_get_name(fit, noffset, NULL);
        debug("%s: conf='%s', sig='%s'\n", __func__, conf_name, sig_name);
 
        /* Get a list of nodes we want to hash */
@@ -570,10 +924,10 @@ static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
        return 0;
 }
 
-static int fit_config_process_sig(const char *keydir, void *keydest,
-               void *fit, const char *conf_name, int conf_noffset,
-               int noffset, const char *comment, int require_keys,
-               const char *engine_id)
+static int fit_config_process_sig(const char *keydir, const char *keyfile,
+               void *keydest,  void *fit, const char *conf_name,
+               int conf_noffset, int noffset, const char *comment,
+               int require_keys, const char *engine_id, const char *cmdname)
 {
        struct image_sign_info info;
        const char *node_name;
@@ -590,7 +944,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
                                &region_count, &region_prop, &region_proplen))
                return -1;
 
-       if (fit_image_setup_sig(&info, keydir, fit, conf_name, noffset,
+       if (fit_image_setup_sig(&info, keydir, keyfile, fit, conf_name, noffset,
                                require_keys ? "conf" : NULL, engine_id))
                return -1;
 
@@ -608,7 +962,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
        }
 
        ret = fit_image_write_sig(fit, noffset, value, value_len, comment,
-                               region_prop, region_proplen);
+                               region_prop, region_proplen, cmdname);
        if (ret) {
                if (ret == -FDT_ERR_NOSPACE)
                        return -ENOSPC;
@@ -620,15 +974,13 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
        free(region_prop);
 
        /* Get keyname again, as FDT has changed and invalidated our pointer */
-       info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
+       info.keyname = fdt_getprop(fit, noffset, FIT_KEY_HINT, NULL);
 
        /* Write the public key into the supplied FDT file */
        if (keydest) {
                ret = info.crypto->add_verify_data(&info, keydest);
-               if (ret == -ENOSPC)
-                       return -ENOSPC;
                if (ret) {
-                       printf("Failed to add verification data for '%s' signature node in '%s' image node\n",
+                       printf("Failed to add verification data for '%s' signature node in '%s' configuration node\n",
                               node_name, conf_name);
                }
                return ret;
@@ -637,9 +989,10 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
        return 0;
 }
 
-static int fit_config_add_verification_data(const char *keydir, void *keydest,
-               void *fit, int conf_noffset, const char *comment,
-               int require_keys, const char *engine_id)
+static int fit_config_add_verification_data(const char *keydir,
+               const char *keyfile, void *keydest, void *fit, int conf_noffset,
+               const char *comment, int require_keys, const char *engine_id,
+               const char *cmdname)
 {
        const char *conf_name;
        int noffset;
@@ -656,9 +1009,9 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
                node_name = fit_get_name(fit, noffset, NULL);
                if (!strncmp(node_name, FIT_SIG_NODENAME,
                             strlen(FIT_SIG_NODENAME))) {
-                       ret = fit_config_process_sig(keydir, keydest,
+                       ret = fit_config_process_sig(keydir, keyfile, keydest,
                                fit, conf_name, conf_noffset, noffset, comment,
-                               require_keys, engine_id);
+                               require_keys, engine_id, cmdname);
                }
                if (ret)
                        return ret;
@@ -667,9 +1020,45 @@ static int fit_config_add_verification_data(const char *keydir, void *keydest,
        return 0;
 }
 
-int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
-                             const char *comment, int require_keys,
-                             const char *engine_id)
+int fit_cipher_data(const char *keydir, void *keydest, void *fit,
+                   const char *comment, int require_keys,
+                   const char *engine_id, const char *cmdname)
+{
+       int images_noffset;
+       int noffset;
+       int ret;
+
+       /* Find images parent node offset */
+       images_noffset = fdt_path_offset(fit, FIT_IMAGES_PATH);
+       if (images_noffset < 0) {
+               printf("Can't find images parent node '%s' (%s)\n",
+                      FIT_IMAGES_PATH, fdt_strerror(images_noffset));
+               return images_noffset;
+       }
+
+       /* Process its subnodes, print out component images details */
+       for (noffset = fdt_first_subnode(fit, images_noffset);
+            noffset >= 0;
+            noffset = fdt_next_subnode(fit, noffset)) {
+               /*
+                * Direct child node of the images parent node,
+                * i.e. component image node.
+                */
+               ret = fit_image_cipher_data(keydir, keydest,
+                                           fit, noffset, comment,
+                                           require_keys, engine_id,
+                                           cmdname);
+               if (ret)
+                       return ret;
+       }
+
+       return 0;
+}
+
+int fit_add_verification_data(const char *keydir, const char *keyfile,
+                             void *keydest, void *fit, const char *comment,
+                             int require_keys, const char *engine_id,
+                             const char *cmdname)
 {
        int images_noffset, confs_noffset;
        int noffset;
@@ -691,14 +1080,15 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
                 * Direct child node of the images parent node,
                 * i.e. component image node.
                 */
-               ret = fit_image_add_verification_data(keydir, keydest,
-                               fit, noffset, comment, require_keys, engine_id);
+               ret = fit_image_add_verification_data(keydir, keyfile, keydest,
+                               fit, noffset, comment, require_keys, engine_id,
+                               cmdname);
                if (ret)
                        return ret;
        }
 
        /* If there are no keys, we can't sign configurations */
-       if (!IMAGE_ENABLE_SIGN || !keydir)
+       if (!IMAGE_ENABLE_SIGN || !(keydir || keyfile))
                return 0;
 
        /* Find configurations parent node offset */
@@ -713,10 +1103,10 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
        for (noffset = fdt_first_subnode(fit, confs_noffset);
             noffset >= 0;
             noffset = fdt_next_subnode(fit, noffset)) {
-               ret = fit_config_add_verification_data(keydir, keydest,
+               ret = fit_config_add_verification_data(keydir, keyfile, keydest,
                                                       fit, noffset, comment,
                                                       require_keys,
-                                                      engine_id);
+                                                      engine_id, cmdname);
                if (ret)
                        return ret;
        }
@@ -725,19 +1115,22 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
 }
 
 #ifdef CONFIG_FIT_SIGNATURE
-int fit_check_sign(const void *fit, const void *key)
+int fit_check_sign(const void *fit, const void *key,
+                  const char *fit_uname_config)
 {
        int cfg_noffset;
        int ret;
 
-       cfg_noffset = fit_conf_get_node(fit, NULL);
+       cfg_noffset = fit_conf_get_node(fit, fit_uname_config);
        if (!cfg_noffset)
                return -1;
 
-       printf("Verifying Hash Integrity ... ");
+       printf("Verifying Hash Integrity for node '%s'... ",
+              fdt_get_name(fit, cfg_noffset, NULL));
        ret = fit_config_verify(fit, cfg_noffset);
        if (ret)
                return ret;
+       printf("Verified OK, loading images\n");
        ret = bootm_host_load_images(fit, cfg_noffset);
 
        return ret;
Empty description
This page took 0.052018 seconds and 4 git commands to generate.