| -rw-r--r-- | doc/mkimage.1 | 16 | ||||
| -rw-r--r-- | tools/fit_image.c | 21 | ||||
| -rw-r--r-- | tools/mkimage.c | 10 | ||||
| -rw-r--r-- | tools/mkimage.h | 1 | 
4 files changed, 44 insertions, 4 deletions
| diff --git a/doc/mkimage.1 b/doc/mkimage.1
index 6740fb106..8185ff564 100644
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -109,6 +109,14 @@ Specifies the directory containing keys to use for signing. This directory
 should contain a private key file <name>.key for use with signing and a
 certificate <name>.crt (containing the public key) for use with verification.
+.TP
+.BI "\-K [" "key_destination" "]"
+Specifies a compiled device tree binary file (typically .dtb) to write
+public key information into. When a private key is used to sign an image,
+the corresponding public key is written into this file for for run-time
+verification. Typically the file here is the device tree binary used by
+CONFIG_OF_CONTROL in U-Boot.
+
 .SH EXAMPLES
 List image information:
@@ -127,6 +135,14 @@ Create FIT image with compressed PowerPC Linux kernel:
 .nf
 .B mkimage -f kernel.its kernel.itb
 .fi
+.P
+Create FIT image with compressed kernel and sign it with keys in the
+/public/signing-keys directory. Add corresponding public keys into u-boot.dtb,
+skipping those for which keys cannot be found. Also add a comment.
+.nf
+.B mkimage -f kernel.its -k /public/signing-keys -K u-boot.dtb \\\\
+-c "Kernel 3.8 image for production devices" kernel.itb
+.fi
 .SH HOMEPAGE
 http://www.denx.de/wiki/U-Boot/WebHome
diff --git a/tools/fit_image.c b/tools/fit_image.c
index 339e0f8df..b17fa2d6c 100644
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -105,9 +105,11 @@ static int fit_handle_file (struct mkimage_params *params)
 {
 	char tmpfile[MKIMAGE_MAX_TMPFILE_LEN];
 	char cmd[MKIMAGE_MAX_DTC_CMDLINE_LEN];
-	int tfd;
+	int tfd, destfd = 0;
+	void *dest_blob = NULL;
 	struct stat sbuf;
 	void *ptr;
+	off_t destfd_size = 0;
 	/* Flattened Image Tree (FIT) format  handling */
 	debug ("FIT format handling\n");
@@ -132,12 +134,20 @@ static int fit_handle_file (struct mkimage_params *params)
 		goto err_system;
 	}
+	if (params->keydest) {
+		destfd = mmap_fdt(params, params->keydest, &dest_blob, &sbuf);
+		if (destfd < 0)
+			goto err_keydest;
+		destfd_size = sbuf.st_size;
+	}
+
 	tfd = mmap_fdt(params, tmpfile, &ptr, &sbuf);
 	if (tfd < 0)
 		goto err_mmap;
 	/* set hashes for images in the blob */
-	if (fit_add_verification_data(params->keydir, NULL, ptr, NULL, 0)) {
+	if (fit_add_verification_data(params->keydir, dest_blob, ptr,
+				      NULL, 0)) {
 		fprintf (stderr, "%s Can't add hashes to FIT blob",
 				params->cmdname);
 		goto err_add_hashes;
@@ -153,6 +163,10 @@ static int fit_handle_file (struct mkimage_params *params)
 	munmap ((void *)ptr, sbuf.st_size);
 	close (tfd);
+	if (dest_blob) {
+		munmap(dest_blob, destfd_size);
+		close(destfd);
+	}
 	if (rename (tmpfile, params->imagefile) == -1) {
 		fprintf (stderr, "%s: Can't rename %s to %s: %s\n",
@@ -168,6 +182,9 @@ err_add_timestamp:
 err_add_hashes:
 	munmap(ptr, sbuf.st_size);
 err_mmap:
+	if (dest_blob)
+		munmap(dest_blob, destfd_size);
+err_keydest:
 err_system:
 	unlink(tmpfile);
 	return -1;
diff --git a/tools/mkimage.c b/tools/mkimage.c
index def7df250..376039228 100644
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -253,6 +253,11 @@ main (int argc, char **argv)
 					usage();
 				params.keydir = *++argv;
 				goto NXTARG;
+			case 'K':
+				if (--argc <= 0)
+					usage();
+				params.keydest = *++argv;
+				goto NXTARG;
 			case 'n':
 				if (--argc <= 0)
 					usage ();
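Review bot: In tools/fit_image.c (hunk at -132,12), the `fprintf` under the changed `fit_add_verification_data(...)` call still reports "Can't add hashes to FIT blob", although with `dest_blob` passed in the same call now also covers the `-K` device tree, so a failure to store the public key is reported as a hashing failure. That .dtb is what run-time verification will trust, so the message should name it, for example `"%s: Can't add hashes to FIT blob or keys to %s\n"` with `params->keydest ? params->keydest : "(none)"` as the extra argument. If `mmap_fdt` maps the file shared and writable (its definition is not in this diff), a failure part-way through could also leave the .dtb partly modified, which is worth a comment at the call. `fit_handle_file` begins and ends outside this hunk.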
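Review bot: In tools/fit_image.c (hunk at -168,6), the new cleanup under `err_mmap:` unmaps `dest_blob` but never closes `destfd`, while the success path in the hunk at -153,6 does both. The error path should mirror it: `if (dest_blob) { munmap(dest_blob, destfd_size); close(destfd); }`. Related, the declarations hunk initialises `destfd = 0`, which is a valid descriptor (stdin); `destfd = -1` is the safer sentinel should a later change test the descriptor instead of `dest_blob`. The function's labels continue outside this hunk.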
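Review bot: In tools/mkimage.c, `case 'K':` accepts a key destination even when no `-k` key directory is given, and nothing visible in this diff rejects that combination. From the fit_image.c hunks the .dtb is then still opened and mapped, but with `params.keydir` unset presumably nothing is signed and no public key is written, so a user could believe the .dtb carries the verification key when it does not. A check after option parsing would make this explicit, e.g. `if (params.keydest && !params.keydir) usage();`, or at least a warning on stderr. `main`'s option loop starts and ends outside this hunk, so the right place for the check is not visible here.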
@@ -633,8 +638,9 @@ usage ()
 	fprintf(stderr, "          -D => set options for device tree compiler\n"
 			"          -f => input filename for FIT source\n");
 #ifdef CONFIG_FIT_SIGNATURE
-	fprintf(stderr, "Signing / verified boot options: [-k keydir]\n"
-			"          -k => set directory containing private keys\n");
+	fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb]\n"
+			"          -k => set directory containing private keys\n"
+			"          -K => write public keys to this .dtb file\n");
 #else
 	fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
 #endif
diff --git a/tools/mkimage.h b/tools/mkimage.h
index 059e12439..63b9b4f8b 100644
--- a/tools/mkimage.h
+++ b/tools/mkimage.h
@@ -88,6 +88,7 @@ struct mkimage_params {
 	char *imagefile;
 	char *cmdname;
 	const char *keydir;	/* Directory holding private keys */
+	const char *keydest;	/* Destination .dtb for public key */
 };
 /* |