
[v2,7/7] rockchip: make_fit_atf: add signature handling

Message ID 20200421002333.111461-8-heiko@sntech.de
State Superseded
Series rockchip: make it possible to sign the u-boot.itb | expand

Commit Message

Heiko Stuebner April 21, 2020, 12:23 a.m. UTC
From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>

If the newly added fit-generator key-options are found, append needed
signature nodes to all generated image blocks, so that they can get
signed when mkimage later compiles the .itb from the generated .its.

Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
---
 arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

Comments

Simon Glass April 21, 2020, 5:37 p.m. UTC | #1
Hi Heiko,

On Mon, 20 Apr 2020 at 18:23, Heiko Stuebner <heiko at sntech.de> wrote:
>
> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> ---
>  arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
>  1 file changed, 50 insertions(+), 1 deletion(-)
>

Can this move to binman?

Regards,
Simon
Kever Yang April 28, 2020, 1:53 p.m. UTC | #2
On 2020/4/21 ??8:23, Heiko Stuebner wrote:
> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>

Reviewed-by: Kever Yang <kever.yang at rock-chips.com>

Thanks,
- Kever
> ---
>   arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
>   1 file changed, 50 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
> index d15c32b303..5b353f9d0a 100755
> --- a/arch/arm/mach-rockchip/make_fit_atf.py
> +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> @@ -14,6 +14,8 @@ import sys
>   import getopt
>   import logging
>   import struct
> +import Crypto
> +from Crypto.PublicKey import RSA
>   
>   DT_HEADER = """
>   /*
> @@ -37,7 +39,9 @@ DT_UBOOT = """
>   			arch = "arm64";
>   			compression = "none";
>   			load = <0x%08x>;
> -		};
> +"""
> +
> +DT_UBOOT_NODE_END = """		};
>   
>   """
>   
> @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """	};
>   
>   DT_END = "};"
>   
> +def append_signature(file):
> +    if not os.path.exists("u-boot.cfg"):
> +        return
> +
> +    config = {}
> +    with open("u-boot.cfg") as fd:
> +        for line in fd:
> +            line = line.strip()
> +            values = line[8:].split(' ', 1)
> +            if len(values) > 1:
> +                key, value = values
> +                value = value.strip('"')
> +            else:
> +                key = values[0]
> +                value = '1'
> +            if not key.startswith('CONFIG_'):
> +                continue
> +            config[key] = value
> +
> +    try:
> +        keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
> +    except KeyError:
> +        return
> +
> +    try:
> +        keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint)
> +    except KeyError:
> +        keyfile = keyhint
> +
> +    if not os.path.exists('%s.key' % keyfile):
> +        return
> +
> +    f = open('%s.key' % keyfile,'r')
> +    key = RSA.importKey(f.read())
> +
> +    file.write('\t\t\tsignature {\n')
> +    file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
> +    file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
> +    file.write('\t\t\t};\n')
> +
>   def append_bl31_node(file, atf_index, phy_addr, elf_entry):
>       # Append BL31 DT node to input FIT dts file.
>       data = 'bl31_0x%08x.bin' % phy_addr
> @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
>       file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
>       if atf_index == 1:
>           file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
> +    append_signature(file);
>       file.write('\t\t};\n')
>       file.write('\n')
>   
> @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry):
>       file.write('\t\t\tcompression = "none";\n')
>       file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
>       file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
> +    append_signature(file);
>       file.write('\t\t};\n')
>       file.write('\n')
>   
> @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs):
>           file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
>           file.write('\t\t\ttype = "flat_dt";\n')
>           file.write('\t\t\tcompression = "none";\n')
> +        append_signature(file);
>           file.write('\t\t};\n')
>           file.write('\n')
>           cnt = cnt + 1
> @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
>           raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
>       index, entry, p_paddr, data = segments[0]
>       fit_file.write(DT_UBOOT % p_paddr)
> +    append_signature(fit_file)
> +    fit_file.write(DT_UBOOT_NODE_END)
>   
>   def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
>       segments = unpack_elf(bl31_file_name)
Kever Yang May 1, 2020, 10:32 a.m. UTC | #3
On 2020/4/21 ??8:23, Heiko Stuebner wrote:
> From: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
>
> If the newly added fit-generator key-options are found, append needed
> signature nodes to all generated image blocks, so that they can get
> signed when mkimage later compiles the .itb from the generated .its.
>
> Signed-off-by: Heiko Stuebner <heiko.stuebner at theobroma-systems.com>
> ---
>   arch/arm/mach-rockchip/make_fit_atf.py | 51 +++++++++++++++++++++++++-
>   1 file changed, 50 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
> index d15c32b303..5b353f9d0a 100755
> --- a/arch/arm/mach-rockchip/make_fit_atf.py
> +++ b/arch/arm/mach-rockchip/make_fit_atf.py
> @@ -14,6 +14,8 @@ import sys
>   import getopt
>   import logging
>   import struct
> +import Crypto
> +from Crypto.PublicKey import RSA
>   

+Traceback (most recent call last):
1395 
<https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1395>+ 
File "arch/arm/mach-rockchip/make_fit_atf.py", line 17, in <module>
1396 
<https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1396>+ 
import Crypto
1397 
<https://gitlab.denx.de/u-boot/custodians/u-boot-rockchip/-/jobs/86952#L1397>+ModuleNotFoundError: 
No module named 'Crypto'


Please help to update .gitlab-ci.yml, or else it will report the error.


Thanks,

- Kever

>   DT_HEADER = """
>   /*
> @@ -37,7 +39,9 @@ DT_UBOOT = """
>   			arch = "arm64";
>   			compression = "none";
>   			load = <0x%08x>;
> -		};
> +"""
> +
> +DT_UBOOT_NODE_END = """		};
>   
>   """
>   
> @@ -47,6 +51,46 @@ DT_IMAGES_NODE_END = """	};
>   
>   DT_END = "};"
>   
> +def append_signature(file):
> +    if not os.path.exists("u-boot.cfg"):
> +        return
> +
> +    config = {}
> +    with open("u-boot.cfg") as fd:
> +        for line in fd:
> +            line = line.strip()
> +            values = line[8:].split(' ', 1)
> +            if len(values) > 1:
> +                key, value = values
> +                value = value.strip('"')
> +            else:
> +                key = values[0]
> +                value = '1'
> +            if not key.startswith('CONFIG_'):
> +                continue
> +            config[key] = value
> +
> +    try:
> +        keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
> +    except KeyError:
> +        return
> +
> +    try:
> +        keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint)
> +    except KeyError:
> +        keyfile = keyhint
> +
> +    if not os.path.exists('%s.key' % keyfile):
> +        return
> +
> +    f = open('%s.key' % keyfile,'r')
> +    key = RSA.importKey(f.read())
> +
> +    file.write('\t\t\tsignature {\n')
> +    file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
> +    file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
> +    file.write('\t\t\t};\n')
> +
>   def append_bl31_node(file, atf_index, phy_addr, elf_entry):
>       # Append BL31 DT node to input FIT dts file.
>       data = 'bl31_0x%08x.bin' % phy_addr
> @@ -60,6 +104,7 @@ def append_bl31_node(file, atf_index, phy_addr, elf_entry):
>       file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
>       if atf_index == 1:
>           file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
> +    append_signature(file);
>       file.write('\t\t};\n')
>       file.write('\n')
>   
> @@ -75,6 +120,7 @@ def append_tee_node(file, atf_index, phy_addr, elf_entry):
>       file.write('\t\t\tcompression = "none";\n')
>       file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
>       file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
> +    append_signature(file);
>       file.write('\t\t};\n')
>       file.write('\n')
>   
> @@ -88,6 +134,7 @@ def append_fdt_node(file, dtbs):
>           file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
>           file.write('\t\t\ttype = "flat_dt";\n')
>           file.write('\t\t\tcompression = "none";\n')
> +        append_signature(file);
>           file.write('\t\t};\n')
>           file.write('\n')
>           cnt = cnt + 1
> @@ -129,6 +176,8 @@ def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
>           raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
>       index, entry, p_paddr, data = segments[0]
>       fit_file.write(DT_UBOOT % p_paddr)
> +    append_signature(fit_file)
> +    fit_file.write(DT_UBOOT_NODE_END)
>   
>   def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
>       segments = unpack_elf(bl31_file_name)

Patch

diff --git a/arch/arm/mach-rockchip/make_fit_atf.py b/arch/arm/mach-rockchip/make_fit_atf.py
index d15c32b303..5b353f9d0a 100755
--- a/arch/arm/mach-rockchip/make_fit_atf.py
+++ b/arch/arm/mach-rockchip/make_fit_atf.py
@@ -14,6 +14,8 @@  import sys
 import getopt
 import logging
 import struct
+import Crypto
+from Crypto.PublicKey import RSA
 
 DT_HEADER = """
 /*
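Review bot: The added `import Crypto` is never used — only `RSA` from `Crypto.PublicKey` is referenced by append_signature later in the patch — and both imports execute unconditionally at module load, so the generator now aborts in any environment without the package even when no signing key is configured and append_signature would return early. Since signing is opt-in via u-boot.cfg, the dependency should be deferred to the point of use: drop the bare `import Crypto` and move `from Crypto.PublicKey import RSA` into append_signature, or keep it at top level wrapped in `try:`/`except ImportError:` that records `RSA = None` and lets append_signature skip emission with a logged warning. Either way the unsigned build path keeps working without the third-party module.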
@@ -37,7 +39,9 @@  DT_UBOOT = """
 			arch = "arm64";
 			compression = "none";
 			load = <0x%08x>;
-		};
+"""
+
+DT_UBOOT_NODE_END = """		};
 
 """
 
@@ -47,6 +51,46 @@  DT_IMAGES_NODE_END = """	};
 
 DT_END = "};"
 
+def append_signature(file):
+    if not os.path.exists("u-boot.cfg"):
+        return
+
+    config = {}
+    with open("u-boot.cfg") as fd:
+        for line in fd:
+            line = line.strip()
+            values = line[8:].split(' ', 1)
+            if len(values) > 1:
+                key, value = values
+                value = value.strip('"')
+            else:
+                key = values[0]
+                value = '1'
+            if not key.startswith('CONFIG_'):
+                continue
+            config[key] = value
+
+    try:
+        keyhint = config["CONFIG_SPL_FIT_GENERATOR_KEY_HINT"]
+    except KeyError:
+        return
+
+    try:
+        keyfile = os.path.join(config["CONFIG_SPL_FIT_SIGNATURE_KEY_DIR"], keyhint)
+    except KeyError:
+        keyfile = keyhint
+
+    if not os.path.exists('%s.key' % keyfile):
+        return
+
+    f = open('%s.key' % keyfile,'r')
+    key = RSA.importKey(f.read())
+
+    file.write('\t\t\tsignature {\n')
+    file.write('\t\t\t\talgo = "sha256,rsa%s";\n' % key.n.bit_length())
+    file.write('\t\t\t\tkey-name-hint = "%s";\n' % keyhint)
+    file.write('\t\t\t};\n')
+
 def append_bl31_node(file, atf_index, phy_addr, elf_entry):
     # Append BL31 DT node to input FIT dts file.
     data = 'bl31_0x%08x.bin' % phy_addr
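Review bot: The key file opened with `f = open('%s.key' % keyfile,'r')` is never closed, so the handle lingers until garbage collection; use `with open('%s.key' % keyfile) as f:` followed by `key = RSA.importKey(f.read())`. A docstring would help the next maintainer: append_signature is a no-op unless u-boot.cfg exists and defines CONFIG_SPL_FIT_GENERATOR_KEY_HINT with a matching `<hint>.key` present (optionally under CONFIG_SPL_FIT_SIGNATURE_KEY_DIR), and the emitted algo is fixed to `sha256,rsa<bits>` with the bit count taken from the modulus of that key, which must therefore be the same key mkimage is later given. The `values = line[8:].split(' ', 1)` slice silently assumes every line starts with `#define `; a comment such as `# each u-boot.cfg line is '#define CONFIG_X value'; strip the '#define ' prefix` would make that explicit. The function also calls `os.path` and `os.path.join` while `os` is not imported in this hunk; presumably it is imported earlier in the file, but that is outside the visible context.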
@@ -60,6 +104,7 @@  def append_bl31_node(file, atf_index, phy_addr, elf_entry):
     file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
     if atf_index == 1:
         file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+    append_signature(file);
     file.write('\t\t};\n')
     file.write('\n')
 
@@ -75,6 +120,7 @@  def append_tee_node(file, atf_index, phy_addr, elf_entry):
     file.write('\t\t\tcompression = "none";\n')
     file.write('\t\t\tload = <0x%08x>;\n' % phy_addr)
     file.write('\t\t\tentry = <0x%08x>;\n' % elf_entry)
+    append_signature(file);
     file.write('\t\t};\n')
     file.write('\n')
 
@@ -88,6 +134,7 @@  def append_fdt_node(file, dtbs):
         file.write('\t\t\tdata = /incbin/("%s");\n' % dtb)
         file.write('\t\t\ttype = "flat_dt";\n')
         file.write('\t\t\tcompression = "none";\n')
+        append_signature(file);
         file.write('\t\t};\n')
         file.write('\n')
         cnt = cnt + 1
@@ -129,6 +176,8 @@  def generate_atf_fit_dts_uboot(fit_file, uboot_file_name):
         raise ValueError("Invalid u-boot ELF image '%s'" % uboot_file_name)
     index, entry, p_paddr, data = segments[0]
     fit_file.write(DT_UBOOT % p_paddr)
+    append_signature(fit_file)
+    fit_file.write(DT_UBOOT_NODE_END)
 
 def generate_atf_fit_dts_bl31(fit_file, bl31_file_name, tee_file_name, dtbs_file_name):
     segments = unpack_elf(bl31_file_name)