Re: [PATCH v3 2/3] tools: binman: Replace 'fit,sign' by 'fit,keys-directory'

Thu, 21 Nov 2024 02:18:03 -0800 

Hi Simon,

On 20/11/2024 14:35, Simon Glass wrote:

This Mail comes from Outside of SoftAtHome: Do not answer, click links or open 
attachments unless you recognize the sender and know the content is safe.

Hi Paul,

On Wed, 20 Nov 2024 at 03:09, Paul HENRYS
<paul.henrys_...@softathome.com> wrote:

mkimage can be used for both signing the FIT or encrypt its content and the
option '-k' can be used to pass a directory where both signing and encryption
keys can be retrieved.
_get_priv_keys_dir() is also renamed as _get_keys_dir() and adapted to support
both signing and encryption nodes in the FIT.

Signed-off-by: Paul HENRYS <paul.henrys_...@softathome.com>
---
Changes for v3:
  - Adapt the code after changes made in commit 133c000ca334
  - Rename property 'fit,sign' as 'fit,keys-directory' since this is not only
    about signing but passing a key directory to mkimage for both signing and
    encrypting
  - Update the tests and documentation accordingly

My initial changes proposed in v1 and v2 has been outdated by the changes
proposed in commit 133c000ca334.

  tools/binman/btool/mkimage.py           |  8 +++----
  tools/binman/entries.rst                | 13 ++++++-----
  tools/binman/etype/fit.py               | 31 ++++++++++++++-----------
  tools/binman/ftest.py                   |  2 +-
  tools/binman/test/340_fit_signature.dts |  2 +-
  tools/binman/test/341_fit_signature.dts |  2 +-
  tools/binman/test/342_fit_signature.dts |  2 +-
  7 files changed, 32 insertions(+), 28 deletions(-)

I think it is good to be able to specify the keys directory and not
just rely on Binman's input path. But do we need to remove the
fit,sign property? It is the signal that signing should be done.,
although I understand that there is a key directory too.

If we need to remove it, please do that in a separate patch.

Perhaps we also need a signal that encryption should be done?
Based on my understanding, we don't enable the signing by adding 'fit,sign' property but by having a signature node in the DTS passed to binman and thus also in the ITS passed to mkimage by binman (at least with the current implementation). In the current implementation, adding 'fit,sign property' in the DTS passed to binman only leads to add the argument '-k' with a directory where the private keys are stored and nothing more. The '-k' argument of mkimage is used to specify the keys directory for both signing and ciphering FIT data. That is why I thought the property could be shared for providing the keys directory for both signing and ciphering when generating the FIT. Then maybe your idea would be to use such a property, i.e. 'fit,sign' property, to be able to add more options related to the signature (key-name-hint, algo...) instead of having those information in the ITS in a signature node. In this case, I guess it would indeed make sense to have separate properties that could both set the '-k' argument passed to mkimage. The current signal for the encryption is to have a 'cipher' node in the ITS provided to mkimage. 


diff --git a/tools/binman/btool/mkimage.py b/tools/binman/btool/mkimage.py
index 78d3301bc1..3f84220fb1 100644
--- a/tools/binman/btool/mkimage.py
+++ b/tools/binman/btool/mkimage.py
@@ -22,7 +22,7 @@ class Bintoolmkimage(bintool.Bintool):

      # pylint: disable=R0913
      def run(self, reset_timestamp=False, output_fname=None, external=False,
-            pad=None, align=None, priv_keys_dir=None):
+            pad=None, align=None, keys_dir=None):
          """Run mkimage

          Args:
@@ -34,7 +34,7 @@ class Bintoolmkimage(bintool.Bintool):
                  other things to be easily added later, if required, such as
                  signatures
              align: Bytes to use for alignment of the FIT and its external data
-            priv_keys_dir: Path to directory containing private keys
+            keys_dir: Path to directory containing private and encryption keys
              version: True to get the mkimage version
          """
          args = []
@@ -46,8 +46,8 @@ class Bintoolmkimage(bintool.Bintool):
              args += ['-B', f'{align:x}']
          if reset_timestamp:
              args.append('-t')
-        if priv_keys_dir:
-            args += ['-k', f'{priv_keys_dir}']
+        if keys_dir:
+            args += ['-k', f'{keys_dir}']
          if output_fname:
              args += ['-F', output_fname]
          return self.run_cmd(*args)
diff --git a/tools/binman/entries.rst b/tools/binman/entries.rst
index e918162fb4..1b1d73ef17 100644
--- a/tools/binman/entries.rst
+++ b/tools/binman/entries.rst
@@ -864,12 +864,13 @@ The top-level 'fit' node supports the following special 
properties:

              fit,fdt-list-dir = "arch/arm/dts

-    fit,sign
-        Enable signing FIT images via mkimage as described in
-        verified-boot.rst. If the property is found, the private keys path is
-        detected among binman include directories and passed to mkimage via
-        -k flag. All the keys required for signing FIT must be available at
-        time of signing and must be located in single include directory.
+    fit,keys-directory
+        Look for a directory where signing and encryption keys are stored.
+        If the property is found, the keys path is detected among binman
+        include directories and passed to mkimage via  -k flag. All the keys
+        required for signing and encrypting the FIT must be available at the
+        time of signing and encrypting and must be located in a single
+        include directory.

  Substitutions
  ~~~~~~~~~~~~~
diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py
index b5afbda41b..e0c1ac08d8 100644
--- a/tools/binman/etype/fit.py
+++ b/tools/binman/etype/fit.py
@@ -102,13 +102,13 @@ class Entry_fit(Entry_section):
              In this case the input directories are ignored and all devicetree
              files must be in that directory.

-        fit,sign
-            Enable signing FIT images via mkimage as described in
-            verified-boot.rst. If the property is found, the private keys path
-            is detected among binman include directories and passed to mkimage
-            via  -k flag. All the keys required for signing FIT must be
-            available at time of signing and must be located in single include
-            directory.
+        fit,keys-directory
+            Look for a directory where signing and encryption keys are stored.
+            If the property is found, the keys path is detected among binman
+            include directories and passed to mkimage via  -k flag. All the 
keys
+            required for signing and encrypting the FIT must be available at 
the
+            time of signing and encrypting and must be located in a single
+            include directory.

      Substitutions
      ~~~~~~~~~~~~~
@@ -518,14 +518,14 @@ class Entry_fit(Entry_section):
          # are removed from self._entries later.
          self._priv_entries = dict(self._entries)

-    def _get_priv_keys_dir(self, data):
-        """Detect private keys path among binman include directories
+    def _get_keys_dir(self, data):
+        """Detect private and encryption keys path among binman include 
directories

          Args:
              data: FIT image in binary format

          Returns:
-            str: Single path containing all private keys found or None
+            str: Single path containing all keys found or None

          Raises:
              ValueError: Filename 'rsa2048.key' not found in input path
@@ -533,11 +533,14 @@ class Entry_fit(Entry_section):
          """
          def _find_keys_dir(node):
              for subnode in node.subnodes:
-                if subnode.name.startswith('signature'):
+                if (subnode.name.startswith('signature') or
+                    subnode.name.startswith('cipher')):
                      if subnode.props.get('key-name-hint') is None:
                          continue
                      hint = subnode.props['key-name-hint'].value
-                    name = tools.get_input_filename(f"{hint}.key")
+                    name = tools.get_input_filename(
+                        f"{hint}.key" if subnode.name.startswith('signature')
+                        else f"{hint}.bin")
                      path = os.path.dirname(name)
                      if path not in paths:
                          paths.append(path)
@@ -587,8 +590,8 @@ class Entry_fit(Entry_section):
          align = self._fit_props.get('fit,align')
          if align is not None:
              args.update({'align': fdt_util.fdt32_to_cpu(align.value)})
-        if self._fit_props.get('fit,sign') is not None:
-            args.update({'priv_keys_dir': self._get_priv_keys_dir(data)})
+        if self._fit_props.get('fit,keys-directory') is not None:
+            args.update({'keys_dir': self._get_keys_dir(data)})
          if self.mkimage.run(reset_timestamp=True, output_fname=output_fname,
                              **args) is None:
              if not self.GetAllowMissing():
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index 156567ace7..adab65e579 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -7885,7 +7885,7 @@ fdt         fdtmap                Extract the devicetree 
blob from the fdtmap
              str(e.exception))

      def testFitSignNoSingatureNodes(self):
-        """Test that fit,sign doens't raise error if no signature nodes 
found"""
+        """Test that fit,keys-directory doesn't raise error if no signature nodes 
found"""
          if not elf.ELF_TOOLS:
              self.skipTest('Python elftools not available')
          entry_args = {
diff --git a/tools/binman/test/340_fit_signature.dts 
b/tools/binman/test/340_fit_signature.dts
index 9dce62e52d..97c0cbd05e 100644
--- a/tools/binman/test/340_fit_signature.dts
+++ b/tools/binman/test/340_fit_signature.dts
@@ -11,7 +11,7 @@
                         description = "test desc";
                         #address-cells = <1>;
                         fit,fdt-list = "of-list";
-                       fit,sign;
+                       fit,keys-directory;

                         images {
                                 u-boot {
diff --git a/tools/binman/test/341_fit_signature.dts 
b/tools/binman/test/341_fit_signature.dts
index 77bec8df1e..4a4da7e589 100644
--- a/tools/binman/test/341_fit_signature.dts
+++ b/tools/binman/test/341_fit_signature.dts
@@ -11,7 +11,7 @@
                         description = "test desc";
                         #address-cells = <1>;
                         fit,fdt-list = "of-list";
-                       fit,sign;
+                       fit,keys-directory;

                         images {
                                 u-boot {
diff --git a/tools/binman/test/342_fit_signature.dts 
b/tools/binman/test/342_fit_signature.dts
index 267105d0f6..9c61aea044 100644
--- a/tools/binman/test/342_fit_signature.dts
+++ b/tools/binman/test/342_fit_signature.dts
@@ -11,7 +11,7 @@
                         description = "test desc";
                         #address-cells = <1>;
                         fit,fdt-list = "of-list";
-                       fit,sign;
+                       fit,keys-directory;

                         images {
                                 u-boot {
--
2.43.0

[..]

Regards,
Simon

Reply via email to