Add the test which provides sequence of actions:
1. create the image from binman dts
2. create public and private keys
3. add public key into dtb with fdt_add_pubkey
4. 1. sign FIT container with new sign option with extracting from
image
2. sign exact FIT container with replacing of it in image
5. check with fit_check_sign
Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com>
Renumber test file from 277 to 280;
Move UpdateSignatures() to Entry base class;
Don't allow missing mkimage as it doesn't make sense;
Propagate --toolpath for CI;
Call mark_build_done() to avoid regenerating FIT:
Signed-off-by: Simon Glass <sjg@chromium.org>
Introduce proof of concept for binman's new option which provides sign
and replace FIT containers in binary images.
Usage as example:
from:
mkimage -G privateky -r -o sha256,rsa4096 -F fit
binman replace -i flash.bin -f fit.fit fit
to:
binman sign -i flash.bin -k privatekey -a sha256,rsa4096 -f fit.fit fit
and to this one if it's need to be extracted, signed with key and put it
back in image:
binman sign -i flash.bin -k privatekey -a sha256,rsa4096 fit
Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com>
And a new entry type which supports generation of x509 certificates.
This uses a new 'openssl' btool with just one operation so far.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present these are handled as if they are allowed to be missing, but
this is only true if the -M flag is provided. Fix this and add a test.
Signed-off-by: Simon Glass <sjg@chromium.org>
The patman directory has a number of modules which are used by other tools
in U-Boot. This makes it hard to package the tools using pypi since the
common files must be copied along with the tool that uses them.
To address this, move these files into a new u_boot_pylib library. This
can be packaged separately and listed as a dependency of each tool.
Signed-off-by: Simon Glass <sjg@chromium.org>
Entry_blob_ext contains an implementation of SetAllowFakeBlob that is
identical to the one in the base Entry class, remove it.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add an entry flag called 'preserve' to indicate that an entry should be
preserved by firmware updates. Propagate this to FMAP too.
Signed-off-by: Simon Glass <sjg@chromium.org>
Using the mkimage entry with the multiple-data-files prop and having a
missing external blob result in an unexpected ValueError exception using
the --allow-missing flag.
ValueError: Filename 'missing.bin' not found in input path (...)
Fix this by using _pathname that is resolved by ObtainContents for blob
entries, ObtainContents also handles allow missing for external blobs.
Mark mkimage entry as missing and return without running mkimage when
missing entries is reported by CheckMissing.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
In some cases it is desired for SPL to start TF-A instead of U-Boot
proper. Add support for a new property fit,firmware that picks a
valid entry and prepends the remaining valid entries to the
loadables list generated by the split-elf generator.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Special nodes, hash and signature, is not being added to the nodes
generated for each segment in split-elf operation.
Copy the subnode logic used in _gen_fdt_nodes to _gen_split_elf to
ensure special nodes are added to the generated nodes.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add support to indicate what alignment to use for the FIT and its
external data. Pass the alignment to mkimage via the -B flag.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Simon Glass <sjg@chromium.org>
The current support for updating variables in a binary is hard-coded to
work with U-Boot:
- It assumes the image starts at __image_copy_start
- It uses the existing U-Boot-specific entry types
It is useful for other projects to use these feature.
Add properties to enable writing symbols for any blob, a way of specifying
the base symbol and a way of providing the ELF filename to allow symbol
lookup to take place.
With this it is possible to update a Zephyr image, such as zephyr.bin
after it has been built.
Signed-off-by: Simon Glass <sjg@chromium.org>
In some cases it is useful to have an entry overlap with another in a
section, either to update the contents within a blob, or to add an entry
to the fdtmap that covers only part of the blob.
Add support for this.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is sometimes useful to define an entry which does not have its own
contents but does appear in the image. The contents are set by the section
which contains it, even though it appears as an entry in the fdtmap.
Add support for this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some blobs are actually not necessary for the board to work correctly. Add
a property to allow this to be indicated. Missing optional blobs do not
cause a build failure.
Signed-off-by: Simon Glass <sjg@chromium.org>
OP-TEE has a format with a binary header that can be used instead of the
ELF file. With newer versions of OP-TEE this may be required on some
platforms.
Add support for this in binman. First, add a method to obtain the ELF
sections from an entry, then use that in the FIT support. We then end up
with the ability to support both types of OP-TEE files, depending on which
one is passed in with the entry argument (TEE=xxx in the U-Boot build).
Signed-off-by: Simon Glass <sjg@chromium.org>
Support entries which can be optional depending on their contents. This
allows special entry types which appear in the image only when needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
Several etypes have this reference in their documentation. Now that we are
using rST, link to the section directly.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
At present only the image (which is a section) has a filename. Move this
implementation to the entry_Section class so that any section can have a
filename. With this, the section data is written to a file.
This allows parts of an image to be written, along with the entire image.
Make a note that this can be used to include the contents of a section in
one image in another (later) image.
Signed-off-by: Simon Glass <sjg@chromium.org>
In some cases the ELF version of SPL builds may be packaged, rather
than a binary .bin file. Add support for this.
Signed-off-by: Simon Glass <sjg@chromium.org>
This feature is used by several etypes and we plan to add more that use
it. Make symbol writing a feature of the base class to reduce the code
duplication.
Signed-off-by: Simon Glass <sjg@chromium.org>
The current name is inconsistent with SPL which uses CONFIG_SPL_TEXT_BASE
and this makes it imposible to use CONFIG_VAL().
Rename it to resolve this problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
mkimage entry currently creates a file whose name is derived from the
section name containing said entry.
Let's allow the user to define a filename for the mkimage-generated
binary by using the 'filename' DT property.
Cc: Quentin Schulz <foss+uboot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Some image types handled by mkimage require the datafiles to be passed
independently (-d data1:data2) for specific handling of each. A
concatenation of datafiles prior to passing them to mkimage wouldn't
work.
That is the case for rkspi for example which requires page alignment
and only writing 2KB every 4KB.
This adds the ability to tell binman to pass the datafiles without
prior concatenation to mkimage, by adding the multiple-data-files
boolean property to the mkimage node.
Cc: Quentin Schulz <foss+uboot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add an optional length header attribute to the device tree blob entry
class based on the compressed data header from the utilities to compress
and decompress data.
If needed the header could be enabled with the following
attribute beside the compress attribute:
prepend = "length";
The header was introduced as part of commit eb0f4a4cb4 ("binman:
Support replacing data in a cbfs") to allow device tree entries to be
larger than the compressed contents. Regarding the commit "this is
necessary to cope with a compressed device tree being updated in such a
way that it shrinks after the entry size is already set (an obscure
case)". This case need to be fixed without influence any compressed data
by itself.
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a DecompressData function to entry class to allow override in child
classes and to centralize the compress and decompress in a single class.
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
At present the collections etype only works with entries in the same
section. This can be limiting, since in some cases the data may be inside
a subsection, e.g. if there are alignment constraints.
Add a function to find the entries in an etype and have it search
recursively. Make use of this for mkimage also.
Signed-off-by: Simon Glass <sjg@chromium.org>
Also control over what goes in the file passed with -n using a separate
imagename subnode. This can include a section or any other entry type.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some image types use the -n parameter to pass in the data file. Add
support for this, with a new property.
Signed-off-by: Simon Glass <sjg@chromium.org>
Expand this a little to make things clearer. Also drop the invalid
entry arg.
Series-changes 2
- Make it clear that -d data is concatenated/collected by binman
- Fix mulitple typoe
- Reword a sentence for grammar
Signed-off-by: Simon Glass <sjg@chromium.org>
Since this is implemented as a section, it should really be split into
several functions, one to read the node and one to read the entries. Do
this so that it matches how Entry_section works.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some new entries are likely to have required properties. Support this in a
standard way, with a list of required properties which can be set up by
base classes. Check for missing properties when the entry is read.
Signed-off-by: Simon Glass <sjg@chromium.org>
Currently the fitImage data area is resized in 1 kiB steps. This works
when bundling smaller images below some 1 MiB, but when bundling large
images into the fitImage, this make binman spend extreme amount of time
and CPU just spinning in pylibfdt FdtSw.check_space() until the size
grows enough for the large image to fit into the data area. Increase
the default step to 64 kiB, which is a reasonable compromise -- the
U-Boot blobs are somewhere in the 64kiB...1MiB range, DT blob are just
short of 64 kiB, and so are the other blobs. This reduces binman runtime
with 32 MiB blob from 2.3 minutes to 5 seconds.
The following can be used to trigger the problem if rand.bin is some 32 MiB.
"
/ {
itb {
fit {
images {
test {
compression = "none";
description = "none";
type = "flat_dt";
blob {
filename = "rand.bin";
type = "blob-ext";
};
};
};
};
};
configurations {
binman_configuration: config {
loadables = "test";
};
};
};
"
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Binman interfaces allow attempts to replace any entry in the image with
arbitrary data. When trying to replace sections, the changes in the
section entry's data are not propagated to its child entries. This,
combined with how sections rebuild their contents from its children,
eventually causes the replaced contents to be silently overwritten by
rebuilt contents equivalent to the original data.
Add a simple test for replacing a section that is currently failing due
to this behaviour, and mark it as an expected failure. Also, raise an
error when replacing a section instead of silently pretending it was
replaced.
Signed-off-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
