mkimage: Add -r option to specify keys that must be verified

Normally, multiple public keys can be provided and U-Boot is not
required to use all of them for verification. This is because some
images may not be signed, or may be optionally signed.

But we still need a mechanism to determine when a key must be used.
This feature cannot be implemented in the FIT itself, since anyone
could change it to mark a key as optional. The requirement for
key verification must go in with the public keys, in a place that
is protected from modification.

Add a -r option which tells mkimage to mark all keys that it uses
for signing as 'required'.

If some keys are optional and some are required, run mkimage several
times (perhaps with different key directories if some keys are very
secret) using the -F flag to update an existing FIT.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>

diff --git a/doc/mkimage.1 b/doc/mkimage.1
index b67a35178a0fec45521e27e8242216213df1f0a5..14374da88af0fff839ce105f5e25e9849e7baec9 100644 (file)
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -133,6 +133,12 @@ the corresponding public key is written into this file for for run-time
 verification. Typically the file here is the device tree binary used by
 CONFIG_OF_CONTROL in U-Boot.
 
+.TP
+.BI "\-r
+Specifies that keys used to sign the FIT are required. This means that they
+must be verified for the image to boot. Without this option, the verification
+will be optional (useful for testing but not for release).
+
 .SH EXAMPLES
 
 List image information:

diff --git a/tools/fit_image.c b/tools/fit_image.c
index d48f571b0f961b8ef27e8f21c4b501a3501adfc8..281c2bda13a26e6a73dbd8619feccee869344b2e 100644 (file)
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -152,10 +152,11 @@ static int fit_handle_file (struct mkimage_params *params)
                goto err_mmap;
 
        /* set hashes for images in the blob */
-       if (fit_add_verification_data(params->keydir, dest_blob, ptr,
-                                     params->comment, 0)) {
-               fprintf (stderr, "%s Can't add hashes to FIT blob",
-                        params->cmdname);
+       if (fit_add_verification_data(params->keydir,
+                                     dest_blob, ptr, params->comment,
+                                     params->require_keys)) {
+               fprintf(stderr, "%s Can't add hashes to FIT blob\n",
+                       params->cmdname);
                goto err_add_hashes;
        }
 

diff --git a/tools/mkimage.c b/tools/mkimage.c
index b3b45a47a3f14e79c9f5213ad57e9d800ec19965..d312844e9c303abf66592ff3b4e1aa7b5efa2533 100644 (file)
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -270,6 +270,9 @@ main (int argc, char **argv)
                                        usage ();
                                params.imagename = *++argv;
                                goto NXTARG;
+                       case 'r':
+                               params.require_keys = 1;
+                               break;
                        case 'R':
                                if (--argc <= 0)
                                        usage();
@@ -645,11 +648,12 @@ usage ()
        fprintf(stderr, "          -D => set options for device tree compiler\n"
                        "          -f => input filename for FIT source\n");
 #ifdef CONFIG_FIT_SIGNATURE
-       fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>]\n"
+       fprintf(stderr, "Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-r]\n"
                        "          -k => set directory containing private keys\n"
                        "          -K => write public keys to this .dtb file\n"
                        "          -c => add comment in signature node\n"
-                       "          -F => re-sign existing FIT image\n");
+                       "          -F => re-sign existing FIT image\n"
+                       "          -r => mark keys used as 'required' in dtb\n");
 #else
        fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
 #endif

diff --git a/tools/mkimage.h b/tools/mkimage.h
index ab8baf8f056fdde53fe107feb16d2127c4366a4b..1d9984e1a3dd36c9e3f9ea147a641c79ede128f2 100644 (file)
--- a/tools/mkimage.h
+++ b/tools/mkimage.h
@@ -90,6 +90,7 @@ struct mkimage_params {
        const char *keydir;     /* Directory holding private keys */
        const char *keydest;    /* Destination .dtb for public key */
        const char *comment;    /* Comment to add to signature node */
+       int require_keys;       /* 1 to mark signing keys as 'required' */
 };
 
 /*