aboutsummaryrefslogtreecommitdiff
path: root/tools/fit_image.c
AgeCommit message (Collapse)Author
2022-09-29treewide: Drop image_header_t typedefSimon Glass
This is not needed and we should avoid typedefs. Use the struct instead and rename it to indicate that it really is a legacy struct. Signed-off-by: Simon Glass <sjg@chromium.org>
2022-06-06mkimage: Support signing 'auto' FITsSean Anderson
This adds support for signing images in auto-generated FITs. To do this, we need to add a signature node. The algorithm name property already has its own option, but we need one for the key name hint. We could have gone the -G route and added an explicit name for the public key (like what is done for the private key). However, many places assume the public key can be constructed from the key dir and hint, and I don't want to do the refactoring necessary. As a consequence of this, it is now easier to add public keys to an existing image without signing something. This could be done all along, but now you don't have to create an its just to do it. Ideally, we wouldn't create a FIT at the end. This could be done by calling fit_image_setup_sig/info.crypto->add_verify_data directly. Signed-off-by: Sean Anderson <sean.anderson@seco.com>
2022-03-31mkimage: add public key for image pre-load stagePhilippe Reynes
This commit enhances mkimage to update the node /image/pre-load/sig with the public key. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
2022-01-26tools: mkimage: Show where signatures/keys are writtenSimon Glass
At present mkimage displays the node information but it is not clear what signing action was taken. Add a message that shows it. For now it only supports showing a single signing action, since that is the common case. Sample: Signature written to 'sha1-basic/test.fit', node '/configurations/conf-1/signature' Public key written to 'sha1-basic/sandbox-u-boot.dtb', node '/signature/key-dev' Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-26tools: Move copyfile() into a common fileSimon Glass
This function is useful in other places. Move it to a common file. Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-25mkimage: Show the external-offset errorSimon Glass
This is a debug message at present, which is not very helpful. Print out the error so that action can be taken. Signed-off-by: Simon Glass <sjg@chromium.org>
2022-01-24mkimage: Allow to specify the signature algorithm on the command lineJan Kiszka
This permits to prepare FIT image description that do not hard-code the final choice of the signature algorithm, possibly requiring the user to patch the sources. When -o <algo> is specified, this information is used in favor of the 'algo' property in the signature node. Furthermore, that property is set accordingly when writing the image. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2022-01-24tools/fitimage: remove redundant format checkStefan Eichenberger
fit_extract_contents does a fit_check_format even thought it was already checked during imagetool_verify_print_header. Therefore, this check is not necessary. This commit removes the redundancy. Signed-off-by: Stefan Eichenberger <eichest@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2021-07-14tools/fitimage: add missing linebreak for some messagesSven Roederer
Add a linebreak to two messages and fix punctuation. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2021-04-14mkimage: Add a 'keyfile' argument for image signingAlexandru Gagniuc
It's not always desirable to use 'keydir' and some ad-hoc heuristics to get the filename of the signing key. More often, just passing the filename is the simpler, easier, and logical thing to do. Since mkimage doesn't use long options, we're slowly running out of letters. I've chosen '-G' because it was available. Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-15image: Adjust the workings of fit_check_format()Simon Glass
At present this function does not accept a size for the FIT. This means that it must be read from the FIT itself, introducing potential security risk. Update the function to include a size parameter, which can be invalid, in which case fit_check_format() calculates it. For now no callers pass the size, but this can be updated later. Also adjust the return value to an error code so that all the different types of problems can be distinguished by the user. Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2020-08-07mkimage: fit: fix import of external dataPatrick Oppenlander
The external data is located after the mmapped FDT pointed to by 'old_fdt', not in the newly created FDT we are importing into at 'fdt'. Signed-off-by: Patrick Oppenlander <patrick.oppenlander@gmail.com>
2020-08-05fit_image: Use calloc() to fix reproducibility issueFabio Estevam
Vagrant Cascadian reported that mx6cuboxi target no longer builds reproducibility on Debian. One example of builds mismatches: 00096680: 696e 6700 736f 756e 642d 6461 6900 6465 ing.sound-dai.de -00096690: 7465 6374 2d67 7069 6f73 0000 tect-gpios.. +00096690: 7465 6374 2d67 7069 6f73 0061 tect-gpios.a This problem happens because all the buffers in fit_image.c are allocated via malloc(), which does not zero out the allocated buffer. Using calloc() fixes this unpredictable behaviour as it guarantees that the allocated buffer are zero initialized. Reported-by: Vagrant Cascadian <vagrant@reproducible-builds.org> Suggested-by: Tom Rini <trini@konsulko.com> Signed-off-by: Fabio Estevam <festevam@gmail.com> Tested-by: Vagrant Cascadian <vagrant@reproducible-builds.org>
2020-07-25mkimage: Allow updating the FIT timestampSimon Glass
Normally the FIT timestamp is created the first time mkimage is run on a FIT, when converting the source .its to the binary .fit file. This corresponds to using the -f flag. But if the original input to mkimage is a binary file (already compiled) then the timestamp is assumed to have been set previously. Add a -t flag to allow setting the timestamp in this case. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2020-07-24Revert "Merge tag 'dm-pull-20jul20' of git://git.denx.de/u-boot-dm"Tom Rini
This reverts commit 5d3a21df6694ebd66d5c34c9d62a26edc7456fc7, reversing changes made to 56d37f1c564107e27d873181d838571b7d7860e7. Unfortunately this is causing CI failures: https://travis-ci.org/github/trini/u-boot/jobs/711313649 Signed-off-by: Tom Rini <trini@konsulko.com>
2020-07-20mkimage: Allow updating the FIT timestampSimon Glass
Normally the FIT timestamp is created the first time mkimage is run on a FIT, when converting the source .its to the binary .fit file. This corresponds to using the -f flag. But if the original input to mkimage is a binary file (already compiled) then the timestamp is assumed to have been set previously. Add a -t flag to allow setting the timestamp in this case. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2020-06-02mkimage: Default to adding a crc32 hash with '-f auto'Simon Glass
This option currently does not add any sort of hash to the images in the FIT. Add a hash node requesting a crc32 checksum, which at least provides some protection. The crc32 value is easily ignored (e.g. in SPL) if not needed. and takes up only about 48 bytes per image, including overhead. Suggested-by: Wolfgang Denk <wd@denx.de> Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Wolfgang Denk <wd@denx.de>
2020-05-07Revert "mkimage: fit: Do not tail-pad fitImage with external data"Tom Rini
This has been reported to break booting of U-Boot from SPL on a number of platforms due to a lack of alignment of the external data. The issues this commit is addressing will need to be resolved another way. Re-introduce a data leak in the padding for now. This reverts commit 20a154f95bfe0a3b5bfba90bea7f001c58217536. Reported-by: Alex Kiernan <alex.kiernan@gmail.com> Reported-by: Michael Walle <michael@walle.cc> Tested-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Tom Rini <trini@konsulko.com>
2020-05-04mkimage: fit: Do not tail-pad fitImage with external dataMarek Vasut
There is no reason to tail-pad fitImage with external data to 4-bytes, while fitImage without external data does not have any such padding and is often unaligned. DT spec also does not mandate any such padding. Moreover, the tail-pad fills the last few bytes with uninitialized data, which could lead to a potential information leak. $ echo -n xy > /tmp/data ; \ ./tools/mkimage -E -f auto -d /tmp/data /tmp/fitImage ; \ hexdump -vC /tmp/fitImage | tail -n 3 before: 00000260 61 2d 6f 66 66 73 65 74 00 64 61 74 61 2d 73 69 |a-offset.data-si| 00000270 7a 65 00 00 78 79 64 64 |ze..xydd| ^^ ^^ ^^ after: 00000260 61 2d 6f 66 66 73 65 74 00 64 61 74 61 2d 73 69 |a-offset.data-si| 00000270 7a 65 00 78 79 |ze.xy| Signed-off-by: Marek Vasut <marex@denx.de> Reviewed-by: Simon Glass <sjg@chromium.org> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de> Cc: Tom Rini <trini@konsulko.com>
2020-05-01tools/fit-image: print a warning when cmd-line for dtc might be truncatedSven Roederer
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2020-04-24mkimage: fit: Free buf directly in fit_extract_data()Bin Meng
If given ptr to free() is NULL, no operation is performed. Hence we can just free buf directly in fit_extract_data(). Signed-off-by: Bin Meng <bin.meng@windriver.com>
2020-04-24mkimage: fit: Unmmap the memory before closing fd in fit_import_data()Lihua Zhao
Without calling munmap(), the follow-up call to open() the same file with a flag O_TRUNC seems not to cause any issue on Linux, but it fails on Windows with error like below: Can't open kernel_fdt.itb.tmp: Permission denied Fix this by unmapping the memory before closing fd in fit_import_data(). Signed-off-by: Lihua Zhao <lihua.zhao@windriver.com> Signed-off-by: Bin Meng <bin.meng@windriver.com>
2020-04-24mkimage: fit_image: Add option to make fit header alignKever Yang
The image is usually stored in block device like emmc, SD card, make the offset of image data aligned to block(512 byte) can avoid data copy during boot process. eg. SPL boot from FIT image with external data: - SPL read the first block of FIT image, and then parse the header; - SPL read image data separately; - The first image offset is the base_offset which is the header size; - The second image offset is just after the first image; - If the offset of imge does not aligned, SPL will do memcpy; The header size is a ramdon number, which is very possible not aligned, so add '-B size'to specify the align size in hex for better performance. example usage: ./tools/mkimage -E -f u-boot.its -B 0x200 u-boot.itb Signed-off-by: Kever Yang <kever.yang@rock-chips.com> Reviewed-by: Punit Agrawal <punit1.agrawal@toshiba.co.jp> Reviewed-by: Tom Rini <trini@konsulko.com>
2020-04-24tool: use ALIGN() to align the sizeKever Yang
Use the ALIGN() for size align so that the code is more readable. Signed-off-by: Kever Yang <kever.yang@rock-chips.com> Reviewed-by: Punit Agrawal <punit1.agrawal@toshiba.co.jp> Reviewed-by: Tom Rini <trini@konsulko.com> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-04-17mkimage: fit: don't create image with 0700 permissionsThomas Hebb
commit 7298e422504e ("mkimage: fit: add support to encrypt image with aes") added a new copyfile() function as part of the FIT image creation flow. This function as currently written creates the final image with a mode of 0700 (before umask), differing from the old behavior of 0666. Since there doesn't seem to be any reason to make the image executable or non-group, non-other readable, change the mask to 0666 to preserve the old behavior. Fixes: 7298e422504e ("mkimage: fit: add support to encrypt image with aes") Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
2020-01-17mkimage: fit: add support to encrypt image with aesPhilippe Reynes
This commit add the support of encrypting image with aes in mkimage. To enable the ciphering, a node cipher with a reference to a key and IV (Initialization Vector) must be added to the its file. Then mkimage add the encrypted image to the FIT and add the key and IV to the u-boot device tree. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
2020-01-10mkimage: simplify fit_check_params()Heinrich Schuchardt
fit_check_params() wants at least two of dflag, fflag, and lflag set. Simplify the logical constraint checking this. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-01-07tools: fit_image: Use fit_image_get_data_and_size for getting offset/sizeAndrew F. Davis
This is very similar to fit_image_get_data but has the benefit of working on FIT images with external data unlike fit_image_get_data. This is useful for extracting sub-images from type of FIT image as this would previously just silently fail. Add an error message also so if this still fails it is easier to find out why. Signed-off-by: Andrew F. Davis <afd@ti.com> Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
2019-10-31mkimage: Set correct FDT type and ramdisk architecture in FIT auto modeMichal Sojka
When running the following command mkimage -f auto -A arm -O linux -T kernel -C none -a 0x8000 -e 0x8000 \ -d zImage -b zynq-microzed.dtb -i initramfs.cpio image.ub the type of fdt subimage is the same as of the main kernel image and the architecture of the initramfs image is not set. Such an image is refused by U-Boot when booting. This commits sets the mentioned attributes, allowing to use the "-f auto" mode in this case instead of writing full .its file. Following is the diff of mkimage output without and with this commit: FIT description: Kernel Image image with one or more FDT blobs Created: Thu Sep 12 23:23:16 2019 Image 0 (kernel-1) Description: Created: Thu Sep 12 23:23:16 2019 Type: Kernel Image Compression: uncompressed Data Size: 4192744 Bytes = 4094.48 KiB = 4.00 MiB Architecture: ARM OS: Linux Load Address: 0x00008000 Entry Point: 0x00008000 Image 1 (fdt-1) Description: zynq-microzed Created: Thu Sep 12 23:23:16 2019 - Type: Kernel Image + Type: Flat Device Tree Compression: uncompressed Data Size: 9398 Bytes = 9.18 KiB = 0.01 MiB Architecture: ARM - OS: Unknown OS - Load Address: unavailable - Entry Point: unavailable Image 2 (ramdisk-1) Description: unavailable Created: Thu Sep 12 23:23:16 2019 Type: RAMDisk Image Compression: Unknown Compression Data Size: 760672 Bytes = 742.84 KiB = 0.73 MiB - Architecture: Unknown Architecture + Architecture: ARM OS: Linux Load Address: unavailable Entry Point: unavailable Default Configuration: 'conf-1' Configuration 0 (conf-1) Description: zynq-microzed Kernel: kernel-1 Init Ramdisk: ramdisk-1 FDT: fdt-1 Loadables: kernel-1 Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
2019-05-18tools: use read-only mmap in fit_check_signLuca Boccassi
Add an option to open files in read-only mode in mmap_fdt so that fit_check_sign can be used to inspect files on read-only filesystems. For example, this is useful when a key is shipped in a read-only rootfs or squashfs. Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2019-03-22tools: fit_image: Add the loadable property to configsAbel Vesa
When running mkimage with "-f auto", the loadable property needs to be set in order to allow SPL FIT support to boot. Signed-off-by: Abel Vesa <abel.vesa@nxp.com> Tested-by: Fabio Estevam <festevam@gmail.com>
2018-07-24mkimage: fit_image: Use macros from image.hMichal Simek
There is no reason not to use macros which are already defined. It is also much easier for grepping. Signed-off-by: Michal Simek <michal.simek@xilinx.com> Reviewed-by: Simon Glass <sjg@chromium.org>
2018-07-10mkimage: fit_image: Add support for SOURCE_DATE_EPOCH in signaturesAlex Kiernan
When generating timestamps in signatures, use imagetool_get_source_date() so we can be overridden by SOURCE_DATE_EPOCH to generate reproducible images. Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Reviewed-by: Simon Glass <sjg@chromum.org>
2018-07-10mkimage: Refactor imagetool_get_source_date to take command nameAlex Kiernan
So we can use imagetool_get_source_date() from callers who do not have the image tool params struct, just pass in the command name for the error message. Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Reviewed-by: Simon Glass <sjg@chromum.org>
2018-05-07SPDX: Convert all of our single license tags to Linux Kernel styleTom Rini
When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us. In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style. This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one. Signed-off-by: Tom Rini <trini@konsulko.com>
2018-03-09tools/mkimage: Use proper output parameter in dtc-system callStefan Theil
The system call used by mkimage to run dtc redirects stdout to a temporary file. This can cause problems on Windows (with a MinGW cross-compiled version). Using the "-o" dtc parameter avoids this problem. Signed-off-by: Stefan Theil <stefan.theil@mixed-mode.de> Reviewed-by: Tom Rini <trini@konsulko.com>
2018-01-15tools: fix incorrect usage of DT node unit addressAndre Przywara
The DT spec demands a unit-address in a node name to match the "reg" property in that node. Newer dtc versions will throw warnings if this is not the case. Correct the generated unit names when U-Boot's mkimage creates a FIT image. Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2017-10-16tools/mkimage: Fix DTC run command to handle file names with spaceMirza, Taimoor
fit_handle_file function does not quote input and output files while preparing command to run DTC to convert .its to .itb. This results in a failure if input or output files contain spaces in their names. Quote input and output files in DTC command to avoid this failure. Signed-off-by: Mirza, Taimoor <Taimoor_Mirza@mentor.com>
2017-10-07cmd/gpt.c, cmd/nvedit.c, tools/fit_image.c: Rework recent fixes for CoverityTom Rini
The recent changes to these files did not completely fix the previous issues, or introduced different (minor) issues. In cmd/gpt.c we need to dereference str_disk_guid to be sure that malloc worked. In cmd/nvedit.c we need to be careful that we can also fit in that leading space when adding to the string. And in tools/fit_image.c we need to re-work the error handling slightly in fit_import_data() so that we only call munmap() once. We have two error paths here, one where we have an fd to close and one where we do not. Adjust labels to match this. Reported-by: Coverity (CID: 167366, 167367, 167370) Signed-off-by: Tom Rini <trini@konsulko.com>
2017-10-06tools/fit_image.c: Update some return code pathsTom Rini
Coverity has found some problems with the return paths in parts of this code. We have a case where we were going to the wrong part of the unwind (open() failed so we cannot close the fd), a case where we were only free()ing our buf on the error path and finally a case where we did not munmap in the failure path. Reported-by: Coverity (CID: 138492, 138495, 143064) Signed-off-by: Tom Rini <trini@konsulko.com>
2017-01-14mkimage: Add support for signing with pkcs11George McCollister
Add support for signing with the pkcs11 engine. This allows FIT images to be signed with keys securely stored on a smartcard, hardware security module, etc without exposing the keys. Support for other engines can be added in the future by modifying rsa_engine_get_pub_key() and rsa_engine_get_priv_key() to construct correct key_id strings. Signed-off-by: George McCollister <george.mccollister@gmail.com>
2016-11-06mkimage: Allow including a ramdisk in FIT auto modeTomeu Vizoso
Adds -i option that allows specifying a ramdisk file to be added to the FIT image when we are using the automatic FIT mode (no ITS file). This makes adding Depthcharge support to LAVA much more convenient, as no additional configuration files need to be kept around in the machine that dispatches jobs to the boards. Signed-off-by: Tomeu Vizoso <tomeu.vizoso@collabora.com> Cc: Simon Glass <sjg@chromium.org> Cc: Matt Hart <matthew.hart@linaro.org> Cc: Neil Williams <codehelp@debian.org> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-07-14tools: Add an error code when fit_handle_file() failsSimon Glass
The error code may provide useful information for debugging. Add it to the error string. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Teddy Reed <teddy.reed@gmail.com>
2016-07-14image: Correct auto-fit architecture property nameSimon Glass
The fit_write_images() function incorrectly uses the long name for the architecture. This cannot be parsed with the FIT is read. Fix this by using the short name instead. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Tom Rini <trini@konsulko.com>
2016-06-24Respect SOURCE_DATE_EPOCH when building FIT images.Vagrant Cascadian
Embedding timestamps in FIT images results in unreproducible builds for targets that generate a fit image, such as dra7xx_evm. This patch uses the SOURCE_DATE_EPOCH environment variable, when set, to use specified value for the date. Thanks to HW42 for debugging the issue and providing the patch: https://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20160606/005722.html For more information about reproducible builds and the SOURCE_DATE_EPOCH specification: https://reproducible-builds.org/specs/source-date-epoch/ https://reproducible-builds.org/ Signed-off-by: Vagrant Cascadian <vagrant@debian.org> Reviewed-by: Simon Glass <sjg@chromium.org>
2016-06-24mkimage: fit: spl: Add an optional static offset for external dataTeddy Reed
When building a FIT with external data (-E), U-Boot proper may require absolute positioning for executing the external firmware. To acheive this use the (-p) switch, which will replace the amended 'data-offset' with 'data-position' indicating the absolute position of external data. It is considered an error if the requested absolute position overlaps with the initial data required for the compact FIT. Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
2016-05-02fit_image: Fix a double close() on the error pathSimon Glass
There is an extra close() call which is not needed. Reported-by: Coverity (CID: 143065) Signed-off-by: Simon Glass <sjg@chromium.org>
2016-03-22mkimage: Don't close the file if it wasn't openedSimon Glass
The error path for fit_import_data() is incorrect if the second open() call fails. Reported-by: Coverity (CID: 138489) Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Tom Rini <trini@konsulko.com>
2016-03-22mkimage: Ensure file is closed in fdt_property_file()Simon Glass
The file that is opened is not closed in all cases. Fix it. Reported-by: Coverity (CID: 138490) Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Tom Rini <trini@konsulko.com>
2016-03-22mkimage: Fix missing free() and close() in fit_build()Simon Glass
Make sure that both the error path and normal return free the buffer and close the file. Reported-by: Coverity (CID: 138491) Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Tom Rini <trini@konsulko.com>