diff --git a/make.sh b/make.sh index f22d185e91..d75c8fd94e 100755 --- a/make.sh +++ b/make.sh @@ -171,19 +171,10 @@ function process_args() help exit 0 ;; - ''|loader|trust|uboot|spl*|debug*|itb|env|EXT_DTB=*|nopack|fit*) ARG_SUBCMD=$1 shift 1 ;; - --boot_img|--rollback-index-boot|--rollback-index-uboot) - ARG_FIT_TOTAL="$ARG_FIT_TOTAL $1 $2 " - shift 2 - ;; - --spl-new|--no-check) - ARG_FIT_TOTAL="$ARG_FIT_TOTAL $1 " - shift 1 - ;; map|sym|elf*) ARG_SUBCMD=$1 if [ "$2" = "spl" -o "$2" = "tpl" ]; then @@ -192,8 +183,7 @@ function process_args() fi shift 1 ;; - - *.ini|*.INI) + *.ini) if [ ! -f $1 ]; then echo "ERROR: No $1" fi @@ -204,11 +194,18 @@ function process_args() fi shift 1 ;; - *) + # out scripts args + NUM=$(./scripts/fit-mkimg.sh --p-check $1) + if [ $NUM -ne 0 ]; then + [ $NUM -eq 1 ] && ARG_FIT="${ARG_FIT} $1" + [ $NUM -eq 2 ] && ARG_FIT="${ARG_FIT} $1 $2" + shift ${NUM} + continue # FUNC address - if [ -z $(echo $1 | sed 's/[0-9,a-f,A-F,x,X,-]//g') ]; then + elif [ -z $(echo $1 | sed 's/[0-9,a-f,A-F,x,X,-]//g') ]; then ARG_FUNCADDR=$1 + # xxx_defconfig else ARG_BOARD=$1 if [ ! -f configs/${ARG_BOARD}_defconfig ]; then @@ -300,7 +297,7 @@ function sub_commands() fit) if [ "$opt" = "ns" ]; then - ./scripts/fit-vboot.sh --no-vboot $ARG_FIT_TOTAL + ./scripts/fit-mkimg.sh --uboot --boot --no-vboot ${ARG_FIT} fi exit 0 ;; @@ -346,7 +343,7 @@ function sub_commands() ;; --rollback-index*) - pack_fit_image $ARG_FIT_TOTAL + pack_fit_image ${ARG_FIT} exit 0 ;; @@ -508,7 +505,7 @@ function select_ini_file() function handle_args_late() { - ARG_FIT_TOTAL="$ARG_FIT_TOTAL --ini-trust $INI_TRUST --ini-loader $INI_LOADER" + ARG_FIT="${ARG_FIT} --ini-trust $INI_TRUST --ini-loader $INI_LOADER" } function pack_uboot_image() @@ -729,11 +726,11 @@ function pack_trust_image() function pack_fit_image() { if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then - ./scripts/fit-vboot.sh $ARG_FIT_TOTAL + ./scripts/fit-mkimg.sh --uboot --boot ${ARG_FIT} else rm uboot.img trust*.img -rf - ./scripts/fit-vboot-uboot.sh --no-vboot --no-rebuild $ARG_FIT_TOTAL - echo "pack uboot.img (with uboot trust) okay! Input: $INI_TRUST" + ./scripts/fit-mkimg.sh --uboot --no-vboot --no-rebuild ${ARG_FIT} + echo "pack uboot.img okay! Input: $INI_TRUST" fi } @@ -745,7 +742,7 @@ function pack_images() pack_trust_image pack_loader_image elif [ "$IMAGE_FORMAT" = "FIT" ]; then - pack_fit_image $ARG_ROLLBACK_IDX_UBOOT $ARG_ROLLBACK_IDX_BOOT $ARG_FIT_TOTAL + pack_fit_image ${ARG_FIT} fi fi } @@ -787,3 +784,4 @@ clean_files make CROSS_COMPILE=${TOOLCHAIN_GCC} ${OPTION} all --jobs=${JOB} pack_images finish + diff --git a/scripts/fit-base.sh b/scripts/fit-base.sh deleted file mode 100755 index b41ef8ffd8..0000000000 --- a/scripts/fit-base.sh +++ /dev/null @@ -1,518 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd -# -# SPDX-License-Identifier: GPL-2.0 -# -set -e - -KEY_DIR="keys" -FIT_DIR="fit" -FIT_DIR_UNPACK="$FIT_DIR/unpack" -# offset -FIT_NS_OFFS_UBOOT="0xa00" -FIT_NS_OFFS_BOOT="0x800" -FIT_S_OFFS_UBOOT="0xc00" -FIT_S_OFFS_BOOT="0xc00" -# itb -FIT_ITB_UBOOT="$FIT_DIR/uboot.itb" -FIT_ITB_BOOT="$FIT_DIR/boot.itb" -# resign -FIT_ITB_RESIG="$FIT_DIR/sig-new.itb" -FIT_ITB_RESIG_BACKUP="$FIT_DIR/sig-backup.itb" -FIT_SIG_P1="$FIT_DIR/sig.p1" -FIT_SIG_P2="$FIT_DIR/sig.p2.sig" -FIT_SIG_P3="$FIT_DIR/sig.p3" -# data to sign -FIT_DATA2SIG_UBOOT="$FIT_DIR/uboot.data2sign" -FIT_DATA2SIG_BOOT="$FIT_DIR/boot.data2sign" -# unmap -FIT_UNMAP_ITB_UBOOT="$FIT_DIR/uboot_unmap_itb.its" -FIT_UNMAP_KEY_UBOOT="$FIT_DIR/uboot_unmap_key.its" -FIT_UNMAP_ITB_BOOT="$FIT_DIR/boot_unmap_itb.its" -FIT_UNMAP_KEY_BOOT="$FIT_DIR/boot_unmap_key.its" -# file -CHIP_FILE="arch/arm/lib/.asm-offsets.s.cmd" -# placeholder address -FIT_FDT_ADDR_PLACEHOLDER="0xffffff00" -FIT_KERNEL_ADDR_PLACEHOLDER="0xffffff01" -FIT_RAMDISK_ADDR_PLACEHOLDER="0xffffff02" -# output -FIT_IMG_UBOOT="uboot.img" -FIT_IMG_BOOT="boot.img" - -function usage_pack() -{ - echo - echo "usage:" - echo " $0 [args]" - echo - echo "args:" - if [[ "$0" = *fit-vboot-boot.sh ]]; then - echo " --rollback-index-boot " - elif [[ "$0" = *fit-vboot-uboot.sh ]]; then - echo " --rollback-index-uboot " - else - echo " --rollback-index-boot " - echo " --rollback-index-uboot " - fi - echo " --no-vboot" - echo " --no-check" - echo " --spl-new" - echo -} - -function arg_check_decimal() -{ - if [ -z $1 ]; then - echo "ERROR: $1 is not a decimal integer" - usage_pack - exit 1 - fi - - decimal=`echo $1 |sed 's/[0-9]//g'` - if [ ! -z $decimal ]; then - echo "ERROR: $1 is not a decimal integer" - usage_pack - exit 1 - fi -} - -function fit_process_args() -{ - while [ $# -gt 0 ]; do - case $1 in - --no-vboot) # Force to build non-vboot image - ARG_NO_VBOOT="y" - shift 1 - ;; - --no-rebuild) # No rebuild with "./make.sh" - ARG_NO_REBUILD="y" - shift 1 - ;; - --no-check) # No hostcc fit signature check - ARG_NO_CHECK="y" - shift 1 - ;; - --ini-trust) # Assign trust ini file - ARG_INI_TRUST=$2 - shift 2 - ;; - --ini-loader) # Assign loader ini file - ARG_INI_LOADER=$2 - shift 2 - ;; - --spl-new) # Use current build u-boot-spl.bin to pack loader - ARG_SPL_NEW="y" - shift 1 - ;; - --rollback-index-boot) - ARG_ROLLBACK_IDX_BOOT=$2 - arg_check_decimal $2 - shift 2 - ;; - --rollback-index-uboot) - ARG_ROLLBACK_IDX_UBOOT=$2 - arg_check_decimal $2 - shift 2 - ;; - --boot_img) - ARGS_EXT_BOOT_IMG=$2 - shift 2 - ;; - *) - usage_pack - exit 1 - ;; - esac - done -} - -function its_file_check() -{ - cat $1 | while read line - do - image=`echo $line | sed -n "/incbin/p" | awk -F '"' '{ printf $2 }' | tr -d ' '` - if [ ! -f $image ]; then - echo "ERROR: No $image" - exit 1 - fi - done -} - -function fit_rebuild() -{ - if [ "$ARG_NO_REBUILD" != "y" ]; then - ./make.sh nopack - fi - - if [ -d $FIT_DIR ]; then - rm $FIT_DIR -rf - fi - - mkdir -p $FIT_DIR - mkdir -p $FIT_DIR_UNPACK -} - -function fit_uboot_make_itb() -{ - ./make.sh itb $ARG_INI_TRUST - its_file_check u-boot.its - - # output uboot.itb - if [ "$ARG_NO_VBOOT" = "y" ]; then - SIGN_MSG="no-signed" - ./tools/mkimage -f u-boot.its -E -p $FIT_NS_OFFS_UBOOT $FIT_ITB_UBOOT - if [ "$ARG_SPL_NEW" = "y" ]; then - ./make.sh spl-s $ARG_INI_LOADER - echo "pack loader with: spl/u-boot-spl.bin" - else - ./make.sh loader $ARG_INI_LOADER - fi - else - SIGN_MSG="signed" - if [ ! -f $KEY_DIR/dev.key ]; then - echo "ERROR: No $KEY_DIR/dev.key" - exit 1 - elif [ ! -f $KEY_DIR/dev.crt ]; then - echo "ERROR: No $KEY_DIR/dev.crt" - exit 1 - fi - - if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then - echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled" - exit 1 - fi - - if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then - SPL_ROLLBACK_PROTECT="y" - if [ -z $ARG_ROLLBACK_IDX_UBOOT ]; then - echo "ERROR: No args \"--rollback-index-uboot \"" - exit 1 - fi - fi - - if [ "$SPL_ROLLBACK_PROTECT" = "y" ]; then - version=`grep 'rollback-index' u-boot.its | awk -F '=' '{ printf $2 }' ` - sed -i "s/$version/ <$ARG_ROLLBACK_IDX_UBOOT>;/g" u-boot.its - fi - - # We need a u-boot.dtb with RSA pub-key insert - if ! fdtget -l u-boot.dtb /signature >/dev/null 2>&1 ; then - ./tools/mkimage -f u-boot.its -k $KEY_DIR/ -K u-boot.dtb -E -p $FIT_S_OFFS_UBOOT -r $FIT_ITB_UBOOT - echo "Insert RSA pub into u-boot.dtb" - fi - - # Pack - ./tools/mkimage -f u-boot.its -k $KEY_DIR/ -K spl/u-boot-spl.dtb -E -p $FIT_S_OFFS_UBOOT -r $FIT_ITB_UBOOT - mv data2sign.bin $FIT_DATA2SIG_UBOOT - - # rollback-index read back check - if [ "$SPL_ROLLBACK_PROTECT" = "y" ]; then - ROLLBACK_IDX_UBOOT=`fdtget -ti $FIT_ITB_UBOOT /configurations/conf@1 rollback-index` - if [ "$ROLLBACK_IDX_UBOOT" != "$ARG_ROLLBACK_IDX_UBOOT" ]; then - echo "ERROR: Failed to set rollback-index for $FIT_ITB_UBOOT"; - exit 1 - fi - fi - - if [ "$ARG_NO_CHECK" != "y" ]; then - if [ "$ARG_SPL_NEW" = "y" ]; then - ./tools/fit_check_sign -f $FIT_ITB_UBOOT -k spl/u-boot-spl.dtb -s - else - # unpack legacy u-boot-spl.dtb - spl_file="../rkbin/"`sed -n "/FlashBoot=/s/FlashBoot=//p" $ARG_INI_LOADER |tr -d '\r'` - offs=`fdtdump -s $spl_file | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " "` - if [ -z $offs ]; then - echo "ERROR: invalid $spl_file, unable to find fdt blob" - fi - offs=`printf %d $offs` # hex -> dec - dd if=$spl_file of=spl/u-boot-spl-legacy.dtb bs=$offs skip=1 >/dev/null 2>&1 - - # check - ./tools/fit_check_sign -f $FIT_ITB_UBOOT -k spl/u-boot-spl-legacy.dtb -s - fi - fi - - # minimize spl dtb - if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then - fdtput -tx spl/u-boot-spl.dtb /signature/key-dev rsa,r-squared 0x0 - if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then - fdtput -tx spl/u-boot-spl.dtb /signature/key-dev rsa,np 0x0 - else - fdtput -tx spl/u-boot-spl.dtb /signature/key-dev rsa,c 0x0 - fi - else - fdtput -tx spl/u-boot-spl.dtb /signature/key-dev rsa,c 0x0 - fdtput -tx spl/u-boot-spl.dtb /signature/key-dev rsa,np 0x0 - fdtput -tx spl/u-boot-spl.dtb /signature/key-dev rsa,exponent-BN 0x0 - fi - - # repack spl which has rsa pub-key insert - rm *_loader_*.bin -rf - if [ "$ARG_SPL_NEW" = "y" ]; then - cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin - if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then - cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin - fi - cat spl/u-boot-spl.dtb >> spl/u-boot-spl.bin - - ./make.sh spl-s $ARG_INI_LOADER - echo "pack loader with: spl/u-boot-spl.bin" - else - ./make.sh loader $ARG_INI_LOADER - fi - fi - - # clean - mv u-boot.its $FIT_DIR - cp tee.bin $FIT_DIR - cp u-boot-nodtb.bin $FIT_DIR - cp u-boot.dtb $FIT_DIR - cp spl/u-boot-spl.bin $FIT_DIR - cp spl/u-boot-spl.dtb $FIT_DIR - rm u-boot.itb u-boot.img u-boot-dtb.img -rf - ./scripts/dtc/dtc -I dtb -O dts $FIT_ITB_UBOOT -o $FIT_UNMAP_ITB_UBOOT >/dev/null 2>&1 - ./scripts/dtc/dtc -I dtb -O dts spl/u-boot-spl.dtb -o $FIT_UNMAP_KEY_UBOOT >/dev/null 2>&1 -} - -function fit_boot_make_itb() -{ - if [ ! -z $ARGS_EXT_BOOT_IMG ]; then - ./scripts/fit-unpack.sh -f $ARGS_EXT_BOOT_IMG -o $FIT_DIR/unpack - FIT_ITS_BOOT="$FIT_DIR/unpack/image.its" - else - FIT_ITS_BOOT="kernel_arm.its" - cp arch/arm/mach-rockchip/$FIT_ITS_BOOT ./ - its_file_check $FIT_ITS_BOOT - fi - - # output boot.itb - if [ "$ARG_NO_VBOOT" = "y" ]; then - SIGN_MSG="no-signed" - ./tools/mkimage -f $FIT_ITS_BOOT -E -p $FIT_NS_OFFS_BOOT $FIT_ITB_BOOT - else - SIGN_MSG="signed" - - if [ ! -f $KEY_DIR/dev.key ]; then - echo "ERROR: No $KEY_DIR/dev.key" - exit 1 - elif [ ! -f $KEY_DIR/dev.crt ]; then - echo "ERROR: No $KEY_DIR/dev.crt" - exit 1 - fi - - if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then - echo "ERROR: CONFIG_FIT_SIGNATURE is disabled" - exit 1 - fi - - if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then - ROLLBACK_PROTECT="y" - if [ -z $ARG_ROLLBACK_IDX_BOOT ]; then - echo "ERROR: No args \"--rollback-index-boot \"" - exit 1 - fi - fi - - # fixup entry and load address - COMM_FILE=`sed -n "/_common.h/p" $CHIP_FILE | awk '{ print $1 }'` - FDT_ADDR_R=`awk /fdt_addr_r/ $COMM_FILE | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'` - KERNEL_ADDR_R=`awk /kernel_addr_r/ $COMM_FILE | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'` - RMADISK_ADDR_R=`awk /ramdisk_addr_r/ $COMM_FILE | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'` - sed -i "s/$FIT_FDT_ADDR_PLACEHOLDER/$FDT_ADDR_R/g" $FIT_ITS_BOOT - sed -i "s/$FIT_KERNEL_ADDR_PLACEHOLDER/$KERNEL_ADDR_R/g" $FIT_ITS_BOOT - sed -i "s/$FIT_RAMDISK_ADDR_PLACEHOLDER/$RMADISK_ADDR_R/g" $FIT_ITS_BOOT - - if grep -q '^CONFIG_ARM64=y' .config ; then - sed -i 's/arch = "arm";/arch = "arm64";/g' $FIT_ITS_BOOT - fi - - if [ "$ROLLBACK_PROTECT" = "y" ]; then - version=`grep 'rollback-index' $FIT_ITS_BOOT | awk -F '=' '{ printf $2 }' ` - sed -i "s/$version/ <$ARG_ROLLBACK_IDX_BOOT>;/g" $FIT_ITS_BOOT - fi - - ./tools/mkimage -f $FIT_ITS_BOOT -k $KEY_DIR/ -K u-boot.dtb -E -p $FIT_S_OFFS_BOOT -r $FIT_ITB_BOOT - mv data2sign.bin $FIT_DATA2SIG_BOOT - - # rollback-index read back check - if [ "$ROLLBACK_PROTECT" = "y" ]; then - ROLLBACK_IDX_BOOT=`fdtget -ti $FIT_ITB_BOOT /configurations/conf@1 rollback-index` - if [ "$ROLLBACK_IDX_BOOT" != "$ARG_ROLLBACK_IDX_BOOT" ]; then - echo "ERROR: Failed to set rollback-index for $FIT_ITB_BOOT"; - exit 1 - fi - fi - - if [ "$ARG_NO_CHECK" != "y" ]; then - ./tools/fit_check_sign -f $FIT_ITB_BOOT -k u-boot.dtb - fi - - # minimize u-boot dtb - if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then - fdtput -tx u-boot.dtb /signature/key-dev rsa,r-squared 0x0 - if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then - fdtput -tx u-boot.dtb /signature/key-dev rsa,np 0x0 - else - fdtput -tx u-boot.dtb /signature/key-dev rsa,c 0x0 - fi - else - fdtput -tx u-boot.dtb /signature/key-dev rsa,c 0x0 - fdtput -tx u-boot.dtb /signature/key-dev rsa,np 0x0 - fdtput -tx u-boot.dtb /signature/key-dev rsa,exponent-BN 0x0 - fi - fi - - # clean - mv $FIT_ITS_BOOT $FIT_DIR - ./scripts/dtc/dtc -I dtb -O dts $FIT_ITB_BOOT -o $FIT_UNMAP_ITB_BOOT >/dev/null 2>&1 - ./scripts/dtc/dtc -I dtb -O dts u-boot.dtb -o $FIT_UNMAP_KEY_BOOT >/dev/null 2>&1 -} - -function fit_uboot_make_img() -{ - ITB_FILE=$1 - - if [ -z $ITB_FILE ]; then - ITB_FILE=$FIT_ITB_UBOOT - fi - - ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'` - ITB_MAX_KB=`sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'` - ITB_MAX_BS=$((ITB_MAX_KB*1024)) - FIT_MAX_BS=$((ITB_MAX_BS*ITB_MAX_NUM)) - THIS_BS=`ls -l $ITB_FILE | awk '{print $5}'` - - if [ $THIS_BS -eq $FIT_MAX_BS ]; then - echo - echo "ERROR: $ITB_FILE is too big, maybe it's not a .itb ?" - exit 1 - elif [ $THIS_BS -gt $ITB_MAX_BS ]; then - echo - echo "ERROR: pack $FIT_IMG_UBOOT failed! $ITB_FILE actual: $THIS_BS bytes, max limit: $ITB_MAX_BS bytes" - exit 1 - fi - - # multiple backup - rm $FIT_IMG_UBOOT -rf - for ((i = 0; i < $ITB_MAX_NUM; i++)); - do - cat $ITB_FILE >> $FIT_IMG_UBOOT - truncate -s %${ITB_MAX_KB}K $FIT_IMG_UBOOT - done -} - -function fit_boot_make_img() -{ - ITB_FILE=$1 - - if [ -z $ITB_FILE ]; then - ITB_FILE=$FIT_ITB_BOOT - fi - - if [ "$ITB_FILE" != "$FIT_IMG_BOOT" ]; then - cp $ITB_FILE $FIT_IMG_BOOT -f - fi -} - -function usage_resign() -{ - echo - echo "usage:" - echo " $0 -f [itb_image] -s [sig]" - echo -} - -function fit_resign() -{ - if [ $# -ne 4 ]; then - usage_resign - exit 1 - fi - - while [ $# -gt 0 ]; do - case $1 in - -f) - FIT_ITB=$2 - shift 2 - ;; - -s) - FIT_SIG=$2 - shift 2 - ;; - *) - usage_resign - exit 1 - ;; - esac - done - - # check - if [ ! -f $FIT_ITB ]; then - echo "ERROR: No $FIT_ITB" - exit 1 - elif [ ! -f $FIT_SIG ]; then - echo "ERROR: No $FIT_SIG" - exit 1 - fi - - # confirm location - SIG_SZ=`ls -l ${FIT_SIG} | awk '{ print $5 }'` - LEN=`./tools/fit_info -f $FIT_ITB -n /configurations/conf@1/signature@1 -p value | sed -n "/LEN:/p" | awk '{ print $2 }'` - OFF=`./tools/fit_info -f $FIT_ITB -n /configurations/conf@1/signature@1 -p value | sed -n "/OFF:/p" | awk '{ print $2 }'` - END=`./tools/fit_info -f $FIT_ITB -n /configurations/conf@1/signature@1 -p value | sed -n "/END:/p" | awk '{ print $2 }'` - - if [ -z $LEN ]; then - echo "ERROR: No valid signature in $FIT_ITB" - exit 1 - elif [ "$SIG_SZ" -ne "$LEN" ]; then - echo "ERROR: $FIT_SIG size $SIG_SZ != $FIT_ITB Signature size $LEN" - exit 1 - fi - - # backup - cp $FIT_ITB $FIT_ITB_RESIG_BACKUP - cp $FIT_SIG $FIT_SIG_P2 - - # generate .itb - dd if=$FIT_ITB of=$FIT_SIG_P1 count=1 bs=$OFF - dd if=$FIT_ITB of=$FIT_SIG_P3 skip=1 ibs=$END - cat $FIT_SIG_P1 > $FIT_ITB - cat $FIT_SIG >> $FIT_ITB - cat $FIT_SIG_P3 >> $FIT_ITB - - # generate - echo - if fdtget -l $FIT_ITB /images/uboot@1 >/dev/null 2>&1 ; then - fit_uboot_make_img $FIT_ITB - echo "Image(re-signed): $FIT_IMG_UBOOT is ready" - else - fit_boot_make_img $FIT_ITB - echo "Image(re-signed): $FIT_IMG_BOOT is ready" - fi -} - -function fit_verbose_uboot() -{ - if [ "$SPL_ROLLBACK_PROTECT" = "y" ]; then - echo "Image($SIGN_MSG, rollback-index=$ROLLBACK_IDX_UBOOT): $FIT_IMG_UBOOT (with uboot trust) is ready" - else - echo "Image($SIGN_MSG): $FIT_IMG_UBOOT (with uboot trust) is ready" - fi -} - -function fit_verbose_boot() -{ - if [ "$ROLLBACK_PROTECT" = "y" ]; then - echo "Image($SIGN_MSG, rollback-index=$ROLLBACK_IDX_BOOT): $FIT_IMG_BOOT (with kernel dtb ramdisk resource) is ready" - else - echo "Image($SIGN_MSG): $FIT_IMG_BOOT (with kernel dtb ramdisk resource) is ready" - fi -} - -function fit_verbose_loader() -{ - LOADER=`ls *loader*.bin` - echo "Image(no-signed): $LOADER (with spl, ddr, usbplug) is ready" -} diff --git a/scripts/fit-mkimg.sh b/scripts/fit-mkimg.sh new file mode 100755 index 0000000000..9618dcf993 --- /dev/null +++ b/scripts/fit-mkimg.sh @@ -0,0 +1,493 @@ +#!/bin/bash +# +# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd +# +# SPDX-License-Identifier: GPL-2.0 +# +set -e + +FIT_DIR="fit" +IMG_UBOOT="uboot.img" +IMG_BOOT="boot.img" +ITB_UBOOT="${FIT_DIR}/uboot.itb" +ITB_BOOT="${FIT_DIR}/boot.itb" +SIG_UBOOT="${FIT_DIR}/uboot.data2sign" +SIG_BOOT="${FIT_DIR}/boot.data2sign" +# offs +OFFS_NS_UBOOT="0xa00" +OFFS_S_UBOOT="0xc00" +OFFS_NS_BOOT="0x800" +OFFS_S_BOOT="0xc00" +# file +CHIP_FILE="arch/arm/lib/.asm-offsets.s.cmd" +# placeholder address +FDT_ADDR_PLACEHOLDER="0xffffff00" +KERNEL_ADDR_PLACEHOLDER="0xffffff01" +RAMDISK_ADDR_PLACEHOLDER="0xffffff02" +# tools +MKIMAGE="./tools/mkimage" +FIT_UNPACK="./scripts/fit-unpack.sh" +CHECK_SIGN="./tools/fit_check_sign" +# key +KEY_DIR="keys/" +RSA_PRI_KEY="keys/dev.key" +RSA_PUB_KEY="keys/dev.crt" +SIGNATURE_KEY_NODE="/signature/key-dev" +SPL_DTB="spl/u-boot-spl.dtb" +UBOOT_DTB="u-boot.dtb" +# its +ITS_UBOOT="u-boot.its" + +function help() +{ + echo + echo "usage:" + echo " $0 [args]" + echo + echo "args:" + echo " --rollback-index-boot " + echo " --rollback-index-uboot " + echo " --ini-trust" + echo " --ini-loader" + echo " --no-vboot" + echo " --no-check" + echo " --no-rebuild" + echo " --spl-new" + echo " --uboot" + echo " --boot" + echo " --boot_img" + echo " --p-check" + echo +} + +function arg_check_decimal() +{ + if [ -z $1 ]; then + help + exit 1 + fi + + decimal=`echo $1 |sed 's/[0-9]//g'` + if [ ! -z ${decimal} ]; then + echo "ERROR: $1 is not decimal integer" + help + exit 1 + fi +} + +function check_its() +{ + cat $1 | while read line + do + file=`echo ${line} | sed -n "/incbin/p" | awk -F '"' '{ printf $2 }' | tr -d ' '` + if [ ! -f ${file} ]; then + echo "ERROR: No ${file}" + exit 1 + fi + done +} + +function validate_arg() +{ + case $1 in + --uboot|--boot|--no-vboot|--no-rebuild|--no-check|--spl-new) + shift=1 + ;; + --ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-uboot|--boot_img) + shift=2 + ;; + *) + shift=0 + ;; + esac + echo ${shift} +} + +function fit_process_args() +{ + if [ $# -eq 0 ]; then + help + exit 0 + fi + + while [ $# -gt 0 ]; do + case $1 in + --p-check) + ARG_VALIDATE=$2 + shift 2 + ;; + --uboot) + ARG_PACK_UBOOT="y" + shift 1 + ;; + --boot) + ARG_PACK_BOOT="y" + shift 1 + ;; + --no-vboot) # Force to build non-vboot image + ARG_NO_VBOOT="y" + shift 1 + ;; + --no-rebuild) # No rebuild with "./make.sh" + ARG_NO_REBUILD="y" + shift 1 + ;; + --no-check) # No hostcc fit signature check + ARG_NO_CHECK="y" + shift 1 + ;; + --ini-trust) # Assign trust ini file + ARG_INI_TRUST=$2 + shift 2 + ;; + --ini-loader) # Assign loader ini file + ARG_INI_LOADER=$2 + shift 2 + ;; + --spl-new) # Use current build u-boot-spl.bin to pack loader + ARG_SPL_NEW="y" + shift 1 + ;; + --rollback-index-boot) + ARG_ROLLBACK_IDX_BOOT=$2 + arg_check_decimal $2 + shift 2 + ;; + --rollback-index-uboot) + ARG_ROLLBACK_IDX_UBOOT=$2 + arg_check_decimal $2 + shift 2 + ;; + --boot_img) # external boot.img + ARG_EXT_BOOT=$2 + shift 2 + ;; + *) + help + exit 1 + ;; + esac + done +} + +function fit_rebuild() +{ + if [ "${ARG_NO_REBUILD}" != "y" ]; then + ./make.sh nopack # Always no pack + fi + + rm ${FIT_DIR} -rf + mkdir -p ${FIT_DIR} +} + +function fit_gen_uboot_itb() +{ + ./make.sh itb ${ARG_INI_TRUST} + check_its ${ITS_UBOOT} + + if [ "${ARG_NO_VBOOT}" == "y" ]; then + ${MKIMAGE} -f ${ITS_UBOOT} -E -p ${OFFS_NS_UBOOT} ${ITB_UBOOT} + if [ "${ARG_SPL_NEW}" == "y" ]; then + ./make.sh spl-s ${ARG_INI_LOADER} + echo "pack loader with new: spl/u-boot-spl.bin" + else + ./make.sh loader ${ARG_INI_LOADER} + fi + else + if [ ! -f ${RSA_PRI_KEY} ]; then + echo "ERROR: No ${RSA_PRI_KEY} " + exit 1 + elif [ ! -f ${RSA_PUB_KEY} ]; then + echo "ERROR: No ${RSA_PUB_KEY} " + exit 1 + fi + + if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then + echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled" + exit 1 + fi + + if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then + ARG_SPL_ROLLBACK_PROTECT="y" + if [ -z ${ARG_ROLLBACK_IDX_UBOOT} ]; then + echo "ERROR: No arg \"--rollback-index-uboot \"" + exit 1 + fi + fi + + if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then + VERSION=`grep 'rollback-index' ${ITS_UBOOT} | awk -F '=' '{ printf $2 }' ` + sed -i "s/${VERSION}/ <${ARG_ROLLBACK_IDX_UBOOT}>;/g" ${ITS_UBOOT} + fi + + # u-boot.dtb must contains rsa key + if ! fdtget -l ${UBOOT_DTB} /signature >/dev/null 2>&1 ; then + ${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_S_UBOOT} -r ${ITB_UBOOT} + echo "Adding RSA public key into ${UBOOT_DTB}" + fi + + # Pack + ${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${SPL_DTB} -E -p ${OFFS_S_UBOOT} -r ${ITB_UBOOT} + mv data2sign.bin ${SIG_UBOOT} + + # rollback-index read back check + if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then + VERSION=`fdtget -ti ${ITB_UBOOT} /configurations/conf rollback-index` + if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then + echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}"; + exit 1 + fi + fi + + # host check signature + if [ "${ARG_NO_CHECK}" != "y" ]; then + if [ "${ARG_SPL_NEW}" == "y" ]; then + ${CHECK_SIGN} -f ${ITB_UBOOT} -k ${SPL_DTB} -s + else + spl_file="../rkbin/"`sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER} |tr -d '\r'` + offs=`fdtdump -s ${spl_file} | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " "` + if [ -z ${offs} ]; then + echo "ERROR: invalid ${spl_file} , unable to find fdt blob" + fi + offs=`printf %d ${offs} ` # hex -> dec + dd if=${spl_file} of=spl/u-boot-spl-old.dtb bs=${offs} skip=1 >/dev/null 2>&1 + ${CHECK_SIGN} -f ${ITB_UBOOT} -k spl/u-boot-spl-old.dtb -s + fi + fi + + # minimize u-boot-spl.dtb + if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then + fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0 + if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then + fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 + else + fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 + fi + else + fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 + fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 + fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0 + fi + + # repack spl + rm -f *_loader_*.bin + if [ "${ARG_SPL_NEW}" == "y" ]; then + cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin + if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then + cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin + fi + cat ${SPL_DTB} >> spl/u-boot-spl.bin + + ./make.sh spl-s ${ARG_INI_LOADER} + echo "pack loader with new: spl/u-boot-spl.bin" + else + ./make.sh loader ${ARG_INI_LOADER} + fi + fi + + rm -f u-boot.itb u-boot.img u-boot-dtb.img +} + +function fit_gen_boot_itb() +{ + if [ ! -z ${ARG_EXT_BOOT} ]; then + ${FIT_UNPACK} -f ${ARG_EXT_BOOT} -o ${FIT_DIR}/unpack + ITS_BOOT="${FIT_DIR}/unpack/image.its" + else + ITS_BOOT="kernel_arm.its" + cp arch/arm/mach-rockchip/${ITS_BOOT} ./ + check_its ${ITS_BOOT} + fi + + if [ "${ARG_NO_VBOOT}" == "y" ]; then + ${MKIMAGE} -f ${ITS_BOOT} -E -p ${OFFS_NS_BOOT} ${ITB_BOOT} + else + if [ ! -f ${RSA_PRI_KEY} ]; then + echo "ERROR: No ${RSA_PRI_KEY}" + exit 1 + elif [ ! -f ${RSA_PUB_KEY} ]; then + echo "ERROR: No ${RSA_PUB_KEY}" + exit 1 + fi + + if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then + echo "ERROR: CONFIG_FIT_SIGNATURE is disabled" + exit 1 + fi + + if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then + ARG_ROLLBACK_PROTECT="y" + if [ -z ${ARG_ROLLBACK_IDX_BOOT} ]; then + echo "ERROR: No arg \"--rollback-index-boot \"" + exit 1 + fi + fi + + # fixup + COMMON_FILE=`sed -n "/_common.h/p" ${CHIP_FILE} | awk '{ print $1 }'` + FDT_ADDR_R=`awk /fdt_addr_r/ ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'` + KERNEL_ADDR_R=`awk /kernel_addr_r/ ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'` + RMADISK_ADDR_R=`awk /ramdisk_addr_r/ ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'` + sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g" ${ITS_BOOT} + sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g" ${ITS_BOOT} + sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_BOOT} + if grep -q '^CONFIG_ARM64=y' .config ; then + sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_BOOT} + fi + + if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then + VERSION=`grep 'rollback-index' ${ITS_BOOT} | awk -F '=' '{ printf $2 }' ` + sed -i "s/${VERSION}/ <${ARG_ROLLBACK_IDX_BOOT}>;/g" ${ITS_BOOT} + fi + + ${MKIMAGE} -f ${ITS_BOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_S_BOOT} -r ${ITB_BOOT} + mv data2sign.bin ${SIG_BOOT} + + # rollback-index read back check + if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then + VERSION=`fdtget -ti ${ITB_BOOT} /configurations/conf rollback-index` + if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then + echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}"; + exit 1 + fi + fi + + if [ "${ARG_NO_CHECK}" != "y" ]; then + ${CHECK_SIGN} -f ${ITB_BOOT} -k ${UBOOT_DTB} + fi + + # minimize u-boot.dtb + if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then + fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0 + if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then + fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 + else + fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 + fi + else + fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 + fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 + fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0 + fi + fi +} + +function fit_gen_uboot_img() +{ + ITB=$1 + + if [ -z ${ITB} ]; then + ITB=${ITB_UBOOT} + fi + + ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'` + ITB_MAX_KB=`sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'` + ITB_MAX_BS=$((ITB_MAX_KB*1024)) + ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'` + + if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then + echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes" + exit 1 + fi + + rm -f ${IMG_UBOOT} + for ((i = 0; i < ${ITB_MAX_NUM}; i++)); + do + cat ${ITB} >> ${IMG_UBOOT} + truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT} + done +} + +function fit_gen_boot_img() +{ + ITB=$1 + + if [ -z ${ITB} ]; then + ITB=${ITB_BOOT} + fi + + if [ "${ITB}" != "${IMG_BOOT}" ]; then + cp ${ITB} ${IMG_BOOT} -f + fi +} + +function fit_msg_uboot() +{ + if [ "${ARG_NO_VBOOT}" == "y" ]; then + MSG="no-signed" + else + MSG="signed" + fi + + if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then + echo "Image(${MSG}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot trust) is ready" + else + echo "Image(${MSG}): ${IMG_UBOOT} (FIT with uboot, trust) is ready" + fi +} + +function fit_msg_boot() +{ + if [ "${ARG_NO_VBOOT}" == "y" ]; then + MSG="no-signed" + else + MSG="signed" + fi + + if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then + echo "Image(${MSG}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready" + else + echo "Image(${MSG}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready" + fi +} + +function fit_msg_loader() +{ + LOADER=`ls *loader*.bin` + echo "Image(no-signed): ${LOADER} (with spl, ddr, usbplug) is ready" +} + +function fit_vboot_uboot() +{ + fit_rebuild + fit_gen_uboot_itb + fit_gen_uboot_img + echo + fit_msg_uboot +} + +function fit_vboot_boot() +{ + fit_rebuild + fit_boot_make_itb + fit_boot_make_img + echo + fit_verbose_boot +} + +function fit_vboot() +{ + fit_rebuild + fit_gen_boot_itb + fit_gen_boot_img + fit_gen_uboot_itb + fit_gen_uboot_img + echo + + fit_msg_uboot + fit_msg_boot + fit_msg_loader + echo +} + +fit_process_args $* +if [ ! -z "${ARG_VALIDATE}" ]; then + validate_arg ${ARG_VALIDATE} +elif [ "${ARG_PACK_UBOOT}${ARG_PACK_BOOT}" == "yy" ]; then + fit_vboot +elif [ "${ARG_PACK_UBOOT}" == "y" ]; then + fit_vboot_uboot +elif [ "${ARG_PACK_BOOT}" == "y" ]; then + fit_vboot_boot +fi + diff --git a/scripts/fit-repack.sh b/scripts/fit-repack.sh deleted file mode 100755 index 11fa2e8ff7..0000000000 --- a/scripts/fit-repack.sh +++ /dev/null @@ -1,84 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd -# -# SPDX-License-Identifier: GPL-2.0 -# - -set -e - -IMAGE_OFFS="0x800" -IMAGE_ITS="image.its" -IMAGE_ITB="image.itb" - -function usage() -{ - echo - echo "usage:" - echo " $0 -f [fit/itb] -o [output]" - echo -} - -function args_process() -{ - if [ $# -ne 4 -a $# -ne 2 ]; then - usage - exit 1 - fi - - while [ $# -gt 0 ]; do - case $1 in - -f) - IMAGE_ORG=$2 - shift 2 - ;; - -o) - IMAGE_DIR=$2 - shift 2 - ;; - *) - usage - exit 1 - ;; - esac - done - - if [ ! -f $IMAGE_ORG ]; then - echo "ERROR: No $IMAGE_ORG" - exit 1 - fi - - if [ -z $IMAGE_DIR ]; then - IMAGE_DIR="out" - fi - - mkdir -p $IMAGE_DIR -} - -function fit_repack() -{ - ./scripts/fit-unpack.sh -f $IMAGE_ORG -o $IMAGE_DIR - FIT_IMAGE_ITS=$IMAGE_DIR/$IMAGE_ITS - - if grep -q 'hashed-nodes' $FIT_IMAGE_ITS ; then - echo "ERROR: $IMAGE_ORG was signed, unsupport to repack it!" - exit 1 - fi - - if grep -q 'uboot@1' $FIT_IMAGE_ITS ; then - IMAGE_NAME="uboot.img" - else - IMAGE_NAME="boot.img" - fi - - rm -rf IMAGE_NAME - ./tools/mkimage -f $FIT_IMAGE_ITS -E -p $IMAGE_OFFS $IMAGE_NAME - - echo - echo "Image: $IMAGE_NAME is ready." - echo -} - -args_process $* -fit_repack - diff --git a/scripts/fit-resign.sh b/scripts/fit-resign.sh index b09805cb83..752f6ea8df 100755 --- a/scripts/fit-resign.sh +++ b/scripts/fit-resign.sh @@ -6,7 +6,109 @@ # set -e -# openssl dgst -sha256 -sign keys/dev.key -out sha256-rsa2048.sign fit/boot.data2sign +# [Keys] +# mkdir -p keys +# openssl genpkey -algorithm RSA -out keys/dev.key -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 +# openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt +# [Sign] +# openssl dgst -sha256 -sign keys/dev.key -out sha256-rsa2048.sign fit/boot.data2sign + +IMG_UBOOT="uboot.img" +IMG_BOOT="boot.img" + +function usage_resign() +{ + echo + echo "usage:" + echo " $0 -f [itb] -s [sig]" + echo +} + +function fit_resign() +{ + if [ $# -ne 4 ]; then + usage_resign + exit 1 + fi + + while [ $# -gt 0 ]; do + case $1 in + -f) + ITB=$2 + shift 2 + ;; + -s) + SIG=$2 + shift 2 + ;; + *) + usage_resign + exit 1 + ;; + esac + done + + if [ ! -f ${ITB} ]; then + echo "ERROR: No ${ITB}" + exit 1 + elif [ ! -f ${SIG} ]; then + echo "ERROR: No ${SIG}" + exit 1 + fi + + copies=`strings ${ITB} | grep "signer-version" | wc -l` + if [ ${copies} -ne 1 ]; then + echo "ERROR: ${ITB} seems not a itb but a image, ${copies}" + exit 1 + fi + + SIG_SZ=`ls -l ${SIG} | awk '{ print $5 }'` + LEN=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/LEN:/p" | awk '{ print $2 }'` + OFF=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/OFF:/p" | awk '{ print $2 }'` + END=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/END:/p" | awk '{ print $2 }'` + + if [ -z ${LEN} ]; then + echo "ERROR: No signature in ${ITB}" + exit 1 + strings uboot.img | grep "rollback-index" | wc -l + elif [ "${SIG_SZ}" -ne "${LEN}" ]; then + echo "ERROR: ${SIG} size ${SIG_SZ} != ${ITB} Signature size ${LEN}" + exit 1 + fi + + dd if=${ITB} of=${ITB}.half1 count=1 bs=${OFF} + dd if=${ITB} of=${ITB}.half2 skip=1 ibs=${END} + + ITB_RESIGN="${ITB}.resign" + cat ${ITB}.half1 > ${ITB_RESIGN} + cat ${SIG} >> ${ITB_RESIGN} + cat ${ITB}.half2 >> ${ITB_RESIGN} + echo + + if fdtget -l ${ITB_RESIGN} /images/uboot >/dev/null 2>&1 ; then + ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'` + ITB_MAX_KB=`sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'` + ITB_MAX_BS=$((ITB_MAX_KB*1024)) + ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'` + if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then + echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes" + exit 1 + fi + + rm -f ${IMG_UBOOT} + for ((i = 0; i < ${ITB_MAX_NUM}; i++)); + do + cat ${ITB_RESIGN} >> ${IMG_UBOOT} + truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT} + done + echo "Image(re-signed): ${IMG_UBOOT} is ready" + else + cp ${ITB_RESIGN} ${IMG_BOOT} + echo "Image(re-signed): ${IMG_BOOT} is ready" + fi + + rm -f ${ITB}.half1 ${ITB}.half2 ${ITB_RESIGN} +} -source scripts/fit-base.sh fit_resign $* + diff --git a/scripts/fit-unpack.sh b/scripts/fit-unpack.sh index f3771c7287..e29c314681 100755 --- a/scripts/fit-unpack.sh +++ b/scripts/fit-unpack.sh @@ -6,13 +6,11 @@ # set -e -IMAGE_ITS="image.its" - function usage() { echo echo "usage:" - echo " $0 -f [fit/itb] -o [output]" + echo " $0 -f [fit/itb] -o [out]" echo } @@ -26,11 +24,11 @@ function args_process() while [ $# -gt 0 ]; do case $1 in -f) - IMAGE=$2 + ITB=$2 shift 2 ;; -o) - IMAGE_DIR=$2 + OUT=$2 shift 2 ;; *) @@ -40,105 +38,98 @@ function args_process() esac done - if [ ! -f $IMAGE ]; then - echo "ERROR: No $IMAGE" + if [ ! -f ${ITB} ]; then + echo "ERROR: No ${ITB}" exit 1 fi - if [ -z $IMAGE_DIR ]; then - IMAGE_DIR="out" + if [ -z ${OUT} ]; then + OUT="out" fi - - mkdir -p $IMAGE_DIR } -function gen_images() +unpack_itb() { - printf "\n# Unpack $IMAGE to directory $IMAGE_DIR/\n" - fdtget -l $IMAGE /images > $IMAGE_DIR/unpack.txt - cat $IMAGE_DIR/unpack.txt | while read line + mkdir -p ${OUT} + echo "Unpack to directory ${OUT}:" + + for NAME in `fdtget -l ${ITB} /images` do - # generate image - NODE="/images/${line}" - NAME=`fdtget -ts $IMAGE $NODE image` - OFFS=`fdtget -ti $IMAGE $NODE data-position` - SIZE=`fdtget -ti $IMAGE $NODE data-size` - if [ -z $OFFS ]; then + # generate ITB + NODE="/images/${NAME}" + OFFS=`fdtget -ti ${ITB} ${NODE} data-position` + SIZE=`fdtget -ti ${ITB} ${NODE} data-size` + if [ -z ${OFFS} ]; then continue; fi - if [ $SIZE -ne 0 ]; then - dd if=$IMAGE of=$IMAGE_DIR/dd.tmp bs=$OFFS skip=1 >/dev/null 2>&1 - dd if=$IMAGE_DIR/dd.tmp of=$IMAGE_DIR/$NAME bs=$SIZE count=1 >/dev/null 2>&1 - rm $IMAGE_DIR/dd.tmp + if [ ${SIZE} -ne 0 ]; then + dd if=${ITB} of=${OUT}/${NAME} bs=${SIZE} count=1 skip=${OFFS} iflag=skip_bytes >/dev/null 2>&1 else - touch $IMAGE_DIR/$NAME + touch ${OUT}/${NAME} fi # hash verify - algo=`fdtget -ts $IMAGE $NODE/hash@1 algo` - if [ -z $algo ]; then - printf " %-20s: %d bytes" $NAME $SIZE - continue; - fi - - data=`fdtget -tx $IMAGE $NODE/hash@1 value` - data=`echo " "$data | sed "s/ / 0x/g"` - csum=`"$algo"sum $IMAGE_DIR/$NAME | awk '{ print $1}'` - - hash="" - for((i=1;;i++)); - do - hex=`echo $data | awk -v idx=$i '{ print $idx }'` - if [ -z $hex ]; then - break; - fi - - hex=`printf "%08x" $hex` # align !! - hash="$hash$hex" - done - - printf " %-20s: %d bytes... %s" $NAME $SIZE $algo - if [ "$csum" = "$hash" -o $SIZE -eq 0 ]; then - echo "+" + ALGO=`fdtget -ts ${ITB} ${NODE}/hash algo` + if [ -z ${ALGO} ]; then + printf " %-20s: %d bytes" ${NAME} ${SIZE} else - echo "-" + VALUE=`fdtget -tx ${ITB} ${NODE}/hash value` + VALUE=`echo " "${VALUE} | sed "s/ / 0x/g"` + CSUM=`"${ALGO}"sum ${OUT}/${NAME} | awk '{ print $1}'` + + HASH="" + for((i=1;;i++)); + do + HEX=`echo ${VALUE} | awk -v idx=$i '{ print $idx }'` + if [ -z ${HEX} ]; then + break; + fi + + HEX=`printf "%08x" ${HEX}` + HASH="${HASH}${HEX}" + done + + printf " %-20s: %d bytes... %s" ${NAME} ${SIZE} ${ALGO} + if [ "${CSUM}" == "${HASH}" -o ${SIZE} -eq 0 ]; then + echo "+" + else + echo "-" + fi fi done - echo } function gen_its() { - ./scripts/dtc/dtc -I dtb -O dts $IMAGE -o $IMAGE_DIR/$IMAGE_ITS >/dev/null 2>&1 - - FIT_IMAGE_ITS=$IMAGE_DIR/$IMAGE_ITS - - # remove - sed -i "/memreserve/d" $FIT_IMAGE_ITS - sed -i "/data-size/d" $FIT_IMAGE_ITS - sed -i "/data-position/d" $FIT_IMAGE_ITS - sed -i "/value/d" $FIT_IMAGE_ITS - sed -i "/hashed-strings/d" $FIT_IMAGE_ITS - sed -i "/hashed-nodes/d" $FIT_IMAGE_ITS - sed -i "/signer-version/d" $FIT_IMAGE_ITS - sed -i "/signer-name/d" $FIT_IMAGE_ITS - sed -i "/timestamp/d" $FIT_IMAGE_ITS + ITS=${OUT}/image.its + TMP_ITB=${OUT}/image.tmp # add placeholder - sed -i '/image = /a\ \ \ data = /incbin/("IMAGE_PATH");' $FIT_IMAGE_ITS - - # fixup placeholder: "data = /incbin/("...");" - num=`grep 'image =' $FIT_IMAGE_ITS | wc -l` - for ((i = 1; i <= $num; i++)); - do - NAME=`grep 'image =' $FIT_IMAGE_ITS | sed -n ''${i}p'' | awk '{ printf $3 }' | tr -d '";'` - sed -i ''$i',/IMAGE_PATH/{s/IMAGE_PATH/.\/'$NAME'/}' $FIT_IMAGE_ITS + cp -a ${ITB} ${TMP_ITB} + for NAME in `fdtget -l ${ITB} /images`; do + fdtput -t s ${TMP_ITB} /images/${NAME} data "/INCBIN/(${NAME})" done + dtc -I dtb -O dts ${TMP_ITB} -o ${ITS} + rm -f ${TMP_ITB} + + # fixup placeholder: data = "/INCBIN/(...)"; -> data = /incbin/("..."); + sed -i "s/\"\/INCBIN\/(\(.*\))\"/\/incbin\/(\"\1\")/" ${ITS} + + # remove + sed -i "/memreserve/d" ${ITS} + sed -i "/timestamp/d" ${ITS} + sed -i "/data-size/d" ${ITS} + sed -i "/data-position/d" ${ITS} + sed -i "/value/d" ${ITS} + sed -i "/hashed-strings/d" ${ITS} + sed -i "/hashed-nodes/d" ${ITS} + sed -i "/signer-version/d" ${ITS} + sed -i "/signer-name/d" ${ITS} } args_process $* -gen_images +unpack_itb gen_its diff --git a/scripts/fit-vboot-boot.sh b/scripts/fit-vboot-boot.sh deleted file mode 100755 index e9fa2d0324..0000000000 --- a/scripts/fit-vboot-boot.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd -# -# SPDX-License-Identifier: GPL-2.0 -# - -source scripts/fit-base.sh - -fit_process_args $* -fit_rebuild -fit_boot_make_itb -fit_boot_make_img -echo -fit_verbose_boot diff --git a/scripts/fit-vboot-kernel.sh b/scripts/fit-vboot-kernel.sh deleted file mode 100755 index 20e1e2f745..0000000000 --- a/scripts/fit-vboot-kernel.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd -# -# SPDX-License-Identifier: GPL-2.0 -# - -source scripts/fit-base.sh - -fit_process_args $* -fit_rebuild -fit_kernel_make_itb -fit_kernel_make_img -echo -fit_verbose_kernel diff --git a/scripts/fit-vboot-uboot.sh b/scripts/fit-vboot-uboot.sh deleted file mode 100755 index cb80e658ef..0000000000 --- a/scripts/fit-vboot-uboot.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd -# -# SPDX-License-Identifier: GPL-2.0 -# - -source scripts/fit-base.sh - -fit_process_args $* -fit_rebuild -fit_uboot_make_itb -fit_uboot_make_img -echo -fit_verbose_uboot diff --git a/scripts/fit-vboot.sh b/scripts/fit-vboot.sh deleted file mode 100755 index 36958112c1..0000000000 --- a/scripts/fit-vboot.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd -# -# SPDX-License-Identifier: GPL-2.0 -# - -source scripts/fit-base.sh -fit_process_args $* -fit_rebuild -fit_boot_make_itb -fit_boot_make_img -fit_uboot_make_itb -fit_uboot_make_img - -echo -fit_verbose_uboot -fit_verbose_boot -fit_verbose_loader -echo