rockchip: make_fit_atf.py: add components for verified boot

Require sha256 and rsa2048 for all images to be signed.

Include u-boot.dtb as the fdt component, since u-boot.dtb
contains the "/signature" information of U-Boot proper.

Signed-off-by: Joseph Chen <chenjh@rock-chips.com>
Change-Id: I1a3ac5f323730b7ef52afd883110d41179740f4f
Joseph Chen 2020-03-09 17:15:24 +08:00 committed by Jianhong Chen
parent 583377c459
commit 53f956c218
1 changed files with 16 additions and 2 deletions


@ -45,6 +45,9 @@ DT_HEADER="""/*
arch = "arm64";
compression = "none";
load = <0x%08x>;
hash@1 {
algo = "sha256";
};
};
"""
@ -71,6 +74,9 @@ def append_atf_node(file, atf_index, phy_addr):
print >> file, '\t\t\tload = <0x%08x>;' % phy_addr
if atf_index == 1:
print >> file, '\t\t\tentry = <0x%08x>;' % phy_addr
print >> file, '\t\t\thash@1 {'
print >> file, '\t\t\t\talgo = "sha256";'
print >> file, '\t\t\t};'
print >> file, '\t\t};'
print >> file, ''
@ -82,10 +88,13 @@ def append_fdt_node(file, dtbs):
for dtb in dtbs:
dtname = os.path.basename(dtb)
print >> file, '\t\tfdt@%d {' % cnt
print >> file, '\t\t\tdescription = "%s";' % dtname
print >> file, '\t\t\tdata = /incbin/("%s");' % dtb
print >> file, '\t\t\tdescription = "U-Boot device tree blob";'
print >> file, '\t\t\tdata = /incbin/("u-boot.dtb");'
print >> file, '\t\t\ttype = "flat_dt";'
print >> file, '\t\t\tcompression = "none";'
print >> file, '\t\t\thash@1 {'
print >> file, '\t\t\t\talgo = "sha256";'
print >> file, '\t\t\t};'
print >> file, '\t\t};'
print >> file, ''
cnt = cnt + 1
@ -102,6 +111,11 @@ def append_conf_section(file, cnt, dtname, atf_cnt):
else:
print >> file, ';'
print >> file, '\t\t\tfdt = "fdt@1";'
print >> file, '\t\t\tsignature@1 {'
print >> file, '\t\t\t\talgo = "sha256,rsa2048";'
print >> file, '\t\t\t\tkey-name-hint = "dev";'
print >> file, '\t\t\t\tsign-images = "fdt", "firmware", "loadables";'
print >> file, '\t\t\t};'
print >> file, '\t\t};'
print >> file, ''
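Review bot: The signature node written in the append_conf_section hunk hard-codes `key-name-hint = "dev"` and `algo = "sha256,rsa2048"`, so every image built with this script, release builds included, is signed under a key that mkimage looks up by the name "dev" and with a fixed key size. Consider taking both from a command-line option or a module-level constant, e.g. `print >> file, '\t\t\t\tkey-name-hint = "%s";' % key_name`, keeping "dev" as the default. A comment above the node should also say that it only selects what mkimage signs; whether the loader refuses an unsigned or modified configuration depends on the public key in the verifying device tree being marked required (mkimage `-r`), which nothing on this page shows. In the append_fdt_node hunk the loop still iterates `dtbs` but now writes `u-boot.dtb` for every entry, so a dtb passed by the caller is silently replaced in the signed image; that deserves a comment or an explicit check. Both function bodies start outside their hunks.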