Lines Matching +full:boot +full:- +full:loader

5 # SPDX-License-Identifier: GPL-2.0
7 set -e
11 IMG_BOOT="boot.img"
14 ITB_BOOT="${FIT_DIR}/boot.itb"
18 SIG_BOOT="${FIT_DIR}/boot.data2sign"
21 if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then
33 FIT_UNPACK="./scripts/fit-unpack.sh"
40 SIGNATURE_KEY_NODE="/signature/key-dev"
41 SPL_DTB="spl/u-boot-spl.dtb"
42 UBOOT_DTB="u-boot.dtb"
44 ITS_UBOOT="u-boot.its"
45 ITS_BOOT="boot.its"
58 echo " --rollback-index-recovery <decimal integer>"
59 echo " --rollback-index-boot <decimal integer>"
60 echo " --rollback-index-uboot <decimal integer>"
61 echo " --version-recovery <decimal integer>"
62 echo " --version-boot <decimal integer>"
63 echo " --version-uboot <decimal integer>"
64 echo " --boot_img <boot image>"
65 echo " --recovery_img <recovery image>"
66 echo " --args <arg>"
67 echo " --ini-loader <loader ini file>"
68 echo " --ini-trust <trust ini file>"
69 echo " --no-check"
70 echo " --spl-new"
76 if [ -z $1 ]; then
81 decimal=`echo $1 |sed 's/[0-9]//g'`
82 if [ ! -z ${decimal} ]; then
93 file=`echo ${line} | sed -n "/incbin/p" | awk -F '"' '{ printf $2 }' | tr -d ' '`
94 if [ ! -f ${file} ]; then
103 if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then
108 if ! grep -qr ${rsa_algo} $1 ; then
116 if [ ! -f ${RSA_PRI_KEY} ]; then
119 elif [ ! -f ${RSA_PUB_KEY} ]; then
122 elif [ ! -f ${RSA_CRT_KEY} ]; then
131 --no-check|--spl-new|--burn-key-hash)
134--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--
146 if [ $# -eq 0 ]; then
151 while [ $# -gt 0 ]; do
153 --args)
157 --boot_img) # boot.img
161 --chip)
165 --recovery_img) # recovery.img
169 --boot_img_dir) # boot.img components directory
173 --no-check) # No hostcc fit signature check
177 --ini-trust) # Assign trust ini file
181 --ini-loader) # Assign loader ini file
185 --spl-new) # Use current build u-boot-spl.bin to pack loader
189 --rollback-index-boot)
194 --rollback-index-recovery)
199 --rollback-index-uboot)
204 --version-uboot)
209 --version-boot)
214 --version-recovery)
219 --burn-key-hash)
230 if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
237 # Verified-boot: should rebuild code but don't need to repack images.
239 ./make.sh --raw-compile
241 rm ${FIT_DIR} -rf && mkdir -p ${FIT_DIR}
246 # generate u-boot.its file
253 ${MKIMAGE} -f ${ITS_UBOOT} -E -p ${OFFS_DATA} ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
255 ./make.sh --spl ${ARG_INI_LOADER}
256 echo "pack loader with new: spl/u-boot-spl.bin"
258 ./make.sh loader ${ARG_INI_LOADER}
263 if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
268 # rollback-index
269 if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
271 if [ -z ${ARG_ROLLBACK_IDX_UBOOT} ]; then
272 echo "ERROR: No arg \"--rollback-index-uboot <n>\""
278 VERSION=`grep 'rollback-index' ${ITS_UBOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '`
279 …sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" ${ITS_UBOOT}
282 # Generally, boot.img is signed before uboot.img, so the rsa key can be found
283 # in u-boot.dtb. If not found, let's insert rsa key anyway.
284 if ! fdtget -l ${UBOOT_DTB} /signature >/dev/null 2>&1 ; then
285 …${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${A…
290 …${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${SPL_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG…
293 # burn-key-hash
295 if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
296 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash 0x1
298 echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
303 # rollback-index read back check
305 VERSION=`fdtget -ti ${ITB_UBOOT} /configurations/conf rollback-index`
307 echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}";
312 # burn-key-hash read back check
314 if [ "`fdtget -ti ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash`" != "1" ]; then
315 echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}";
323 ${CHECK_SIGN} -f ${ITB_UBOOT} -k ${SPL_DTB} -s
325 spl_file="../rkbin/"`sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER} |tr -d '\r'`
326 …offs=`fdtdump -s ${spl_file} | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset /…
327 if [ -z ${offs} ]; then
330 offs=`printf %d ${offs} ` # hex -> dec
331 dd if=${spl_file} of=spl/u-boot-spl-old.dtb bs=${offs} skip=1 >/dev/null 2>&1
332 ${CHECK_SIGN} -f ${ITB_UBOOT} -k spl/u-boot-spl-old.dtb -s
336 # minimize u-boot-spl.dtb: clear the values to 0 but do not remove the properties.
337 if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
338 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
339 if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
340 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
341 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
343 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
344 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
347 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
348 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
349 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
350 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
351 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
356 cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
357 if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
358 cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
360 cat ${SPL_DTB} >> spl/u-boot-spl.bin
362 ./make.sh --spl ${ARG_INI_LOADER}
363 echo "## pack loader with new: spl/u-boot-spl.bin"
365 ./make.sh loader ${ARG_INI_LOADER}
369 echo "## ${SPL_DTB}: burn-key-hash=1"
373 rm -f u-boot.itb u-boot.img u-boot-dtb.img
379 if [ ! -z ${ARG_BOOT_IMG} ]; then
380 ${FIT_UNPACK} -f ${ARG_BOOT_IMG} -o ${FIT_DIR}/unpack
383 compression=`awk -F"," '/COMPRESSION=/ { printf $1 }' ${ARG_INI_TRUST} | tr -d ' ' | cut -c 13-`
384 if [ -z "${compression}" ]; then
387 ./arch/arm/mach-rockchip/make_fit_boot.sh -c ${compression} > ${ITS_BOOT}
392 ${MKIMAGE} -f ${ITS_BOOT} -E -p ${OFFS_DATA} ${ITB_BOOT} -v ${ARG_VER_BOOT}
398 if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
403 if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
405 if [ -z ${ARG_ROLLBACK_IDX_BOOT} ]; then
406 echo "ERROR: No arg \"--rollback-index-boot <n>\""
409 if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
410 echo "ERROR: Don't support \"--rollback-index-boot <n>\""
416 FDT_ADDR_R=`strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }'`
417 KERNEL_ADDR_R=`strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }'`
418 RMADISK_ADDR_R=`strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }'`
419 sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g" ${ITS_BOOT}
420 sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g" ${ITS_BOOT}
421 sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_BOOT}
422 if grep -q '^CONFIG_ARM64=y' .config ; then
423 sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_BOOT}
427 VERSION=`grep 'rollback-index' ${ITS_BOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '`
428 sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" ${ITS_BOOT}
431 …${MKIMAGE} -f ${ITS_BOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_BOOT} -v ${ARG…
434 # rollback-index read back check
436 VERSION=`fdtget -ti ${ITB_BOOT} /configurations/conf rollback-index`
438 echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}";
445 ${CHECK_SIGN} -f ${ITB_BOOT} -k ${UBOOT_DTB}
448 # minimize u-boot.dtb: clear the values to 0 but do not remove the properties.
449 if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
450 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
451 if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
452 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
454 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
457 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
458 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
459 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
461 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
462 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
470 if [ ! -z ${ARG_RECOVERY_IMG} ]; then
471 ${FIT_UNPACK} -f ${ARG_RECOVERY_IMG} -o ${FIT_DIR}/unpack
479 ${MKIMAGE} -f ${ITS_RECOVERY} -E -p ${OFFS_DATA} ${ITB_RECOVERY} -v ${ARG_VER_RECOVERY}
485 if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
490 if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
492 if [ -z ${ARG_ROLLBACK_IDX_RECOVERY} ]; then
493 echo "ERROR: No arg \"--rollback-index-recovery <n>\""
496 if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
497 echo "ERROR: Don't support \"--rollback-index-recovery <n>\""
503 FDT_ADDR_R=`strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }'`
504 KERNEL_ADDR_R=`strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }'`
505 RMADISK_ADDR_R=`strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }'`
506 sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g" ${ITS_RECOVERY}
507 sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g" ${ITS_RECOVERY}
508 sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_RECOVERY}
509 if grep -q '^CONFIG_ARM64=y' .config ; then
510 sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_RECOVERY}
514 VERSION=`grep 'rollback-index' ${ITS_RECOVERY} | awk -F '=' '{ printf $2 }' | tr -d ' '`
515 …sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" ${ITS_RE…
518 …${MKIMAGE} -f ${ITS_RECOVERY} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_RECOVERY}
521 # rollback-index read back check
523 VERSION=`fdtget -ti ${ITB_RECOVERY} /configurations/conf rollback-index`
525 echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}";
532 ${CHECK_SIGN} -f ${ITB_RECOVERY} -k ${UBOOT_DTB}
535 # minimize u-boot.dtb: clear the values to 0 but do not remove the properties.
536 if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
537 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
538 if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
539 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
541 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
544 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
545 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
546 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
548 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
549 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
559 if [ -z ${ITB} ]; then
563 ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'`
564 ITB_MAX_KB=`sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'`
566 ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'`
568 if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then
573 rm -f ${IMG_UBOOT}
577 truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT}
585 if [ -z ${ITB} ]; then
590 cp ${ITB} ${IMG_BOOT} -f
598 if [ -z ${ITB} ]; then
603 cp ${ITB} ${IMG_RECOVERY} -f
609 if grep -Eq '^CONFIG_FIT_SIGNATURE=y' .config ; then
610 ${RK_SIGN_TOOL} cc --chip ${ARG_CHIP: 2: 6}
611 ${RK_SIGN_TOOL} lk --key ${RSA_PRI_KEY} --pubkey ${RSA_PUB_KEY}
612 if ls *loader*.bin >/dev/null 2>&1 ; then
613 ${RK_SIGN_TOOL} sl --loader *loader*.bin
616 ${RK_SIGN_TOOL} sl --loader *download*.bin
619 ${RK_SIGN_TOOL} sb --idb *idblock*.img
627 MSG_SIGN="no-signed"
632 VERSION=`fdtget -ti ${ITB_UBOOT} / version`
638 …echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with u…
646 if [ -z "${ARG_BOOT_IMG}" ]; then
651 MSG_SIGN="no-signed"
656 VERSION=`fdtget -ti ${ITB_BOOT} / version`
662 echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready"
670 if [ -z "${ARG_RECOVERY_IMG}" ]; then
675 MSG_SIGN="no-signed"
680 VERSION=`fdtget -ti ${ITB_RECOVERY} / version`
686 …echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} i…
694 if ls *loader*.bin >/dev/null 2>&1 ; then
695 LOADER=`ls *loader*.bin`
699 LOADER=`ls *idblock*.img`
702 if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
703 echo "Image(signed): ${LOADER} (with spl, ddr...) is ready"
705 echo "Image(no-signed): ${LOADER} (with spl, ddr...) is ready"
711 if ls *loader*.bin >/dev/null 2>&1 ; then
712 LOADER=`ls *loader*.bin`
716 LOADER=`ls *idblock*.img`
719 if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
720 echo "Image(signed): ${LOADER} (with u-boot, ddr...) is ready"
722 echo "Image(no-signed): ${LOADER} (with u-boot, ddr...) is ready"