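#!/bin/bash
#
# Copyright (c) 2022 Rockchip Electronics Co., Ltd
#
# SPDX-License-Identifier: GPL-2.0
#
# Helper functions that pack the uboot/boot/recovery FIT images and the
# loader. When .config has CONFIG_FIT_SIGNATURE=y the images are signed with
# the RSA key under keys/ and, unless --no-check is given, the signature is
# verified on the host with tools/fit_check_sign.
#
# All paths are relative: the functions expect to run from the U-Boot build
# directory (the one holding .config, make.sh, tools/ and keys/).
#
# `set -e` stays in force for every function below; several steps rely on it
# to abort when a tool (mkimage, fdtput, dd, ...) returns non-zero.
set -e

FIT_DIR="fit"
IMG_UBOOT="uboot.img"
IMG_BOOT="boot.img"
IMG_RECOVERY="recovery.img"
ITB_UBOOT="${FIT_DIR}/uboot.itb"
ITB_BOOT="${FIT_DIR}/boot.itb"
ITB_RECOVERY="${FIT_DIR}/recovery.itb"
SIG_BIN="data2sign.bin"
SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
SIG_BOOT="${FIT_DIR}/boot.data2sign"
SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"
# offs: value passed to "mkimage -p"; larger when RSA4096 support is enabled
if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then
	OFFS_DATA="0x1200"
else
	OFFS_DATA="0x1000"
fi
# placeholder address: replaced in the boot/recovery .its before signing
FDT_ADDR_PLACEHOLDER="0xffffff00"
KERNEL_ADDR_PLACEHOLDER="0xffffff01"
RAMDISK_ADDR_PLACEHOLDER="0xffffff02"
# tools
MKIMAGE="./tools/mkimage"
RK_SIGN_TOOL="../rkbin/tools/rk_sign_tool"
FIT_UNPACK="./scripts/fit-unpack.sh"
CHECK_SIGN="./tools/fit_check_sign"
# key
# NOTE(review): RSA_PRI_KEY is the private signing key and is read straight
# from the build tree. Nothing in this file checks its permissions or origin;
# confirm how keys/ is provisioned and protected for release builds.
KEY_DIR="keys/"
RSA_PRI_KEY="keys/dev.key"
RSA_PUB_KEY="keys/dev.pubkey"
RSA_CRT_KEY="keys/dev.crt"
SIGNATURE_KEY_NODE="/signature/key-dev"
SPL_DTB="spl/u-boot-spl.dtb"
UBOOT_DTB="u-boot.dtb"
# its
ITS_UBOOT="u-boot.its"
ITS_BOOT="boot.its"
ITS_RECOVERY="recovery.its"
ARG_VER_UBOOT="0"
ARG_VER_BOOT="0"
ARG_VER_RECOVERY="0"

# Print the usage text to stdout.
function help()
{
	echo
	echo "usage:"
	echo " $0 [args]"
	echo
	echo "args:"
	echo " --rollback-index-recovery <decimal integer>"
	echo " --rollback-index-boot <decimal integer>"
	echo " --rollback-index-uboot <decimal integer>"
	echo " --version-recovery <decimal integer>"
	echo " --version-boot <decimal integer>"
	echo " --version-uboot <decimal integer>"
	echo " --boot_img <boot image>"
	echo " --recovery_img <recovery image>"
	echo " --args <arg>"
	echo " --ini-loader <loader ini file>"
	echo " --ini-trust <trust ini file>"
	echo " --no-check"
	echo " --spl-new"
	echo
}

# Exit with usage unless $1 is a non-empty string of decimal digits.
#
# The accepted value is later interpolated into a sed expression and into the
# .its source (rollback-index = <N>;), so anything other than digits must be
# rejected here. The previous unquoted tests let values containing whitespace
# (e.g. "1 2") slip through.
function arg_check_decimal()
{
	case "$1" in
		"")
			help
			exit 1
			;;
		*[!0-9]*)
			echo "ERROR: $1 is not decimal integer"
			help
			exit 1
			;;
	esac
}

# Verify that every file referenced through /incbin/ in the .its file $1
# exists; exit 1 on the first missing one.
#
# The loop reads from a process substitution rather than a pipeline, so the
# `exit 1` terminates the script itself instead of only a pipeline subshell.
# A missing .its file is now reported; previously `cat` failed unnoticed and
# the check passed.
function check_its()
{
	local its=$1
	local file

	if [ ! -f "${its}" ]; then
		echo "ERROR: No ${its}"
		exit 1
	fi

	while IFS= read -r file; do
		# incbin lines without a quoted path are skipped, as before
		[ -n "${file}" ] || continue
		if [ ! -f "${file}" ]; then
			echo "ERROR: No ${file}"
			exit 1
		fi
	done < <(awk -F '"' '/incbin/ { print $2 }' "${its}" | tr -d ' ')
}

# Exit 1 unless the .its file (or directory) $1 mentions the RSA algorithm
# that matches .config (rsa4096 with CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y,
# otherwise rsa2048).
#
# NOTE(review): this is a plain substring search; it passes as soon as the
# string appears anywhere in $1 and does not prove that every signature node
# uses that algorithm.
function check_rsa_algo()
{
	local rsa_algo

	if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then
		rsa_algo="rsa4096"
	else
		rsa_algo="rsa2048"
	fi
	if ! grep -qr -- "${rsa_algo}" "$1" ; then
		echo "ERROR: Wrong rsa_algo in its file. It should be ${rsa_algo}."
		exit 1
	fi
}

# Exit 1 unless the private key, public key and certificate files exist.
# Only presence is checked, not content or file permissions.
function check_rsa_keys()
{
	local key

	for key in "${RSA_PRI_KEY}" "${RSA_PUB_KEY}" "${RSA_CRT_KEY}"; do
		if [ ! -f "${key}" ]; then
			echo "ERROR: No ${key} "
			exit 1
		fi
	done
}

# Print how many positional words option $1 consumes: 1 for a flag, 2 for an
# option with a value, 0 when $1 is not an option known here.
function validate_arg()
{
	local count

	case $1 in
		--no-check|--spl-new|--burn-key-hash)
			count=1
			;;
		--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--boot_img|--recovery_img|--version-uboot|--version-boot|--version-recovery|--chip)
			count=2
			;;
		*)
			count=0
			;;
	esac
	echo ${count}
}

# Parse the command line into the ARG_* globals used by the fit_* functions.
# Prints usage and exits 0 when called without arguments, exits 1 on an
# unknown option. ARG_SIGN is set to "y" when .config enables
# CONFIG_FIT_SIGNATURE.
function fit_process_args()
{
	if [ $# -eq 0 ]; then
		help
		exit 0
	fi

	while [ $# -gt 0 ]; do
		case $1 in
			--args)
				ARG_VALIDATE=$2
				shift 2
				;;
			--boot_img)     # boot.img
				ARG_BOOT_IMG=$2
				shift 2
				;;
			--chip)
				ARG_CHIP=$2
				shift 2
				;;
			--recovery_img) # recovery.img
				ARG_RECOVERY_IMG=$2
				shift 2
				;;
			--boot_img_dir) # boot.img components directory
				ARG_BOOT_IMG_DIR=$2
				shift 2
				;;
			--no-check)     # No hostcc fit signature check
				# Skips the host-side fit_check_sign run after signing, so a
				# bad signature is only discovered on the device.
				ARG_NO_CHECK="y"
				shift 1
				;;
			--ini-trust)    # Assign trust ini file
				ARG_INI_TRUST=$2
				shift 2
				;;
			--ini-loader)   # Assign loader ini file
				ARG_INI_LOADER=$2
				shift 2
				;;
			--spl-new)      # Use current build u-boot-spl.bin to pack loader
				ARG_SPL_NEW="y"
				shift 1
				;;
			--rollback-index-boot)
				ARG_ROLLBACK_IDX_BOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--rollback-index-recovery)
				ARG_ROLLBACK_IDX_RECOVERY=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--rollback-index-uboot)
				ARG_ROLLBACK_IDX_UBOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--version-uboot)
				ARG_VER_UBOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--version-boot)
				ARG_VER_BOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--version-recovery)
				ARG_VER_RECOVERY=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--burn-key-hash)
				# NOTE(review): sets burn-key-hash=1 in the SPL DTB; presumably
				# this makes the device program the key hash permanently -
				# confirm before using it with a development key.
				ARG_BURN_KEY_HASH="y"
				shift 1
				;;
			*)
				help
				exit 1
				;;
		esac
	done

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		ARG_SIGN="y"
	fi
}

# Rebuild the code when signing is enabled, then recreate an empty ${FIT_DIR}.
function fit_raw_compile()
{
	# Verified-boot: should rebuild code but don't need to repack images.
	if [ "${ARG_SIGN}" = "y" ]; then
		./make.sh --raw-compile
	fi
	# :? aborts instead of running "rm -rf" on an empty path
	rm -rf -- "${FIT_DIR:?}" && mkdir -p -- "${FIT_DIR}"
}

# Rewrite the rollback-index value in .its file $1 to <$2>.
# Leaves the previous value text in the global VERSION, as the inline code did.
function _fit_set_rollback_index()
{
	local its=$1 index=$2

	VERSION=$(grep 'rollback-index' "${its}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
	sed -i "s/rollback-index = ${VERSION}/rollback-index = <${index}>;/g" "${its}"
}

# Read rollback-index back from the packed image $1 and exit 1 unless it
# equals $2 (string comparison against fdtget's output).
function _fit_verify_rollback_index()
{
	local itb=$1 index=$2

	VERSION=$(fdtget -ti "${itb}" /configurations/conf rollback-index)
	if [ "${VERSION}" != "${index}" ]; then
		echo "ERROR: Failed to set rollback-index for ${itb}";
		exit 1
	fi
}

# Replace placeholder $2 in .its file $1 with value $3 ($4 names the value in
# the error message). When the value is empty and the placeholder is present
# the build stops; substituting an empty string would otherwise leave an
# empty address in an image that is about to be signed.
function _fit_replace_placeholder()
{
	local its=$1 placeholder=$2 value=$3 label=$4

	if [ -z "${value}" ]; then
		if grep -q -- "${placeholder}" "${its}" ; then
			echo "ERROR: No ${label} found in env/built-in.o"
			exit 1
		fi
		return 0
	fi
	sed -i "s/${placeholder}/${value}/g" "${its}"
}

# Fix up .its file $1: fill the fdt/kernel/ramdisk load addresses from the
# environment strings in env/built-in.o and switch arch to arm64 when
# CONFIG_ARM64=y.
function _fit_fixup_load_addrs()
{
	local its=$1

	FDT_ADDR_R=$(strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }')
	KERNEL_ADDR_R=$(strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }')
	RMADISK_ADDR_R=$(strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }')
	_fit_replace_placeholder "${its}" "${FDT_ADDR_PLACEHOLDER}" "${FDT_ADDR_R}" "fdt_addr_r"
	_fit_replace_placeholder "${its}" "${KERNEL_ADDR_PLACEHOLDER}" "${KERNEL_ADDR_R}" "kernel_addr_r"
	_fit_replace_placeholder "${its}" "${RAMDISK_ADDR_PLACEHOLDER}" "${RMADISK_ADDR_R}" "ramdisk_addr_r"
	if grep -q '^CONFIG_ARM64=y' .config ; then
		sed -i 's/arch = "arm";/arch = "arm64";/g' "${its}"
	fi
}

# minimize u-boot.dtb: clear as 0 but not remove property.
# Which rsa,* properties are cleared depends on CONFIG_FIT_HW_CRYPTO and
# CONFIG_ROCKCHIP_CRYPTO_V1; both hash@ nodes are always removed.
function _fit_minimize_uboot_dtb()
{
	if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
		if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
		else
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
		fi
	else
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
	fi
	fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
	fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
}

# Pack (and sign, when ARG_SIGN=y) a boot-type FIT image.
#   $1 name used in error messages ("boot" or "recovery")
#   $2 .its source   $3 output .itb   $4 destination for data2sign.bin
#   $5 version for "mkimage -v"       $6 rollback index (may be empty)
# Signed path: checks keys and algorithm, requires CONFIG_FIT_SIGNATURE,
# applies the rollback index when CONFIG_FIT_ROLLBACK_PROTECT=y (which also
# needs CONFIG_OPTEE_CLIENT), signs with the public key written into
# ${UBOOT_DTB}, reads the rollback index back, verifies the signature on the
# host unless ARG_NO_CHECK=y, then minimizes ${UBOOT_DTB}.
function _fit_pack_kernel_itb()
{
	local name=$1 its=$2 itb=$3 sig=$4 version=$5 index=$6

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${its}" -E -p "${OFFS_DATA}" "${itb}" -v "${version}"
		return 0
	fi

	check_rsa_keys

	check_rsa_algo "${its}"

	if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
		exit 1
	fi

	if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
		ARG_ROLLBACK_PROTECT="y"
		if [ -z "${index}" ]; then
			echo "ERROR: No arg \"--rollback-index-${name} <n>\""
			exit 1
		fi
		if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
			echo "ERROR: Don't support \"--rollback-index-${name} <n>\""
			exit 1
		fi
	fi

	# fixup
	_fit_fixup_load_addrs "${its}"

	if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
		_fit_set_rollback_index "${its}" "${index}"
	fi

	"${MKIMAGE}" -f "${its}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${itb}" -v "${version}"
	mv "${SIG_BIN}" "${sig}"

	# rollback-index read back check
	if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
		_fit_verify_rollback_index "${itb}" "${index}"
	fi

	# host check signature
	if [ "${ARG_NO_CHECK}" != "y" ]; then
		"${CHECK_SIGN}" -f "${itb}" -k "${UBOOT_DTB}"
	fi

	_fit_minimize_uboot_dtb
}

# Generate ${ITB_UBOOT} from u-boot.its and pack the loader.
# With ARG_SIGN=y the image is signed, the public key is written into
# ${SPL_DTB} (and into ${UBOOT_DTB} when it has no /signature node yet), the
# optional rollback index and burn-key-hash settings are applied and read
# back, and the signature is verified on the host unless ARG_NO_CHECK=y.
function fit_gen_uboot_itb()
{
	local spl_file offs

	# generate u-boot.its file
	./make.sh itb ${ARG_INI_TRUST:+"${ARG_INI_TRUST}"}

	# check existence of file in its
	check_its "${ITS_UBOOT}"

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_UBOOT}" -E -p "${OFFS_DATA}" "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		if [ "${ARG_SPL_NEW}" = "y" ]; then
			./make.sh --spl ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
			echo "pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
		fi
	else
		check_rsa_keys

		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index
		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_SPL_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
				exit 1
			fi
		fi

		if [ "${ARG_SPL_ROLLBACK_PROTECT}" = "y" ]; then
			_fit_set_rollback_index "${ITS_UBOOT}" "${ARG_ROLLBACK_IDX_UBOOT}"
		fi

		# Generally, boot.img is signed before uboot.img, so the rsa key can be found
		# in u-boot.dtb. If not found, let's insert rsa key anyway.
		if ! fdtget -l "${UBOOT_DTB}" /signature >/dev/null 2>&1 ; then
			"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
			echo "## Adding RSA public key into ${UBOOT_DTB}"
		fi

		# Pack
		"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${SPL_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		mv "${SIG_BIN}" "${SIG_UBOOT}"

		# burn-key-hash
		if [ "${ARG_BURN_KEY_HASH}" = "y" ]; then
			if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash 0x1
			else
				echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
				exit 1
			fi
		fi

		# rollback-index read back check
		if [ "${ARG_SPL_ROLLBACK_PROTECT}" = "y" ]; then
			_fit_verify_rollback_index "${ITB_UBOOT}" "${ARG_ROLLBACK_IDX_UBOOT}"
		fi

		# burn-key-hash read back check
		if [ "${ARG_BURN_KEY_HASH}" = "y" ]; then
			if [ "$(fdtget -ti "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash)" != "1" ]; then
				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}";
				exit 1
			fi
		fi

		# host check signature
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			if [ "${ARG_SPL_NEW}" = "y" ]; then
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k "${SPL_DTB}" -s
			else
				# Verify against the DTB embedded in the prebuilt SPL named by
				# FlashBoot= in the loader ini.
				spl_file="../rkbin/$(sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"} | tr -d '\r')"
				offs=$(fdtdump -s "${spl_file}" | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " ")
				if [ -z "${offs}" ]; then
					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
					# Stop here: without the offset there is no key blob to
					# verify against. The message used to be printed without
					# aborting, leaving it to a later dd failure to stop.
					exit 1
				fi
				offs=$(printf '%d' "${offs}") # hex -> dec
				dd if="${spl_file}" of=spl/u-boot-spl-old.dtb bs="${offs}" skip=1 >/dev/null 2>&1
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k spl/u-boot-spl-old.dtb -s
			fi
		fi

		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
			else
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fi
		else
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
		fi

		# repack spl
		if [ "${ARG_SPL_NEW}" = "y" ]; then
			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
			fi
			cat "${SPL_DTB}" >> spl/u-boot-spl.bin

			./make.sh --spl ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
			echo "## pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
		fi

		if [ "${ARG_BURN_KEY_HASH}" = "y" ]; then
			echo "## ${SPL_DTB}: burn-key-hash=1"
		fi
	fi

	rm -f u-boot.itb u-boot.img u-boot-dtb.img
	mv "${ITS_UBOOT}" "${FIT_DIR}"
}

# Generate ${ITB_BOOT}. The .its comes from unpacking ARG_BOOT_IMG when it is
# given, otherwise from make_fit_boot.sh with the COMPRESSION= value of the
# trust ini ("none" when absent). Packing and signing are done by
# _fit_pack_kernel_itb.
function fit_gen_boot_itb()
{
	local compression

	if [ -n "${ARG_BOOT_IMG}" ]; then
		"${FIT_UNPACK}" -f "${ARG_BOOT_IMG}" -o "${FIT_DIR}/unpack"
		ITS_BOOT="${FIT_DIR}/unpack/image.its"
	else
		compression=$(awk -F"," '/COMPRESSION=/ { printf "%s", $1 }' ${ARG_INI_TRUST:+"${ARG_INI_TRUST}"} | tr -d ' ' | cut -c 13-)
		if [ -z "${compression}" ]; then
			compression="none"
		fi
		./arch/arm/mach-rockchip/make_fit_boot.sh -c "${compression}" > "${ITS_BOOT}"
		check_its "${ITS_BOOT}"
	fi

	_fit_pack_kernel_itb "boot" "${ITS_BOOT}" "${ITB_BOOT}" "${SIG_BOOT}" \
		"${ARG_VER_BOOT}" "${ARG_ROLLBACK_IDX_BOOT}"

	mv "${ITS_BOOT}" "${FIT_DIR}"
}

# Generate ${ITB_RECOVERY} from the unpacked ARG_RECOVERY_IMG; exits 1 when no
# recovery image was given. Packing and signing are done by
# _fit_pack_kernel_itb.
function fit_gen_recovery_itb()
{
	if [ -n "${ARG_RECOVERY_IMG}" ]; then
		"${FIT_UNPACK}" -f "${ARG_RECOVERY_IMG}" -o "${FIT_DIR}/unpack"
		ITS_RECOVERY="${FIT_DIR}/unpack/image.its"
	else
		echo "ERROR: No recovery.img"
		exit 1
	fi

	_fit_pack_kernel_itb "recovery" "${ITS_RECOVERY}" "${ITB_RECOVERY}" "${SIG_RECOVERY}" \
		"${ARG_VER_RECOVERY}" "${ARG_ROLLBACK_IDX_RECOVERY}"

	mv "${ITS_RECOVERY}" "${FIT_DIR}"
}

# Build ${IMG_UBOOT} from $1 (default ${ITB_UBOOT}): the .itb is written
# SPL_FIT_IMAGE_MULTIPLE times, each copy padded to a multiple of
# SPL_FIT_IMAGE_KB KiB. Exits 1 when the .itb is larger than one slot.
function fit_gen_uboot_img()
{
	local i

	ITB=$1

	if [ -z "${ITB}" ]; then
		ITB=${ITB_UBOOT}
	fi

	ITB_MAX_NUM=$(sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_KB=$(sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_BS=$((ITB_MAX_KB*1024))
	# byte count taken directly instead of parsing "ls -l" output
	ITB_BS=$(wc -c < "${ITB}")

	if [ "${ITB_BS}" -gt "${ITB_MAX_BS}" ]; then
		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
		exit 1
	fi

	rm -f -- "${IMG_UBOOT}"
	for ((i = 0; i < ${ITB_MAX_NUM}; i++));
	do
		cat "${ITB}" >> "${IMG_UBOOT}"
		truncate -s "%${ITB_MAX_KB}K" "${IMG_UBOOT}"
	done
}

# Copy $1 (default ${ITB_BOOT}) to ${IMG_BOOT} unless it already is that file.
function fit_gen_boot_img()
{
	ITB=$1

	if [ -z "${ITB}" ]; then
		ITB=${ITB_BOOT}
	fi

	if [ "${ITB}" != "${IMG_BOOT}" ]; then
		cp -f -- "${ITB}" "${IMG_BOOT}"
	fi
}

# Copy $1 (default ${ITB_RECOVERY}) to ${IMG_RECOVERY} unless it already is
# that file.
function fit_gen_recovery_img()
{
	ITB=$1

	if [ -z "${ITB}" ]; then
		ITB=${ITB_RECOVERY}
	fi

	if [ "${ITB}" != "${IMG_RECOVERY}" ]; then
		cp -f -- "${ITB}" "${IMG_RECOVERY}"
	fi
}

# When CONFIG_FIT_SIGNATURE=y, run rk_sign_tool over the loader, download and
# idblock images found in the current directory, using the RSA key pair.
# The chip name passed to the tool is ARG_CHIP from offset 2, at most 6 chars.
function fit_gen_loader()
{
	local chip

	if grep -Eq '^CONFIG_FIT_SIGNATURE=y' .config ; then
		chip=${ARG_CHIP:2:6}
		"${RK_SIGN_TOOL}" cc --chip ${chip:+"${chip}"}
		"${RK_SIGN_TOOL}" lk --key "${RSA_PRI_KEY}" --pubkey "${RSA_PUB_KEY}"
		# the globs are left unquoted on purpose: each may match several files
		if ls -- *loader*.bin >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sl --loader *loader*.bin
		fi
		if ls -- *download*.bin >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sl --loader *download*.bin
		fi
		if ls -- *idblock*.img >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sb --idb *idblock*.img
		fi
	fi
}

# Print the "is ready" summary line for ${IMG_UBOOT}.
function fit_msg_uboot()
{
	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# reset so a version left over from another fit_msg_* call is not reported
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_UBOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_SPL_ROLLBACK_PROTECT}" = "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
	fi
}

# Print the "is ready" summary line for ${IMG_BOOT}; silent when no
# --boot_img was given.
function fit_msg_boot()
{
	if [ -z "${ARG_BOOT_IMG}" ]; then
		return;
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# reset so a version left over from another fit_msg_* call is not reported
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_BOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
	fi
}

# Print the "is ready" summary line for ${IMG_RECOVERY}; silent when no
# --recovery_img was given.
function fit_msg_recovery()
{
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		return;
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# reset so a version left over from another fit_msg_* call is not reported
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_RECOVERY}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
	fi
}

# Print the "is ready" line for the SPL loader image; an idblock image takes
# precedence over a loader .bin when both exist.
function fit_msg_loader()
{
	# start empty so a name from an earlier call is not reported
	LOADER=""
	if ls -- *loader*.bin >/dev/null 2>&1 ; then
		LOADER=$(ls -- *loader*.bin)
	fi

	if ls -- *idblock*.img >/dev/null 2>&1 ; then
		LOADER=$(ls -- *idblock*.img)
	fi

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		echo "Image(signed): ${LOADER} (with spl, ddr...) is ready"
	else
		echo "Image(no-signed): ${LOADER} (with spl, ddr...) is ready"
	fi
}

# Print the "is ready" line for the u-boot loader image; an idblock image
# takes precedence over a loader .bin when both exist.
function fit_msg_u_boot_loader()
{
	# start empty so a name from an earlier call is not reported
	LOADER=""
	if ls -- *loader*.bin >/dev/null 2>&1 ; then
		LOADER=$(ls -- *loader*.bin)
	fi

	if ls -- *idblock*.img >/dev/null 2>&1 ; then
		LOADER=$(ls -- *idblock*.img)
	fi

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		echo "Image(signed): ${LOADER} (with u-boot, ddr...) is ready"
	else
		echo "Image(no-signed): ${LOADER} (with u-boot, ddr...) is ready"
	fi
}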