xref: /OK3568_Linux_fs/u-boot/scripts/fit-resign.sh (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1#!/bin/bash
2#
3# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd
4#
5# SPDX-License-Identifier: GPL-2.0
6#
7set -e
8
9# [Keys]
10#	mkdir -p keys
11#	openssl genpkey -algorithm RSA -out keys/dev.key -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
12#	openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
13#	openssl rsa -in keys/dev.key -pubout -out keys/dev.pubkey
14# [Sign]
15#	openssl dgst -sha256 -sign keys/dev.key -sigopt rsa_padding_mode:pss -out sha256-rsa2048.sign fit/boot.data2sign
16
17IMG_UBOOT="uboot.img"
18IMG_BOOT="boot.img"
19
20function usage_resign()
21{
22	echo
23	echo "usage:"
24	echo "    $0 -f [itb] -s [sig]"
25	echo
26}
27
28function fit_resign()
29{
30	if [ $# -ne 4 ]; then
31		usage_resign
32		exit 1
33	fi
34
35	while [ $# -gt 0 ]; do
36		case $1 in
37			-f)
38				ITB=$2
39				shift 2
40				;;
41			-s)
42				SIG=$2
43				shift 2
44				;;
45			*)
46				usage_resign
47				exit 1
48				;;
49		esac
50	done
51
52	if [ ! -f ${ITB} ]; then
53		echo "ERROR: No ${ITB}"
54		exit 1
55	elif ! file ${ITB} | grep 'Device Tree Blob' ; then
56		echo "ERROR: ${ITB} is not FIT image"
57		exit 1
58	elif [ ! -f ${SIG} ]; then
59		echo "ERROR: No ${SIG}"
60		exit 1
61	fi
62
63	copies=`strings ${ITB} | grep "signer-version"  | wc -l`
64	if [ ${copies} -ne 1 ]; then
65		echo "ERROR: ${ITB} seems not a itb but a image, ${copies}"
66		exit 1
67	fi
68
69	SIG_SZ=`ls -l ${SIG} | awk '{ print $5 }'`
70	LEN=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/LEN:/p" | awk '{ print $2 }'`
71	OFF=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/OFF:/p" | awk '{ print $2 }'`
72	END=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/END:/p" | awk '{ print $2 }'`
73
74	if [ -z ${LEN} ]; then
75		echo "ERROR: No signature in ${ITB}"
76		exit 1
77		strings uboot.img | grep "rollback-index" | wc -l
78	elif [ "${SIG_SZ}" -ne "${LEN}" ]; then
79		echo "ERROR: ${SIG} size ${SIG_SZ} != ${ITB} Signature size ${LEN}"
80		exit 1
81	fi
82
83	dd if=${ITB} of=${ITB}.half1 count=1 bs=${OFF}
84	dd if=${ITB} of=${ITB}.half2 skip=1 ibs=${END}
85
86	ITB_RESIGN="${ITB}.resign"
87	cat ${ITB}.half1  >  ${ITB_RESIGN}
88	cat ${SIG}        >> ${ITB_RESIGN}
89	cat ${ITB}.half2  >> ${ITB_RESIGN}
90	echo
91
92	if fdtget -l ${ITB_RESIGN} /images/uboot >/dev/null 2>&1 ; then
93		ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'`
94		ITB_MAX_KB=`sed  -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'`
95		ITB_MAX_BS=$((ITB_MAX_KB*1024))
96		ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'`
97		if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then
98			echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
99			exit 1
100		fi
101
102		rm -f ${IMG_UBOOT}
103		for ((i = 0; i < ${ITB_MAX_NUM}; i++));
104		do
105			cat ${ITB_RESIGN} >> ${IMG_UBOOT}
106			truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT}
107		done
108		echo "Image(re-signed):  ${IMG_UBOOT} is ready"
109	else
110		cp ${ITB_RESIGN} ${IMG_BOOT}
111		echo "Image(re-signed):  ${IMG_BOOT} is ready"
112	fi
113
114	rm -f ${ITB}.half1 ${ITB}.half2 ${ITB_RESIGN}
115}
116
117fit_resign $*
118
119