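#!/bin/bash
#
# Copyright (c) 2022 Rockchip Electronics Co., Ltd
#
# SPDX-License-Identifier: GPL-2.0
#
# Helpers that build the FIT images uboot.img, boot.img and recovery.img,
# sign them with mkimage using the RSA key set under keys/, and verify the
# result on the host with fit_check_sign. The file only defines constants
# and functions; nothing here calls them.
#
# Quoting convention: variables that may legitimately be empty
# (ARG_INI_TRUST, ARG_INI_LOADER, ARG_FIT_FWVER, ARG_CHIP) and glob patterns
# are expanded unquoted on purpose, so that an empty value contributes no
# argument at all. Everything else is quoted.
#
set -e

FIT_DIR="fit"
IMG_UBOOT="uboot.img"
IMG_BOOT="boot.img"
IMG_RECOVERY="recovery.img"
ITB_UBOOT="${FIT_DIR}/uboot.itb"
ITB_BOOT="${FIT_DIR}/boot.itb"
ITB_RECOVERY="${FIT_DIR}/recovery.itb"
SIG_BIN="data2sign.bin"
SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
SIG_BOOT="${FIT_DIR}/boot.data2sign"
SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"
SIG_CFG_DIR="${FIT_DIR}/fit_signcfg"
SIG_CONFIG="${SIG_CFG_DIR}/sign.readonly_config"
MINIALL_INI="${SIG_CFG_DIR}/MINIALL.ini"
# offs
OFFS_DATA="0x1200"
# placeholder address
FDT_ADDR_PLACEHOLDER="0xffffff00"
KERNEL_ADDR_PLACEHOLDER="0xffffff01"
RAMDISK_ADDR_PLACEHOLDER="0xffffff02"
# tools
MKIMAGE="./tools/mkimage"
RK_SIGN_TOOL="../rkbin/tools/rk_sign_tool"
FIT_UNPACK="./scripts/fit-unpack.sh"
CHECK_SIGN="./tools/fit_check_sign"
# key
# RSA_PRI_KEY is the private signing key: whoever can read it can produce
# images that pass verification. Keep keys/ out of version control and
# restrict its file permissions on the build host.
KEY_DIR="keys/"
RSA_PRI_KEY="keys/dev.key"
RSA_PUB_KEY="keys/dev.pubkey"
RSA_CRT_KEY="keys/dev.crt"
SIGNATURE_KEY_NODE="/signature/key-dev"
SPL_DTB="spl/u-boot-spl.dtb"
UBOOT_DTB="u-boot.dtb"
# its
ITS_UBOOT="u-boot.its"
ITS_BOOT="boot.its"
ITS_RECOVERY="recovery.its"
ARG_VER_UBOOT="0"
ARG_VER_BOOT="0"
ARG_VER_RECOVERY="0"

# Print the usage text to stdout.
function help()
{
	echo
	echo "usage:"
	echo " $0 [args]"
	echo
	echo "args:"
	echo " --rollback-index-recovery <decimal integer>"
	echo " --rollback-index-boot <decimal integer>"
	echo " --rollback-index-uboot <decimal integer>"
	echo " --version-recovery <decimal integer>"
	echo " --version-boot <decimal integer>"
	echo " --version-uboot <decimal integer>"
	echo " --boot_img <boot image>"
	echo " --recovery_img <recovery image>"
	echo " --args <arg>"
	echo " --ini-loader <loader ini file>"
	echo " --ini-trust <trust ini file>"
	echo " --no-check"
	echo " --no-sign"
	echo " --spl-new"
	echo
}

# Exit with status 1 (after printing help) unless $1 is a non-empty string
# made only of the digits 0-9.
#
# The value is later spliced into sed expressions and .its files, so the
# check is done with a shell pattern instead of `echo $1 | sed`: echo
# swallows values such as "-n" or "-e", which then passed as "decimal".
function arg_check_decimal()
{
	if [ -z "$1" ]; then
		help
		exit 1
	fi

	case "$1" in
	*[!0123456789]*)
		echo "ERROR: $1 is not decimal integer"
		help
		exit 1
		;;
	esac
}

# Check that every file referenced by an /incbin/ line of the .its file $1
# exists; print an error and exit 1 on the first missing one.
#
# The file is read through a redirect, not `cat | while`, so that `exit 1`
# terminates the calling shell itself rather than only a pipeline subshell.
function check_its()
{
	local line file

	while IFS= read -r line || [ -n "${line}" ]; do
		case "${line}" in
		*incbin*) ;;
		*) continue ;;
		esac

		# The path is the first double-quoted field of the line.
		file=$(printf '%s\n' "${line}" | awk -F '"' '{ printf "%s", $2 }' | tr -d ' ')
		if [ -z "${file}" ]; then
			continue
		fi
		if [ ! -f "${file}" ]; then
			echo "ERROR: No ${file}"
			exit 1
		fi
	done < "$1"
}

# Exit 1 unless the .its file (or directory) $1 mentions the RSA algorithm
# selected by .config: rsa4096 when CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y,
# rsa2048 otherwise. Sets the global rsa_algo.
#
# NOTE(review): this is a substring search, so a match anywhere in the file
# (a comment included) satisfies it; it does not prove that every signature
# node uses that algorithm.
function check_rsa_algo()
{
	if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then
		rsa_algo="rsa4096"
	else
		rsa_algo="rsa2048"
	fi
	if ! grep -qr -- "${rsa_algo}" "$1" ; then
		echo "ERROR: Wrong rsa_algo in its file. It should be ${rsa_algo}."
		exit 1
	fi
}

# Exit 1 unless the private key, public key and certificate files all exist.
# Only existence is checked; permissions and key strength are not.
function check_rsa_keys()
{
	local key

	for key in "${RSA_PRI_KEY}" "${RSA_PUB_KEY}" "${RSA_CRT_KEY}"; do
		if [ ! -f "${key}" ]; then
			echo "ERROR: No ${key} "
			exit 1
		fi
	done
}

# Print how many positional words option $1 consumes: 1 for a flag, 2 for
# an option that takes a value, 0 when the option is not recognised.
function validate_arg()
{
	local count

	case $1 in
	--no-check|--no-sign|--spl-new|--burn-key-hash)
		count=1
		;;
	--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--boot_img|--recovery_img|--version-uboot|--version-boot|--version-recovery|--chip)
		count=2
		;;
	*)
		count=0
		;;
	esac
	echo ${count}
}

# Parse the command line into the ARG_* globals.
#
# With no arguments prints help and exits 0; on an unknown option, or an
# option whose value is missing, prints help and exits 1. ARG_SIGN is set
# to "y" when .config has CONFIG_FIT_SIGNATURE=y and forced to "n" by
# --no-sign.
function fit_process_args()
{
	if [ $# -eq 0 ]; then
		help
		exit 0
	fi

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		ARG_SIGN="y"
	fi

	while [ $# -gt 0 ]; do
		# An option that takes a value must not be the last word:
		# `shift 2` would fail there without any diagnostic.
		case $1 in
		--args|--boot_img|--chip|--recovery_img|--boot_img_dir|--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--version-uboot|--version-boot|--version-recovery|--spl-fwver|--fwver)
			if [ $# -lt 2 ]; then
				echo "ERROR: $1 requires a value"
				help
				exit 1
			fi
			;;
		esac

		case $1 in
		--args)
			ARG_VALIDATE=$2
			shift 2
			;;
		--boot_img) # boot.img
			ARG_BOOT_IMG=$2
			shift 2
			;;
		--chip)
			ARG_CHIP=$2
			shift 2
			;;
		--recovery_img) # recovery.img
			ARG_RECOVERY_IMG=$2
			shift 2
			;;
		--boot_img_dir) # boot.img components directory
			ARG_BOOT_IMG_DIR=$2
			shift 2
			;;
		--no-check) # No hostcc fit signature check
			# Skips the fit_check_sign run after signing, so a bad
			# signature is not caught on the build host.
			ARG_NO_CHECK="y"
			shift 1
			;;
		--no-sign)
			ARG_NO_SIGN="y"
			ARG_SIGN="n"
			shift 1
			;;
		--ini-trust) # Assign trust ini file
			ARG_INI_TRUST=$2
			shift 2
			;;
		--ini-loader) # Assign loader ini file
			ARG_INI_LOADER=$2
			shift 2
			;;
		--spl-new) # Use current build u-boot-spl.bin to pack loader
			ARG_SPL_NEW="y"
			# Whether aarch32 or not, spl only support 64 bits version.
			if grep -q '^CONFIG_ARM64_BOOT_AARCH32=y' .config ; then
				echo "ERROR: SPL doesn't support 32-bit. Please build 64-bit defconfig and update u-boot-spl.bin to rkbin first."
				exit 1
			fi
			shift 1
			;;
		--rollback-index-boot)
			ARG_ROLLBACK_IDX_BOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--rollback-index-recovery)
			ARG_ROLLBACK_IDX_RECOVERY=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--rollback-index-uboot)
			ARG_ROLLBACK_IDX_UBOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--version-uboot)
			ARG_VER_UBOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--version-boot)
			ARG_VER_BOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--version-recovery)
			ARG_VER_RECOVERY=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--burn-key-hash)
			# NOTE(review): this only sets a property in the SPL dtb
			# (see fit_gen_uboot_itb). Presumably SPL then programs
			# the key hash into one-time-programmable storage, which
			# would be irreversible - confirm before enabling.
			ARG_BURN_KEY_HASH="y"
			shift 1
			;;
		--spl-fwver)
			ARG_FIT_FWVER="${ARG_FIT_FWVER} --spl-fwver $2"
			shift 2
			;;
		--fwver)
			ARG_FIT_FWVER="${ARG_FIT_FWVER} --fwver $2"
			shift 2
			;;
		*)
			help
			exit 1
			;;
		esac
	done
}

# Rebuild the code when signing is enabled, then recreate the empty output
# directories FIT_DIR and SIG_CFG_DIR.
function fit_raw_compile()
{
	# Verified-boot: should rebuild code but don't need to repack images.
	if [ "${ARG_SIGN}" == "y" ]; then
		./make.sh --raw-compile ${ARG_FIT_FWVER}
	fi
	# ${FIT_DIR:?} aborts instead of running `rm -rf` on an empty path.
	rm -rf "${FIT_DIR:?}" && mkdir -p "${FIT_DIR}" && mkdir -p "${SIG_CFG_DIR}"
}

# Print the value of the `<name>=<value>` string that `strings` finds in
# env/built-in.o for the environment variable named $1.
function _fit_env_value()
{
	strings env/built-in.o | grep "$1=" | awk -F "=" '{ print $2 }'
}

# Replace the placeholder load addresses in the .its file $1 with the
# values taken from env/built-in.o, and switch arch to arm64 when .config
# has CONFIG_ARM64=y. Sets FDT_ADDR_R, KERNEL_ADDR_R and RMADISK_ADDR_R.
function _fit_fixup_its()
{
	local its=$1

	FDT_ADDR_R=$(_fit_env_value fdt_addr_r)
	KERNEL_ADDR_R=$(_fit_env_value kernel_addr_r)
	RMADISK_ADDR_R=$(_fit_env_value ramdisk_addr_r)
	sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g" "${its}"
	sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g" "${its}"
	sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${its}"
	if grep -q '^CONFIG_ARM64=y' .config ; then
		sed -i 's/arch = "arm";/arch = "arm64";/g' "${its}"
	fi
}

# Minimize u-boot.dtb: zero the key properties the selected crypto
# configuration does not need (the properties stay, their values become 0)
# and remove the hash@c and hash@np subnodes of the key node.
function _fit_minimize_uboot_dtb()
{
	if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
		if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
		else
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
		fi
	else
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
	fi
	fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
	fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
}

# Generate fit/uboot.itb and (re)pack the loader.
#
# Unsigned path: plain mkimage, then pack the loader.
# Signed path: requires the key files and CONFIG_SPL_FIT_SIGNATURE=y;
# applies the rollback index when CONFIG_SPL_FIT_ROLLBACK_PROTECT=y, signs
# with the keys in KEY_DIR (public key written into SPL_DTB, marked
# required with -r), reads the rollback index and burn-key-hash back,
# verifies the signature on the host unless --no-check, minimizes the SPL
# dtb and repacks the loader.
#
# NOTE(review): unlike the boot and recovery paths, check_rsa_algo is not
# run on u-boot.its here.
function fit_gen_uboot_itb()
{
	local spl_file offs

	# generate u-boot.its file
	./make.sh itb ${ARG_INI_TRUST}

	# check existence of file in its
	check_its "${ITS_UBOOT}"

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_UBOOT}" -E -p "${OFFS_DATA}" "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			./make.sh --spl ${ARG_INI_LOADER}
			echo "pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER}
		fi
	else
		check_rsa_keys

		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index
		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_SPL_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
				exit 1
			fi
		fi

		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_UBOOT}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" "${ITS_UBOOT}"
		fi

		# Generally, boot.img is signed before uboot.img, so the rsa key can be found
		# in u-boot.dtb. If not found, let's insert rsa key anyway.
		if ! fdtget -l "${UBOOT_DTB}" /signature >/dev/null 2>&1 ; then
			"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
			echo "## Adding RSA public key into ${UBOOT_DTB}"
		fi

		# Pack
		"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${SPL_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		mv "${SIG_BIN}" "${SIG_UBOOT}"

		# burn-key-hash
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash 0x1
			else
				echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
				exit 1
			fi
		fi

		# rollback-index read back check
		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_UBOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}";
				exit 1
			fi
		fi

		# burn-key-hash read back check
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if [ "$(fdtget -ti "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash)" != "1" ]; then
				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}";
				exit 1
			fi
		fi

		# host check signature
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			if [ "${ARG_SPL_NEW}" == "y" ]; then
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k "${SPL_DTB}" -s
			else
				# Verify against the dtb embedded in the SPL binary
				# that the loader ini names as FlashBoot.
				spl_file=$(sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER} | tr -d '\r')
				spl_file="../rkbin/${spl_file}"
				offs=$(fdtdump -s "${spl_file}" | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " ")
				if [ -z "${offs}" ]; then
					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
					# Stop here: without an offset there is no key
					# blob to verify the signature against.
					exit 1
				fi
				offs=$(printf %d "${offs}") # hex -> dec
				dd if="${spl_file}" of=spl/u-boot-spl-old.dtb bs="${offs}" skip=1 >/dev/null 2>&1
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k spl/u-boot-spl-old.dtb -s
			fi
		fi

		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
			else
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fi
		else
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
		fi

		# repack spl
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
			fi
			cat "${SPL_DTB}" >> spl/u-boot-spl.bin

			./make.sh --spl ${ARG_INI_LOADER}
			echo "## pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER}
		fi

		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			echo "## ${SPL_DTB}: burn-key-hash=1"
		fi
	fi

	rm -f u-boot.itb u-boot.img u-boot-dtb.img
	mv "${ITS_UBOOT}" "${FIT_DIR}"
}

# Generate fit/boot.itb, either from an unpacked --boot_img or from a
# freshly generated boot.its.
#
# Signed path: requires the key files and the configured RSA algorithm in
# the .its; enforces --rollback-index-boot when
# CONFIG_FIT_ROLLBACK_PROTECT=y (which also needs CONFIG_OPTEE_CLIENT=y),
# signs with the public key written into UBOOT_DTB, reads the rollback
# index back, verifies on the host unless --no-check and minimizes
# u-boot.dtb.
function fit_gen_boot_itb()
{
	if [ -n "${ARG_BOOT_IMG}" ]; then
		"${FIT_UNPACK}" -f "${ARG_BOOT_IMG}" -o "${FIT_DIR}/unpack"
		ITS_BOOT="${FIT_DIR}/unpack/image.its"
	else
		compression=$(awk -F"," '/COMPRESSION=/ { printf "%s", $1 }' ${ARG_INI_TRUST} | tr -d ' ' | cut -c 13-)
		if [ -z "${compression}" ]; then
			compression="none"
		fi
		./arch/arm/mach-rockchip/make_fit_boot.sh -c "${compression}" > "${ITS_BOOT}"
		check_its "${ITS_BOOT}"
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_BOOT}" -E -p "${OFFS_DATA}" "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
	else
		# This branch runs only when ARG_SIGN is "y", so the former
		# "CONFIG_FIT_SIGNATURE is disabled" re-check of ARG_SIGN could
		# never fire and has been dropped.
		check_rsa_keys

		check_rsa_algo "${ITS_BOOT}"

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-boot <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-boot <n>\""
				exit 1
			fi
		fi

		# fixup
		_fit_fixup_its "${ITS_BOOT}"

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_BOOT}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" "${ITS_BOOT}"
		fi

		"${MKIMAGE}" -f "${ITS_BOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
		mv "${SIG_BIN}" "${SIG_BOOT}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_BOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}";
				exit 1
			fi
		fi

		# host check signature
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_BOOT}" -k "${UBOOT_DTB}"
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		_fit_minimize_uboot_dtb
	fi

	mv "${ITS_BOOT}" "${FIT_DIR}"
}

# Generate fit/recovery.itb from the unpacked --recovery_img; exit 1 when
# no recovery image was given. The signed path mirrors fit_gen_boot_itb,
# using --rollback-index-recovery and --version-recovery.
function fit_gen_recovery_itb()
{
	if [ -n "${ARG_RECOVERY_IMG}" ]; then
		"${FIT_UNPACK}" -f "${ARG_RECOVERY_IMG}" -o "${FIT_DIR}/unpack"
		ITS_RECOVERY="${FIT_DIR}/unpack/image.its"
	else
		echo "ERROR: No recovery.img"
		exit 1
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_RECOVERY}" -E -p "${OFFS_DATA}" "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
	else
		# This branch runs only when ARG_SIGN is "y", so the former
		# "CONFIG_FIT_SIGNATURE is disabled" re-check of ARG_SIGN could
		# never fire and has been dropped.
		check_rsa_keys

		check_rsa_algo "${ITS_RECOVERY}"

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: No arg \"--rollback-index-recovery <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-recovery <n>\""
				exit 1
			fi
		fi

		# fixup
		_fit_fixup_its "${ITS_RECOVERY}"

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_RECOVERY}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" "${ITS_RECOVERY}"
		fi

		"${MKIMAGE}" -f "${ITS_RECOVERY}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
		mv "${SIG_BIN}" "${SIG_RECOVERY}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_RECOVERY}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}";
				exit 1
			fi
		fi

		# host check signature
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_RECOVERY}" -k "${UBOOT_DTB}"
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		_fit_minimize_uboot_dtb
	fi

	mv "${ITS_RECOVERY}" "${FIT_DIR}"
}

# Build uboot.img from the itb $1 (default: ITB_UBOOT): the itb is appended
# SPL_FIT_IMAGE_MULTIPLE times, each copy padded to a multiple of
# SPL_FIT_IMAGE_KB KiB. Exits 1 when the itb is larger than one slot.
function fit_gen_uboot_img()
{
	local i

	ITB=${1:-${ITB_UBOOT}}

	ITB_MAX_NUM=$(sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_KB=$(sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_BS=$((ITB_MAX_KB*1024))
	# Byte count of the itb; wc avoids parsing `ls -l` output.
	ITB_BS=$(wc -c < "${ITB}")
	ITB_BS=$((ITB_BS))

	if [ "${ITB_BS}" -gt "${ITB_MAX_BS}" ]; then
		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
		exit 1
	fi

	rm -f "${IMG_UBOOT}"
	for ((i = 0; i < ${ITB_MAX_NUM}; i++));
	do
		cat "${ITB}" >> "${IMG_UBOOT}"
		truncate -s "%${ITB_MAX_KB}K" "${IMG_UBOOT}"
	done
}

# Copy the itb $1 (default: ITB_BOOT) to boot.img unless it already is
# boot.img.
function fit_gen_boot_img()
{
	ITB=${1:-${ITB_BOOT}}

	if [ "${ITB}" != "${IMG_BOOT}" ]; then
		cp -f "${ITB}" "${IMG_BOOT}"
	fi
}

# Copy the itb $1 (default: ITB_RECOVERY) to recovery.img unless it already
# is recovery.img.
function fit_gen_recovery_img()
{
	ITB=${1:-${ITB_RECOVERY}}

	if [ "${ITB}" != "${IMG_RECOVERY}" ]; then
		cp -f "${ITB}" "${IMG_RECOVERY}"
	fi
}

# When signing is enabled, run rk_sign_tool: select the chip, load the key
# pair, then sign whichever loader, download and idblock images exist in
# the current directory.
function fit_gen_loader()
{
	if [ "${ARG_SIGN}" == "y" ]; then
		# Characters 3..8 of ARG_CHIP are passed as the chip name.
		"${RK_SIGN_TOOL}" cc --chip ${ARG_CHIP: 2: 6}
		"${RK_SIGN_TOOL}" lk --key "${RSA_PRI_KEY}" --pubkey "${RSA_PUB_KEY}"
		if ls *loader*.bin >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sl --loader *loader*.bin
		fi
		if ls *download*.bin >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sl --loader *download*.bin
		fi
		if ls *idblock*.img >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sb --idb *idblock*.img
		fi
	fi
}

# Print the "is ready" summary line for uboot.img.
function fit_msg_uboot()
{
	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# Reset first so that a version printed for another image is not
	# reported for this one.
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_UBOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
	fi
}

# Print the "is ready" summary line for boot.img; does nothing when no
# --boot_img was given.
function fit_msg_boot()
{
	if [ -z "${ARG_BOOT_IMG}" ]; then
		return;
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# Reset first so that a version printed for another image is not
	# reported for this one.
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_BOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
	fi
}

# Print the "is ready" summary line for recovery.img; does nothing when no
# --recovery_img was given.
function fit_msg_recovery()
{
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		return;
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# Reset first so that a version printed for another image is not
	# reported for this one.
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_RECOVERY}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
	fi
}

# Print the "is ready" summary line for the loader (spl flavour). An
# idblock image, when present, takes precedence over a loader binary.
function fit_msg_loader()
{
	if ls *loader*.bin >/dev/null 2>&1 ; then
		LOADER=$(ls *loader*.bin)
	fi

	if ls *idblock*.img >/dev/null 2>&1 ; then
		LOADER=$(ls *idblock*.img)
	fi

	if [ "${ARG_SIGN}" == "y" ]; then
		echo "Image(signed): ${LOADER} (with spl, ddr...) is ready"
	else
		echo "Image(no-signed): ${LOADER} (with spl, ddr...) is ready"
	fi
}

# Print the "is ready" summary line for the loader (u-boot flavour). An
# idblock image, when present, takes precedence over a loader binary.
function fit_msg_u_boot_loader()
{
	if ls *loader*.bin >/dev/null 2>&1 ; then
		LOADER=$(ls *loader*.bin)
	fi

	if ls *idblock*.img >/dev/null 2>&1 ; then
		LOADER=$(ls *idblock*.img)
	fi

	if [ "${ARG_SIGN}" == "y" ]; then
		echo "Image(signed): ${LOADER} (with u-boot, ddr...) is ready"
	else
		echo "Image(no-signed): ${LOADER} (with u-boot, ddr...) is ready"
	fi
}

# With --no-sign, export what this build produced into SIG_CFG_DIR: the
# loader ini, a copy of .config extended with the load addresses, the
# sha256 of the u-boot and SPL binaries, the SPL size and a build stamp,
# plus a tarball of the unsigned uboot.img and loader.
#
# NOTE(review): presumably this bundle is consumed by a separate signing
# step - confirm. The build stamp records the builder's git e-mail, user
# and host name.
function fit_signcfg_export()
{
	if [ "${ARG_NO_SIGN}" == "y" ]; then
		if ls *loader*.bin >/dev/null 2>&1 ; then
			LOADER=$(ls *loader*.bin)
		elif ls *download*.bin >/dev/null 2>&1 ; then
			LOADER=$(ls *download*.bin)
		else
			echo "ERROR: No loader found"
			exit 1
		fi
		cp "${ARG_INI_LOADER}" "${MINIALL_INI}"
		cp .config "${SIG_CONFIG}"

		mkdir -p "${SIG_CFG_DIR}/test_images/"
		cp uboot.img "${SIG_CFG_DIR}/test_images/"
		# LOADER may name several files, hence unquoted.
		cp ${LOADER} "${SIG_CFG_DIR}/test_images/"
		tar zcvf "${SIG_CFG_DIR}/test_images.tar.gz" "${SIG_CFG_DIR}/test_images" >/dev/null 2>&1
		rm -rf "${SIG_CFG_DIR}/test_images/"

		FDT_ADDR_R=$(_fit_env_value fdt_addr_r)
		KERNEL_ADDR_R=$(_fit_env_value kernel_addr_r)
		RMADISK_ADDR_R=$(_fit_env_value ramdisk_addr_r)
		echo "fdt_addr_r=${FDT_ADDR_R}" >> "${SIG_CONFIG}"
		echo "kernel_addr_r=${KERNEL_ADDR_R}" >> "${SIG_CONFIG}"
		echo "ramdisk_addr_r=${RMADISK_ADDR_R}" >> "${SIG_CONFIG}"

		CSUM=$(sha256sum u-boot-nodtb.bin | awk '{ print $1 }')
		echo "uboot_sha256sum=${CSUM}" >> "${SIG_CONFIG}"
		CSUM=$(sha256sum spl/u-boot-spl-nodtb.bin | awk '{ print $1 }')
		echo "spl_sha256sum=${CSUM}" >> "${SIG_CONFIG}"
		SIZE=$(wc -c < spl/u-boot-spl-nodtb.bin)
		SIZE=$((SIZE))
		echo "spl_size=${SIZE}" >> "${SIG_CONFIG}"

		# `git config --get` returns non-zero when user.email is not
		# set; under `set -e` that would abort the export silently.
		BUILD_MAIL=$(git config --get user.email || true)
		BUILD_HOST=$(hostname)
		BUILD_USER=${USER}
		BUILD_DATE=$(date)
		echo "BUILD: ${BUILD_MAIL} # ${BUILD_USER}@${BUILD_HOST} # ${BUILD_DATE}" >> "${SIG_CONFIG}"
	fi
}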