1#!/bin/bash 2# 3# Copyright (c) 2022 Rockchip Electronics Co., Ltd 4# 5# SPDX-License-Identifier: GPL-2.0 6# 7set -e 8 9FIT_DIR="fit" 10IMG_UBOOT="uboot.img" 11IMG_BOOT="boot.img" 12IMG_RECOVERY="recovery.img" 13ITB_UBOOT="${FIT_DIR}/uboot.itb" 14ITB_BOOT="${FIT_DIR}/boot.itb" 15ITB_RECOVERY="${FIT_DIR}/recovery.itb" 16SIG_BIN="data2sign.bin" 17SIG_UBOOT="${FIT_DIR}/uboot.data2sign" 18SIG_BOOT="${FIT_DIR}/boot.data2sign" 19SIG_RECOVERY="${FIT_DIR}/recovery.data2sign" 20# offs 21if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then 22 OFFS_DATA="0x1200" 23else 24 OFFS_DATA="0x1000" 25fi 26# placeholder address 27FDT_ADDR_PLACEHOLDER="0xffffff00" 28KERNEL_ADDR_PLACEHOLDER="0xffffff01" 29RAMDISK_ADDR_PLACEHOLDER="0xffffff02" 30# tools 31MKIMAGE="./tools/mkimage" 32RK_SIGN_TOOL="../rkbin/tools/rk_sign_tool" 33FIT_UNPACK="./scripts/fit-unpack.sh" 34CHECK_SIGN="./tools/fit_check_sign" 35# key 36KEY_DIR="keys/" 37RSA_PRI_KEY="keys/dev.key" 38RSA_PUB_KEY="keys/dev.pubkey" 39RSA_CRT_KEY="keys/dev.crt" 40SIGNATURE_KEY_NODE="/signature/key-dev" 41SPL_DTB="spl/u-boot-spl.dtb" 42UBOOT_DTB="u-boot.dtb" 43# its 44ITS_UBOOT="u-boot.its" 45ITS_BOOT="boot.its" 46ITS_RECOVERY="recovery.its" 47ARG_VER_UBOOT="0" 48ARG_VER_BOOT="0" 49ARG_VER_RECOVERY="0" 50 51function help() 52{ 53 echo 54 echo "usage:" 55 echo " $0 [args]" 56 echo 57 echo "args:" 58 echo " --rollback-index-recovery <decimal integer>" 59 echo " --rollback-index-boot <decimal integer>" 60 echo " --rollback-index-uboot <decimal integer>" 61 echo " --version-recovery <decimal integer>" 62 echo " --version-boot <decimal integer>" 63 echo " --version-uboot <decimal integer>" 64 echo " --boot_img <boot image>" 65 echo " --recovery_img <recovery image>" 66 echo " --args <arg>" 67 echo " --ini-loader <loader ini file>" 68 echo " --ini-trust <trust ini file>" 69 echo " --no-check" 70 echo " --spl-new" 71 echo 72} 73 74function arg_check_decimal() 75{ 76 if [ -z $1 ]; then 77 help 78 exit 1 79 fi 80 81 decimal=`echo $1 |sed 's/[0-9]//g'` 82 if [ ! -z ${decimal} ]; then 83 echo "ERROR: $1 is not decimal integer" 84 help 85 exit 1 86 fi 87} 88 89function check_its() 90{ 91 cat $1 | while read line 92 do 93 file=`echo ${line} | sed -n "/incbin/p" | awk -F '"' '{ printf $2 }' | tr -d ' '` 94 if [ ! -f ${file} ]; then 95 echo "ERROR: No ${file}" 96 exit 1 97 fi 98 done 99} 100 101function check_rsa_keys() 102{ 103 if [ ! -f ${RSA_PRI_KEY} ]; then 104 echo "ERROR: No ${RSA_PRI_KEY} " 105 exit 1 106 elif [ ! -f ${RSA_PUB_KEY} ]; then 107 echo "ERROR: No ${RSA_PUB_KEY} " 108 exit 1 109 elif [ ! -f ${RSA_CRT_KEY} ]; then 110 echo "ERROR: No ${RSA_CRT_KEY} " 111 exit 1 112 fi 113} 114 115function validate_arg() 116{ 117 case $1 in 118 --no-check|--spl-new|--burn-key-hash) 119 shift=1 120 ;; 121 --ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--boot_img|--recovery_img|--version-uboot|--version-boot|--version-recovery|--chip) 122 shift=2 123 ;; 124 *) 125 shift=0 126 ;; 127 esac 128 echo ${shift} 129} 130 131function fit_process_args() 132{ 133 if [ $# -eq 0 ]; then 134 help 135 exit 0 136 fi 137 138 while [ $# -gt 0 ]; do 139 case $1 in 140 --args) 141 ARG_VALIDATE=$2 142 shift 2 143 ;; 144 --boot_img) # boot.img 145 ARG_BOOT_IMG=$2 146 shift 2 147 ;; 148 --chip) 149 ARG_CHIP=$2 150 shift 2 151 ;; 152 --recovery_img) # recovery.img 153 ARG_RECOVERY_IMG=$2 154 shift 2 155 ;; 156 --boot_img_dir) # boot.img components directory 157 ARG_BOOT_IMG_DIR=$2 158 shift 2 159 ;; 160 --no-check) # No hostcc fit signature check 161 ARG_NO_CHECK="y" 162 shift 1 163 ;; 164 --ini-trust) # Assign trust ini file 165 ARG_INI_TRUST=$2 166 shift 2 167 ;; 168 --ini-loader) # Assign loader ini file 169 ARG_INI_LOADER=$2 170 shift 2 171 ;; 172 --spl-new) # Use current build u-boot-spl.bin to pack loader 173 ARG_SPL_NEW="y" 174 shift 1 175 ;; 176 --rollback-index-boot) 177 ARG_ROLLBACK_IDX_BOOT=$2 178 arg_check_decimal $2 179 shift 2 180 ;; 181 --rollback-index-recovery) 182 ARG_ROLLBACK_IDX_RECOVERY=$2 183 arg_check_decimal $2 184 shift 2 185 ;; 186 --rollback-index-uboot) 187 ARG_ROLLBACK_IDX_UBOOT=$2 188 arg_check_decimal $2 189 shift 2 190 ;; 191 --version-uboot) 192 ARG_VER_UBOOT=$2 193 arg_check_decimal $2 194 shift 2 195 ;; 196 --version-boot) 197 ARG_VER_BOOT=$2 198 arg_check_decimal $2 199 shift 2 200 ;; 201 --version-recovery) 202 ARG_VER_RECOVERY=$2 203 arg_check_decimal $2 204 shift 2 205 ;; 206 --burn-key-hash) 207 ARG_BURN_KEY_HASH="y" 208 shift 1 209 ;; 210 *) 211 help 212 exit 1 213 ;; 214 esac 215 done 216 217 if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then 218 ARG_SIGN="y" 219 fi 220} 221 222function fit_raw_compile() 223{ 224 # Verified-boot: should rebuild code but don't need to repack images. 225 if [ "${ARG_SIGN}" == "y" ]; then 226 ./make.sh --raw-compile 227 fi 228 rm ${FIT_DIR} -rf && mkdir -p ${FIT_DIR} 229} 230 231function fit_gen_uboot_itb() 232{ 233 # generate u-boot.its file 234 ./make.sh itb ${ARG_INI_TRUST} 235 236 # check existance of file in its 237 check_its ${ITS_UBOOT} 238 239 if [ "${ARG_SIGN}" != "y" ]; then 240 ${MKIMAGE} -f ${ITS_UBOOT} -E -p ${OFFS_DATA} ${ITB_UBOOT} -v ${ARG_VER_UBOOT} 241 if [ "${ARG_SPL_NEW}" == "y" ]; then 242 ./make.sh --spl ${ARG_INI_LOADER} 243 echo "pack loader with new: spl/u-boot-spl.bin" 244 else 245 ./make.sh loader ${ARG_INI_LOADER} 246 fi 247 else 248 check_rsa_keys 249 250 if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then 251 echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled" 252 exit 1 253 fi 254 255 # rollback-index 256 if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then 257 ARG_SPL_ROLLBACK_PROTECT="y" 258 if [ -z ${ARG_ROLLBACK_IDX_UBOOT} ]; then 259 echo "ERROR: No arg \"--rollback-index-uboot <n>\"" 260 exit 1 261 fi 262 fi 263 264 if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then 265 VERSION=`grep 'rollback-index' ${ITS_UBOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '` 266 sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" ${ITS_UBOOT} 267 fi 268 269 # Generally, boot.img is signed before uboot.img, so the ras key can be found 270 # in u-boot.dtb. If not found, let's insert rsa key anyway. 271 if ! fdtget -l ${UBOOT_DTB} /signature >/dev/null 2>&1 ; then 272 ${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT} 273 echo "## Adding RSA public key into ${UBOOT_DTB}" 274 fi 275 276 # Pack 277 ${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${SPL_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT} 278 mv ${SIG_BIN} ${SIG_UBOOT} 279 280 # burn-key-hash 281 if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then 282 if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then 283 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash 0x1 284 else 285 echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y" 286 exit 1 287 fi 288 fi 289 290 # rollback-index read back check 291 if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then 292 VERSION=`fdtget -ti ${ITB_UBOOT} /configurations/conf rollback-index` 293 if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then 294 echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}"; 295 exit 1 296 fi 297 fi 298 299 # burn-key-hash read back check 300 if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then 301 if [ "`fdtget -ti ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash`" != "1" ]; then 302 echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}"; 303 exit 1 304 fi 305 fi 306 307 # host check signature 308 if [ "${ARG_NO_CHECK}" != "y" ]; then 309 if [ "${ARG_SPL_NEW}" == "y" ]; then 310 ${CHECK_SIGN} -f ${ITB_UBOOT} -k ${SPL_DTB} -s 311 else 312 spl_file="../rkbin/"`sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER} |tr -d '\r'` 313 offs=`fdtdump -s ${spl_file} | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " "` 314 if [ -z ${offs} ]; then 315 echo "ERROR: invalid ${spl_file} , unable to find fdt blob" 316 fi 317 offs=`printf %d ${offs} ` # hex -> dec 318 dd if=${spl_file} of=spl/u-boot-spl-old.dtb bs=${offs} skip=1 >/dev/null 2>&1 319 ${CHECK_SIGN} -f ${ITB_UBOOT} -k spl/u-boot-spl-old.dtb -s 320 fi 321 fi 322 323 # minimize u-boot-spl.dtb: clear as 0 but not remove property. 324 if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then 325 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0 326 if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then 327 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 328 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np 329 else 330 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 331 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c 332 fi 333 else 334 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 335 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 336 fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0 337 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c 338 fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np 339 fi 340 341 # repack spl 342 if [ "${ARG_SPL_NEW}" == "y" ]; then 343 cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin 344 if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then 345 cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin 346 fi 347 cat ${SPL_DTB} >> spl/u-boot-spl.bin 348 349 ./make.sh --spl ${ARG_INI_LOADER} 350 echo "## pack loader with new: spl/u-boot-spl.bin" 351 else 352 ./make.sh loader ${ARG_INI_LOADER} 353 fi 354 355 if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then 356 echo "## ${SPL_DTB}: burn-key-hash=1" 357 fi 358 fi 359 360 rm -f u-boot.itb u-boot.img u-boot-dtb.img 361 mv ${ITS_UBOOT} ${FIT_DIR} 362} 363 364function fit_gen_boot_itb() 365{ 366 if [ ! -z ${ARG_BOOT_IMG} ]; then 367 ${FIT_UNPACK} -f ${ARG_BOOT_IMG} -o ${FIT_DIR}/unpack 368 ITS_BOOT="${FIT_DIR}/unpack/image.its" 369 else 370 compression=`awk -F"," '/COMPRESSION=/ { printf $1 }' ${ARG_INI_TRUST} | tr -d ' ' | cut -c 13-` 371 if [ -z "${compression}" ]; then 372 compression="none" 373 fi 374 ./arch/arm/mach-rockchip/make_fit_boot.sh -c ${compression} > ${ITS_BOOT} 375 check_its ${ITS_BOOT} 376 fi 377 378 if [ "${ARG_SIGN}" != "y" ]; then 379 ${MKIMAGE} -f ${ITS_BOOT} -E -p ${OFFS_DATA} ${ITB_BOOT} -v ${ARG_VER_BOOT} 380 else 381 check_rsa_keys 382 383 if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then 384 echo "ERROR: CONFIG_FIT_SIGNATURE is disabled" 385 exit 1 386 fi 387 388 if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then 389 ARG_ROLLBACK_PROTECT="y" 390 if [ -z ${ARG_ROLLBACK_IDX_BOOT} ]; then 391 echo "ERROR: No arg \"--rollback-index-boot <n>\"" 392 exit 1 393 fi 394 if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then 395 echo "ERROR: Don't support \"--rollback-index-boot <n>\"" 396 exit 1 397 fi 398 fi 399 400 # fixup 401 FDT_ADDR_R=`strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }'` 402 KERNEL_ADDR_R=`strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }'` 403 RMADISK_ADDR_R=`strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }'` 404 sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g" ${ITS_BOOT} 405 sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g" ${ITS_BOOT} 406 sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_BOOT} 407 if grep -q '^CONFIG_ARM64=y' .config ; then 408 sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_BOOT} 409 fi 410 411 if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then 412 VERSION=`grep 'rollback-index' ${ITS_BOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '` 413 sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" ${ITS_BOOT} 414 fi 415 416 ${MKIMAGE} -f ${ITS_BOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_BOOT} -v ${ARG_VER_BOOT} 417 mv ${SIG_BIN} ${SIG_BOOT} 418 419 # rollback-index read back check 420 if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then 421 VERSION=`fdtget -ti ${ITB_BOOT} /configurations/conf rollback-index` 422 if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then 423 echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}"; 424 exit 1 425 fi 426 fi 427 428 # host check signature 429 if [ "${ARG_NO_CHECK}" != "y" ]; then 430 ${CHECK_SIGN} -f ${ITB_BOOT} -k ${UBOOT_DTB} 431 fi 432 433 # minimize u-boot.dtb: clearn as 0 but not remove property. 434 if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then 435 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0 436 if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then 437 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 438 else 439 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 440 fi 441 else 442 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 443 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 444 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0 445 fi 446 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c 447 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np 448 fi 449 450 mv ${ITS_BOOT} ${FIT_DIR} 451} 452 453function fit_gen_recovery_itb() 454{ 455 if [ ! -z ${ARG_RECOVERY_IMG} ]; then 456 ${FIT_UNPACK} -f ${ARG_RECOVERY_IMG} -o ${FIT_DIR}/unpack 457 ITS_RECOVERY="${FIT_DIR}/unpack/image.its" 458 else 459 echo "ERROR: No recovery.img" 460 exit 1 461 fi 462 463 if [ "${ARG_SIGN}" != "y" ]; then 464 ${MKIMAGE} -f ${ITS_RECOVERY} -E -p ${OFFS_DATA} ${ITB_RECOVERY} -v ${ARG_VER_RECOVERY} 465 else 466 check_rsa_keys 467 468 if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then 469 echo "ERROR: CONFIG_FIT_SIGNATURE is disabled" 470 exit 1 471 fi 472 473 if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then 474 ARG_ROLLBACK_PROTECT="y" 475 if [ -z ${ARG_ROLLBACK_IDX_RECOVERY} ]; then 476 echo "ERROR: No arg \"--rollback-index-recovery <n>\"" 477 exit 1 478 fi 479 if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then 480 echo "ERROR: Don't support \"--rollback-index-recovery <n>\"" 481 exit 1 482 fi 483 fi 484 485 # fixup 486 FDT_ADDR_R=`strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }'` 487 KERNEL_ADDR_R=`strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }'` 488 RMADISK_ADDR_R=`strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }'` 489 sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g" ${ITS_RECOVERY} 490 sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g" ${ITS_RECOVERY} 491 sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_RECOVERY} 492 if grep -q '^CONFIG_ARM64=y' .config ; then 493 sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_RECOVERY} 494 fi 495 496 if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then 497 VERSION=`grep 'rollback-index' ${ITS_RECOVERY} | awk -F '=' '{ printf $2 }' | tr -d ' '` 498 sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" ${ITS_RECOVERY} 499 fi 500 501 ${MKIMAGE} -f ${ITS_RECOVERY} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_RECOVERY} -v ${ARG_VER_RECOVERY} 502 mv ${SIG_BIN} ${SIG_RECOVERY} 503 504 # rollback-index read back check 505 if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then 506 VERSION=`fdtget -ti ${ITB_RECOVERY} /configurations/conf rollback-index` 507 if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then 508 echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}"; 509 exit 1 510 fi 511 fi 512 513 # host check signature 514 if [ "${ARG_NO_CHECK}" != "y" ]; then 515 ${CHECK_SIGN} -f ${ITB_RECOVERY} -k ${UBOOT_DTB} 516 fi 517 518 # minimize u-boot.dtb: clearn as 0 but not remove property. 519 if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then 520 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0 521 if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then 522 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 523 else 524 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 525 fi 526 else 527 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0 528 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0 529 fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0 530 fi 531 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c 532 fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np 533 fi 534 535 mv ${ITS_RECOVERY} ${FIT_DIR} 536} 537 538function fit_gen_uboot_img() 539{ 540 ITB=$1 541 542 if [ -z ${ITB} ]; then 543 ITB=${ITB_UBOOT} 544 fi 545 546 ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'` 547 ITB_MAX_KB=`sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'` 548 ITB_MAX_BS=$((ITB_MAX_KB*1024)) 549 ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'` 550 551 if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then 552 echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes" 553 exit 1 554 fi 555 556 rm -f ${IMG_UBOOT} 557 for ((i = 0; i < ${ITB_MAX_NUM}; i++)); 558 do 559 cat ${ITB} >> ${IMG_UBOOT} 560 truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT} 561 done 562} 563 564function fit_gen_boot_img() 565{ 566 ITB=$1 567 568 if [ -z ${ITB} ]; then 569 ITB=${ITB_BOOT} 570 fi 571 572 if [ "${ITB}" != "${IMG_BOOT}" ]; then 573 cp ${ITB} ${IMG_BOOT} -f 574 fi 575} 576 577function fit_gen_recovery_img() 578{ 579 ITB=$1 580 581 if [ -z ${ITB} ]; then 582 ITB=${ITB_RECOVERY} 583 fi 584 585 if [ "${ITB}" != "${IMG_RECOVERY}" ]; then 586 cp ${ITB} ${IMG_RECOVERY} -f 587 fi 588} 589 590function fit_gen_loader() 591{ 592 if grep -Eq '^CONFIG_FIT_SIGNATURE=y' .config ; then 593 ${RK_SIGN_TOOL} cc --chip ${ARG_CHIP: 2: 6} 594 ${RK_SIGN_TOOL} lk --key ${RSA_PRI_KEY} --pubkey ${RSA_PUB_KEY} 595 if ls *loader*.bin >/dev/null 2>&1 ; then 596 ${RK_SIGN_TOOL} sl --loader *loader*.bin 597 fi 598 if ls *download*.bin >/dev/null 2>&1 ; then 599 ${RK_SIGN_TOOL} sl --loader *download*.bin 600 fi 601 if ls *idblock*.img >/dev/null 2>&1 ; then 602 ${RK_SIGN_TOOL} sb --idb *idblock*.img 603 fi 604 fi 605} 606 607function fit_msg_uboot() 608{ 609 if [ "${ARG_SIGN}" != "y" ]; then 610 MSG_SIGN="no-signed" 611 else 612 MSG_SIGN="signed" 613 fi 614 615 VERSION=`fdtget -ti ${ITB_UBOOT} / version` 616 if [ "${VERSION}" != "" ]; then 617 MSG_VER=", version=${VERSION}" 618 fi 619 620 if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then 621 echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready" 622 else 623 echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_UBOOT} (FIT with uboot, trust...) is ready" 624 fi 625} 626 627function fit_msg_boot() 628{ 629 if [ -z "${ARG_BOOT_IMG}" ]; then 630 return; 631 fi 632 633 if [ "${ARG_SIGN}" != "y" ]; then 634 MSG_SIGN="no-signed" 635 else 636 MSG_SIGN="signed" 637 fi 638 639 VERSION=`fdtget -ti ${ITB_BOOT} / version` 640 if [ "${VERSION}" != "" ]; then 641 MSG_VER=", version=${VERSION}" 642 fi 643 644 if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then 645 echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready" 646 else 647 echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready" 648 fi 649} 650 651function fit_msg_recovery() 652{ 653 if [ -z "${ARG_RECOVERY_IMG}" ]; then 654 return; 655 fi 656 657 if [ "${ARG_SIGN}" != "y" ]; then 658 MSG_SIGN="no-signed" 659 else 660 MSG_SIGN="signed" 661 fi 662 663 VERSION=`fdtget -ti ${ITB_RECOVERY} / version` 664 if [ "${VERSION}" != "" ]; then 665 MSG_VER=", version=${VERSION}" 666 fi 667 668 if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then 669 echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} is ready" 670 else 671 echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready" 672 fi 673} 674 675function fit_msg_loader() 676{ 677 if ls *loader*.bin >/dev/null 2>&1 ; then 678 LOADER=`ls *loader*.bin` 679 fi 680 681 if ls *idblock*.img >/dev/null 2>&1 ; then 682 LOADER=`ls *idblock*.img` 683 fi 684 685 if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then 686 echo "Image(signed): ${LOADER} (with spl, ddr...) is ready" 687 else 688 echo "Image(no-signed): ${LOADER} (with spl, ddr...) is ready" 689 fi 690} 691 692function fit_msg_u_boot_loader() 693{ 694 if ls *loader*.bin >/dev/null 2>&1 ; then 695 LOADER=`ls *loader*.bin` 696 fi 697 698 if ls *idblock*.img >/dev/null 2>&1 ; then 699 LOADER=`ls *idblock*.img` 700 fi 701 702 if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then 703 echo "Image(signed): ${LOADER} (with u-boot, ddr...) is ready" 704 else 705 echo "Image(no-signed): ${LOADER} (with u-boot, ddr...) is ready" 706 fi 707} 708