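#!/bin/bash
#
# Copyright (c) 2022 Rockchip Electronics Co., Ltd
#
# SPDX-License-Identifier: GPL-2.0
#
# Functions for packing the FIT images uboot.img, boot.img and recovery.img
# and, when ./.config has CONFIG_FIT_SIGNATURE=y, for signing them with the
# RSA key material under keys/. Every path below is relative to the current
# working directory.
#
set -e

FIT_DIR="fit"
IMG_UBOOT="uboot.img"
IMG_BOOT="boot.img"
IMG_RECOVERY="recovery.img"
ITB_UBOOT="${FIT_DIR}/uboot.itb"
ITB_BOOT="${FIT_DIR}/boot.itb"
ITB_RECOVERY="${FIT_DIR}/recovery.itb"
# mkimage leaves the to-be-signed data in SIG_BIN; it is moved to SIG_* per image
SIG_BIN="data2sign.bin"
SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
SIG_BOOT="${FIT_DIR}/boot.data2sign"
SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"
# offset handed to "mkimage -p" (position of the external data)
OFFS_DATA="0x1000"
# file that names the chip's *_common.h header (see _fit_fixup_its)
CHIP_FILE="arch/arm/lib/.asm-offsets.s.cmd"
# placeholder addresses in the .its that _fit_fixup_its replaces
FDT_ADDR_PLACEHOLDER="0xffffff00"
KERNEL_ADDR_PLACEHOLDER="0xffffff01"
RAMDISK_ADDR_PLACEHOLDER="0xffffff02"
# tools
MKIMAGE="./tools/mkimage"
RK_SIGN_TOOL="../rkbin/tools/rk_sign_tool"
FIT_UNPACK="./scripts/fit-unpack.sh"
CHECK_SIGN="./tools/fit_check_sign"
# key material. check_rsa_keys only verifies that the three files exist.
# NOTE(review): dev.key is presumably the RSA private signing key; nothing in
# this file checks its permissions or where it came from.
KEY_DIR="keys/"
RSA_PRI_KEY="keys/dev.key"
RSA_PUB_KEY="keys/dev.pubkey"
RSA_CRT_KEY="keys/dev.crt"
SIGNATURE_KEY_NODE="/signature/key-dev"
SPL_DTB="spl/u-boot-spl.dtb"
UBOOT_DTB="u-boot.dtb"
# its
ITS_UBOOT="u-boot.its"
ITS_BOOT="boot.its"
ITS_RECOVERY="recovery.its"
ARG_VER_UBOOT="0"
ARG_VER_BOOT="0"
ARG_VER_RECOVERY="0"

#######################################
# Print the usage text to stdout.
#######################################
function help()
{
	printf '%s\n' \
		"" \
		"usage:" \
		" $0 [args]" \
		"" \
		"args:" \
		" --rollback-index-recovery <decimal integer>" \
		" --rollback-index-boot <decimal integer>" \
		" --rollback-index-uboot <decimal integer>" \
		" --version-recovery <decimal integer>" \
		" --version-boot <decimal integer>" \
		" --version-uboot <decimal integer>" \
		" --boot_img <boot image>" \
		" --recovery_img <recovery image>" \
		" --args <arg>" \
		" --ini-loader <loader ini file>" \
		" --ini-trust <trust ini file>" \
		" --no-check" \
		" --spl-new" \
		""
}

#######################################
# Exit with status 1 (after printing help) unless $1 is a non-empty string
# made only of the digits 0-9.
# Arguments: $1 - value to validate
#######################################
function arg_check_decimal()
{
	if [ -z "$1" ]; then
		help
		exit 1
	fi

	case "$1" in
	*[!0-9]*)
		echo "ERROR: $1 is not decimal integer"
		help
		exit 1
		;;
	esac
}

#######################################
# Check that every file referenced by an /incbin/ line of an .its exists.
# Exits with status 1 on the first missing file. A missing .its now fails
# here as well; the former "cat | while" form hid that error.
# Arguments: $1 - path of the .its file
#######################################
function check_its()
{
	local line file

	while IFS= read -r line || [ -n "${line}" ]; do
		case "${line}" in
		*incbin*) ;;
		*) continue ;;
		esac

		# the path is the text between the first pair of double quotes
		file=$(printf '%s\n' "${line}" | awk -F '"' '{ printf "%s", $2 }' | tr -d ' ')
		if [ -n "${file}" ] && [ ! -f "${file}" ]; then
			echo "ERROR: No ${file}"
			exit 1
		fi
	done < "$1"
}

#######################################
# Exit with status 1 unless the private key, public key and certificate
# files all exist. Only existence is checked, not content or permissions.
#######################################
function check_rsa_keys()
{
	local key

	for key in "${RSA_PRI_KEY}" "${RSA_PUB_KEY}" "${RSA_CRT_KEY}"; do
		if [ ! -f "${key}" ]; then
			echo "ERROR: No ${key} "
			exit 1
		fi
	done
}

#######################################
# Report how many words an option occupies on the command line.
# Arguments: $1 - option name
# Outputs:   1 (flag), 2 (option plus value) or 0 (not listed here)
# Globals:   shift (written); kept because the original set it too
#######################################
function validate_arg()
{
	case "$1" in
	--no-check|--spl-new|--burn-key-hash)
		shift=1
		;;
	--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--boot_img|--recovery_img|--version-uboot|--version-boot|--version-recovery|--chip)
		shift=2
		;;
	*)
		shift=0
		;;
	esac
	echo "${shift}"
}

#######################################
# Parse the command line into the ARG_* globals and set ARG_SIGN="y" when
# .config has CONFIG_FIT_SIGNATURE=y. With no arguments: print help, exit 0.
# An unknown option, or an option whose value is missing, prints help and
# exits 1.
# Arguments: the script's command line
#######################################
function fit_process_args()
{
	if [ $# -eq 0 ]; then
		help
		exit 0
	fi

	while [ $# -gt 0 ]; do
		# A value-taking option given last would make "shift 2" fail, so the
		# loop could never advance; reject it explicitly. The decimal options
		# are covered by arg_check_decimal.
		case "$1" in
		--args|--boot_img|--chip|--recovery_img|--boot_img_dir|--ini-trust|--ini-loader)
			if [ $# -lt 2 ]; then
				help
				exit 1
			fi
			;;
		esac

		case "$1" in
		--args)
			ARG_VALIDATE=$2
			shift 2
			;;
		--boot_img)	# boot.img
			ARG_BOOT_IMG=$2
			shift 2
			;;
		--chip)
			ARG_CHIP=$2
			shift 2
			;;
		--recovery_img)	# recovery.img
			ARG_RECOVERY_IMG=$2
			shift 2
			;;
		--boot_img_dir)	# boot.img components directory
			ARG_BOOT_IMG_DIR=$2
			shift 2
			;;
		--no-check)	# No hostcc fit signature check
			# Skips the fit_check_sign run after signing, so a bad
			# signature is not caught on the build host.
			ARG_NO_CHECK="y"
			shift 1
			;;
		--ini-trust)	# Assign trust ini file
			ARG_INI_TRUST=$2
			shift 2
			;;
		--ini-loader)	# Assign loader ini file
			ARG_INI_LOADER=$2
			shift 2
			;;
		--spl-new)	# Use current build u-boot-spl.bin to pack loader
			ARG_SPL_NEW="y"
			shift 1
			;;
		--rollback-index-boot)
			ARG_ROLLBACK_IDX_BOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--rollback-index-recovery)
			ARG_ROLLBACK_IDX_RECOVERY=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--rollback-index-uboot)
			ARG_ROLLBACK_IDX_UBOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--version-uboot)
			ARG_VER_UBOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--version-boot)
			ARG_VER_BOOT=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--version-recovery)
			ARG_VER_RECOVERY=$2
			arg_check_decimal "$2"
			shift 2
			;;
		--burn-key-hash)
			ARG_BURN_KEY_HASH="y"
			shift 1
			;;
		*)
			help
			exit 1
			;;
		esac
	done

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		ARG_SIGN="y"
	fi
}

#######################################
# Rebuild the code when signing is enabled, then recreate an empty FIT_DIR.
#######################################
function fit_raw_compile()
{
	# Verified-boot: should rebuild code but don't need to repack images.
	if [ "${ARG_SIGN}" = "y" ]; then
		./make.sh --raw-compile
	fi

	# ":?" aborts instead of expanding to nothing if FIT_DIR is ever empty
	rm -rf -- "${FIT_DIR:?}"
	mkdir -p -- "${FIT_DIR}"
}

#######################################
# Generate u-boot.its, build ITB_UBOOT from it (signed when ARG_SIGN is "y")
# and pack the loader through ./make.sh.
# Globals: reads ARG_*; writes ARG_SPL_ROLLBACK_PROTECT and VERSION
#######################################
function fit_gen_uboot_itb()
{
	local spl_file offs

	# generate u-boot.its file
	# ARG_INI_TRUST / ARG_INI_LOADER stay unquoted where they are handed to
	# make.sh: an empty value must become "no argument".
	./make.sh itb ${ARG_INI_TRUST}

	# check existence of file in its
	check_its "${ITS_UBOOT}"

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_UBOOT}" -E -p "${OFFS_DATA}" "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		if [ "${ARG_SPL_NEW}" = "y" ]; then
			./make.sh --spl ${ARG_INI_LOADER}
			echo "pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER}
		fi
	else
		check_rsa_keys

		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index
		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_SPL_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
				exit 1
			fi
		fi

		if [ "${ARG_SPL_ROLLBACK_PROTECT}" = "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_UBOOT}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" "${ITS_UBOOT}"
		fi

		# Generally, boot.img is signed before uboot.img, so the RSA key can be
		# found in u-boot.dtb. If not found, let's insert the RSA key anyway.
		if ! fdtget -l "${UBOOT_DTB}" /signature >/dev/null 2>&1 ; then
			"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
			echo "## Adding RSA public key into ${UBOOT_DTB}"
		fi

		# Pack: sign with the keys in KEY_DIR and write the public key into
		# the SPL DTB (-K), marked as required (-r).
		"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${SPL_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		mv "${SIG_BIN}" "${SIG_UBOOT}"

		# burn-key-hash
		# NOTE(review): presumably this tells the SPL to program the key hash
		# into the device, which is likely irreversible - confirm before use.
		if [ "${ARG_BURN_KEY_HASH}" = "y" ]; then
			if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash 0x1
			else
				echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
				exit 1
			fi
		fi

		# rollback-index read back check
		if [ "${ARG_SPL_ROLLBACK_PROTECT}" = "y" ]; then
			VERSION=$(fdtget -ti "${ITB_UBOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}";
				exit 1
			fi
		fi

		# burn-key-hash read back check
		if [ "${ARG_BURN_KEY_HASH}" = "y" ]; then
			if [ "$(fdtget -ti "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash)" != "1" ]; then
				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}";
				exit 1
			fi
		fi

		# host check signature
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			if [ "${ARG_SPL_NEW}" = "y" ]; then
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k "${SPL_DTB}" -s
			else
				# Verify against the DTB embedded in the prebuilt SPL named
				# by FlashBoot= in the loader ini.
				spl_file="../rkbin/"$(sed -n "/FlashBoot=/s/FlashBoot=//p" "${ARG_INI_LOADER}" | tr -d '\r')
				offs=$(fdtdump -s "${spl_file}" | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " ")
				if [ -z "${offs}" ]; then
					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
					# Stop here: continuing would run printf/dd with an empty
					# offset and die later with the real cause hidden by the
					# dd output redirection.
					exit 1
				fi
				offs=$(printf %d "${offs}")	# hex -> dec
				dd if="${spl_file}" of=spl/u-boot-spl-old.dtb bs="${offs}" skip=1 >/dev/null 2>&1
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k spl/u-boot-spl-old.dtb -s
			fi
		fi

		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
			else
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fi
		else
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
		fi

		# repack spl
		if [ "${ARG_SPL_NEW}" = "y" ]; then
			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
			fi
			cat "${SPL_DTB}" >> spl/u-boot-spl.bin

			./make.sh --spl ${ARG_INI_LOADER}
			echo "## pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER}
		fi

		if [ "${ARG_BURN_KEY_HASH}" = "y" ]; then
			echo "## ${SPL_DTB}: burn-key-hash=1"
		fi
	fi

	rm -f u-boot.itb u-boot.img u-boot-dtb.img
	mv "${ITS_UBOOT}" "${FIT_DIR}"
}

#######################################
# Replace the placeholder load addresses in an .its with the values found in
# the chip's *_common.h, and switch arch to "arm64" when CONFIG_ARM64=y.
# Shared by the boot and recovery paths so both stay in step.
# Arguments: $1 - path of the .its file to edit in place
# Globals:   writes COMMON_FILE, FDT_ADDR_R, KERNEL_ADDR_R, RMADISK_ADDR_R
#            (names, including the RMADISK spelling, kept from the original)
#######################################
function _fit_fixup_its()
{
	local its=$1

	COMMON_FILE=$(sed -n "/_common.h/p" "${CHIP_FILE}" | awk '{ print $1 }')
	# COMMON_FILE stays unquoted, as in the original command lines.
	# Each value is the text between '=' and the first backslash.
	FDT_ADDR_R=$(awk '/fdt_addr_r/' ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
	KERNEL_ADDR_R=$(awk '/kernel_addr_r/' ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
	RMADISK_ADDR_R=$(awk '/ramdisk_addr_r/' ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
	sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g" "${its}"
	sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g" "${its}"
	sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${its}"
	if grep -q '^CONFIG_ARM64=y' .config ; then
		sed -i 's/arch = "arm";/arch = "arm64";/g' "${its}"
	fi
}

#######################################
# Minimize u-boot.dtb: clear key properties as 0 but do not remove them,
# then delete the hash@c and hash@np nodes. Which properties are cleared
# depends on CONFIG_FIT_HW_CRYPTO and CONFIG_ROCKCHIP_CRYPTO_V1.
#######################################
function _fit_minimize_uboot_dtb()
{
	if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
		if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
		else
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
		fi
	else
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
		fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
	fi
	fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
	fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
}

#######################################
# Build ITB_BOOT, either from an unpacked ARG_BOOT_IMG or from a freshly
# generated boot.its, and sign it when ARG_SIGN is "y".
# Globals: reads ARG_*; writes ITS_BOOT, ARG_ROLLBACK_PROTECT, VERSION
#######################################
function fit_gen_boot_itb()
{
	local compression

	if [ -n "${ARG_BOOT_IMG}" ]; then
		"${FIT_UNPACK}" -f "${ARG_BOOT_IMG}" -o "${FIT_DIR}/unpack"
		ITS_BOOT="${FIT_DIR}/unpack/image.its"
	else
		# value after "COMPRESSION=" up to the first comma of the trust ini
		compression=$(awk -F"," '/COMPRESSION=/ { printf "%s", $1 }' "${ARG_INI_TRUST}" | tr -d ' ' | cut -c 13-)
		if [ -z "${compression}" ]; then
			compression="none"
		fi
		./arch/arm/mach-rockchip/make_fit_boot.sh -c "${compression}" > "${ITS_BOOT}"
		check_its "${ITS_BOOT}"
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_BOOT}" -E -p "${OFFS_DATA}" "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
	else
		check_rsa_keys

		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
			exit 1
		fi

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-boot <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-boot <n>\""
				exit 1
			fi
		fi

		# fixup
		_fit_fixup_its "${ITS_BOOT}"

		if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_BOOT}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" "${ITS_BOOT}"
		fi

		"${MKIMAGE}" -f "${ITS_BOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
		mv "${SIG_BIN}" "${SIG_BOOT}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
			VERSION=$(fdtget -ti "${ITB_BOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}";
				exit 1
			fi
		fi

		# host check signature
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_BOOT}" -k "${UBOOT_DTB}"
		fi

		_fit_minimize_uboot_dtb
	fi

	mv "${ITS_BOOT}" "${FIT_DIR}"
}

#######################################
# Build ITB_RECOVERY from an unpacked ARG_RECOVERY_IMG (required) and sign
# it when ARG_SIGN is "y".
# Globals: reads ARG_*; writes ITS_RECOVERY, ARG_ROLLBACK_PROTECT, VERSION
#######################################
function fit_gen_recovery_itb()
{
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		echo "ERROR: No recovery.img"
		exit 1
	fi
	"${FIT_UNPACK}" -f "${ARG_RECOVERY_IMG}" -o "${FIT_DIR}/unpack"
	ITS_RECOVERY="${FIT_DIR}/unpack/image.its"

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_RECOVERY}" -E -p "${OFFS_DATA}" "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
	else
		check_rsa_keys

		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
			exit 1
		fi

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: No arg \"--rollback-index-recovery <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-recovery <n>\""
				exit 1
			fi
		fi

		# fixup
		_fit_fixup_its "${ITS_RECOVERY}"

		if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_RECOVERY}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" "${ITS_RECOVERY}"
		fi

		"${MKIMAGE}" -f "${ITS_RECOVERY}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
		mv "${SIG_BIN}" "${SIG_RECOVERY}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
			VERSION=$(fdtget -ti "${ITB_RECOVERY}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}";
				exit 1
			fi
		fi

		# host check signature
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_RECOVERY}" -k "${UBOOT_DTB}"
		fi

		_fit_minimize_uboot_dtb
	fi

	mv "${ITS_RECOVERY}" "${FIT_DIR}"
}

#######################################
# Write IMG_UBOOT as SPL_FIT_IMAGE_MULTIPLE copies of the .itb, each padded
# up to a multiple of SPL_FIT_IMAGE_KB KiB (both values read from .config).
# Exits 1 if the .itb is larger than SPL_FIT_IMAGE_KB KiB.
# Arguments: $1 - .itb to pack (default: ITB_UBOOT)
# Globals:   writes ITB, ITB_MAX_NUM, ITB_MAX_KB, ITB_MAX_BS, ITB_BS
#######################################
function fit_gen_uboot_img()
{
	local i

	ITB=$1

	if [ -z "${ITB}" ]; then
		ITB=${ITB_UBOOT}
	fi

	ITB_MAX_NUM=$(sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_KB=$(sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_BS=$((ITB_MAX_KB*1024))
	# byte count of the file itself; parsing "ls -l" reports a symlink's own
	# size and depends on the listing's column layout
	ITB_BS=$(wc -c < "${ITB}")

	if [ "${ITB_BS}" -gt "${ITB_MAX_BS}" ]; then
		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
		exit 1
	fi

	rm -f "${IMG_UBOOT}"
	# ${ITB_MAX_NUM} is expanded on purpose: an empty value must stay an
	# error rather than silently mean "zero copies".
	for ((i = 0; i < ${ITB_MAX_NUM}; i++)); do
		cat "${ITB}" >> "${IMG_UBOOT}"
		truncate -s "%${ITB_MAX_KB}K" "${IMG_UBOOT}"
	done
}

#######################################
# Copy the boot .itb to IMG_BOOT unless it already is that file.
# Arguments: $1 - .itb to copy (default: ITB_BOOT)
# Globals:   writes ITB
#######################################
function fit_gen_boot_img()
{
	ITB=$1

	if [ -z "${ITB}" ]; then
		ITB=${ITB_BOOT}
	fi

	if [ "${ITB}" != "${IMG_BOOT}" ]; then
		cp -f -- "${ITB}" "${IMG_BOOT}"
	fi
}

#######################################
# Copy the recovery .itb to IMG_RECOVERY unless it already is that file.
# Arguments: $1 - .itb to copy (default: ITB_RECOVERY)
# Globals:   writes ITB
#######################################
function fit_gen_recovery_img()
{
	ITB=$1

	if [ -z "${ITB}" ]; then
		ITB=${ITB_RECOVERY}
	fi

	if [ "${ITB}" != "${IMG_RECOVERY}" ]; then
		cp -f -- "${ITB}" "${IMG_RECOVERY}"
	fi
}

#######################################
# When CONFIG_FIT_SIGNATURE=y, run rk_sign_tool over the loader, download
# and idblock images found in the current directory.
# Globals: reads ARG_CHIP (characters 2..7 are passed as the chip name)
#######################################
function fit_gen_loader()
{
	if grep -Eq '^CONFIG_FIT_SIGNATURE=y' .config ; then
		"${RK_SIGN_TOOL}" cc --chip "${ARG_CHIP:2:6}"
		"${RK_SIGN_TOOL}" lk --key "${RSA_PRI_KEY}" --pubkey "${RSA_PUB_KEY}"
		# the globs below are left unquoted on purpose so they expand
		if ls *loader*.bin >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sl --loader *loader*.bin
		fi
		if ls *download*.bin >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sl --loader *download*.bin
		fi
		if ls *idblock*.img >/dev/null 2>&1 ; then
			"${RK_SIGN_TOOL}" sb --idb *idblock*.img
		fi
	fi
}

#######################################
# Print the "is ready" summary line for IMG_UBOOT.
# Globals: writes MSG_SIGN, MSG_VER, VERSION
#######################################
function fit_msg_uboot()
{
	# reset so a version left over from another fit_msg_* call is not reused
	MSG_VER=""

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	VERSION=$(fdtget -ti "${ITB_UBOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_SPL_ROLLBACK_PROTECT}" = "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
	fi
}

#######################################
# Print the "is ready" summary line for IMG_BOOT; silent when no
# --boot_img was given.
# Globals: writes MSG_SIGN, MSG_VER, VERSION
#######################################
function fit_msg_boot()
{
	if [ -z "${ARG_BOOT_IMG}" ]; then
		return;
	fi

	# reset so a version left over from another fit_msg_* call is not reused
	MSG_VER=""

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	VERSION=$(fdtget -ti "${ITB_BOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
	fi
}

#######################################
# Print the "is ready" summary line for IMG_RECOVERY; silent when no
# --recovery_img was given.
# Globals: writes MSG_SIGN, MSG_VER, VERSION
#######################################
function fit_msg_recovery()
{
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		return;
	fi

	# reset so a version left over from another fit_msg_* call is not reused
	MSG_VER=""

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	VERSION=$(fdtget -ti "${ITB_RECOVERY}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" = "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
	fi
}

#######################################
# Print the "is ready" summary line for the loader (spl, ddr...). An
# idblock image, when present, takes precedence over a loader .bin.
# Globals: writes LOADER
#######################################
function fit_msg_loader()
{
	if ls *loader*.bin >/dev/null 2>&1 ; then
		LOADER=$(ls *loader*.bin)
	fi

	if ls *idblock*.img >/dev/null 2>&1 ; then
		LOADER=$(ls *idblock*.img)
	fi

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		echo "Image(signed): ${LOADER} (with spl, ddr...) is ready"
	else
		echo "Image(no-signed): ${LOADER} (with spl, ddr...) is ready"
	fi
}

#######################################
# Print the "is ready" summary line for the loader (u-boot, ddr...). An
# idblock image, when present, takes precedence over a loader .bin.
# Globals: writes LOADER
#######################################
function fit_msg_u_boot_loader()
{
	if ls *loader*.bin >/dev/null 2>&1 ; then
		LOADER=$(ls *loader*.bin)
	fi

	if ls *idblock*.img >/dev/null 2>&1 ; then
		LOADER=$(ls *idblock*.img)
	fi

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		echo "Image(signed): ${LOADER} (with u-boot, ddr...) is ready"
	else
		echo "Image(no-signed): ${LOADER} (with u-boot, ddr...) is ready"
	fi
}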