#!/bin/bash
#
# Copyright (c) 2022 Rockchip Electronics Co., Ltd
#
# SPDX-License-Identifier: GPL-2.0
#
# Stop at the first command that fails outside a conditional context.
set -e

# Work directory for intermediate FIT artifacts and the final image names.
FIT_DIR=fit
IMG_UBOOT=uboot.img
IMG_BOOT=boot.img
IMG_RECOVERY=recovery.img

# FIT blobs produced by mkimage, one per image.
ITB_UBOOT="${FIT_DIR}/uboot.itb"
ITB_BOOT="${FIT_DIR}/boot.itb"
ITB_RECOVERY="${FIT_DIR}/recovery.itb"

# mkimage leaves the to-be-signed data in SIG_BIN; each signing step moves
# it to the matching per-image name below.
SIG_BIN=data2sign.bin
SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
SIG_BOOT="${FIT_DIR}/boot.data2sign"
SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"

# Value handed to "mkimage -p" for every image.
OFFS_DATA=0x1200

# Placeholder load addresses that the boot/recovery fixup step replaces
# with the real fdt/kernel/ramdisk addresses.
FDT_ADDR_PLACEHOLDER=0xffffff00
KERNEL_ADDR_PLACEHOLDER=0xffffff01
RAMDISK_ADDR_PLACEHOLDER=0xffffff02

# Host tools, all addressed relative to the current directory.
MKIMAGE=./tools/mkimage
RK_SIGN_TOOL=../rkbin/tools/rk_sign_tool
FIT_UNPACK=./scripts/fit-unpack.sh
CHECK_SIGN=./tools/fit_check_sign

# Signing material. RSA_PRI_KEY is the private key every signed image
# depends on and it is read from a relative path inside the build tree.
# NOTE(review): the "dev" name suggests a development key; confirm how
# production keys are supplied and that keys/ stays out of version control.
KEY_DIR=keys/
RSA_PRI_KEY=keys/dev.key
RSA_PUB_KEY=keys/dev.pubkey
RSA_CRT_KEY=keys/dev.crt

# Device-tree node holding the public key, and the two dtbs that carry it.
SIGNATURE_KEY_NODE=/signature/key-dev
SPL_DTB=spl/u-boot-spl.dtb
UBOOT_DTB=u-boot.dtb

# Image tree sources (ITS_BOOT and ITS_RECOVERY are reassigned when an
# existing image is unpacked, so none of these may be readonly).
ITS_UBOOT=u-boot.its
ITS_BOOT=boot.its
ITS_RECOVERY=recovery.its

# Default values for "mkimage -v" when no --version-* option is given.
ARG_VER_UBOOT=0
ARG_VER_BOOT=0
ARG_VER_RECOVERY=0
function help()
{
	# Print the usage summary to stdout, one printf argument per line.
	# $0 is expanded so the text shows how the script was invoked.
	printf '%s\n' \
		"" \
		"usage:" \
		"    $0 [args]" \
		"" \
		"args:" \
		"    --rollback-index-recovery  <decimal integer>" \
		"    --rollback-index-boot      <decimal integer>" \
		"    --rollback-index-uboot     <decimal integer>" \
		"    --version-recovery         <decimal integer>" \
		"    --version-boot             <decimal integer>" \
		"    --version-uboot            <decimal integer>" \
		"    --boot_img                 <boot image>" \
		"    --recovery_img             <recovery image>" \
		"    --args                     <arg>" \
		"    --ini-loader               <loader ini file>" \
		"    --ini-trust                <trust ini file>" \
		"    --no-check" \
		"    --spl-new" \
		""
}
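function arg_check_decimal()
{
	# Accept $1 only if it is a non-empty string of ASCII digits; otherwise
	# print the usage text and exit 1.
	#
	# The accepted value is later spliced into a sed expression and into the
	# image tree source as the rollback index or version, so the check has to
	# be strict. The previous unquoted tests let a value such as "1 2" slip
	# through ("[ ! -z ]" with an all-blank remainder evaluates to false).
	local value="$1"

	if [ -z "${value}" ]; then
		help
		exit 1
	fi

	case "${value}" in
		*[!0-9]*)
			echo "ERROR: $1 is not decimal integer"
			help
			exit 1
			;;
	esac
}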
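function check_its()
{
	# Verify that every file named by an /incbin/ line of the image tree
	# source $1 exists; print an error and exit 1 on the first missing one.
	#
	# The loop reads the file through a redirection instead of "cat | while":
	# in a pipeline the loop runs in a subshell, so "exit 1" only ended that
	# subshell and the failure reached the caller solely through "set -e".
	# This is an existence check only; it says nothing about file contents.
	local line file

	while IFS= read -r line || [ -n "${line}" ]; do
		case "${line}" in
			*incbin*) ;;
			*) continue ;;
		esac

		# The path is the first double-quoted field; blanks are stripped
		# as before. "%s" keeps a '%' in a path from acting as a format.
		file=$(printf '%s\n' "${line}" | awk -F '"' '{ printf "%s", $2 }' | tr -d ' ')

		# An incbin line without a quoted path was silently skipped by
		# the old unquoted test; keep that behaviour explicit.
		[ -n "${file}" ] || continue

		if [ ! -f "${file}" ]; then
			echo "ERROR: No ${file}"
			exit 1
		fi
	done < "$1"
}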
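function check_rsa_algo()
{
	# Check that the image tree source $1 mentions the RSA algorithm that
	# .config selects (rsa4096 when CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y,
	# rsa2048 otherwise); exit 1 if it does not.
	#
	# Globals: rsa_algo (written).
	#
	# NOTE(review): this is a plain substring search. It passes as soon as
	# the algorithm name appears anywhere in the file, including a comment
	# or only one of several signature nodes; it does not prove that every
	# signature node uses that algorithm.
	if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then
		rsa_algo="rsa4096"
	else
		rsa_algo="rsa2048"
	fi

	# $1 is quoted on purpose: unquoted, an empty path left "grep -r" with
	# no file operand, which searches the whole current directory and can
	# let the check pass on an unrelated file.
	if ! grep -qr -- "${rsa_algo}" "$1" ; then
		echo "ERROR: Wrong rsa_algo in its file. It should be ${rsa_algo}."
		exit 1
	fi
}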
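function check_rsa_keys()
{
	# Make sure the private key, public key and certificate files all exist
	# before any signing step runs; report the first missing one and exit 1.
	#
	# Globals: RSA_PRI_KEY, RSA_PUB_KEY, RSA_CRT_KEY (read).
	#
	# The paths are quoted so that an empty or unset variable fails the
	# check; unquoted, "[ ! -f ]" is false and an empty path passed silently.
	# Only existence is tested: file permissions and whether the three files
	# belong to the same key pair are not examined here.
	local key_file

	for key_file in "${RSA_PRI_KEY}" "${RSA_PUB_KEY}" "${RSA_CRT_KEY}"; do
		if [ ! -f "${key_file}" ]; then
			echo "ERROR: No ${key_file} "
			exit 1
		fi
	done
}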
function validate_arg()
{
	# Print how many command-line words the option in $1 occupies:
	# 1 for a bare flag, 2 for an option followed by a value, 0 for
	# anything this list does not name.
	#
	# Globals: shift (written; holds the same number that is printed).
	shift=0

	case "$1" in
		--no-check|--spl-new|--burn-key-hash)
			shift=1
			;;
		--ini-trust|--ini-loader|--boot_img|--recovery_img|--chip|\
		--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|\
		--version-uboot|--version-boot|--version-recovery)
			shift=2
			;;
	esac

	printf '%s\n' "${shift}"
}
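function fit_process_args()
{
	# Parse the command line into the ARG_* globals and set ARG_SIGN=y when
	# .config enables CONFIG_FIT_SIGNATURE.
	#
	# With no arguments the usage text is printed and the script exits 0.
	# An unknown option, or an option whose value is missing, prints the
	# usage text and exits 1.
	#
	# Globals written: ARG_VALIDATE, ARG_BOOT_IMG, ARG_CHIP,
	#   ARG_RECOVERY_IMG, ARG_BOOT_IMG_DIR, ARG_NO_CHECK, ARG_INI_TRUST,
	#   ARG_INI_LOADER, ARG_SPL_NEW, ARG_ROLLBACK_IDX_{BOOT,RECOVERY,UBOOT},
	#   ARG_VER_{UBOOT,BOOT,RECOVERY}, ARG_BURN_KEY_HASH, ARG_SIGN.
	if [ $# -eq 0 ]; then
		help
		exit 0
	fi

	while [ $# -gt 0 ]; do
		# Every option except the three bare flags consumes a value.
		# Without this guard a trailing option made "shift 2" fail, which
		# ended the script with no message under "set -e".
		case "$1" in
			--no-check|--spl-new|--burn-key-hash)
				;;
			*)
				if [ $# -lt 2 ]; then
					help
					exit 1
				fi
				;;
		esac

		case "$1" in
			--args)
				ARG_VALIDATE="$2"
				shift 2
				;;
			--boot_img)     # boot.img
				ARG_BOOT_IMG="$2"
				shift 2
				;;
			--chip)
				ARG_CHIP="$2"
				shift 2
				;;
			--recovery_img) # recovery.img
				ARG_RECOVERY_IMG="$2"
				shift 2
				;;
			--boot_img_dir) # boot.img components directory
				ARG_BOOT_IMG_DIR="$2"
				shift 2
				;;
			--no-check)     # Skip the host-side fit signature check that follows signing
				ARG_NO_CHECK="y"
				shift 1
				;;
			--ini-trust)    # Assign trust ini file
				ARG_INI_TRUST="$2"
				shift 2
				;;
			--ini-loader)   # Assign loader ini file
				ARG_INI_LOADER="$2"
				shift 2
				;;
			--spl-new)      # Use current build u-boot-spl.bin to pack loader
				ARG_SPL_NEW="y"
				shift 1
				;;
			# The numeric options are validated with the value quoted, so a
			# value containing blanks is checked as a whole.
			--rollback-index-boot)
				arg_check_decimal "$2"
				ARG_ROLLBACK_IDX_BOOT="$2"
				shift 2
				;;
			--rollback-index-recovery)
				arg_check_decimal "$2"
				ARG_ROLLBACK_IDX_RECOVERY="$2"
				shift 2
				;;
			--rollback-index-uboot)
				arg_check_decimal "$2"
				ARG_ROLLBACK_IDX_UBOOT="$2"
				shift 2
				;;
			--version-uboot)
				arg_check_decimal "$2"
				ARG_VER_UBOOT="$2"
				shift 2
				;;
			--version-boot)
				arg_check_decimal "$2"
				ARG_VER_BOOT="$2"
				shift 2
				;;
			--version-recovery)
				arg_check_decimal "$2"
				ARG_VER_RECOVERY="$2"
				shift 2
				;;
			--burn-key-hash) # Sets burn-key-hash in the SPL dtb key node (see fit_gen_uboot_itb)
				ARG_BURN_KEY_HASH="y"
				shift 1
				;;
			*)
				help
				exit 1
				;;
		esac
	done

	# Signing is driven by the build configuration, not by an option.
	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		ARG_SIGN="y"
	fi
}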
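function fit_raw_compile()
{
	# Rebuild the code when signing is enabled, then start from an empty
	# FIT work directory.
	#
	# Globals: ARG_SIGN, FIT_DIR (read).

	# Verified-boot: should rebuild code but don't need to repack images.
	if [ "${ARG_SIGN}" == "y" ]; then
		./make.sh --raw-compile
	fi

	# Options come before the operand and the path is quoted; ":?" aborts
	# instead of running a recursive delete with an empty or unset path.
	rm -rf -- "${FIT_DIR:?}" && mkdir -p -- "${FIT_DIR}"
}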
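function fit_gen_uboot_itb()
{
	# Build ${ITB_UBOOT} from ${ITS_UBOOT} and pack the loader.
	#
	# Unsigned (ARG_SIGN != y): run mkimage, then pack the loader.
	# Signed: require the key files and CONFIG_SPL_FIT_SIGNATURE, set the
	# rollback index when CONFIG_SPL_FIT_ROLLBACK_PROTECT=y, sign with the
	# keys in ${KEY_DIR}, read the written values back, verify the signature
	# on the host unless --no-check was given, zero the key fields in
	# ${SPL_DTB} and repack the SPL/loader.
	#
	# Globals read: ARG_INI_TRUST, ARG_INI_LOADER, ARG_SIGN, ARG_SPL_NEW,
	#   ARG_ROLLBACK_IDX_UBOOT, ARG_BURN_KEY_HASH, ARG_NO_CHECK,
	#   ARG_VER_UBOOT and the path constants.
	# Globals written: ARG_SPL_ROLLBACK_PROTECT, VERSION, spl_file, offs.

	# generate u-boot.its file (the ini argument is passed only when set)
	./make.sh itb ${ARG_INI_TRUST:+"${ARG_INI_TRUST}"}

	# check existence of the files referenced by the its
	check_its "${ITS_UBOOT}"

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_UBOOT}" -E -p "${OFFS_DATA}" "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			./make.sh --spl ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
			echo "pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
		fi
	else
		check_rsa_keys

		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index
		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_SPL_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
				exit 1
			fi
		fi

		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			# Replace whatever index the generated its carries with the
			# requested one; the read-back check below confirms it took.
			VERSION=$(grep 'rollback-index' "${ITS_UBOOT}" | awk -F '=' '{ printf $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" "${ITS_UBOOT}"
		fi

		# Generally, boot.img is signed before uboot.img, so the rsa key can be found
		# in u-boot.dtb. If not found, let's insert rsa key anyway.
		if ! fdtget -l "${UBOOT_DTB}" /signature >/dev/null 2>&1 ; then
			"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
			echo "## Adding RSA public key into ${UBOOT_DTB}"
		fi

		# Pack: sign with the keys in ${KEY_DIR}, public key goes into ${SPL_DTB}
		"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${SPL_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		mv -- "${SIG_BIN}" "${SIG_UBOOT}"

		# burn-key-hash
		# NOTE(review): this only sets a property in the SPL dtb. Presumably
		# the SPL acts on it at boot by programming the key hash into
		# one-time storage, which could not be undone - confirm before
		# enabling this on hardware that is not meant to be locked.
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash 0x1
			else
				echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
				exit 1
			fi
		fi

		# rollback-index read back check
		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_UBOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}";
				exit 1
			fi
		fi

		# burn-key-hash read back check
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if [ "$(fdtget -ti "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash)" != "1" ]; then
				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}";
				exit 1
			fi
		fi

		# host check signature
		# --no-check skips this step, so a signing mistake would then only
		# show up when the device refuses the image.
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			if [ "${ARG_SPL_NEW}" == "y" ]; then
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k "${SPL_DTB}" -s
			else
				# Verify against the key inside the prebuilt SPL named by
				# FlashBoot= in the loader ini: locate its fdt, carve it out.
				spl_file="../rkbin/$(sed -n "/FlashBoot=/s/FlashBoot=//p" "${ARG_INI_LOADER}" | tr -d '\r')"
				offs=$(fdtdump -s "${spl_file}" | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " ")
				if [ -z "${offs}" ]; then
					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
					# The error used to be printed without stopping, so the
					# steps below ran with an empty offset.
					exit 1
				fi
				offs=$(printf %d "${offs}") # hex -> dec
				dd if="${spl_file}" of=spl/u-boot-spl-old.dtb bs="${offs}" skip=1 >/dev/null 2>&1
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k spl/u-boot-spl-old.dtb -s
			fi
		fi

		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
		# Runs after the host check above, which reads the key from this dtb.
		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
			else
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fi
		else
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
		fi

		# repack spl
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
			fi
			cat "${SPL_DTB}" >> spl/u-boot-spl.bin

			./make.sh --spl ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
			echo "## pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER:+"${ARG_INI_LOADER}"}
		fi

		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			echo "## ${SPL_DTB}: burn-key-hash=1"
		fi
	fi

	rm -f u-boot.itb u-boot.img u-boot-dtb.img
	mv -- "${ITS_UBOOT}" "${FIT_DIR}"
}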
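function fit_gen_boot_itb()
{
	# Build ${ITB_BOOT}, either from an existing boot image (--boot_img,
	# unpacked with ${FIT_UNPACK}) or from a freshly generated boot.its.
	#
	# Signed builds additionally check the key files and the its algorithm,
	# patch load addresses and the rollback index into the its, sign with
	# the keys in ${KEY_DIR}, read the index back, verify the signature on
	# the host unless --no-check was given, and zero the key fields in
	# ${UBOOT_DTB}.
	#
	# Globals written: ITS_BOOT, ARG_ROLLBACK_PROTECT, FDT_ADDR_R,
	#   KERNEL_ADDR_R, RMADISK_ADDR_R (sic), VERSION, compression.
	if [ -n "${ARG_BOOT_IMG}" ]; then
		"${FIT_UNPACK}" -f "${ARG_BOOT_IMG}" -o "${FIT_DIR}/unpack"
		ITS_BOOT="${FIT_DIR}/unpack/image.its"
	else
		# Without --ini-trust the old unquoted awk call had no file operand
		# and read standard input; treat that case as "no setting" instead.
		compression=""
		if [ -n "${ARG_INI_TRUST}" ]; then
			compression=$(awk -F"," '/COMPRESSION=/  { printf $1 }' "${ARG_INI_TRUST}" | tr -d ' ' | cut -c 13-)
		fi
		if [ -z "${compression}" ]; then
			compression="none"
		fi
		./arch/arm/mach-rockchip/make_fit_boot.sh -c "${compression}" > "${ITS_BOOT}"
		check_its "${ITS_BOOT}"
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_BOOT}" -E -p "${OFFS_DATA}" "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
	else
		check_rsa_keys

		check_rsa_algo "${ITS_BOOT}"

		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
			exit 1
		fi

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-boot <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-boot <n>\""
				exit 1
			fi
		fi

		# fixup: swap the placeholder load addresses for the values found in
		# the built environment object.
		FDT_ADDR_R=$(strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }')
		KERNEL_ADDR_R=$(strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }')
		RMADISK_ADDR_R=$(strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }')
		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         "${ITS_BOOT}"
		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   "${ITS_BOOT}"
		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${ITS_BOOT}"
		if grep -q '^CONFIG_ARM64=y' .config ; then
			sed -i 's/arch = "arm";/arch = "arm64";/g' "${ITS_BOOT}"
		fi

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_BOOT}" | awk -F '=' '{ printf $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" "${ITS_BOOT}"
		fi

		# Sign; the public key is written into ${UBOOT_DTB}.
		"${MKIMAGE}" -f "${ITS_BOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
		mv -- "${SIG_BIN}" "${SIG_BOOT}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_BOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}";
				exit 1
			fi
		fi

		# host check signature (skipped with --no-check)
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_BOOT}" -k "${UBOOT_DTB}"
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		# Runs after the host check above, which reads the key from this dtb.
		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			else
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fi
		else
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
		fi
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
	fi

	mv -- "${ITS_BOOT}" "${FIT_DIR}"
}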
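function fit_gen_recovery_itb()
{
	# Build ${ITB_RECOVERY} from an existing recovery image, which must be
	# given with --recovery_img; it is unpacked with ${FIT_UNPACK} first.
	#
	# Signed builds additionally check the key files and the its algorithm,
	# patch load addresses and the rollback index into the its, sign with
	# the keys in ${KEY_DIR}, read the index back, verify the signature on
	# the host unless --no-check was given, and zero the key fields in
	# ${UBOOT_DTB}.
	#
	# Globals written: ITS_RECOVERY, ARG_ROLLBACK_PROTECT, FDT_ADDR_R,
	#   KERNEL_ADDR_R, RMADISK_ADDR_R (sic), VERSION.
	if [ -n "${ARG_RECOVERY_IMG}" ]; then
		"${FIT_UNPACK}" -f "${ARG_RECOVERY_IMG}" -o "${FIT_DIR}/unpack"
		ITS_RECOVERY="${FIT_DIR}/unpack/image.its"
	else
		echo "ERROR: No recovery.img"
		exit 1
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_RECOVERY}" -E -p "${OFFS_DATA}" "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
	else
		check_rsa_keys

		check_rsa_algo "${ITS_RECOVERY}"

		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
			exit 1
		fi

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: No arg \"--rollback-index-recovery <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-recovery <n>\""
				exit 1
			fi
		fi

		# fixup: swap the placeholder load addresses for the values found in
		# the built environment object.
		FDT_ADDR_R=$(strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }')
		KERNEL_ADDR_R=$(strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }')
		RMADISK_ADDR_R=$(strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }')
		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         "${ITS_RECOVERY}"
		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   "${ITS_RECOVERY}"
		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${ITS_RECOVERY}"
		if grep -q '^CONFIG_ARM64=y' .config ; then
			sed -i 's/arch = "arm";/arch = "arm64";/g' "${ITS_RECOVERY}"
		fi

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_RECOVERY}" | awk -F '=' '{ printf $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" "${ITS_RECOVERY}"
		fi

		# Sign; the public key is written into ${UBOOT_DTB}.
		"${MKIMAGE}" -f "${ITS_RECOVERY}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
		mv -- "${SIG_BIN}" "${SIG_RECOVERY}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_RECOVERY}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}";
				exit 1
			fi
		fi

		# host check signature (skipped with --no-check)
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_RECOVERY}" -k "${UBOOT_DTB}"
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		# Runs after the host check above, which reads the key from this dtb.
		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			else
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fi
		else
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
		fi
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
	fi

	mv -- "${ITS_RECOVERY}" "${FIT_DIR}"
}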
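function fit_gen_uboot_img()
{
	# Assemble ${IMG_UBOOT} from the FIT blob $1 (default ${ITB_UBOOT}):
	# the blob is appended SPL_FIT_IMAGE_MULTIPLE times and the image is
	# padded to a multiple of SPL_FIT_IMAGE_KB after each copy. Both values
	# are read from .config. Exits 1 if the blob is missing or larger than
	# one SPL_FIT_IMAGE_KB slot.
	#
	# Globals written: ITB, ITB_MAX_NUM, ITB_MAX_KB, ITB_MAX_BS, ITB_BS.
	local i

	ITB="$1"

	if [ -z "${ITB}" ]; then
		ITB="${ITB_UBOOT}"
	fi

	if [ ! -f "${ITB}" ]; then
		echo "ERROR: No ${ITB}"
		exit 1
	fi

	ITB_MAX_NUM=$(sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_KB=$(sed  -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_BS=$((ITB_MAX_KB*1024))

	# Byte count straight from the file instead of parsing "ls -l", which
	# broke on paths with blanks; the arithmetic strips any padding that
	# wc adds on some platforms.
	ITB_BS=$(wc -c < "${ITB}")
	ITB_BS=$((ITB_BS))

	if [ "${ITB_BS}" -gt "${ITB_MAX_BS}" ]; then
		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
		exit 1
	fi

	rm -f -- "${IMG_UBOOT}"
	for ((i = 0; i < ${ITB_MAX_NUM}; i++));
	do
		cat "${ITB}" >> "${IMG_UBOOT}"
		truncate -s "%${ITB_MAX_KB}K" "${IMG_UBOOT}"
	done
}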
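function fit_gen_boot_img()
{
	# Copy the FIT blob $1 (default ${ITB_BOOT}) to ${IMG_BOOT}, unless the
	# source already is ${IMG_BOOT}.
	#
	# Globals written: ITB.
	ITB="$1"

	if [ -z "${ITB}" ]; then
		ITB="${ITB_BOOT}"
	fi

	if [ "${ITB}" != "${IMG_BOOT}" ]; then
		# Options first and paths quoted, so blanks in a path are safe.
		cp -f -- "${ITB}" "${IMG_BOOT}"
	fi
}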
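function fit_gen_recovery_img()
{
	# Copy the FIT blob $1 (default ${ITB_RECOVERY}) to ${IMG_RECOVERY},
	# unless the source already is ${IMG_RECOVERY}.
	#
	# Globals written: ITB.
	ITB="$1"

	if [ -z "${ITB}" ]; then
		ITB="${ITB_RECOVERY}"
	fi

	if [ "${ITB}" != "${IMG_RECOVERY}" ]; then
		# Options first and paths quoted, so blanks in a path are safe.
		cp -f -- "${ITB}" "${IMG_RECOVERY}"
	fi
}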
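function fit_gen_loader()
{
	# When .config enables CONFIG_FIT_SIGNATURE, run ${RK_SIGN_TOOL} to
	# select the chip, load the key pair and sign whichever loader,
	# download and idblock files exist in the current directory.
	# Does nothing when signing is disabled.
	#
	# Globals read: RK_SIGN_TOOL, ARG_CHIP, RSA_PRI_KEY, RSA_PUB_KEY.
	if ! grep -Eq '^CONFIG_FIT_SIGNATURE=y' .config ; then
		return 0
	fi

	# The chip name handed to the tool is ARG_CHIP from offset 2 onward,
	# at most 6 characters.
	"${RK_SIGN_TOOL}" cc --chip "${ARG_CHIP: 2: 6}"
	# Key paths are quoted so a directory name with blanks stays one word.
	"${RK_SIGN_TOOL}" lk --key "${RSA_PRI_KEY}" --pubkey "${RSA_PUB_KEY}"

	# compgen -G reports whether the glob matches anything without parsing
	# "ls"; the globs themselves stay unquoted so they expand for the tool.
	if compgen -G '*loader*.bin' >/dev/null ; then
		"${RK_SIGN_TOOL}" sl --loader *loader*.bin
	fi
	if compgen -G '*download*.bin' >/dev/null ; then
		"${RK_SIGN_TOOL}" sl --loader *download*.bin
	fi
	if compgen -G '*idblock*.img' >/dev/null ; then
		"${RK_SIGN_TOOL}" sb --idb *idblock*.img
	fi
}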
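function fit_msg_uboot()
{
	# Print the "is ready" summary line for ${IMG_UBOOT}: signed or not,
	# the version stored in ${ITB_UBOOT}, and the rollback index when SPL
	# rollback protection is on.
	#
	# Globals written: MSG_SIGN, MSG_VER, VERSION.
	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# MSG_VER is shared by all fit_msg_* functions. Clear it first so an
	# image without a version does not print one left over from an earlier
	# call.
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_UBOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
	fi
}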
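function fit_msg_boot()
{
	# Print the "is ready" summary line for ${IMG_BOOT}: signed or not, the
	# version stored in ${ITB_BOOT}, and the rollback index when rollback
	# protection is on. Prints nothing unless --boot_img was given.
	#
	# Globals written: MSG_SIGN, MSG_VER, VERSION.
	if [ -z "${ARG_BOOT_IMG}" ]; then
		return;
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# MSG_VER is shared by all fit_msg_* functions. Clear it first so an
	# image without a version does not print one left over from an earlier
	# call.
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_BOOT}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
	fi
}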
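function fit_msg_recovery()
{
	# Print the "is ready" summary line for ${IMG_RECOVERY}: signed or not,
	# the version stored in ${ITB_RECOVERY}, and the rollback index when
	# rollback protection is on. Prints nothing unless --recovery_img was
	# given.
	#
	# Globals written: MSG_SIGN, MSG_VER, VERSION.
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		return;
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	# MSG_VER is shared by all fit_msg_* functions. Clear it first so an
	# image without a version does not print one left over from an earlier
	# call.
	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_RECOVERY}" / version)
	if [ "${VERSION}" != "" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
	fi
}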
function fit_msg_loader()
{
	# Print the "is ready" summary line for the loader image found in the
	# current directory. An idblock image, when present, takes precedence
	# over a loader binary because it is looked up last.
	#
	# Globals written: LOADER.
	local glob sign_state

	# ${glob} is left unquoted on purpose so the pattern expands.
	for glob in '*loader*.bin' '*idblock*.img'; do
		if ls ${glob} >/dev/null 2>&1 ; then
			LOADER=$(ls ${glob})
		fi
	done

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		sign_state="signed"
	else
		sign_state="no-signed"
	fi

	echo "Image(${sign_state}): ${LOADER} (with spl, ddr...) is ready"
}
function fit_msg_u_boot_loader()
{
	# Print the "is ready" summary line for a loader image that carries
	# u-boot. An idblock image, when present, takes precedence over a
	# loader binary because it is looked up last.
	#
	# Globals written: LOADER.
	local glob sign_state

	# ${glob} is left unquoted on purpose so the pattern expands.
	for glob in '*loader*.bin' '*idblock*.img'; do
		if ls ${glob} >/dev/null 2>&1 ; then
			LOADER=$(ls ${glob})
		fi
	done

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		sign_state="signed"
	else
		sign_state="no-signed"
	fi

	echo "Image(${sign_state}): ${LOADER} (with u-boot, ddr...) is ready"
}