xref: /rk3399_rockchip-uboot/scripts/fit-core.sh (revision cb458c93a053d0e7961600834a62e0d6303522d4)
1#!/bin/bash
2#
3# Copyright (c) 2022 Rockchip Electronics Co., Ltd
4#
5# SPDX-License-Identifier: GPL-2.0
6#
# Stop at the first command that fails outside a conditional context.
set -e

# Output directory and final image names.
FIT_DIR='fit'
IMG_UBOOT='uboot.img'
IMG_BOOT='boot.img'
IMG_RECOVERY='recovery.img'

# Intermediate FIT blobs, all kept under ${FIT_DIR}.
ITB_UBOOT="${FIT_DIR}/uboot.itb"
ITB_BOOT="${FIT_DIR}/boot.itb"
ITB_RECOVERY="${FIT_DIR}/recovery.itb"

# SIG_BIN is moved to one of the SIG_* paths after each signing run of mkimage.
SIG_BIN='data2sign.bin'
SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
SIG_BOOT="${FIT_DIR}/boot.data2sign"
SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"

# Offset handed to "mkimage -E -p".
OFFS_DATA='0x1200'

# Placeholder load addresses; fit_gen_boot_itb / fit_gen_recovery_itb replace
# them in the .its with the *_addr_r values found in env/built-in.o.
FDT_ADDR_PLACEHOLDER='0xffffff00'
KERNEL_ADDR_PLACEHOLDER='0xffffff01'
RAMDISK_ADDR_PLACEHOLDER='0xffffff02'

# Host tools, relative to the U-Boot source tree root.
MKIMAGE='./tools/mkimage'
RK_SIGN_TOOL='../rkbin/tools/rk_sign_tool'
FIT_UNPACK='./scripts/fit-unpack.sh'
CHECK_SIGN='./tools/fit_check_sign'

# Signing material. dev.key is the RSA private key: it is read from the working
# tree, so keep it out of version control and restrict its file permissions.
KEY_DIR='keys/'
RSA_PRI_KEY="${KEY_DIR}dev.key"
RSA_PUB_KEY="${KEY_DIR}dev.pubkey"
RSA_CRT_KEY="${KEY_DIR}dev.crt"
# Device-tree node that holds the public key in spl/u-boot-spl.dtb and u-boot.dtb.
SIGNATURE_KEY_NODE='/signature/key-dev'
SPL_DTB='spl/u-boot-spl.dtb'
UBOOT_DTB='u-boot.dtb'

# Image tree sources. ITS_BOOT and ITS_RECOVERY are reassigned when an existing
# image is unpacked, so none of these may be made readonly.
ITS_UBOOT='u-boot.its'
ITS_BOOT='boot.its'
ITS_RECOVERY='recovery.its'

# Default image versions, overridden by --version-uboot/-boot/-recovery.
ARG_VER_UBOOT='0'
ARG_VER_BOOT='0'
ARG_VER_RECOVERY='0'
46
# Print the usage text to stdout.
# Note: fit_process_args also accepts --chip, --boot_img_dir and
# --burn-key-hash, which are not listed here.
function help()
{
	printf '%s\n' \
		'' \
		'usage:' \
		"    $0 [args]" \
		'' \
		'args:' \
		'    --rollback-index-recovery  <decimal integer>' \
		'    --rollback-index-boot      <decimal integer>' \
		'    --rollback-index-uboot     <decimal integer>' \
		'    --version-recovery         <decimal integer>' \
		'    --version-boot             <decimal integer>' \
		'    --version-uboot            <decimal integer>' \
		'    --boot_img                 <boot image>' \
		'    --recovery_img             <recovery image>' \
		'    --args                     <arg>' \
		'    --ini-loader               <loader ini file>' \
		'    --ini-trust                <trust ini file>' \
		'    --no-check' \
		'    --no-sign' \
		'    --spl-new' \
		''
}
70
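# Abort with the usage text unless $1 is a non-empty string of ASCII digits.
#
# Arguments: $1 - value to validate
# Globals:   decimal (written) - the non-digit remainder of $1, empty on success
# Exits:     1 when $1 is empty or contains anything but 0-9
#
# The value is checked with parameter expansion instead of `echo $1 | sed`:
# an unquoted echo treats values such as "-n" or "-e" as its own options and
# prints nothing, so they were accepted as numbers, and glob characters were
# expanded before the check. The rollback-index values validated here are later
# interpolated into sed expressions, so the check has to see the exact string.
function arg_check_decimal()
{
	if [ -z "$1" ]; then
		help
		exit 1
	fi

	# Delete every digit; anything left over is not part of a decimal integer.
	decimal=${1//[0123456789]/}
	if [ -n "${decimal}" ]; then
		echo "ERROR: $1 is not decimal integer"
		help
		exit 1
	fi
}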
85
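# Verify that every file named by an /incbin/ line of an .its file exists.
#
# Arguments: $1 - path of the .its file
# Returns:   0 when all referenced files exist; 1 (after printing an error)
#            when one is missing or the .its file itself cannot be read.
#            Under `set -e` a non-zero return ends the script, as before.
#
# The file is read with `read -r` from a redirect rather than through
# `cat | while read`: lines are no longer glob-expanded by an unquoted echo,
# a last line without a trailing newline is still checked, and the path is
# printed with "%s" so a '%' in a file name is not used as an awk format.
function check_its()
{
	local line file

	while IFS= read -r line || [ -n "${line}" ]; do
		case "${line}" in
			*incbin*) ;;
			*) continue ;;
		esac

		# The path is the first double-quoted string on the line, spaces removed.
		file=$(printf '%s\n' "${line}" | awk -F '"' '{ printf "%s", $2 }' | tr -d ' ')
		# An incbin line without a quoted path is skipped, as before.
		[ -n "${file}" ] || continue

		if [ ! -f "${file}" ]; then
			echo "ERROR: No ${file}"
			return 1
		fi
	done < "$1"

	return 0
}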
97
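# Check that an .its file mentions the RSA algorithm selected in .config.
#
# Arguments: $1 - path of the .its file
# Globals:   rsa_algo (written) - "rsa4096" when
#            CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y is set in .config, else "rsa2048"
# Exits:     1 when the string is not found in $1
#
# NOTE(review): this is a plain substring search. It shows that the expected
# algorithm name occurs somewhere in the file, not that every signature node
# uses it.
function check_rsa_algo()
{
	if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' .config ; then
		rsa_algo="rsa4096"
	else
		rsa_algo="rsa2048"
	fi

	# Quoted so that a path containing spaces is searched as one file.
	if ! grep -qr -- "${rsa_algo}" "$1" ; then
		echo "ERROR: Wrong rsa_algo in its file. It should be ${rsa_algo}."
		exit 1
	fi
}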
110
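# Make sure the private key, public key and certificate files all exist.
#
# Globals: RSA_PRI_KEY, RSA_PUB_KEY, RSA_CRT_KEY (read)
# Exits:   1 at the first path that is not a regular file
#
# The paths are quoted: with an unquoted expansion an empty variable turned the
# test into `[ ! -f ]`, which is false, so a missing key path passed the check.
function check_rsa_keys()
{
	local key

	for key in "${RSA_PRI_KEY}" "${RSA_PUB_KEY}" "${RSA_CRT_KEY}"; do
		if [ ! -f "${key}" ]; then
			echo "ERROR: No ${key} "
			exit 1
		fi
	done
}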
124
# Print how many words an option occupies on the command line:
# 1 for a flag, 2 for an option followed by a value, 0 for anything else.
#
# Arguments: $1 - the option to classify
# Globals:   shift (written) - an ordinary variable holding the same number;
#            it is not the `shift` builtin
function validate_arg()
{
	shift=0
	case "$1" in
		--no-check | --no-sign | --spl-new | --burn-key-hash)
			shift=1
			;;
		--ini-trust | --ini-loader | \
		--rollback-index-boot | --rollback-index-recovery | --rollback-index-uboot | \
		--boot_img | --recovery_img | \
		--version-uboot | --version-boot | --version-recovery | \
		--chip)
			shift=2
			;;
	esac
	printf '%s\n' "${shift}"
}
140
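# Parse the command line into the ARG_* globals.
#
# Arguments: "$@" - the script's options
# Globals:   ARG_SIGN is preset to "y" when CONFIG_FIT_SIGNATURE=y is in
#            .config and forced to "n" by --no-sign; every other ARG_* below is
#            written only when its option is present.
# Exits:     0 after printing help when called without arguments;
#            1 on an unknown option, a missing value or a non-decimal number
#
# Numeric values are handed to arg_check_decimal quoted, so the string that is
# validated is the string that is stored. Unquoted, a value such as "1 2" was
# validated as "1" but stored whole, and it is later interpolated into a sed
# expression. Options that take a value now report a missing one instead of
# dying on a failed `shift 2`.
function fit_process_args()
{
	if [ $# -eq 0 ]; then
		help
		exit 0
	fi

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		ARG_SIGN="y"
	fi

	while [ $# -gt 0 ]; do
		# Value-taking options without a numeric check need their value present;
		# the numeric ones are covered by arg_check_decimal, which rejects "".
		case "$1" in
			--args|--boot_img|--chip|--recovery_img|--boot_img_dir|--ini-trust|--ini-loader)
				if [ $# -lt 2 ]; then
					echo "ERROR: $1 requires a value"
					help
					exit 1
				fi
				;;
		esac

		case "$1" in
			--args)
				ARG_VALIDATE=$2
				shift 2
				;;
			--boot_img)     # boot.img
				ARG_BOOT_IMG=$2
				shift 2
				;;
			--chip)
				ARG_CHIP=$2
				shift 2
				;;
			--recovery_img) # recovery.img
				ARG_RECOVERY_IMG=$2
				shift 2
				;;
			--boot_img_dir) # boot.img components directory
				ARG_BOOT_IMG_DIR=$2
				shift 2
				;;
			--no-check)     # No hostcc fit signature check
				ARG_NO_CHECK="y"
				shift 1
				;;
			--no-sign)
				ARG_NO_SIGN="y"
				ARG_SIGN="n"
				shift 1
				;;
			--ini-trust)    # Assign trust ini file
				ARG_INI_TRUST=$2
				shift 2
				;;
			--ini-loader)   # Assign loader ini file
				ARG_INI_LOADER=$2
				shift 2
				;;
			--spl-new)      # Use current build u-boot-spl.bin to pack loader
				ARG_SPL_NEW="y"
				shift 1
				;;
			--rollback-index-boot)
				ARG_ROLLBACK_IDX_BOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--rollback-index-recovery)
				ARG_ROLLBACK_IDX_RECOVERY=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--rollback-index-uboot)
				ARG_ROLLBACK_IDX_UBOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--version-uboot)
				ARG_VER_UBOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--version-boot)
				ARG_VER_BOOT=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--version-recovery)
				ARG_VER_RECOVERY=$2
				arg_check_decimal "$2"
				shift 2
				;;
			--burn-key-hash)
				ARG_BURN_KEY_HASH="y"
				shift 1
				;;
			*)
				help
				exit 1
				;;
		esac
	done
}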
236
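# Rebuild the tree when signing is enabled, then start with an empty ${FIT_DIR}.
#
# Globals: ARG_SIGN, FIT_DIR (read)
#
# `${FIT_DIR:?}` aborts instead of running `rm -rf` with an empty path, and `--`
# keeps a value that starts with '-' from being read as an option.
function fit_raw_compile()
{
	# Verified-boot: should rebuild code but don't need to repack images.
	if [ "${ARG_SIGN}" == "y" ]; then
		./make.sh --raw-compile
	fi
	rm -rf -- "${FIT_DIR:?FIT_DIR must not be empty}" && mkdir -p -- "${FIT_DIR}"
}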
245
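# Build ${ITB_UBOOT} from u-boot.its and pack the loader; with ARG_SIGN=y the
# FIT is signed and the public key is written into ${SPL_DTB}.
#
# Globals read:    ARG_SIGN, ARG_INI_TRUST, ARG_INI_LOADER, ARG_SPL_NEW,
#                  ARG_ROLLBACK_IDX_UBOOT, ARG_BURN_KEY_HASH, ARG_NO_CHECK,
#                  ARG_VER_UBOOT and the path constants of this file
# Globals written: ARG_SPL_ROLLBACK_PROTECT, VERSION, spl_file, offs
# Exits:           1 on any failed precondition or read-back check
#
# Order in the signed path matters: sign -> optional burn-key-hash -> read-back
# checks -> host signature check -> minimise the key node -> repack the loader.
# The host check runs before the key node is minimised.
#
# ARG_INI_TRUST / ARG_INI_LOADER are passed to make.sh unquoted on purpose, so
# that an empty value passes no argument at all.
function fit_gen_uboot_itb()
{
	# generate u-boot.its file
	# shellcheck disable=SC2086
	./make.sh itb ${ARG_INI_TRUST}

	# check existence of file in its
	check_its "${ITS_UBOOT}"

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_UBOOT}" -E -p "${OFFS_DATA}" "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			# shellcheck disable=SC2086
			./make.sh --spl ${ARG_INI_LOADER}
			echo "pack loader with new: spl/u-boot-spl.bin"
		else
			# shellcheck disable=SC2086
			./make.sh loader ${ARG_INI_LOADER}
		fi
	else
		check_rsa_keys

		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index
		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_SPL_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
				exit 1
			fi
		fi

		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			# Replace whatever rollback-index value the generated .its carries.
			# The result is verified by the read-back check further down.
			VERSION=$(grep 'rollback-index' "${ITS_UBOOT}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" "${ITS_UBOOT}"
		fi

		# Generally, boot.img is signed before uboot.img, so the rsa key can be found
		# in u-boot.dtb. If not found, let's insert rsa key anyway.
		if ! fdtget -l "${UBOOT_DTB}" /signature >/dev/null 2>&1 ; then
			"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
			echo "## Adding RSA public key into ${UBOOT_DTB}"
		fi

		# Pack
		"${MKIMAGE}" -f "${ITS_UBOOT}" -k "${KEY_DIR}" -K "${SPL_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		mv "${SIG_BIN}" "${SIG_UBOOT}"

		# burn-key-hash
		# NOTE(review): presumably this asks SPL to program the key hash into
		# one-time-programmable storage on the device - confirm before enabling.
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash 0x1
			else
				echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
				exit 1
			fi
		fi

		# rollback-index read back check
		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_UBOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}"
				exit 1
			fi
		fi

		# burn-key-hash read back check
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if [ "$(fdtget -ti "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash)" != "1" ]; then
				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}"
				exit 1
			fi
		fi

		# host check signature (skipped entirely with --no-check)
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			if [ "${ARG_SPL_NEW}" == "y" ]; then
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k "${SPL_DTB}" -s
			else
				# Verify against the dtb embedded in the prebuilt SPL named by
				# FlashBoot= in the loader ini, not against the freshly built one.
				spl_file="../rkbin/"$(sed -n "/FlashBoot=/s/FlashBoot=//p" "${ARG_INI_LOADER}" | tr -d '\r')
				offs=$(fdtdump -s "${spl_file}" | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " ")
				if [ -z "${offs}" ]; then
					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
					# Stop here: without an offset the dd below cannot extract
					# the dtb and the signature check would have nothing to use.
					exit 1
				fi
				offs=$(printf '%d' "${offs}") # hex -> dec
				dd if="${spl_file}" of=spl/u-boot-spl-old.dtb bs="${offs}" skip=1 >/dev/null 2>&1
				"${CHECK_SIGN}" -f "${ITB_UBOOT}" -k spl/u-boot-spl-old.dtb -s
			fi
		fi

		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
			else
				fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
				fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fi
		else
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
		fi

		# repack spl
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
			fi
			cat "${SPL_DTB}" >> spl/u-boot-spl.bin

			# shellcheck disable=SC2086
			./make.sh --spl ${ARG_INI_LOADER}
			echo "## pack loader with new: spl/u-boot-spl.bin"
		else
			# shellcheck disable=SC2086
			./make.sh loader ${ARG_INI_LOADER}
		fi

		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			echo "## ${SPL_DTB}: burn-key-hash=1"
		fi
	fi

	rm -f u-boot.itb u-boot.img u-boot-dtb.img
	mv "${ITS_UBOOT}" "${FIT_DIR}"
}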
378
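# Build ${ITB_BOOT}, either from an unpacked existing boot image or from a
# freshly generated boot.its; with ARG_SIGN=y the FIT is signed and the public
# key is written into ${UBOOT_DTB}.
#
# Globals read:    ARG_BOOT_IMG, ARG_INI_TRUST, ARG_SIGN, ARG_ROLLBACK_IDX_BOOT,
#                  ARG_NO_CHECK, ARG_VER_BOOT and the path constants of this file
# Globals written: ITS_BOOT (when an image is unpacked), compression,
#                  ARG_ROLLBACK_PROTECT, FDT_ADDR_R, KERNEL_ADDR_R,
#                  RMADISK_ADDR_R (spelling kept), VERSION
# Exits:           1 on any failed precondition or read-back check
#
# Changes from the previous version: expansions are quoted, so a --boot_img
# path with spaces no longer falls through to the "generate boot.its" branch,
# and the second `ARG_SIGN != y` test, which could never be true inside the
# signing branch, is gone.
function fit_gen_boot_itb()
{
	if [ -n "${ARG_BOOT_IMG}" ]; then
		# The unpacked image.its is used as-is; check_its is not run on it.
		"${FIT_UNPACK}" -f "${ARG_BOOT_IMG}" -o "${FIT_DIR}/unpack"
		ITS_BOOT="${FIT_DIR}/unpack/image.its"
	else
		# ARG_INI_TRUST is left unquoted, as elsewhere in this file.
		# shellcheck disable=SC2086
		compression=$(awk -F"," '/COMPRESSION=/  { printf "%s", $1 }' ${ARG_INI_TRUST} | tr -d ' ' | cut -c 13-)
		if [ -z "${compression}" ]; then
			compression="none"
		fi
		./arch/arm/mach-rockchip/make_fit_boot.sh -c "${compression}" > "${ITS_BOOT}"
		check_its "${ITS_BOOT}"
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_BOOT}" -E -p "${OFFS_DATA}" "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
	else
		check_rsa_keys

		check_rsa_algo "${ITS_BOOT}"

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-boot <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-boot <n>\""
				exit 1
			fi
		fi

		# fixup: swap the placeholder load addresses for the values compiled
		# into the default environment.
		FDT_ADDR_R=$(strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }')
		KERNEL_ADDR_R=$(strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }')
		RMADISK_ADDR_R=$(strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }')
		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         "${ITS_BOOT}"
		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   "${ITS_BOOT}"
		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${ITS_BOOT}"
		if grep -q '^CONFIG_ARM64=y' .config ; then
			sed -i 's/arch = "arm";/arch = "arm64";/g' "${ITS_BOOT}"
		fi

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			# The result is verified by the read-back check after signing.
			VERSION=$(grep 'rollback-index' "${ITS_BOOT}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" "${ITS_BOOT}"
		fi

		"${MKIMAGE}" -f "${ITS_BOOT}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_BOOT}" -v "${ARG_VER_BOOT}"
		mv "${SIG_BIN}" "${SIG_BOOT}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_BOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}"
				exit 1
			fi
		fi

		# host check signature (skipped entirely with --no-check)
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_BOOT}" -k "${UBOOT_DTB}"
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			else
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fi
		else
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
		fi
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
	fi

	mv "${ITS_BOOT}" "${FIT_DIR}"
}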
469
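# Build ${ITB_RECOVERY} from an unpacked recovery image; with ARG_SIGN=y the
# FIT is signed and the public key is written into ${UBOOT_DTB}.
#
# Globals read:    ARG_RECOVERY_IMG, ARG_SIGN, ARG_ROLLBACK_IDX_RECOVERY,
#                  ARG_NO_CHECK, ARG_VER_RECOVERY and the path constants of
#                  this file
# Globals written: ITS_RECOVERY, ARG_ROLLBACK_PROTECT, FDT_ADDR_R,
#                  KERNEL_ADDR_R, RMADISK_ADDR_R (spelling kept), VERSION
# Exits:           1 when no recovery image was given, or on any failed
#                  precondition or read-back check
#
# Changes from the previous version: expansions are quoted, so a
# --recovery_img path with spaces is no longer reported as missing, and the
# second `ARG_SIGN != y` test, which could never be true inside the signing
# branch, is gone.
function fit_gen_recovery_itb()
{
	if [ -n "${ARG_RECOVERY_IMG}" ]; then
		# The unpacked image.its is used as-is; check_its is not run on it.
		"${FIT_UNPACK}" -f "${ARG_RECOVERY_IMG}" -o "${FIT_DIR}/unpack"
		ITS_RECOVERY="${FIT_DIR}/unpack/image.its"
	else
		echo "ERROR: No recovery.img"
		exit 1
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		"${MKIMAGE}" -f "${ITS_RECOVERY}" -E -p "${OFFS_DATA}" "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
	else
		check_rsa_keys

		check_rsa_algo "${ITS_RECOVERY}"

		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: No arg \"--rollback-index-recovery <n>\""
				exit 1
			fi
			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
				echo "ERROR: Don't support \"--rollback-index-recovery <n>\""
				exit 1
			fi
		fi

		# fixup: swap the placeholder load addresses for the values compiled
		# into the default environment.
		FDT_ADDR_R=$(strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }')
		KERNEL_ADDR_R=$(strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }')
		RMADISK_ADDR_R=$(strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }')
		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         "${ITS_RECOVERY}"
		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   "${ITS_RECOVERY}"
		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${ITS_RECOVERY}"
		if grep -q '^CONFIG_ARM64=y' .config ; then
			sed -i 's/arch = "arm";/arch = "arm64";/g' "${ITS_RECOVERY}"
		fi

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			# The result is verified by the read-back check after signing.
			VERSION=$(grep 'rollback-index' "${ITS_RECOVERY}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" "${ITS_RECOVERY}"
		fi

		"${MKIMAGE}" -f "${ITS_RECOVERY}" -k "${KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_RECOVERY}" -v "${ARG_VER_RECOVERY}"
		mv "${SIG_BIN}" "${SIG_RECOVERY}"

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_RECOVERY}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}"
				exit 1
			fi
		fi

		# host check signature (skipped entirely with --no-check)
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			"${CHECK_SIGN}" -f "${ITB_RECOVERY}" -k "${UBOOT_DTB}"
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			else
				fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fi
		else
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -tx "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
		fi
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
		fdtput -r "${UBOOT_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
	fi

	mv "${ITS_RECOVERY}" "${FIT_DIR}"
}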
556
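# Write ${IMG_UBOOT}: ITB_MAX_NUM copies of the FIT, each padded to a multiple
# of ITB_MAX_KB KiB.
#
# Arguments: $1 - FIT blob to pack (defaults to ${ITB_UBOOT})
# Globals written: ITB, ITB_MAX_NUM, ITB_MAX_KB, ITB_MAX_BS, ITB_BS
# Exits:     1 when the blob is missing, the limits cannot be read from
#            .config, or the blob is larger than one slot
#
# The size now comes from `wc -c` instead of the fifth column of `ls -l`, paths
# are quoted, and unusable .config values are reported instead of surfacing as
# an arithmetic error.
function fit_gen_uboot_img()
{
	local i

	ITB=$1

	if [ -z "${ITB}" ]; then
		ITB=${ITB_UBOOT}
	fi

	if [ ! -f "${ITB}" ]; then
		echo "ERROR: No ${ITB}"
		exit 1
	fi

	ITB_MAX_NUM=$(sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }')
	ITB_MAX_KB=$(sed  -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }')

	# Both values feed arithmetic and `truncate`, so they must be plain decimals.
	case "${ITB_MAX_NUM}" in
		''|*[!0123456789]*)
			echo "ERROR: invalid SPL_FIT_IMAGE_MULTIPLE in .config: '${ITB_MAX_NUM}'"
			exit 1
			;;
	esac
	case "${ITB_MAX_KB}" in
		''|*[!0123456789]*)
			echo "ERROR: invalid SPL_FIT_IMAGE_KB in .config: '${ITB_MAX_KB}'"
			exit 1
			;;
	esac

	ITB_MAX_BS=$((ITB_MAX_KB*1024))
	# The arithmetic expansion strips the padding some `wc` builds print.
	ITB_BS=$(( $(wc -c < "${ITB}") ))

	if [ "${ITB_BS}" -gt "${ITB_MAX_BS}" ]; then
		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
		exit 1
	fi

	rm -f -- "${IMG_UBOOT}"
	for ((i = 0; i < ITB_MAX_NUM; i++)); do
		cat -- "${ITB}" >> "${IMG_UBOOT}"
		# "%N" rounds the size up to the next multiple of N.
		truncate -s "%${ITB_MAX_KB}K" "${IMG_UBOOT}"
	done
}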
582
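# Copy the boot FIT blob to ${IMG_BOOT}.
#
# Arguments: $1 - FIT blob to copy (defaults to ${ITB_BOOT})
# Globals written: ITB
#
# Paths are quoted so a name containing spaces is copied as one file, and the
# options come before the operands instead of relying on GNU option permutation.
function fit_gen_boot_img()
{
	ITB=${1:-${ITB_BOOT}}

	# Nothing to do when source and destination are the same path.
	if [ "${ITB}" != "${IMG_BOOT}" ]; then
		cp -f -- "${ITB}" "${IMG_BOOT}"
	fi
}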
595
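# Copy the recovery FIT blob to ${IMG_RECOVERY}.
#
# Arguments: $1 - FIT blob to copy (defaults to ${ITB_RECOVERY})
# Globals written: ITB
#
# Paths are quoted so a name containing spaces is copied as one file, and the
# options come before the operands instead of relying on GNU option permutation.
function fit_gen_recovery_img()
{
	ITB=${1:-${ITB_RECOVERY}}

	# Nothing to do when source and destination are the same path.
	if [ "${ITB}" != "${IMG_RECOVERY}" ]; then
		cp -f -- "${ITB}" "${IMG_RECOVERY}"
	fi
}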
608
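# Sign the loader artefacts in the current directory with rk_sign_tool.
# Does nothing unless ARG_SIGN is "y".
#
# Globals: ARG_SIGN, ARG_CHIP, RK_SIGN_TOOL, RSA_PRI_KEY, RSA_PUB_KEY (read)
#
# The chip name handed to the tool is up to six characters of ARG_CHIP starting
# at offset 2 (e.g. "RK3399" -> "3399").
# NOTE(review): the sub-commands presumably mean cc = set chip, lk = load key,
# sl = sign loader, sb = sign idblock - confirm against the rk_sign_tool docs.
#
# Key paths and the chip value are quoted so they reach the tool as single
# arguments, and the artefacts are collected by globbing into an array instead
# of probing with `ls`.
function fit_gen_loader()
{
	local -a found

	if [ "${ARG_SIGN}" != "y" ]; then
		return 0
	fi

	"${RK_SIGN_TOOL}" cc --chip "${ARG_CHIP: 2: 6}"
	"${RK_SIGN_TOOL}" lk --key "${RSA_PRI_KEY}" --pubkey "${RSA_PUB_KEY}"

	# An unmatched glob stays literal, so test the first element for existence.
	found=( *loader*.bin )
	if [ -e "${found[0]}" ]; then
		"${RK_SIGN_TOOL}" sl --loader "${found[@]}"
	fi

	found=( *download*.bin )
	if [ -e "${found[0]}" ]; then
		"${RK_SIGN_TOOL}" sl --loader "${found[@]}"
	fi

	found=( *idblock*.img )
	if [ -e "${found[0]}" ]; then
		"${RK_SIGN_TOOL}" sb --idb "${found[@]}"
	fi
}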
625
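# Print the one-line summary for ${IMG_UBOOT}.
#
# Globals read:    ARG_SIGN, ARG_SPL_ROLLBACK_PROTECT, ARG_ROLLBACK_IDX_UBOOT,
#                  ITB_UBOOT, IMG_UBOOT
# Globals written: MSG_SIGN, MSG_VER, VERSION
#
# MSG_VER is cleared first: it is shared with the other fit_msg_* functions and
# would otherwise carry over the version text of a previously reported image.
function fit_msg_uboot()
{
	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_UBOOT}" / version)
	if [ -n "${VERSION}" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
	fi
}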
645
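# Print the one-line summary for ${IMG_BOOT}; silent when no --boot_img was given.
#
# Globals read:    ARG_BOOT_IMG, ARG_SIGN, ARG_ROLLBACK_PROTECT,
#                  ARG_ROLLBACK_IDX_BOOT, ITB_BOOT, IMG_BOOT
# Globals written: MSG_SIGN, MSG_VER, VERSION
#
# MSG_VER is cleared first: it is shared with the other fit_msg_* functions and
# would otherwise carry over the version text of a previously reported image.
function fit_msg_boot()
{
	if [ -z "${ARG_BOOT_IMG}" ]; then
		return
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_BOOT}" / version)
	if [ -n "${VERSION}" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
	fi
}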
669
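# Print the one-line summary for ${IMG_RECOVERY}; silent when no
# --recovery_img was given.
#
# Globals read:    ARG_RECOVERY_IMG, ARG_SIGN, ARG_ROLLBACK_PROTECT,
#                  ARG_ROLLBACK_IDX_RECOVERY, ITB_RECOVERY, IMG_RECOVERY
# Globals written: MSG_SIGN, MSG_VER, VERSION
#
# MSG_VER is cleared first: it is shared with the other fit_msg_* functions and
# would otherwise carry over the version text of a previously reported image.
function fit_msg_recovery()
{
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		return
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		MSG_SIGN="no-signed"
	else
		MSG_SIGN="signed"
	fi

	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_RECOVERY}" / version)
	if [ -n "${VERSION}" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
	fi
}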
693
# Print the one-line summary for the packed loader (SPL flavour).
#
# Globals read:    ARG_SIGN
# Globals written: LOADER - the `ls` listing of *loader*.bin, replaced by that
#                  of *idblock*.img when such a file exists; left untouched
#                  when neither pattern matches
function fit_msg_loader()
{
	local pattern state

	# Patterns are tried in order, so a later match overrides an earlier one.
	for pattern in '*loader*.bin' '*idblock*.img'; do
		# shellcheck disable=SC2086 -- the pattern has to glob here
		if ls ${pattern} >/dev/null 2>&1 ; then
			# shellcheck disable=SC2086
			LOADER=$(ls ${pattern})
		fi
	done

	case "${ARG_SIGN}" in
		y) state="signed" ;;
		*) state="no-signed" ;;
	esac
	echo "Image(${state}): ${LOADER} (with spl, ddr...) is ready"
}
710
# Print the one-line summary for the packed loader (U-Boot flavour).
#
# Globals read:    ARG_SIGN
# Globals written: LOADER - the `ls` listing of *loader*.bin, replaced by that
#                  of *idblock*.img when such a file exists; left untouched
#                  when neither pattern matches
function fit_msg_u_boot_loader()
{
	local pattern state

	# Patterns are tried in order, so a later match overrides an earlier one.
	for pattern in '*loader*.bin' '*idblock*.img'; do
		# shellcheck disable=SC2086 -- the pattern has to glob here
		if ls ${pattern} >/dev/null 2>&1 ; then
			# shellcheck disable=SC2086
			LOADER=$(ls ${pattern})
		fi
	done

	case "${ARG_SIGN}" in
		y) state="signed" ;;
		*) state="no-signed" ;;
	esac
	echo "Image(${state}): ${LOADER} (with u-boot, ddr...) is ready"
}
727