xref: /rk3399_rockchip-uboot/scripts/fit-core.sh (revision d1627df0fa4b7571b1dca79334a4a3572f08d20e) 
1#!/bin/bash
2#
3# Copyright (c) 2022 Rockchip Electronics Co., Ltd
4#
5# SPDX-License-Identifier: GPL-2.0
6#
7set -e
8
9FIT_DIR="fit"
10IMG_UBOOT="uboot.img"
11IMG_BOOT="boot.img"
12IMG_RECOVERY="recovery.img"
13ITB_UBOOT="${FIT_DIR}/uboot.itb"
14ITB_BOOT="${FIT_DIR}/boot.itb"
15ITB_RECOVERY="${FIT_DIR}/recovery.itb"
16SIG_BIN="data2sign.bin"
17SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
18SIG_BOOT="${FIT_DIR}/boot.data2sign"
19SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"
20# offs
21OFFS_DATA="0x1000"
22# placeholder address
23FDT_ADDR_PLACEHOLDER="0xffffff00"
24KERNEL_ADDR_PLACEHOLDER="0xffffff01"
25RAMDISK_ADDR_PLACEHOLDER="0xffffff02"
26# tools
27MKIMAGE="./tools/mkimage"
28RK_SIGN_TOOL="../rkbin/tools/rk_sign_tool"
29FIT_UNPACK="./scripts/fit-unpack.sh"
30CHECK_SIGN="./tools/fit_check_sign"
31# key
32KEY_DIR="keys/"
33RSA_PRI_KEY="keys/dev.key"
34RSA_PUB_KEY="keys/dev.pubkey"
35RSA_CRT_KEY="keys/dev.crt"
36SIGNATURE_KEY_NODE="/signature/key-dev"
37SPL_DTB="spl/u-boot-spl.dtb"
38UBOOT_DTB="u-boot.dtb"
39# its
40ITS_UBOOT="u-boot.its"
41ITS_BOOT="boot.its"
42ITS_RECOVERY="recovery.its"
43ARG_VER_UBOOT="0"
44ARG_VER_BOOT="0"
45ARG_VER_RECOVERY="0"
46
47function help()
48{
49	echo
50	echo "usage:"
51	echo "    $0 [args]"
52	echo
53	echo "args:"
54	echo "    --rollback-index-recovery  <decimal integer>"
55	echo "    --rollback-index-boot      <decimal integer>"
56	echo "    --rollback-index-uboot     <decimal integer>"
57	echo "    --version-recovery         <decimal integer>"
58	echo "    --version-boot             <decimal integer>"
59	echo "    --version-uboot            <decimal integer>"
60	echo "    --boot_img                 <boot image>"
61	echo "    --recovery_img             <recovery image>"
62	echo "    --args                     <arg>"
63	echo "    --ini-loader               <loader ini file>"
64	echo "    --ini-trust                <trust ini file>"
65	echo "    --no-check"
66	echo "    --spl-new"
67	echo
68}
69
70function arg_check_decimal()
71{
72	if [ -z $1 ]; then
73		help
74		exit 1
75	fi
76
77	decimal=`echo $1 |sed 's/[0-9]//g'`
78	if [ ! -z ${decimal} ]; then
79		echo "ERROR: $1 is not decimal integer"
80		help
81		exit 1
82	fi
83}
84
85function check_its()
86{
87	cat $1 | while read line
88	do
89		file=`echo ${line} | sed -n "/incbin/p" | awk -F '"' '{ printf $2 }' | tr -d ' '`
90		if [ ! -f ${file} ]; then
91			echo "ERROR: No ${file}"
92			exit 1
93		fi
94	done
95}
96
97function check_rsa_keys()
98{
99	if [ ! -f ${RSA_PRI_KEY} ]; then
100		echo "ERROR: No ${RSA_PRI_KEY} "
101		exit 1
102	elif [ ! -f ${RSA_PUB_KEY} ]; then
103		echo "ERROR: No ${RSA_PUB_KEY} "
104		exit 1
105	elif [ ! -f ${RSA_CRT_KEY} ]; then
106		echo "ERROR: No ${RSA_CRT_KEY} "
107		exit 1
108	fi
109}
110
111function validate_arg()
112{
113	case $1 in
114		--no-check|--spl-new|--burn-key-hash)
115			shift=1
116			;;
117		--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--boot_img|--recovery_img|--version-uboot|--version-boot|--version-recovery|--chip)
118			shift=2
119			;;
120		*)
121			shift=0
122			;;
123	esac
124	echo ${shift}
125}
126
127function fit_process_args()
128{
129	if [ $# -eq 0 ]; then
130		help
131		exit 0
132	fi
133
134	while [ $# -gt 0 ]; do
135		case $1 in
136			--args)
137				ARG_VALIDATE=$2
138				shift 2
139				;;
140			--boot_img)     # boot.img
141				ARG_BOOT_IMG=$2
142				shift 2
143				;;
144			--chip)
145				ARG_CHIP=$2
146				shift 2
147				;;
148			--recovery_img) # recovery.img
149				ARG_RECOVERY_IMG=$2
150				shift 2
151				;;
152			--boot_img_dir) # boot.img components directory
153				ARG_BOOT_IMG_DIR=$2
154				shift 2
155				;;
156			--no-check)     # No hostcc fit signature check
157				ARG_NO_CHECK="y"
158				shift 1
159				;;
160			--ini-trust)    # Assign trust ini file
161				ARG_INI_TRUST=$2
162				shift 2
163				;;
164			--ini-loader)   # Assign loader ini file
165				ARG_INI_LOADER=$2
166				shift 2
167				;;
168			--spl-new)      # Use current build u-boot-spl.bin to pack loader
169				ARG_SPL_NEW="y"
170				shift 1
171				;;
172			--rollback-index-boot)
173				ARG_ROLLBACK_IDX_BOOT=$2
174				arg_check_decimal $2
175				shift 2
176				;;
177			--rollback-index-recovery)
178				ARG_ROLLBACK_IDX_RECOVERY=$2
179				arg_check_decimal $2
180				shift 2
181				;;
182			--rollback-index-uboot)
183				ARG_ROLLBACK_IDX_UBOOT=$2
184				arg_check_decimal $2
185				shift 2
186				;;
187			--version-uboot)
188				ARG_VER_UBOOT=$2
189				arg_check_decimal $2
190				shift 2
191				;;
192			--version-boot)
193				ARG_VER_BOOT=$2
194				arg_check_decimal $2
195				shift 2
196				;;
197			--version-recovery)
198				ARG_VER_RECOVERY=$2
199				arg_check_decimal $2
200				shift 2
201				;;
202			--burn-key-hash)
203				ARG_BURN_KEY_HASH="y"
204				shift 1
205				;;
206			*)
207				help
208				exit 1
209				;;
210		esac
211	done
212
213	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
214		ARG_SIGN="y"
215	fi
216}
217
218function fit_raw_compile()
219{
220	# Verified-boot: should rebuild code but don't need to repack images.
221	if [ "${ARG_SIGN}" == "y" ]; then
222		./make.sh --raw-compile
223	fi
224	rm ${FIT_DIR} -rf && mkdir -p ${FIT_DIR}
225}
226
227function fit_gen_uboot_itb()
228{
229	# generate u-boot.its file
230	./make.sh itb ${ARG_INI_TRUST}
231
232	# check existance of file in its
233	check_its ${ITS_UBOOT}
234
235	if [ "${ARG_SIGN}" != "y" ]; then
236		${MKIMAGE} -f ${ITS_UBOOT} -E -p ${OFFS_DATA} ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
237		if [ "${ARG_SPL_NEW}" == "y" ]; then
238			./make.sh --spl ${ARG_INI_LOADER}
239			echo "pack loader with new: spl/u-boot-spl.bin"
240		else
241			./make.sh loader ${ARG_INI_LOADER}
242		fi
243	else
244		check_rsa_keys
245
246		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
247			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
248			exit 1
249		fi
250
251		# rollback-index
252		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
253			ARG_SPL_ROLLBACK_PROTECT="y"
254			if [ -z ${ARG_ROLLBACK_IDX_UBOOT} ]; then
255				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
256				exit 1
257			fi
258		fi
259
260		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
261			VERSION=`grep 'rollback-index' ${ITS_UBOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '`
262			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" ${ITS_UBOOT}
263		fi
264
265		# Generally, boot.img is signed before uboot.img, so the ras key can be found
266		# in u-boot.dtb. If not found, let's insert rsa key anyway.
267		if ! fdtget -l ${UBOOT_DTB} /signature >/dev/null 2>&1 ; then
268			${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
269			echo "## Adding RSA public key into ${UBOOT_DTB}"
270		fi
271
272		# Pack
273		${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${SPL_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
274		mv ${SIG_BIN} ${SIG_UBOOT}
275
276		# burn-key-hash
277		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
278			if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
279				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash 0x1
280			else
281				echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
282				exit 1
283			fi
284		fi
285
286		# rollback-index read back check
287		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
288			VERSION=`fdtget -ti ${ITB_UBOOT} /configurations/conf rollback-index`
289			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
290				echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}";
291				exit 1
292			fi
293		fi
294
295		# burn-key-hash read back check
296		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
297			if [ "`fdtget -ti ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash`" != "1" ]; then
298				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}";
299				exit 1
300			fi
301		fi
302
303		# host check signature
304		if [ "${ARG_NO_CHECK}" != "y" ]; then
305			if [ "${ARG_SPL_NEW}" == "y" ]; then
306				 ${CHECK_SIGN} -f ${ITB_UBOOT} -k ${SPL_DTB} -s
307			else
308				spl_file="../rkbin/"`sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER}  |tr -d '\r'`
309				offs=`fdtdump -s ${spl_file} | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " "`
310				if [ -z ${offs}  ]; then
311					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
312				fi
313				offs=`printf %d ${offs} ` # hex -> dec
314				dd if=${spl_file} of=spl/u-boot-spl-old.dtb bs=${offs} skip=1 >/dev/null 2>&1
315				${CHECK_SIGN} -f ${ITB_UBOOT} -k spl/u-boot-spl-old.dtb -s
316			fi
317		fi
318
319		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
320		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
321			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
322			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
323				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
324				fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
325			else
326				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
327				fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
328			fi
329		else
330			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
331			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
332			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
333			fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
334			fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
335		fi
336
337		# repack spl
338		if [ "${ARG_SPL_NEW}" == "y" ]; then
339			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
340			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
341				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
342			fi
343			cat ${SPL_DTB} >> spl/u-boot-spl.bin
344
345			./make.sh --spl ${ARG_INI_LOADER}
346			echo "## pack loader with new: spl/u-boot-spl.bin"
347		else
348			./make.sh loader ${ARG_INI_LOADER}
349		fi
350
351		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
352			echo "## ${SPL_DTB}: burn-key-hash=1"
353		fi
354	fi
355
356	rm -f u-boot.itb u-boot.img u-boot-dtb.img
357	mv ${ITS_UBOOT} ${FIT_DIR}
358}
359
360function fit_gen_boot_itb()
361{
362	if [ ! -z ${ARG_BOOT_IMG} ]; then
363		${FIT_UNPACK} -f ${ARG_BOOT_IMG} -o ${FIT_DIR}/unpack
364		ITS_BOOT="${FIT_DIR}/unpack/image.its"
365	else
366		compression=`awk -F"," '/COMPRESSION=/  { printf $1 }' ${ARG_INI_TRUST} | tr -d ' ' | cut -c 13-`
367		if [ -z "${compression}" ]; then
368			compression="none"
369		fi
370		./arch/arm/mach-rockchip/make_fit_boot.sh -c ${compression} > ${ITS_BOOT}
371		check_its ${ITS_BOOT}
372	fi
373
374	if [ "${ARG_SIGN}" != "y" ]; then
375		${MKIMAGE} -f ${ITS_BOOT} -E -p ${OFFS_DATA} ${ITB_BOOT} -v ${ARG_VER_BOOT}
376	else
377		check_rsa_keys
378
379		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
380			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
381			exit 1
382		fi
383
384		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
385			ARG_ROLLBACK_PROTECT="y"
386			if [ -z ${ARG_ROLLBACK_IDX_BOOT} ]; then
387				echo "ERROR: No arg \"--rollback-index-boot <n>\""
388				exit 1
389			fi
390			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
391				echo "ERROR: Don't support \"--rollback-index-boot <n>\""
392				exit 1
393			fi
394		fi
395
396		# fixup
397		FDT_ADDR_R=`strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }'`
398		KERNEL_ADDR_R=`strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }'`
399		RMADISK_ADDR_R=`strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }'`
400		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         ${ITS_BOOT}
401		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   ${ITS_BOOT}
402		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_BOOT}
403		if grep -q '^CONFIG_ARM64=y' .config ; then
404			sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_BOOT}
405		fi
406
407		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
408			VERSION=`grep 'rollback-index' ${ITS_BOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '`
409			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" ${ITS_BOOT}
410		fi
411
412		${MKIMAGE} -f ${ITS_BOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_BOOT} -v ${ARG_VER_BOOT}
413		mv ${SIG_BIN} ${SIG_BOOT}
414
415		# rollback-index read back check
416		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
417			VERSION=`fdtget -ti ${ITB_BOOT} /configurations/conf rollback-index`
418			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then
419				echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}";
420				exit 1
421			fi
422		fi
423
424		# host check signature
425		if [ "${ARG_NO_CHECK}" != "y" ]; then
426			 ${CHECK_SIGN} -f ${ITB_BOOT} -k ${UBOOT_DTB}
427		fi
428
429		# minimize u-boot.dtb: clearn as 0 but not remove property.
430		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
431			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
432			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
433				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
434			else
435				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
436			fi
437		else
438			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
439			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
440			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
441		fi
442		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
443		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
444	fi
445
446	mv ${ITS_BOOT} ${FIT_DIR}
447}
448
449function fit_gen_recovery_itb()
450{
451	if [ ! -z ${ARG_RECOVERY_IMG} ]; then
452		${FIT_UNPACK} -f ${ARG_RECOVERY_IMG} -o ${FIT_DIR}/unpack
453		ITS_RECOVERY="${FIT_DIR}/unpack/image.its"
454	else
455		echo "ERROR: No recovery.img"
456		exit 1
457	fi
458
459	if [ "${ARG_SIGN}" != "y" ]; then
460		${MKIMAGE} -f ${ITS_RECOVERY} -E -p ${OFFS_DATA} ${ITB_RECOVERY} -v ${ARG_VER_RECOVERY}
461	else
462		check_rsa_keys
463
464		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
465			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
466			exit 1
467		fi
468
469		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
470			ARG_ROLLBACK_PROTECT="y"
471			if [ -z ${ARG_ROLLBACK_IDX_RECOVERY} ]; then
472				echo "ERROR: No arg \"--rollback-index-recovery <n>\""
473				exit 1
474			fi
475			if ! grep -q '^CONFIG_OPTEE_CLIENT=y' .config ; then
476				echo "ERROR: Don't support \"--rollback-index-recovery <n>\""
477				exit 1
478			fi
479		fi
480
481		# fixup
482		FDT_ADDR_R=`strings env/built-in.o | grep 'fdt_addr_r=' | awk -F "=" '{ print $2 }'`
483		KERNEL_ADDR_R=`strings env/built-in.o | grep 'kernel_addr_r=' | awk -F "=" '{ print $2 }'`
484		RMADISK_ADDR_R=`strings env/built-in.o | grep 'ramdisk_addr_r=' | awk -F "=" '{ print $2 }'`
485		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         ${ITS_RECOVERY}
486		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   ${ITS_RECOVERY}
487		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_RECOVERY}
488		if grep -q '^CONFIG_ARM64=y' .config ; then
489			sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_RECOVERY}
490		fi
491
492		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
493			VERSION=`grep 'rollback-index' ${ITS_RECOVERY} | awk -F '=' '{ printf $2 }' | tr -d ' '`
494			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" ${ITS_RECOVERY}
495		fi
496
497		${MKIMAGE} -f ${ITS_RECOVERY} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_RECOVERY} -v ${ARG_VER_RECOVERY}
498		mv ${SIG_BIN} ${SIG_RECOVERY}
499
500		# rollback-index read back check
501		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
502			VERSION=`fdtget -ti ${ITB_RECOVERY} /configurations/conf rollback-index`
503			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
504				echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}";
505				exit 1
506			fi
507		fi
508
509		# host check signature
510		if [ "${ARG_NO_CHECK}" != "y" ]; then
511			 ${CHECK_SIGN} -f ${ITB_RECOVERY} -k ${UBOOT_DTB}
512		fi
513
514		# minimize u-boot.dtb: clearn as 0 but not remove property.
515		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
516			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
517			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
518				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
519			else
520				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
521			fi
522		else
523			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
524			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
525			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
526		fi
527		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
528		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
529	fi
530
531	mv ${ITS_RECOVERY} ${FIT_DIR}
532}
533
534function fit_gen_uboot_img()
535{
536	ITB=$1
537
538	if [ -z ${ITB} ]; then
539		ITB=${ITB_UBOOT}
540	fi
541
542	ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'`
543	ITB_MAX_KB=`sed  -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'`
544	ITB_MAX_BS=$((ITB_MAX_KB*1024))
545	ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'`
546
547	if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then
548		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
549		exit 1
550	fi
551
552	rm -f ${IMG_UBOOT}
553	for ((i = 0; i < ${ITB_MAX_NUM}; i++));
554	do
555		cat ${ITB} >> ${IMG_UBOOT}
556		truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT}
557	done
558}
559
560function fit_gen_boot_img()
561{
562	ITB=$1
563
564	if [ -z ${ITB} ]; then
565		ITB=${ITB_BOOT}
566	fi
567
568	if [ "${ITB}" != "${IMG_BOOT}" ]; then
569		cp ${ITB} ${IMG_BOOT} -f
570	fi
571}
572
573function fit_gen_recovery_img()
574{
575	ITB=$1
576
577	if [ -z ${ITB} ]; then
578		ITB=${ITB_RECOVERY}
579	fi
580
581	if [ "${ITB}" != "${IMG_RECOVERY}" ]; then
582		cp ${ITB} ${IMG_RECOVERY} -f
583	fi
584}
585
586function fit_gen_loader()
587{
588	if grep -Eq '^CONFIG_FIT_SIGNATURE=y' .config ; then
589		${RK_SIGN_TOOL} cc --chip ${ARG_CHIP: 2: 6}
590		${RK_SIGN_TOOL} lk --key ${RSA_PRI_KEY} --pubkey ${RSA_PUB_KEY}
591		if ls *loader*.bin >/dev/null 2>&1 ; then
592			${RK_SIGN_TOOL} sl --loader *loader*.bin
593		fi
594		if ls *download*.bin >/dev/null 2>&1 ; then
595			${RK_SIGN_TOOL} sl --loader *download*.bin
596		fi
597		if ls *idblock*.img >/dev/null 2>&1 ; then
598			${RK_SIGN_TOOL} sb --idb *idblock*.img
599		fi
600	fi
601}
602
603function fit_msg_uboot()
604{
605	if [ "${ARG_SIGN}" != "y" ]; then
606		MSG_SIGN="no-signed"
607	else
608		MSG_SIGN="signed"
609	fi
610
611	VERSION=`fdtget -ti ${ITB_UBOOT} / version`
612	if [ "${VERSION}" != "" ]; then
613		MSG_VER=", version=${VERSION}"
614	fi
615
616	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
617		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}): ${IMG_UBOOT} (with uboot, trust...) is ready"
618	else
619		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
620	fi
621}
622
623function fit_msg_boot()
624{
625	if [ -z "${ARG_BOOT_IMG}" ]; then
626		return;
627	fi
628
629	if [ "${ARG_SIGN}" != "y" ]; then
630		MSG_SIGN="no-signed"
631	else
632		MSG_SIGN="signed"
633	fi
634
635	VERSION=`fdtget -ti ${ITB_BOOT} / version`
636	if [ "${VERSION}" != "" ]; then
637		MSG_VER=", version=${VERSION}"
638	fi
639
640	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
641		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}): ${IMG_BOOT} is ready"
642	else
643		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
644	fi
645}
646
647function fit_msg_recovery()
648{
649	if [ -z "${ARG_RECOVERY_IMG}" ]; then
650		return;
651	fi
652
653	if [ "${ARG_SIGN}" != "y" ]; then
654		MSG_SIGN="no-signed"
655	else
656		MSG_SIGN="signed"
657	fi
658
659	VERSION=`fdtget -ti ${ITB_RECOVERY} / version`
660	if [ "${VERSION}" != "" ]; then
661		MSG_VER=", version=${VERSION}"
662	fi
663
664	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
665		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}): ${IMG_RECOVERY} is ready"
666	else
667		echo "Image(${MSG_SIGN}${MSG_VER}): ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
668	fi
669}
670
671function fit_msg_loader()
672{
673	if ls *loader*.bin >/dev/null 2>&1 ; then
674		LOADER=`ls *loader*.bin`
675	fi
676
677	if ls *idblock*.img >/dev/null 2>&1 ; then
678		LOADER=`ls *idblock*.img`
679	fi
680
681	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
682		echo "Image(signed): ${LOADER} (with spl, ddr...) is ready"
683	else
684		echo "Image(no-signed): ${LOADER} (with spl, ddr...) is ready"
685	fi
686}
687
688function fit_msg_u_boot_loader()
689{
690	if ls *loader*.bin >/dev/null 2>&1 ; then
691		LOADER=`ls *loader*.bin`
692	fi
693
694	if ls *idblock*.img >/dev/null 2>&1 ; then
695		LOADER=`ls *idblock*.img`
696	fi
697
698	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
699		echo "Image(signed): ${LOADER} (with u-boot, ddr...) is ready"
700	else
701		echo "Image(no-signed): ${LOADER} (with u-boot, ddr...) is ready"
702	fi
703}
704