xref: /rk3399_rockchip-uboot/scripts/fit-resign.sh (revision 1a9d1d0db00bb2fdb5cd966f648297faabe92fe4)

#!/bin/bash
#
# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd
#
# SPDX-License-Identifier: GPL-2.0
#
set -e

# [Keys]
#	mkdir -p keys
#	openssl genpkey -algorithm RSA -out keys/dev.key -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
#	openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
#	openssl rsa -in keys/dev.key -pubout -out keys/dev.pubkey
# [Sign]
#	openssl dgst -sha256 -sign keys/dev.key -sigopt rsa_padding_mode:pss -out sha256-rsa2048.sign fit/boot.data2sign

IMG_UBOOT="uboot.img"
IMG_BOOT="boot.img"
IMG_RECOVERY="recovery.img"

function usage_resign()
{
	echo
	echo "usage:"
	echo "    $0 -f [itb] -s [sig] -n [num of U-Boot copies] -k [KB of each U-Boot copy]"
	echo
}

function arg_check_decimal()
{
	if [ -z $1 ]; then
		usage_resign
		exit 1
	fi

	decimal=`echo $1 |sed 's/[0-9]//g'`
	if [ ! -z ${decimal} ]; then
		echo "ERROR: $1 is not decimal integer"
		usage_resign
		exit 1
	fi
}

function fit_resign()
{
	if [ $# -ne 4 -a $# -ne 8 ]; then
		usage_resign
		exit 1
	fi

	while [ $# -gt 0 ]; do
		case $1 in
			-f)
				ITB=$2
				shift 2
				;;
			-s)
				SIG=$2
				shift 2
				;;
			-n)
				ITB_MAX_NUM=$2
				arg_check_decimal $2
				shift 2
				;;
			-k)
				ITB_MAX_KB=$2
				arg_check_decimal $2
				shift 2
				;;
			*)
				usage_resign
				exit 1
				;;
		esac
	done

	if [ ! -f ${ITB} ]; then
		echo "ERROR: No ${ITB}"
		exit 1
	elif ! file ${ITB} | grep 'Device Tree Blob' ; then
		echo "ERROR: ${ITB} is not FIT image"
		exit 1
	elif [ ! -f ${SIG} ]; then
		echo "ERROR: No ${SIG}"
		exit 1
	fi

	copies=`strings ${ITB} | grep "signer-version"  | wc -l`
	if [ ${copies} -ne 1 ]; then
		echo "ERROR: ${ITB} seems not a itb but a image, ${copies}"
		exit 1
	fi

	SIG_SZ=`ls -l ${SIG} | awk '{ print $5 }'`
	LEN=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/LEN:/p" | awk '{ print $2 }'`
	OFF=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/OFF:/p" | awk '{ print $2 }'`
	END=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/END:/p" | awk '{ print $2 }'`

	if [ -z ${LEN} ]; then
		echo "ERROR: No signature in ${ITB}"
		exit 1
		strings uboot.img | grep "rollback-index" | wc -l
	elif [ "${SIG_SZ}" -ne "${LEN}" ]; then
		echo "ERROR: ${SIG} size ${SIG_SZ} != ${ITB} Signature size ${LEN}"
		exit 1
	fi

	dd if=${ITB} of=${ITB}.half1 count=1 bs=${OFF}
	dd if=${ITB} of=${ITB}.half2 skip=1 ibs=${END}

	ITB_RESIGN="${ITB}.resign"
	cat ${ITB}.half1  >  ${ITB_RESIGN}
	cat ${SIG}        >> ${ITB_RESIGN}
	cat ${ITB}.half2  >> ${ITB_RESIGN}
	echo

	if fdtget -l ${ITB_RESIGN} /images/uboot >/dev/null 2>&1 ; then
		if [ -z ${ITB_MAX_NUM} ]; then
			ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'`
		fi
		if [ -z ${ITB_MAX_KB} ]; then
			ITB_MAX_KB=`sed  -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'`
		fi
		ITB_MAX_BS=$((ITB_MAX_KB*1024))
		ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'`
		if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then
			echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
			exit 1
		fi

		rm -f ${IMG_UBOOT}
		for ((i = 0; i < ${ITB_MAX_NUM}; i++));
		do
			cat ${ITB_RESIGN} >> ${IMG_UBOOT}
			truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT}
		done
		echo "Image(re-signed):  ${IMG_UBOOT} is ready"
	elif [ "${ITB}" == "boot.itb" ]; then
		cp ${ITB_RESIGN} ${IMG_BOOT}
		echo "Image(re-signed):  ${IMG_BOOT} is ready"
	elif [ "${ITB}" == "recovery.itb" ]; then
		cp ${ITB_RESIGN} ${IMG_RECOVERY}
		echo "Image(re-signed):  ${IMG_RECOVERY} is ready"
	else
		usage_resign
		exit 1
	fi

	rm -f ${ITB}.half1 ${ITB}.half2 ${ITB_RESIGN}
}

fit_resign $*