1#!/bin/bash 2# 3# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd 4# 5# SPDX-License-Identifier: GPL-2.0 6# 7set -e 8 9# [Keys] 10# mkdir -p keys 11# openssl genpkey -algorithm RSA -out keys/dev.key -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 12# openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt 13# openssl rsa -in keys/dev.key -pubout -out keys/dev.pubkey 14# [Sign] 15# openssl dgst -sha256 -sign keys/dev.key -sigopt rsa_padding_mode:pss -out sha256-rsa2048.sign fit/boot.data2sign 16 17IMG_UBOOT="uboot.img" 18IMG_BOOT="boot.img" 19IMG_RECOVERY="recovery.img" 20 21function usage_resign() 22{ 23 echo 24 echo "usage:" 25 echo " $0 -f [itb] -s [sig] -n [num of U-Boot copies] -k [KB of each U-Boot copy]" 26 echo 27} 28 29function arg_check_decimal() 30{ 31 if [ -z $1 ]; then 32 usage_resign 33 exit 1 34 fi 35 36 decimal=`echo $1 |sed 's/[0-9]//g'` 37 if [ ! -z ${decimal} ]; then 38 echo "ERROR: $1 is not decimal integer" 39 usage_resign 40 exit 1 41 fi 42} 43 44function fit_resign() 45{ 46 if [ $# -ne 4 -a $# -ne 8 ]; then 47 usage_resign 48 exit 1 49 fi 50 51 while [ $# -gt 0 ]; do 52 case $1 in 53 -f) 54 ITB=$2 55 shift 2 56 ;; 57 -s) 58 SIG=$2 59 shift 2 60 ;; 61 -n) 62 ITB_MAX_NUM=$2 63 arg_check_decimal $2 64 shift 2 65 ;; 66 -k) 67 ITB_MAX_KB=$2 68 arg_check_decimal $2 69 shift 2 70 ;; 71 *) 72 usage_resign 73 exit 1 74 ;; 75 esac 76 done 77 78 if [ ! -f ${ITB} ]; then 79 echo "ERROR: No ${ITB}" 80 exit 1 81 elif ! file ${ITB} | grep 'Device Tree Blob' ; then 82 echo "ERROR: ${ITB} is not FIT image" 83 exit 1 84 elif [ ! -f ${SIG} ]; then 85 echo "ERROR: No ${SIG}" 86 exit 1 87 fi 88 89 copies=`strings ${ITB} | grep "signer-version" | wc -l` 90 if [ ${copies} -ne 1 ]; then 91 echo "ERROR: ${ITB} seems not a itb but a image, ${copies}" 92 exit 1 93 fi 94 95 SIG_SZ=`ls -l ${SIG} | awk '{ print $5 }'` 96 LEN=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/LEN:/p" | awk '{ print $2 }'` 97 OFF=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/OFF:/p" | awk '{ print $2 }'` 98 END=`./tools/fit_info -f ${ITB} -n /configurations/conf/signature -p value | sed -n "/END:/p" | awk '{ print $2 }'` 99 100 if [ -z ${LEN} ]; then 101 echo "ERROR: No signature in ${ITB}" 102 exit 1 103 strings uboot.img | grep "rollback-index" | wc -l 104 elif [ "${SIG_SZ}" -ne "${LEN}" ]; then 105 echo "ERROR: ${SIG} size ${SIG_SZ} != ${ITB} Signature size ${LEN}" 106 exit 1 107 fi 108 109 dd if=${ITB} of=${ITB}.half1 count=1 bs=${OFF} 110 dd if=${ITB} of=${ITB}.half2 skip=1 ibs=${END} 111 112 ITB_RESIGN="${ITB}.resign" 113 cat ${ITB}.half1 > ${ITB_RESIGN} 114 cat ${SIG} >> ${ITB_RESIGN} 115 cat ${ITB}.half2 >> ${ITB_RESIGN} 116 echo 117 118 if fdtget -l ${ITB_RESIGN} /images/uboot >/dev/null 2>&1 ; then 119 if [ -z ${ITB_MAX_NUM} ]; then 120 ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'` 121 fi 122 if [ -z ${ITB_MAX_KB} ]; then 123 ITB_MAX_KB=`sed -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'` 124 fi 125 ITB_MAX_BS=$((ITB_MAX_KB*1024)) 126 ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'` 127 if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then 128 echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes" 129 exit 1 130 fi 131 132 rm -f ${IMG_UBOOT} 133 for ((i = 0; i < ${ITB_MAX_NUM}; i++)); 134 do 135 cat ${ITB_RESIGN} >> ${IMG_UBOOT} 136 truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT} 137 done 138 echo "Image(re-signed): ${IMG_UBOOT} is ready" 139 elif [ "${ITB}" == "boot.itb" ]; then 140 cp ${ITB_RESIGN} ${IMG_BOOT} 141 echo "Image(re-signed): ${IMG_BOOT} is ready" 142 elif [ "${ITB}" == "recovery.itb" ]; then 143 cp ${ITB_RESIGN} ${IMG_RECOVERY} 144 echo "Image(re-signed): ${IMG_RECOVERY} is ready" 145 else 146 usage_resign 147 exit 1 148 fi 149 150 rm -f ${ITB}.half1 ${ITB}.half2 ${ITB_RESIGN} 151} 152 153fit_resign $* 154