xref: /rk3399_rockchip-uboot/scripts/fit.sh (revision 10427e2df5a90fdf95a3ef373e36c5dd49ba07ad)
1#!/bin/bash
2#
3# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd
4#
5# SPDX-License-Identifier: GPL-2.0
6#
# Stop at the first command that fails outside of a condition.
set -e

# Working directory for intermediate artifacts (.itb, .its, .data2sign).
# fit_raw_compile removes and recreates it on every run.
FIT_DIR="fit"

# Final images, written to the current directory.
IMG_UBOOT="uboot.img"
IMG_BOOT="boot.img"
IMG_RECOVERY="recovery.img"

# FIT blobs produced by mkimage, one per image.
ITB_UBOOT="${FIT_DIR}/uboot.itb"
ITB_BOOT="${FIT_DIR}/boot.itb"
ITB_RECOVERY="${FIT_DIR}/recovery.itb"

# SIG_BIN is picked up from the current directory after a signing mkimage run
# and moved to the per-image SIG_* path.
SIG_BIN="data2sign.bin"
SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
SIG_BOOT="${FIT_DIR}/boot.data2sign"
SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"

# Offset handed to "mkimage -E -p" for the external image data.
OFFS_DATA="0x1000"

# Build by-product that is searched for the board's *_common.h header.
CHIP_FILE="arch/arm/lib/.asm-offsets.s.cmd"

# Placeholder load addresses in the .its; replaced with the values read from
# the *_common.h header before signing.
FDT_ADDR_PLACEHOLDER="0xffffff00"
KERNEL_ADDR_PLACEHOLDER="0xffffff01"
RAMDISK_ADDR_PLACEHOLDER="0xffffff02"

# Host tools.
MKIMAGE="./tools/mkimage"
RK_SIGN_TOOL="../rkbin/tools/rk_sign_tool"
FIT_UNPACK="./scripts/fit-unpack.sh"
CHECK_SIGN="./tools/fit_check_sign"

# Signing material. This script only tests that the two key files exist;
# mkimage is given KEY_DIR and the public key ends up in the DTBs below.
# The private key is read from the working tree, so it should be readable by
# the build user only and kept out of version control.
KEY_DIR="keys/"
RSA_PRI_KEY="${KEY_DIR}dev.key"
RSA_PUB_KEY="${KEY_DIR}dev.crt"
SIGNATURE_KEY_NODE="/signature/key-dev"
SPL_DTB="spl/u-boot-spl.dtb"
UBOOT_DTB="u-boot.dtb"

# Image tree sources. ITS_BOOT and ITS_RECOVERY are re-pointed at the unpacked
# image.its when an existing image is passed on the command line.
ITS_UBOOT="u-boot.its"
ITS_BOOT="boot.its"
ITS_RECOVERY="recovery.its"

# Defaults for --version-uboot / --version-boot / --version-recovery.
ARG_VER_UBOOT="0"
ARG_VER_BOOT="0"
ARG_VER_RECOVERY="0"
47
# Print the usage summary to stdout.
# NOTE(review): fit_process_args also accepts --chip, --burn-key-hash and
# --boot_img_dir, which are not listed here.
function help()
{
	cat <<EOF

usage:
    $0 [args]

args:
    --rollback-index-recovery  <decimal integer>
    --rollback-index-boot      <decimal integer>
    --rollback-index-uboot     <decimal integer>
    --version-recovery         <decimal integer>
    --version-boot             <decimal integer>
    --version-uboot            <decimal integer>
    --boot_img                 <boot image>
    --recovery_img             <recovery image>
    --args                     <arg>
    --ini-loader               <loader ini file>
    --ini-trust                <trust ini file>
    --no-check
    --spl-new

EOF
}
70
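# Validate that $1 is a non-empty string of decimal digits.
# Arguments: $1 - value to check
# Outputs:   error text and the usage summary on stdout when the check fails
# Returns:   nothing on success; exits the shell with status 1 otherwise
#
# The value is matched as a whole, quoted string. The previous unquoted
# "[ -z $1 ]" / "[ ! -z ${decimal} ]" tests turned into a "[" usage error for
# values containing whitespace or glob characters, and a usage error inside
# "if" counts as false, so such values were accepted as decimal.
function arg_check_decimal()
{
	case "$1" in
		'')
			help
			exit 1
			;;
		*[!0-9]*)
			echo "ERROR: $1 is not decimal integer"
			help
			exit 1
			;;
	esac
}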
85
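# Check that every file referenced by an /incbin/ line of an .its exists.
# Arguments: $1 - path of the image tree source to scan
# Outputs:   "ERROR: No <file>" on stdout for the first missing file
# Returns:   0 when all referenced files exist, 1 on the first missing one
#            (callers run under "set -e", so a non-zero return aborts the build)
#
# The file is read directly instead of through "cat | while", so the result no
# longer depends on the exit status of a pipeline subshell. Lines are read raw
# (-r) and the path is printed with an explicit awk format, so backslashes and
# '%' characters in a path are no longer mangled.
function check_its()
{
	local its=$1
	local line file

	while IFS= read -r line || [ -n "${line}" ]; do
		# only lines mentioning incbin carry a file reference
		case "${line}" in
			*incbin*) ;;
			*) continue ;;
		esac

		# the path is the first double-quoted string on the line
		file=$(printf '%s\n' "${line}" | awk -F '"' '{ print $2 }' | tr -d ' ')
		if [ -z "${file}" ]; then
			continue
		fi

		if [ ! -f "${file}" ]; then
			echo "ERROR: No ${file}"
			return 1
		fi
	done < "${its}"
}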
97
# Classify an option name and print the result on stdout:
#   1 - flag without a value
#   2 - option followed by one value
#   0 - anything else
# The 1/2 values match the "shift" counts fit_process_args uses for the same
# options. NOTE(review): --args and --boot_img_dir are parsed by
# fit_process_args but classified as 0 here -- confirm that is intended.
# Globals: shift (written)
function validate_arg()
{
	shift=0

	case "$1" in
		--no-check | \
		--spl-new | \
		--burn-key-hash)
			shift=1
			;;
		--ini-trust | \
		--ini-loader | \
		--rollback-index-boot | \
		--rollback-index-recovery | \
		--rollback-index-uboot | \
		--boot_img | \
		--recovery_img | \
		--version-uboot | \
		--version-boot | \
		--version-recovery | \
		--chip)
			shift=2
			;;
	esac

	echo "${shift}"
}
113
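# Parse the command line into ARG_* globals.
# Globals written: ARG_VALIDATE, ARG_BOOT_IMG, ARG_CHIP, ARG_RECOVERY_IMG,
#   ARG_BOOT_IMG_DIR, ARG_NO_CHECK, ARG_INI_TRUST, ARG_INI_LOADER, ARG_SPL_NEW,
#   ARG_ROLLBACK_IDX_{BOOT,RECOVERY,UBOOT}, ARG_VER_{UBOOT,BOOT,RECOVERY},
#   ARG_BURN_KEY_HASH, ARG_SIGN
# Arguments: the script's argument list
# Returns:   exits 0 after printing usage when called without arguments;
#            exits 1 on an unknown option, a missing value or a non-decimal
#            number
#
# An option that needs a value but is last on the command line is now reported
# explicitly. Before, "shift 2" failed with one argument left, which ended the
# script silently under "set -e" (and would loop forever without it).
function fit_process_args()
{
	if [ $# -eq 0 ]; then
		help
		exit 0
	fi

	while [ $# -gt 0 ]; do
		case "$1" in
			--no-check)     # No hostcc fit signature check
				ARG_NO_CHECK="y"
				shift 1
				;;
			--spl-new)      # Use current build u-boot-spl.bin to pack loader
				ARG_SPL_NEW="y"
				shift 1
				;;
			--burn-key-hash)
				ARG_BURN_KEY_HASH="y"
				shift 1
				;;
			--args|--boot_img|--chip|--recovery_img|--boot_img_dir|--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--version-uboot|--version-boot|--version-recovery)
				if [ $# -lt 2 ]; then
					echo "ERROR: $1 requires a value"
					help
					exit 1
				fi

				case "$1" in
					--args)
						ARG_VALIDATE=$2
						;;
					--boot_img)     # boot.img
						ARG_BOOT_IMG=$2
						;;
					--chip)
						ARG_CHIP=$2
						;;
					--recovery_img) # recovery.img
						ARG_RECOVERY_IMG=$2
						;;
					--boot_img_dir) # boot.img components directory
						ARG_BOOT_IMG_DIR=$2
						;;
					--ini-trust)    # Assign trust ini file
						ARG_INI_TRUST=$2
						;;
					--ini-loader)   # Assign loader ini file
						ARG_INI_LOADER=$2
						;;
					--rollback-index-boot)
						arg_check_decimal "$2"
						ARG_ROLLBACK_IDX_BOOT=$2
						;;
					--rollback-index-recovery)
						arg_check_decimal "$2"
						ARG_ROLLBACK_IDX_RECOVERY=$2
						;;
					--rollback-index-uboot)
						arg_check_decimal "$2"
						ARG_ROLLBACK_IDX_UBOOT=$2
						;;
					--version-uboot)
						arg_check_decimal "$2"
						ARG_VER_UBOOT=$2
						;;
					--version-boot)
						arg_check_decimal "$2"
						ARG_VER_BOOT=$2
						;;
					--version-recovery)
						arg_check_decimal "$2"
						ARG_VER_RECOVERY=$2
						;;
				esac
				shift 2
				;;
			*)
				help
				exit 1
				;;
		esac
	done

	# Signing is not a command-line choice: it follows the build configuration.
	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		ARG_SIGN="y"
	fi
}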
204
# Prepare a clean FIT_DIR; for a signed build, first rebuild the code through
# "./make.sh --raw-compile".
# Globals: ARG_SIGN (read), FIT_DIR (read)
function fit_raw_compile()
{
	# Verified-boot: should rebuild code but don't need to repack images.
	[ "${ARG_SIGN}" != "y" ] || ./make.sh --raw-compile

	# start every run from an empty working directory
	rm -rf "${FIT_DIR}" && mkdir -p "${FIT_DIR}"
}
213
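# Build ${ITB_UBOOT} from ${ITS_UBOOT} and pack the loader.
#
# Unsigned build: plain mkimage run, then "./make.sh loader" (or "--spl").
# Signed build (ARG_SIGN=y), in this order:
#   1. require both key files and CONFIG_SPL_FIT_SIGNATURE=y
#   2. write the requested rollback-index into the .its
#   3. mkimage signs the FIT and writes the public key into ${SPL_DTB}
#   4. optionally set burn-key-hash in the SPL key node
#   5. read back rollback-index and burn-key-hash
#   6. verify the signature on the host with fit_check_sign
#   7. zero / remove key node contents in ${SPL_DTB} and repack the loader
#
# Globals read:    ARG_SIGN, ARG_SPL_NEW, ARG_INI_TRUST, ARG_INI_LOADER,
#                  ARG_ROLLBACK_IDX_UBOOT, ARG_BURN_KEY_HASH, ARG_NO_CHECK,
#                  ARG_VER_UBOOT and the path/tool constants
# Globals written: ARG_SPL_ROLLBACK_PROTECT, VERSION
# Returns: exits 1 on any failed precondition or read-back check
function fit_gen_uboot_itb()
{
	local spl_file offs

	# generate u-boot.its file
	# (ARG_INI_TRUST is left unquoted so that an empty value passes no argument)
	./make.sh itb ${ARG_INI_TRUST}

	# check existence of file in its
	check_its ${ITS_UBOOT}

	if [ "${ARG_SIGN}" != "y" ]; then
		${MKIMAGE} -f ${ITS_UBOOT} -E -p ${OFFS_DATA} ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			./make.sh --spl ${ARG_INI_LOADER}
			echo "pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER}
		fi
	else
		if [ ! -f "${RSA_PRI_KEY}" ]; then
			echo "ERROR: No ${RSA_PRI_KEY} "
			exit 1
		elif [ ! -f "${RSA_PUB_KEY}" ]; then
			echo "ERROR: No ${RSA_PUB_KEY} "
			exit 1
		fi

		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index: mandatory once the SPL enforces rollback protection
		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_SPL_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
				exit 1
			fi
		fi

		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			# replace whatever value the generated .its carries
			VERSION=$(grep 'rollback-index' ${ITS_UBOOT} | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" ${ITS_UBOOT}
		fi

		# Generally, boot.img is signed before uboot.img, so the rsa key can be found
		# in u-boot.dtb. If not found, let's insert rsa key anyway.
		if ! fdtget -l ${UBOOT_DTB} /signature >/dev/null 2>&1 ; then
			${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
			echo "## Adding RSA public key into ${UBOOT_DTB}"
		fi

		# Pack: sign with the key from KEY_DIR, public key goes into the SPL dtb
		${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${SPL_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
		mv ${SIG_BIN} ${SIG_UBOOT}

		# burn-key-hash
		# NOTE(review): presumably this tells the SPL to program the key hash
		# into one-time-programmable storage on the device -- confirm; if so the
		# step cannot be undone and the key in KEY_DIR must be the intended one.
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash 0x1
			else
				echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
				exit 1
			fi
		fi

		# rollback-index read back check
		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti ${ITB_UBOOT} /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}"
				exit 1
			fi
		fi

		# burn-key-hash read back check
		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			if [ "$(fdtget -ti ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash)" != "1" ]; then
				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}"
				exit 1
			fi
		fi

		# host check signature
		# With --no-check this whole step is skipped, i.e. nothing on the host
		# confirms that the signature verifies against the key in the SPL dtb.
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			if [ "${ARG_SPL_NEW}" == "y" ]; then
				${CHECK_SIGN} -f ${ITB_UBOOT} -k ${SPL_DTB} -s
			else
				# verify against the dtb embedded in the prebuilt SPL that the
				# loader ini names under "FlashBoot="
				spl_file="../rkbin/$(sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER} | tr -d '\r')"
				offs=$(fdtdump -s ${spl_file} | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " ")
				if [ -z "${offs}" ]; then
					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
					# Stop here: without an offset there is no dtb to verify
					# against, and the build must not continue unverified.
					exit 1
				fi
				offs=$(printf %d ${offs}) # hex -> dec
				dd if=${spl_file} of=spl/u-boot-spl-old.dtb bs=${offs} skip=1 >/dev/null 2>&1
				${CHECK_SIGN} -f ${ITB_UBOOT} -k spl/u-boot-spl-old.dtb -s
			fi
		fi

		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
				fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
			else
				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
				fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
			fi
		else
			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
			fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
			fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
		fi

		# repack spl
		rm -f *_loader_*.bin
		if [ "${ARG_SPL_NEW}" == "y" ]; then
			# reassemble spl/u-boot-spl.bin so that it carries the edited dtb
			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
			fi
			cat ${SPL_DTB} >> spl/u-boot-spl.bin

			./make.sh --spl ${ARG_INI_LOADER}
			echo "## pack loader with new: spl/u-boot-spl.bin"
		else
			./make.sh loader ${ARG_INI_LOADER}
		fi

		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
			echo "## ${SPL_DTB}: burn-key-hash=1"
		fi
	fi

	rm -f u-boot.itb u-boot.img u-boot-dtb.img
	mv ${ITS_UBOOT} ${FIT_DIR}
}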
353
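# Build ${ITB_BOOT}, either from an existing boot image (--boot_img, unpacked
# with ${FIT_UNPACK}) or from a freshly generated ${ITS_BOOT}.
#
# Signed build (ARG_SIGN=y): require the key files and CONFIG_FIT_SIGNATURE=y,
# patch load addresses / arch / rollback-index in the .its, sign with mkimage
# (public key goes into ${UBOOT_DTB}), read back rollback-index, verify on the
# host unless --no-check was given, then zero / remove key node contents in
# ${UBOOT_DTB}.
#
# Test operands and fixed paths are quoted, so the emptiness checks no longer
# depend on how "[" treats a missing operand; awk prints values through an
# explicit "%s" format instead of using file content as the format string.
#
# Globals written: ITS_BOOT, ARG_ROLLBACK_PROTECT, COMMON_FILE, FDT_ADDR_R,
#                  KERNEL_ADDR_R, RMADISK_ADDR_R, VERSION
# Returns: exits 1 on any failed precondition or read-back check
function fit_gen_boot_itb()
{
	local compression=""

	if [ -n "${ARG_BOOT_IMG}" ]; then
		${FIT_UNPACK} -f "${ARG_BOOT_IMG}" -o "${FIT_DIR}/unpack"
		ITS_BOOT="${FIT_DIR}/unpack/image.its"
	else
		# Without a trust ini there is nothing to read the compression from;
		# an empty path would make awk wait on stdin.
		if [ -n "${ARG_INI_TRUST}" ]; then
			compression=$(awk -F"," '/COMPRESSION=/  { printf "%s", $1 }' "${ARG_INI_TRUST}" | tr -d ' ' | cut -c 13-)
		fi
		if [ -z "${compression}" ]; then
			compression="none"
		fi
		./arch/arm/mach-rockchip/make_fit_boot.sh -c "${compression}" > "${ITS_BOOT}"
		check_its "${ITS_BOOT}"
	fi

	if [ "${ARG_SIGN}" != "y" ]; then
		${MKIMAGE} -f "${ITS_BOOT}" -E -p ${OFFS_DATA} "${ITB_BOOT}" -v ${ARG_VER_BOOT}
	else
		if [ ! -f "${RSA_PRI_KEY}" ]; then
			echo "ERROR: No ${RSA_PRI_KEY}"
			exit 1
		elif [ ! -f "${RSA_PUB_KEY}" ]; then
			echo "ERROR: No ${RSA_PUB_KEY}"
			exit 1
		fi

		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index is mandatory once rollback protection is configured
		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: No arg \"--rollback-index-boot <n>\""
				exit 1
			fi
		fi

		# fixup: replace the placeholder load addresses with the values from
		# the board's *_common.h (text between '=' and the next backslash)
		COMMON_FILE=$(sed -n "/_common.h/p" "${CHIP_FILE}" | awk '{ print $1 }')
		FDT_ADDR_R=$(awk /fdt_addr_r/         ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
		KERNEL_ADDR_R=$(awk /kernel_addr_r/   ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
		RMADISK_ADDR_R=$(awk /ramdisk_addr_r/ ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         "${ITS_BOOT}"
		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   "${ITS_BOOT}"
		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${ITS_BOOT}"
		if grep -q '^CONFIG_ARM64=y' .config ; then
			sed -i 's/arch = "arm";/arch = "arm64";/g' "${ITS_BOOT}"
		fi

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_BOOT}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" "${ITS_BOOT}"
		fi

		# sign; the public key is written into u-boot.dtb
		${MKIMAGE} -f "${ITS_BOOT}" -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r "${ITB_BOOT}" -v ${ARG_VER_BOOT}
		mv ${SIG_BIN} ${SIG_BOOT}

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_BOOT}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}"
				exit 1
			fi
		fi

		# host check signature
		# With --no-check nothing on the host confirms that the signature
		# verifies against the key in u-boot.dtb.
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			${CHECK_SIGN} -f "${ITB_BOOT}" -k ${UBOOT_DTB}
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
			else
				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
			fi
		else
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
		fi
		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
	fi

	mv "${ITS_BOOT}" "${FIT_DIR}"
}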
445
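# Build ${ITB_RECOVERY} from an existing recovery image (--recovery_img is
# required; it is unpacked with ${FIT_UNPACK}).
#
# Signed build (ARG_SIGN=y): require the key files and CONFIG_FIT_SIGNATURE=y,
# patch load addresses / arch / rollback-index in the .its, sign with mkimage
# (public key goes into ${UBOOT_DTB}), read back rollback-index, verify on the
# host unless --no-check was given, then zero / remove key node contents in
# ${UBOOT_DTB}.
#
# Test operands and fixed paths are quoted, so the emptiness checks no longer
# depend on how "[" treats a missing operand; awk prints values through an
# explicit "%s" format instead of using file content as the format string.
#
# Globals written: ITS_RECOVERY, ARG_ROLLBACK_PROTECT, COMMON_FILE, FDT_ADDR_R,
#                  KERNEL_ADDR_R, RMADISK_ADDR_R, VERSION
# Returns: exits 1 on any failed precondition or read-back check
function fit_gen_recovery_itb()
{
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		echo "ERROR: No recovery.img"
		exit 1
	fi

	${FIT_UNPACK} -f "${ARG_RECOVERY_IMG}" -o "${FIT_DIR}/unpack"
	ITS_RECOVERY="${FIT_DIR}/unpack/image.its"

	if [ "${ARG_SIGN}" != "y" ]; then
		${MKIMAGE} -f "${ITS_RECOVERY}" -E -p ${OFFS_DATA} "${ITB_RECOVERY}" -v ${ARG_VER_RECOVERY}
	else
		if [ ! -f "${RSA_PRI_KEY}" ]; then
			echo "ERROR: No ${RSA_PRI_KEY}"
			exit 1
		elif [ ! -f "${RSA_PUB_KEY}" ]; then
			echo "ERROR: No ${RSA_PUB_KEY}"
			exit 1
		fi

		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
			exit 1
		fi

		# rollback-index is mandatory once rollback protection is configured
		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
			ARG_ROLLBACK_PROTECT="y"
			if [ -z "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: No arg \"--rollback-index-recovery <n>\""
				exit 1
			fi
		fi

		# fixup: replace the placeholder load addresses with the values from
		# the board's *_common.h (text between '=' and the next backslash)
		COMMON_FILE=$(sed -n "/_common.h/p" "${CHIP_FILE}" | awk '{ print $1 }')
		FDT_ADDR_R=$(awk /fdt_addr_r/         ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
		KERNEL_ADDR_R=$(awk /kernel_addr_r/   ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
		RMADISK_ADDR_R=$(awk /ramdisk_addr_r/ ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }')
		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         "${ITS_RECOVERY}"
		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   "${ITS_RECOVERY}"
		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" "${ITS_RECOVERY}"
		if grep -q '^CONFIG_ARM64=y' .config ; then
			sed -i 's/arch = "arm";/arch = "arm64";/g' "${ITS_RECOVERY}"
		fi

		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(grep 'rollback-index' "${ITS_RECOVERY}" | awk -F '=' '{ printf "%s", $2 }' | tr -d ' ')
			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" "${ITS_RECOVERY}"
		fi

		# sign; the public key is written into u-boot.dtb
		${MKIMAGE} -f "${ITS_RECOVERY}" -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r "${ITB_RECOVERY}" -v ${ARG_VER_RECOVERY}
		mv ${SIG_BIN} ${SIG_RECOVERY}

		# rollback-index read back check
		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
			VERSION=$(fdtget -ti "${ITB_RECOVERY}" /configurations/conf rollback-index)
			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
				echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}"
				exit 1
			fi
		fi

		# host check signature
		# With --no-check nothing on the host confirms that the signature
		# verifies against the key in u-boot.dtb.
		if [ "${ARG_NO_CHECK}" != "y" ]; then
			${CHECK_SIGN} -f "${ITB_RECOVERY}" -k ${UBOOT_DTB}
		fi

		# minimize u-boot.dtb: clear as 0 but not remove property.
		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
			else
				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
			fi
		else
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
		fi
		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
	fi

	mv "${ITS_RECOVERY}" "${FIT_DIR}"
}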
533
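# Assemble ${IMG_UBOOT} from CONFIG_SPL_FIT_IMAGE_MULTIPLE copies of the FIT
# blob, each padded to CONFIG_SPL_FIT_IMAGE_KB KiB.
# Arguments: $1 - FIT blob to pack (default: ${ITB_UBOOT})
# Globals written: ITB, ITB_MAX_NUM, ITB_MAX_KB, ITB_MAX_BS, ITB_BS
# Returns: exits 1 when the blob is missing, exceeds the per-copy limit, or
#          the two config values are not decimal numbers
#
# The config values are taken from the anchored "CONFIG_...=" lines only and
# validated before they reach arithmetic; the blob size comes from "wc -c"
# rather than from parsing "ls -l" output.
function fit_gen_uboot_img()
{
	local i

	ITB=${1:-${ITB_UBOOT}}

	ITB_MAX_NUM=$(sed -n 's/^CONFIG_SPL_FIT_IMAGE_MULTIPLE=//p' .config)
	ITB_MAX_KB=$(sed -n 's/^CONFIG_SPL_FIT_IMAGE_KB=//p' .config)
	case "${ITB_MAX_NUM}" in
		''|*[!0-9]*)
			echo "ERROR: invalid CONFIG_SPL_FIT_IMAGE_MULTIPLE in .config"
			exit 1
			;;
	esac
	case "${ITB_MAX_KB}" in
		''|*[!0-9]*)
			echo "ERROR: invalid CONFIG_SPL_FIT_IMAGE_KB in .config"
			exit 1
			;;
	esac
	ITB_MAX_BS=$((ITB_MAX_KB * 1024))

	if [ ! -f "${ITB}" ]; then
		echo "ERROR: No ${ITB}"
		exit 1
	fi
	# arithmetic expansion strips the padding some wc implementations add
	ITB_BS=$(($(wc -c < "${ITB}")))

	if [ "${ITB_BS}" -gt "${ITB_MAX_BS}" ]; then
		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
		exit 1
	fi

	rm -f "${IMG_UBOOT}"
	for ((i = 0; i < ITB_MAX_NUM; i++)); do
		cat "${ITB}" >> "${IMG_UBOOT}"
		# round the file size up to the next multiple of ITB_MAX_KB KiB
		truncate -s "%${ITB_MAX_KB}K" "${IMG_UBOOT}"
	done
}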
559
# Copy the boot FIT blob to ${IMG_BOOT}.
# Arguments: $1 - blob to copy (default: ${ITB_BOOT})
# Globals written: ITB
function fit_gen_boot_img()
{
	ITB=${1:-${ITB_BOOT}}

	# nothing to copy when the source already is the final image
	[ "${ITB}" == "${IMG_BOOT}" ] || cp -f "${ITB}" "${IMG_BOOT}"
}
572
# Copy the recovery FIT blob to ${IMG_RECOVERY}.
# Arguments: $1 - blob to copy (default: ${ITB_RECOVERY})
# Globals written: ITB
function fit_gen_recovery_img()
{
	ITB=${1:-${ITB_RECOVERY}}

	# nothing to copy when the source already is the final image
	[ "${ITB}" == "${IMG_RECOVERY}" ] || cp -f "${ITB}" "${IMG_RECOVERY}"
}
585
# Run rk_sign_tool on the packed loader when CONFIG_FIT_SIGNATURE=y; do
# nothing otherwise.
# Globals: RK_SIGN_TOOL (read), ARG_CHIP (read)
#
# The key paths are hard-coded here (./keys/dev.key, ./keys/dev.pubkey) and
# are not taken from RSA_PRI_KEY / RSA_PUB_KEY; unlike the *_itb functions,
# nothing checks that they exist before the tool is called.
# NOTE(review): "cc" and "sl" look like "configure chip" and "sign loader" --
# confirm against the rk_sign_tool documentation.
function fit_gen_loader()
{
	local chip

	grep -Eq '^CONFIG_FIT_SIGNATURE=y' .config || return 0

	# six characters of --chip, starting at offset 2
	chip=${ARG_CHIP:2:6}
	${RK_SIGN_TOOL} cc --chip ${chip}
	${RK_SIGN_TOOL} sl --key ./keys/dev.key --pubkey ./keys/dev.pubkey --loader *_loader_*.bin
}
593
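# Print the one-line summary for ${IMG_UBOOT}.
# Globals read:    ARG_SIGN, ARG_SPL_ROLLBACK_PROTECT, ARG_ROLLBACK_IDX_UBOOT,
#                  ITB_UBOOT, IMG_UBOOT
# Globals written: MSG_SIGN, MSG_VER, VERSION
#
# MSG_VER is cleared first: it is shared by all fit_msg_* functions, so a
# value left by an earlier call (or inherited from the environment) would
# otherwise be printed for an image that has no version property.
function fit_msg_uboot()
{
	if [ "${ARG_SIGN}" == "y" ]; then
		MSG_SIGN="signed"
	else
		MSG_SIGN="no-signed"
	fi

	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_UBOOT}" / version)
	if [ -n "${VERSION}" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}):  ${IMG_UBOOT} (with uboot, trust...) is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}):  ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
	fi
}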
613
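# Print the one-line summary for ${IMG_BOOT}; silent when no --boot_img was
# given.
# Globals read:    ARG_BOOT_IMG, ARG_SIGN, ARG_ROLLBACK_PROTECT,
#                  ARG_ROLLBACK_IDX_BOOT, ITB_BOOT, IMG_BOOT
# Globals written: MSG_SIGN, MSG_VER, VERSION
#
# MSG_VER is cleared first: it is shared by all fit_msg_* functions, so the
# version printed for a previous image would otherwise be repeated here when
# this image has no version property.
function fit_msg_boot()
{
	if [ -z "${ARG_BOOT_IMG}" ]; then
		return
	fi

	if [ "${ARG_SIGN}" == "y" ]; then
		MSG_SIGN="signed"
	else
		MSG_SIGN="no-signed"
	fi

	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_BOOT}" / version)
	if [ -n "${VERSION}" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}):  ${IMG_BOOT} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}):  ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
	fi
}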
637
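# Print the one-line summary for ${IMG_RECOVERY}; silent when no
# --recovery_img was given.
# Globals read:    ARG_RECOVERY_IMG, ARG_SIGN, ARG_ROLLBACK_PROTECT,
#                  ARG_ROLLBACK_IDX_RECOVERY, ITB_RECOVERY, IMG_RECOVERY
# Globals written: MSG_SIGN, MSG_VER, VERSION
#
# MSG_VER is cleared first: it is shared by all fit_msg_* functions, so the
# version printed for a previous image would otherwise be repeated here when
# this image has no version property.
function fit_msg_recovery()
{
	if [ -z "${ARG_RECOVERY_IMG}" ]; then
		return
	fi

	if [ "${ARG_SIGN}" == "y" ]; then
		MSG_SIGN="signed"
	else
		MSG_SIGN="no-signed"
	fi

	MSG_VER=""
	VERSION=$(fdtget -ti "${ITB_RECOVERY}" / version)
	if [ -n "${VERSION}" ]; then
		MSG_VER=", version=${VERSION}"
	fi

	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}):  ${IMG_RECOVERY} is ready"
	else
		echo "Image(${MSG_SIGN}${MSG_VER}):  ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
	fi
}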
661
# Print the one-line summary for the packed loader binary found in the
# current directory.
# Globals written: LOADER
# The signed / no-signed label reflects CONFIG_FIT_SIGNATURE in .config only;
# it is not derived from the loader file itself.
function fit_msg_loader()
{
	local state="no-signed"

	LOADER=$(ls *loader*.bin)

	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
		state="signed"
	fi

	echo "Image(${state}):  ${LOADER} (with spl, ddr, usbplug) is ready"
}
672
# Entry point.
# NOTE(review): the unquoted $* re-splits the arguments on whitespace, so a
# path containing spaces cannot be passed to this script.
fit_process_args $*

if [ -z "${ARG_VALIDATE}" ]; then
	# Normal run: build every requested image, then print the summary.
	fit_raw_compile

	if [ -n "${ARG_RECOVERY_IMG}" ]; then
		fit_gen_recovery_itb
		fit_gen_recovery_img
	fi

	# "--boot_img_dir" is for U-Boot debug only
	if [ -n "${ARG_BOOT_IMG}" ] || [ -n "${ARG_BOOT_IMG_DIR}" ]; then
		fit_gen_boot_itb
		fit_gen_boot_img
	fi

	# uboot goes last: it reuses the key that signing boot/recovery may already
	# have placed in u-boot.dtb
	fit_gen_uboot_itb
	fit_gen_uboot_img
	fit_gen_loader

	echo
	fit_msg_uboot
	fit_msg_recovery
	fit_msg_boot
	fit_msg_loader
else
	# "--args <option>": only classify the option and print the result
	validate_arg ${ARG_VALIDATE}
fi
698