xref: /rk3399_rockchip-uboot/scripts/fit.sh (revision 7c7eb7613f9522c26eb156f50a2f47b4d4cf84b4) 
1#!/bin/bash
2#
3# Copyright (c) 2020 Fuzhou Rockchip Electronics Co., Ltd
4#
5# SPDX-License-Identifier: GPL-2.0
6#
7set -e
8
9FIT_DIR="fit"
10IMG_UBOOT="uboot.img"
11IMG_BOOT="boot.img"
12IMG_RECOVERY="recovery.img"
13ITB_UBOOT="${FIT_DIR}/uboot.itb"
14ITB_BOOT="${FIT_DIR}/boot.itb"
15ITB_RECOVERY="${FIT_DIR}/recovery.itb"
16SIG_BIN="data2sign.bin"
17SIG_UBOOT="${FIT_DIR}/uboot.data2sign"
18SIG_BOOT="${FIT_DIR}/boot.data2sign"
19SIG_RECOVERY="${FIT_DIR}/recovery.data2sign"
20# offs
21OFFS_DATA="0xE00"
22# file
23CHIP_FILE="arch/arm/lib/.asm-offsets.s.cmd"
24# placeholder address
25FDT_ADDR_PLACEHOLDER="0xffffff00"
26KERNEL_ADDR_PLACEHOLDER="0xffffff01"
27RAMDISK_ADDR_PLACEHOLDER="0xffffff02"
28# tools
29MKIMAGE="./tools/mkimage"
30FIT_UNPACK="./scripts/fit-unpack.sh"
31CHECK_SIGN="./tools/fit_check_sign"
32# key
33KEY_DIR="keys/"
34RSA_PRI_KEY="keys/dev.key"
35RSA_PUB_KEY="keys/dev.crt"
36SIGNATURE_KEY_NODE="/signature/key-dev"
37SPL_DTB="spl/u-boot-spl.dtb"
38UBOOT_DTB="u-boot.dtb"
39# its
40ITS_UBOOT="u-boot.its"
41ITS_BOOT="boot.its"
42ITS_RECOVERY="recovery.its"
43ARG_VER_UBOOT="0"
44ARG_VER_BOOT="0"
45ARG_VER_RECOVERY="0"
46
47function help()
48{
49	echo
50	echo "usage:"
51	echo "    $0 [args]"
52	echo
53	echo "args:"
54	echo "    --rollback-index-recovery  <decimal integer>"
55	echo "    --rollback-index-boot      <decimal integer>"
56	echo "    --rollback-index-uboot     <decimal integer>"
57	echo "    --version-recovery         <decimal integer>"
58	echo "    --version-boot             <decimal integer>"
59	echo "    --version-uboot            <decimal integer>"
60	echo "    --boot_img                 <boot image>"
61	echo "    --recovery_img             <recovery image>"
62	echo "    --args                     <arg>"
63	echo "    --ini-loader               <loader ini file>"
64	echo "    --ini-trust                <trust ini file>"
65	echo "    --no-check"
66	echo "    --spl-new"
67	echo
68}
69
70function arg_check_decimal()
71{
72	if [ -z $1 ]; then
73		help
74		exit 1
75	fi
76
77	decimal=`echo $1 |sed 's/[0-9]//g'`
78	if [ ! -z ${decimal} ]; then
79		echo "ERROR: $1 is not decimal integer"
80		help
81		exit 1
82	fi
83}
84
85function check_its()
86{
87	cat $1 | while read line
88	do
89		file=`echo ${line} | sed -n "/incbin/p" | awk -F '"' '{ printf $2 }' | tr -d ' '`
90		if [ ! -f ${file} ]; then
91			echo "ERROR: No ${file}"
92			exit 1
93		fi
94	done
95}
96
97function validate_arg()
98{
99	case $1 in
100		--no-check|--spl-new|--burn-key-hash)
101			shift=1
102			;;
103		--ini-trust|--ini-loader|--rollback-index-boot|--rollback-index-recovery|--rollback-index-uboot|--boot_img|--recovery_img|--version-uboot|--version-boot|--version-recovery)
104			shift=2
105			;;
106		*)
107			shift=0
108			;;
109	esac
110	echo ${shift}
111}
112
113function fit_process_args()
114{
115	if [ $# -eq 0 ]; then
116		help
117		exit 0
118	fi
119
120	while [ $# -gt 0 ]; do
121		case $1 in
122			--args)
123				ARG_VALIDATE=$2
124				shift 2
125				;;
126			--boot_img)     # boot.img
127				ARG_BOOT_IMG=$2
128				shift 2
129				;;
130			--recovery_img) # recovery.img
131				ARG_RECOVERY_IMG=$2
132				shift 2
133				;;
134			--boot_img_dir) # boot.img components directory
135				ARG_BOOT_IMG_DIR=$2
136				shift 2
137				;;
138			--no-check)     # No hostcc fit signature check
139				ARG_NO_CHECK="y"
140				shift 1
141				;;
142			--ini-trust)    # Assign trust ini file
143				ARG_INI_TRUST=$2
144				shift 2
145				;;
146			--ini-loader)   # Assign loader ini file
147				ARG_INI_LOADER=$2
148				shift 2
149				;;
150			--spl-new)      # Use current build u-boot-spl.bin to pack loader
151				ARG_SPL_NEW="y"
152				shift 1
153				;;
154			--rollback-index-boot)
155				ARG_ROLLBACK_IDX_BOOT=$2
156				arg_check_decimal $2
157				shift 2
158				;;
159			--rollback-index-recovery)
160				ARG_ROLLBACK_IDX_RECOVERY=$2
161				arg_check_decimal $2
162				shift 2
163				;;
164			--rollback-index-uboot)
165				ARG_ROLLBACK_IDX_UBOOT=$2
166				arg_check_decimal $2
167				shift 2
168				;;
169			--version-uboot)
170				ARG_VER_UBOOT=$2
171				arg_check_decimal $2
172				shift 2
173				;;
174			--version-boot)
175				ARG_VER_BOOT=$2
176				arg_check_decimal $2
177				shift 2
178				;;
179			--version-recovery)
180				ARG_VER_RECOVERY=$2
181				arg_check_decimal $2
182				shift 2
183				;;
184			--burn-key-hash)
185				ARG_BURN_KEY_HASH="y"
186				shift 1
187				;;
188			*)
189				help
190				exit 1
191				;;
192		esac
193	done
194
195	if grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
196		ARG_SIGN="y"
197	fi
198}
199
200function fit_raw_compile()
201{
202	# Verified-boot: should rebuild code but don't need to repack images.
203	if [ "${ARG_SIGN}" == "y" ]; then
204		./make.sh --raw-compile
205	fi
206	rm ${FIT_DIR} -rf && mkdir -p ${FIT_DIR}
207}
208
209function fit_gen_uboot_itb()
210{
211	# generate u-boot.its file
212	./make.sh itb ${ARG_INI_TRUST}
213
214	# check existance of file in its
215	check_its ${ITS_UBOOT}
216
217	if [ "${ARG_SIGN}" != "y" ]; then
218		${MKIMAGE} -f ${ITS_UBOOT} -E -p ${OFFS_DATA} ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
219		if [ "${ARG_SPL_NEW}" == "y" ]; then
220			./make.sh --spl ${ARG_INI_LOADER}
221			echo "pack loader with new: spl/u-boot-spl.bin"
222		else
223			./make.sh loader ${ARG_INI_LOADER}
224		fi
225	else
226		if [ ! -f ${RSA_PRI_KEY} ]; then
227			echo "ERROR: No ${RSA_PRI_KEY} "
228			exit 1
229		elif [ ! -f ${RSA_PUB_KEY} ]; then
230			echo "ERROR: No ${RSA_PUB_KEY} "
231			exit 1
232		fi
233
234		if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' .config ; then
235			echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
236			exit 1
237		fi
238
239		# rollback-index
240		if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' .config ; then
241			ARG_SPL_ROLLBACK_PROTECT="y"
242			if [ -z ${ARG_ROLLBACK_IDX_UBOOT} ]; then
243				echo "ERROR: No arg \"--rollback-index-uboot <n>\""
244				exit 1
245			fi
246		fi
247
248		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
249			VERSION=`grep 'rollback-index' ${ITS_UBOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '`
250			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" ${ITS_UBOOT}
251		fi
252
253		# Generally, boot.img is signed before uboot.img, so the ras key can be found
254		# in u-boot.dtb. If not found, let's insert rsa key anyway.
255		if ! fdtget -l ${UBOOT_DTB} /signature >/dev/null 2>&1 ; then
256			${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
257			echo "## Adding RSA public key into ${UBOOT_DTB}"
258		fi
259
260		# Pack
261		${MKIMAGE} -f ${ITS_UBOOT} -k ${KEY_DIR} -K ${SPL_DTB} -E -p ${OFFS_DATA} -r ${ITB_UBOOT} -v ${ARG_VER_UBOOT}
262		mv ${SIG_BIN} ${SIG_UBOOT}
263
264		# burn-key-hash
265		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
266			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash 0x1
267		fi
268
269		# rollback-index read back check
270		if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
271			VERSION=`fdtget -ti ${ITB_UBOOT} /configurations/conf rollback-index`
272			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
273				echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}";
274				exit 1
275			fi
276		fi
277
278		# burn-key-hash read back check
279		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
280			if [ "`fdtget -ti ${SPL_DTB} ${SIGNATURE_KEY_NODE} burn-key-hash`" != "1" ]; then
281				echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}";
282				exit 1
283			fi
284		fi
285
286		# host check signature
287		if [ "${ARG_NO_CHECK}" != "y" ]; then
288			if [ "${ARG_SPL_NEW}" == "y" ]; then
289				 ${CHECK_SIGN} -f ${ITB_UBOOT} -k ${SPL_DTB} -s
290			else
291				spl_file="../rkbin/"`sed -n "/FlashBoot=/s/FlashBoot=//p" ${ARG_INI_LOADER}  |tr -d '\r'`
292				offs=`fdtdump -s ${spl_file} | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " "`
293				if [ -z ${offs}  ]; then
294					echo "ERROR: invalid ${spl_file} , unable to find fdt blob"
295				fi
296				offs=`printf %d ${offs} ` # hex -> dec
297				dd if=${spl_file} of=spl/u-boot-spl-old.dtb bs=${offs} skip=1 >/dev/null 2>&1
298				${CHECK_SIGN} -f ${ITB_UBOOT} -k spl/u-boot-spl-old.dtb -s
299			fi
300		fi
301
302		# minimize u-boot-spl.dtb: clear as 0 but not remove property.
303		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' .config ; then
304			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
305			if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' .config ; then
306				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
307				fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
308			else
309				fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
310				fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
311			fi
312		else
313			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
314			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
315			fdtput -tx ${SPL_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
316			fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@c
317			fdtput -r ${SPL_DTB} ${SIGNATURE_KEY_NODE}/hash@np
318		fi
319
320		# repack spl
321		rm -f *_loader_*.bin
322		if [ "${ARG_SPL_NEW}" == "y" ]; then
323			cat spl/u-boot-spl-nodtb.bin > spl/u-boot-spl.bin
324			if ! grep -q '^CONFIG_SPL_SEPARATE_BSS=y' .config ; then
325				cat spl/u-boot-spl-pad.bin >> spl/u-boot-spl.bin
326			fi
327			cat ${SPL_DTB} >> spl/u-boot-spl.bin
328
329			./make.sh --spl ${ARG_INI_LOADER}
330			echo "## pack loader with new: spl/u-boot-spl.bin"
331		else
332			./make.sh loader ${ARG_INI_LOADER}
333		fi
334
335		if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
336			echo "## ${SPL_DTB}: burn-key-hash=1"
337		fi
338	fi
339
340	rm -f u-boot.itb u-boot.img u-boot-dtb.img
341	mv ${ITS_UBOOT} ${FIT_DIR}
342}
343
344function fit_gen_boot_itb()
345{
346	if [ ! -z ${ARG_BOOT_IMG} ]; then
347		${FIT_UNPACK} -f ${ARG_BOOT_IMG} -o ${FIT_DIR}/unpack
348		ITS_BOOT="${FIT_DIR}/unpack/image.its"
349	else
350		compression=`awk -F"," '/COMPRESSION=/  { printf $1 }' ${ARG_INI_TRUST} | tr -d ' ' | cut -c 13-`
351		if [ -z "${compression}" ]; then
352			compression="none"
353		fi
354		./arch/arm/mach-rockchip/make_fit_boot.sh -c ${compression} > ${ITS_BOOT}
355		check_its ${ITS_BOOT}
356	fi
357
358	if [ "${ARG_SIGN}" != "y" ]; then
359		${MKIMAGE} -f ${ITS_BOOT} -E -p ${OFFS_DATA} ${ITB_BOOT} -v ${ARG_VER_BOOT}
360	else
361		if [ ! -f ${RSA_PRI_KEY}  ]; then
362			echo "ERROR: No ${RSA_PRI_KEY}"
363			exit 1
364		elif [ ! -f ${RSA_PUB_KEY}  ]; then
365			echo "ERROR: No ${RSA_PUB_KEY}"
366			exit 1
367		fi
368
369		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
370			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
371			exit 1
372		fi
373
374		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
375			ARG_ROLLBACK_PROTECT="y"
376			if [ -z ${ARG_ROLLBACK_IDX_BOOT} ]; then
377				echo "ERROR: No arg \"--rollback-index-boot <n>\""
378				exit 1
379			fi
380		fi
381
382		# fixup
383		COMMON_FILE=`sed -n "/_common.h/p" ${CHIP_FILE} | awk '{ print $1 }'`
384		FDT_ADDR_R=`awk /fdt_addr_r/         ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'`
385		KERNEL_ADDR_R=`awk /kernel_addr_r/   ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'`
386		RMADISK_ADDR_R=`awk /ramdisk_addr_r/ ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'`
387		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         ${ITS_BOOT}
388		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   ${ITS_BOOT}
389		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_BOOT}
390		if grep -q '^CONFIG_ARM64=y' .config ; then
391			sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_BOOT}
392		fi
393
394		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
395			VERSION=`grep 'rollback-index' ${ITS_BOOT} | awk -F '=' '{ printf $2 }' | tr -d ' '`
396			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_BOOT}>;/g" ${ITS_BOOT}
397		fi
398
399		${MKIMAGE} -f ${ITS_BOOT} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_BOOT} -v ${ARG_VER_BOOT}
400		mv ${SIG_BIN} ${SIG_BOOT}
401
402		# rollback-index read back check
403		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
404			VERSION=`fdtget -ti ${ITB_BOOT} /configurations/conf rollback-index`
405			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_BOOT}" ]; then
406				echo "ERROR: Failed to set rollback-index for ${ITB_BOOT}";
407				exit 1
408			fi
409		fi
410
411		# host check signature
412		if [ "${ARG_NO_CHECK}" != "y" ]; then
413			 ${CHECK_SIGN} -f ${ITB_BOOT} -k ${UBOOT_DTB}
414		fi
415
416		# minimize u-boot.dtb: clearn as 0 but not remove property.
417		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
418			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
419			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
420				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
421			else
422				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
423			fi
424		else
425			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
426			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
427			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
428		fi
429		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
430		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
431	fi
432
433	mv ${ITS_BOOT} ${FIT_DIR}
434}
435
436function fit_gen_recovery_itb()
437{
438	if [ ! -z ${ARG_RECOVERY_IMG} ]; then
439		${FIT_UNPACK} -f ${ARG_RECOVERY_IMG} -o ${FIT_DIR}/unpack
440		ITS_RECOVERY="${FIT_DIR}/unpack/image.its"
441	else
442		echo "ERROR: No recovery.img"
443		exit 1
444	fi
445
446	if [ "${ARG_SIGN}" != "y" ]; then
447		${MKIMAGE} -f ${ITS_RECOVERY} -E -p ${OFFS_DATA} ${ITB_RECOVERY} -v ${ARG_VER_RECOVERY}
448	else
449		if [ ! -f ${RSA_PRI_KEY}  ]; then
450			echo "ERROR: No ${RSA_PRI_KEY}"
451			exit 1
452		elif [ ! -f ${RSA_PUB_KEY}  ]; then
453			echo "ERROR: No ${RSA_PUB_KEY}"
454			exit 1
455		fi
456
457		if ! grep -q '^CONFIG_FIT_SIGNATURE=y' .config ; then
458			echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
459			exit 1
460		fi
461
462		if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' .config ; then
463			ARG_ROLLBACK_PROTECT="y"
464			if [ -z ${ARG_ROLLBACK_IDX_RECOVERY} ]; then
465				echo "ERROR: No arg \"--rollback-index-recovery <n>\""
466				exit 1
467			fi
468		fi
469
470		# fixup
471		COMMON_FILE=`sed -n "/_common.h/p" ${CHIP_FILE} | awk '{ print $1 }'`
472		FDT_ADDR_R=`awk /fdt_addr_r/         ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'`
473		KERNEL_ADDR_R=`awk /kernel_addr_r/   ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'`
474		RMADISK_ADDR_R=`awk /ramdisk_addr_r/ ${COMMON_FILE} | awk -F '=' '{ print $2 }' | awk -F '\\' '{ print $1 }'`
475		sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         ${ITS_RECOVERY}
476		sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   ${ITS_RECOVERY}
477		sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RMADISK_ADDR_R}/g" ${ITS_RECOVERY}
478		if grep -q '^CONFIG_ARM64=y' .config ; then
479			sed -i 's/arch = "arm";/arch = "arm64";/g' ${ITS_RECOVERY}
480		fi
481
482		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
483			VERSION=`grep 'rollback-index' ${ITS_RECOVERY} | awk -F '=' '{ printf $2 }' | tr -d ' '`
484			sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_RECOVERY}>;/g" ${ITS_RECOVERY}
485		fi
486
487		${MKIMAGE} -f ${ITS_RECOVERY} -k ${KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_RECOVERY} -v ${ARG_VER_RECOVERY}
488		mv ${SIG_BIN} ${SIG_RECOVERY}
489
490		# rollback-index read back check
491		if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
492			VERSION=`fdtget -ti ${ITB_RECOVERY} /configurations/conf rollback-index`
493			if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_RECOVERY}" ]; then
494				echo "ERROR: Failed to set rollback-index for ${ITB_RECOVERY}";
495				exit 1
496			fi
497		fi
498
499		# host check signature
500		if [ "${ARG_NO_CHECK}" != "y" ]; then
501			 ${CHECK_SIGN} -f ${ITB_RECOVERY} -k ${UBOOT_DTB}
502		fi
503
504		# minimize u-boot.dtb: clearn as 0 but not remove property.
505		if grep -q '^CONFIG_FIT_HW_CRYPTO=y' .config ; then
506			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
507			if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' .config ; then
508				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
509			else
510				fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
511			fi
512		else
513			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
514			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
515			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
516		fi
517		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
518		fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np
519	fi
520
521	mv ${ITS_RECOVERY} ${FIT_DIR}
522}
523
524function fit_gen_uboot_img()
525{
526	ITB=$1
527
528	if [ -z ${ITB} ]; then
529		ITB=${ITB_UBOOT}
530	fi
531
532	ITB_MAX_NUM=`sed -n "/SPL_FIT_IMAGE_MULTIPLE/p" .config | awk -F "=" '{ print $2 }'`
533	ITB_MAX_KB=`sed  -n "/SPL_FIT_IMAGE_KB/p" .config | awk -F "=" '{ print $2 }'`
534	ITB_MAX_BS=$((ITB_MAX_KB*1024))
535	ITB_BS=`ls -l ${ITB} | awk '{ print $5 }'`
536
537	if [ ${ITB_BS} -gt ${ITB_MAX_BS} ]; then
538		echo "ERROR: pack ${IMG_UBOOT} failed! ${ITB} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
539		exit 1
540	fi
541
542	rm -f ${IMG_UBOOT}
543	for ((i = 0; i < ${ITB_MAX_NUM}; i++));
544	do
545		cat ${ITB} >> ${IMG_UBOOT}
546		truncate -s %${ITB_MAX_KB}K ${IMG_UBOOT}
547	done
548}
549
550function fit_gen_boot_img()
551{
552	ITB=$1
553
554	if [ -z ${ITB} ]; then
555		ITB=${ITB_BOOT}
556	fi
557
558	if [ "${ITB}" != "${IMG_BOOT}" ]; then
559		cp ${ITB} ${IMG_BOOT} -f
560	fi
561}
562
563function fit_gen_recovery_img()
564{
565	ITB=$1
566
567	if [ -z ${ITB} ]; then
568		ITB=${ITB_RECOVERY}
569	fi
570
571	if [ "${ITB}" != "${IMG_RECOVERY}" ]; then
572		cp ${ITB} ${IMG_RECOVERY} -f
573	fi
574}
575
576function fit_msg_uboot()
577{
578	if [ "${ARG_SIGN}" != "y" ]; then
579		MSG_SIGN="no-signed"
580	else
581		MSG_SIGN="signed"
582	fi
583
584	VERSION=`fdtget -ti ${ITB_UBOOT} / version`
585	if [ "${VERSION}" != "" ]; then
586		MSG_VER=", version=${VERSION}"
587	fi
588
589	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
590		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT}):  ${IMG_UBOOT} (with uboot, trust...) is ready"
591	else
592		echo "Image(${MSG_SIGN}${MSG_VER}):  ${IMG_UBOOT} (FIT with uboot, trust...) is ready"
593	fi
594}
595
596function fit_msg_boot()
597{
598	if [ -z "${ARG_BOOT_IMG}" ]; then
599		return;
600	fi
601
602	if [ "${ARG_SIGN}" != "y" ]; then
603		MSG_SIGN="no-signed"
604	else
605		MSG_SIGN="signed"
606	fi
607
608	VERSION=`fdtget -ti ${ITB_BOOT} / version`
609	if [ "${VERSION}" != "" ]; then
610		MSG_VER=", version=${VERSION}"
611	fi
612
613	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
614		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_BOOT}):  ${IMG_BOOT} is ready"
615	else
616		echo "Image(${MSG_SIGN}${MSG_VER}):  ${IMG_BOOT} (FIT with kernel, fdt, resource...) is ready"
617	fi
618}
619
620function fit_msg_recovery()
621{
622	if [ -z "${ARG_RECOVERY_IMG}" ]; then
623		return;
624	fi
625
626	if [ "${ARG_SIGN}" != "y" ]; then
627		MSG_SIGN="no-signed"
628	else
629		MSG_SIGN="signed"
630	fi
631
632	VERSION=`fdtget -ti ${ITB_RECOVERY} / version`
633	if [ "${VERSION}" != "" ]; then
634		MSG_VER=", version=${VERSION}"
635	fi
636
637	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
638		echo "Image(${MSG_SIGN}${MSG_VER}, rollback-index=${ARG_ROLLBACK_IDX_RECOVERY}):  ${IMG_RECOVERY} is ready"
639	else
640		echo "Image(${MSG_SIGN}${MSG_VER}):  ${IMG_RECOVERY} (FIT with kernel, fdt, resource...) is ready"
641	fi
642}
643
644function fit_msg_loader()
645{
646	LOADER=`ls *loader*.bin`
647	echo "Image(no-signed):  ${LOADER} (with spl, ddr, usbplug) is ready"
648}
649
650fit_process_args $*
651
652if [ ! -z "${ARG_VALIDATE}" ]; then
653	validate_arg ${ARG_VALIDATE}
654else
655	fit_raw_compile
656	if [ ! -z "${ARG_RECOVERY_IMG}" ]; then
657		fit_gen_recovery_itb
658		fit_gen_recovery_img
659	fi
660	# "--boot_img_dir" is for U-Boot debug only
661	if [ ! -z "${ARG_BOOT_IMG}" -o ! -z "${ARG_BOOT_IMG_DIR}" ]; then
662		fit_gen_boot_itb
663		fit_gen_boot_img
664	fi
665	fit_gen_uboot_itb
666	fit_gen_uboot_img
667
668	echo
669	fit_msg_uboot
670	fit_msg_recovery
671	fit_msg_boot
672	fit_msg_loader
673fi
674