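#!/bin/bash
#
# Copyright (c) 2024 Rockchip Electronics Co., Ltd
#
# SPDX-License-Identifier: GPL-2.0
#
# fit-sign.sh: re-sign a Rockchip loader / uboot.img / FIT images with the
# developer RSA key. Usage and arguments are printed by help() below.
set -e

# Scratch layout: everything is staged under SIGN_DIR in the current
# working directory and removed again by finish().
SIGN_DIR=".fit_sign"
SIGN_OUTPUT="${SIGN_DIR}/output"
UNPACK_UBOOT="${SIGN_DIR}/unpack_uboot"
UNPACK_LOADER="${SIGN_DIR}/unpack_loader"
# Directory holding this script; the helper tools live beside it. Quoted
# so a checkout path containing spaces resolves, and `&&` makes a failing
# `cd` abort (set -e) instead of silently yielding the caller's cwd.
TOOLS=$(cd "$(dirname "$0")" && pwd)
# tools
TOOL_MKIMAGE=${TOOLS}/mkimage
TOOL_FIT_UNPACK=${TOOLS}/fit-unpack.sh
TOOL_FIT_CHECK_SIGN=${TOOLS}/fit_check_sign
TOOL_RK_SIGN=${TOOLS}/rk_sign_tool
TOOL_BOOT_MERGER=${TOOLS}/boot_merger
# offset: passed to mkimage -p (external data offset) for every FIT
OFFS_DATA=0x1200
# placeholder address: literal values in the .its that sign_fit() replaces
# with fdt_addr_r / kernel_addr_r / ramdisk_addr_r from the config
FDT_ADDR_PLACEHOLDER="0xffffff00"
KERNEL_ADDR_PLACEHOLDER="0xffffff01"
RAMDISK_ADDR_PLACEHOLDER="0xffffff02"
# key: dtb node that receives the public key and gets minimized afterwards
SIGNATURE_KEY_NODE="/signature/key-dev"
# dtb
SPL_DTB="${UNPACK_LOADER}/u-boot-spl.dtb"
UBOOT_DTB="${UNPACK_UBOOT}/fdt"
UBOOT_DTB_ORIG="${UNPACK_UBOOT}/fdt_orig"
# uboot
ITS_UBOOT="${UNPACK_UBOOT}/image.its"
ITB_UBOOT="${UNPACK_UBOOT}/image.itb"
IMG_UBOOT="${SIGN_OUTPUT}/uboot.img"
# rollback & version: maps keyed by image name without ".img",
# filled by process_args() from --rollback-index / --version
declare -A ROLLBACK_PARAMS
declare -A VERSION_PARAMS

# All required tools (expected next to this script):
#
#    ├── boot_merger
#    ├── fit_check_sign
#    ├── fit-unpack.sh
#    ├── mkimage
#    ├── rk_sign_tool
#    └── setting.ini
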
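#######################################
# Print the value of the "KEY=value" line(s) matching $1 in file $2.
# Arguments: $1 - key name; used verbatim inside a sed pattern, so it must
#                 not contain regex metacharacters
#            $2 - file to search
# Outputs:   the value(s) with CR and double quotes stripped, one per line
#            (empty when the key is absent)
#######################################
function filt_val()
{
	# The match is not anchored to line start, so any line containing
	# "KEY=" is reported, including a commented-out one.
	sed -n "/${1}=/s/${1}=//p" "$2" | tr -d '\r"'
}
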
#######################################
# Print the usage text.
# Outputs:   usage, argument table and an example on stdout
#######################################
function help()
{
	# The here-doc keeps the column layout readable; $0 is still expanded.
	cat <<EOF

Usage:
    $0 [args]

Args:
    --key-dir                  <dir>                         | Mandatory
    --src-dir                  <dir>                         | Mandatory
    --out-dir                  <dir>                         | Mandatory
    --burn-key-hash                                          | Optional
    --rollback-index           <image1 n1> <image2 n2> ...   | Optional
    --version                  <image1 n1> <image2 n2> ...   | Optional

Example:
    $0 --key-dir keys/ --src-dir src/ --out-dir output/  --version uboot.img 1 boot.img 3  --rollback-index uboot.img 3 boot.img 5

EOF
}

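#######################################
# Abort with usage if $1 is not a non-negative decimal integer.
# Arguments: $1 - value to validate (a rollback index or version number)
# Outputs:   error text and usage on stdout when validation fails
# Returns:   0 when $1 consists only of digits; exits 1 otherwise
#######################################
function arg_check_decimal()
{
	local value=${1:-}

	# An absent or empty value means the option was given without its
	# numeric argument.
	if [ -z "${value}" ]; then
		help
		exit 1
	fi

	# Anything left after stripping the digits is not part of a decimal
	# integer; a sign character is rejected as well (as before). Done
	# with parameter expansion instead of echo|sed, so whitespace in the
	# value is not collapsed before the check.
	if [ -n "${value//[0-9]/}" ]; then
		echo "ERROR: ${value} is not decimal integer"
		help
		exit 1
	fi
}
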
88function process_args()
89{
90	while [ $# -gt 0 ]; do
91		case $1 in
92			--key-dir)
93				ARG_KEY_DIR=$2
94				RSA_PRI_KEY="${ARG_KEY_DIR}/dev.key"
95				RSA_PUB_KEY="${ARG_KEY_DIR}/dev.pubkey"
96				RSA_CRT_KEY="${ARG_KEY_DIR}/dev.crt"
97				check_dir_exist $2
98				check_rsa_keys $2
99				shift 2
100				;;
101			--src-dir)
102				ARG_SRC_DIR=$2
103				check_dir_exist $2
104				SIGN_CFG_DIR="${ARG_SRC_DIR}/fit_signcfg/"
105				SIGN_CONFIG="${ARG_SRC_DIR}/fit_signcfg/sign.readonly_config"
106				shift 2
107				;;
108			--out-dir)
109				ARG_OUTPUT_DIR=$2
110				check_dir_exist $2
111				shift 2
112				;;
113			--rollback-index)
114				shift 1
115				for arg in "$@"; do
116					FILE_NAME="${1%.img}"
117					arg_check_decimal $2
118					ROLLBACK_PARAMS["${FILE_NAME}"]="$2"
119					if [[ $3 == *"--"* || -z $3 ]]; then
120						shift 2
121						break;
122					fi
123					shift 2
124				done
125				;;
126			--version)
127				shift 1
128				for arg in "$@"; do
129					FILE_NAME="${1%.img}"
130					arg_check_decimal $2
131					VERSION_PARAMS["${FILE_NAME}"]="$2"
132					if [[ $3 == *"--"* || -z $3 ]]; then
133						shift 2
134						break;
135					fi
136					shift 2
137				done
138				;;
139			--burn-key-hash)
140				ARG_BURN_KEY_HASH="y"
141				shift 1
142				;;
143			*)
144				help
145				exit 1
146				;;
147		esac
148	done
149
150	if [ -z "${ARG_KEY_DIR}" ] || [ -z "${ARG_SRC_DIR}" ] || [ -z "${ARG_OUTPUT_DIR}" ]; then
151		help
152		exit 1
153	fi
154}
155
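#######################################
# Exit unless $1 is an existing directory.
# Arguments: $1 - directory path
# Outputs:   error text on stdout when the directory is missing
# Returns:   0 on success; exits 1 otherwise
#######################################
function check_dir_exist()
{
	# With an empty $1 the old unquoted `[ ! -d $1 ]` saw a single
	# argument and passed, so an option given without its value slipped
	# through; treat an empty path like a missing directory.
	if [ -z "${1:-}" ] || [ ! -d "$1" ]; then
		echo "ERROR: No ${1:-} directory"
		exit 1
	fi
}
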
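#######################################
# Exit unless $1 is an existing regular file.
# Arguments: $1 - file path
# Outputs:   error text on stdout when the file is missing
# Returns:   0 on success; exits 1 otherwise
#######################################
function check_file_exist()
{
	# Quoted so an empty or space-containing path is checked rather than
	# silently accepted.
	if [ -z "${1:-}" ] || [ ! -f "$1" ]; then
		echo "ERROR: No ${1:-}"
		exit 1
	fi
}
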
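#######################################
# Verify that every /incbin/("<path>") reference in a .its file exists.
# Arguments: $1 - path of the .its file
# Outputs:   error text on stdout for the first missing file
# Returns:   0 when all referenced files exist; exits 1 otherwise
#######################################
function check_its()
{
	local line file

	# Read in the current shell (no `cat |` pipeline) so `exit 1` ends the
	# script itself instead of a pipeline subshell; `-r` keeps backslashes
	# in paths intact.
	while IFS= read -r line || [ -n "${line}" ]; do
		[[ ${line} == *incbin* ]] || continue
		# Path is the first double-quoted field of the incbin line.
		file=$(printf '%s\n' "${line}" | awk -F '"' '{ printf $2 }' | tr -d ' ')
		# An incbin line without a quoted path now fails here too instead
		# of passing through an empty test.
		if [ ! -f "${file}" ]; then
			echo "ERROR: ${file} not exist"
			exit 1
		fi
	done < "$1"
}
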
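#######################################
# Check that a .its requests the RSA key length the U-Boot build expects.
# Globals:   SIGN_CONFIG (read), RSA_ALGO (written: "rsa4096" or "rsa2048")
# Arguments: $1 - path of the .its file
# Outputs:   error text on stdout on mismatch
# Returns:   0 when the .its mentions the expected algo; exits 1 otherwise
#######################################
function check_rsa_algo()
{
	# The key length is fixed by the config the images were built with.
	if grep -q '^CONFIG_FIT_ENABLE_RSA4096_SUPPORT=y' "${SIGN_CONFIG}" ; then
		RSA_ALGO="rsa4096"
	else
		RSA_ALGO="rsa2048"
	fi

	# Substring match only: this confirms the string occurs somewhere in
	# the .its, not that every signature node's 'algo' property uses it.
	if ! grep -q -- "${RSA_ALGO}" "$1" ; then
		echo "ERROR: Wrong rsa 'algo' in its file. It should be ${RSA_ALGO}."
		exit 1
	fi
}
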
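#######################################
# Exit unless the three key files under --key-dir exist.
# Globals:   RSA_PRI_KEY, RSA_PUB_KEY, RSA_CRT_KEY (read)
# Arguments: $1 - key directory (informational; the globals above are
#                 already derived from it by process_args())
# Outputs:   error text on stdout naming the first missing file
# Returns:   0 when all three files exist; exits 1 otherwise
#######################################
function check_rsa_keys()
{
	local key

	# dev.key / dev.pubkey are handed to rk_sign_tool in sign_loader();
	# mkimage is pointed at the whole key directory via -k.
	for key in "${RSA_PRI_KEY}" "${RSA_PUB_KEY}" "${RSA_CRT_KEY}"; do
		if [ ! -f "${key}" ]; then
			echo "ERROR: No ${key} "
			exit 1
		fi
	done
}
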
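#######################################
# Point one MINIALL.ini entry at its unpacked counterpart.
# Globals:   INI_PATH (read; the file is edited in place), UNPACK_LOADER (read)
# Arguments: $1 - grep pattern selecting the ini line, e.g. "Path1=bin/[^ ]*_ddr_"
#            $2 - `find -name` glob for the unpacked file, e.g. '*ddr*bin'
# Outputs:   "<old path> <new path>" on stdout when an entry was rewritten
#######################################
function fixup_ini_entry()
{
	local entry new_path

	entry=$(grep "$1" "${INI_PATH}" | tr -d ' ')
	if [ -n "${entry}" ]; then
		entry=${entry/*=/}
		new_path=$(find "${UNPACK_LOADER}/" -name "$2" | head -n 1)
		echo "${entry} ${new_path}"
		# Both paths go into the sed expression unescaped, as before; a
		# '|' in either of them would break the substitution.
		sed -i "s|${entry}|${new_path}|g" "${INI_PATH}"
	fi
}

#######################################
# Repack the loader from the unpacked pieces and sign it with rk_sign_tool.
# Globals:   INI_PATH (rewritten to the private copy under UNPACK_LOADER),
#            UNPACK_LOADER, SIGN_OUTPUT, SIGN_CONFIG, RSA_PRI_KEY, RSA_PUB_KEY,
#            TOOL_BOOT_MERGER, TOOL_RK_SIGN (read)
# Outputs:   progress on stdout
# Returns:   0; exits on the first failing tool invocation (set -e)
#######################################
function sign_loader()
{
	local chip_pattern rkchip chip_name

	echo
	echo "==================== sign loader ===================="
	# Work on a private copy of the platform ini so the source tree is
	# left untouched; boot_merger then writes its output under SIGN_OUTPUT.
	cp "${INI_PATH}" "${UNPACK_LOADER}/"
	INI_PATH=$(find "${UNPACK_LOADER}/" -name 'MINIALL.ini')
	sed -i "s|PATH=|PATH=${SIGN_OUTPUT}\/|g" "${INI_PATH}"

	# Redirect each component entry to the unpacked binary. The five
	# blocks this replaces were identical apart from pattern and glob
	# (the FlashBoost one even reused the FlashBoot variable name).
	fixup_ini_entry "Path1=bin/[^ ]*_ddr_" '*ddr*bin'           # code471
	fixup_ini_entry "Path1=bin/[^ ]*_usbplug_" '*usbplug*bin'   # code472
	fixup_ini_entry "FlashData=bin/[^ ]*_ddr_" '*FlashData*bin'
	fixup_ini_entry "FlashBoot=bin/[^ ]*_spl_" '*FlashBoot*bin'
	fixup_ini_entry "FlashBoost=bin/[^ ]*_boost_" '*FlashBoost*bin'

	"${TOOL_BOOT_MERGER}" "${INI_PATH}"

	# chip name: CONFIG_CHIP_NAME wins, otherwise the suffix of the
	# CONFIG_ROCKCHIP_<chip> symbol. No such symbol makes grep fail and
	# the script exit (set -e). Pattern is quoted so the brackets are not
	# subject to filename globbing.
	chip_pattern='^CONFIG_ROCKCHIP_[R,P][X,V,K][0-9ESXB]{1,5}'
	rkchip=$(grep -E -o "${chip_pattern}" "${SIGN_CONFIG}")
	rkchip=${rkchip##*_}
	chip_name=$(filt_val "CONFIG_CHIP_NAME" "${SIGN_CONFIG}")
	if [ -z "${chip_name}" ]; then
		chip_name=${rkchip}
	fi

	# sign: characters 2..7 of the chip name are what rk_sign_tool expects
	# (kept from the original; e.g. "rk3588" -> "3588").
	"${TOOL_RK_SIGN}" cc --chip "${chip_name: 2: 6}"
	"${TOOL_RK_SIGN}" lk --key "${RSA_PRI_KEY}" --pubkey "${RSA_PUB_KEY}"
	# The globs below are expanded on purpose; `ls` only probes for a match.
	if ls "${SIGN_OUTPUT}"/*loader*.bin >/dev/null 2>&1 ; then
		"${TOOL_RK_SIGN}" sl --loader "${SIGN_OUTPUT}"/*loader*.bin
	elif ls "${SIGN_OUTPUT}"/MiniLoaderAll.bin >/dev/null 2>&1 ; then
		"${TOOL_RK_SIGN}" sl --loader "${SIGN_OUTPUT}/MiniLoaderAll.bin"
	fi
	if ls "${SIGN_OUTPUT}"/*download*.bin >/dev/null 2>&1 ; then
		"${TOOL_RK_SIGN}" sl --loader "${SIGN_OUTPUT}"/*download*.bin
	fi
	if ls "${SIGN_OUTPUT}"/*idblock*.img >/dev/null 2>&1 ; then
		"${TOOL_RK_SIGN}" sb --idb "${SIGN_OUTPUT}"/*idblock*.img
	fi
}
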
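#######################################
# Sign uboot.img (the U-Boot FIT) and put the public key into the SPL dtb
# that is embedded in the FlashBoot binary, then build the padded uboot.img.
# Globals:   ROLLBACK_PARAMS, VERSION_PARAMS, SIGN_CONFIG, UNPACK_LOADER,
#            SPL_DTB, UBOOT_DTB, ITS_UBOOT, ITB_UBOOT, IMG_UBOOT, OFFS_DATA,
#            ARG_KEY_DIR, ARG_BURN_KEY_HASH, SIGNATURE_KEY_NODE,
#            TOOL_MKIMAGE, TOOL_FIT_CHECK_SIGN (read)
# Outputs:   progress on stdout; IMG_UBOOT under SIGN_OUTPUT
# Returns:   0; exits 1 on any failed check or tool (set -e)
#######################################
function sign_uboot()
{
	local ARG_ROLLBACK_IDX_UBOOT ARG_VER_UBOOT ARG_SPL_ROLLBACK_PROTECT
	local FlashBoot TOTALSIZE OFFSET VERSION
	local ITB_MAX_NUM ITB_MAX_KB ITB_MAX_BS ITB_BS i

	# Both default to 0 when uboot.img was not named on the command line.
	ARG_ROLLBACK_IDX_UBOOT=${ROLLBACK_PARAMS["uboot"]:-0}
	ARG_VER_UBOOT=${VERSION_PARAMS["uboot"]:-0}

	echo
	echo "==================== sign uboot.img: version=${ARG_VER_UBOOT}, rollback-index=${ARG_ROLLBACK_IDX_UBOOT} ===================="
	if ! grep -q '^CONFIG_SPL_FIT_SIGNATURE=y' "${SIGN_CONFIG}" ; then
		echo "ERROR: CONFIG_SPL_FIT_SIGNATURE is disabled"
		exit 1
	fi
	# spl dtb: locate the FDT appended to the SPL binary and carve it out.
	FlashBoot=$(find "${UNPACK_LOADER}/" -name '*FlashBoot*bin' | head -n 1)
	TOTALSIZE=$(fdtdump -s "${FlashBoot}" | grep totalsize | awk '{ print $4 }' | tr -d "()")
	OFFSET=$(fdtdump -s "${FlashBoot}" | head -1 | awk -F ":" '{ print $2 }' | sed "s/ found fdt at offset //g" | tr -d " ")
	if [ -z "${OFFSET}" ]; then
		echo "ERROR: invalid ${FlashBoot} , unable to find fdt blob"
		# Previously only printed and fell through to dd with an empty offset.
		exit 1
	fi
	OFFSET=$(printf %d "${OFFSET}") # hex -> dec

	dd if="${FlashBoot}" of="${SPL_DTB}" bs=1 skip="${OFFSET}" count="${TOTALSIZE}" >/dev/null 2>&1

	# rollback-index: mandatory when SPL enforces rollback protection.
	if grep -q '^CONFIG_SPL_FIT_ROLLBACK_PROTECT=y' "${SIGN_CONFIG}" ; then
		ARG_SPL_ROLLBACK_PROTECT="y"
		if [ "${ARG_ROLLBACK_IDX_UBOOT}" -eq 0 ]; then
			echo "ERROR: No arg \"--rollback-index uboot.img <n>\""
			exit 1
		fi
	fi

	# Patch the requested index into the .its before signing.
	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
		VERSION=$(grep 'rollback-index' "${ITS_UBOOT}" | awk -F '=' '{ printf $2 }' | tr -d ' ')
		sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX_UBOOT}>;/g" "${ITS_UBOOT}"
	fi

	# Add the public key to the U-Boot dtb only if it has no /signature
	# node yet; the .itb written here is overwritten by the real signing
	# step below.
	if ! fdtget -l "${UBOOT_DTB}" /signature >/dev/null 2>&1 ; then
		"${TOOL_MKIMAGE}" -f "${ITS_UBOOT}" -k "${ARG_KEY_DIR}" -K "${UBOOT_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"
		echo "## Adding RSA public key into ${UBOOT_DTB}"
	fi

	# Start from a clean /signature node in the SPL dtb.
	if fdtget -l "${SPL_DTB}" /signature >/dev/null 2>&1 ; then
		fdtput -r "${SPL_DTB}" /signature
	fi

	# sign: produce the signed .itb and place the public key in SPL_DTB (-K).
	"${TOOL_MKIMAGE}" -f "${ITS_UBOOT}" -k "${ARG_KEY_DIR}" -K "${SPL_DTB}" -E -p "${OFFS_DATA}" -r "${ITB_UBOOT}" -v "${ARG_VER_UBOOT}"

	# burn-key-hash: only meaningful with the hardware crypto path.
	if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
		if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' "${SIGN_CONFIG}" ; then
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash 0x1
		else
			echo "ERROR: --burn-key-hash requires CONFIG_SPL_FIT_HW_CRYPTO=y"
			exit 1
		fi
	fi

	# rollback-index read back check
	if [ "${ARG_SPL_ROLLBACK_PROTECT}" == "y" ]; then
		VERSION=$(fdtget -ti "${ITB_UBOOT}" /configurations/conf rollback-index)
		if [ "${VERSION}" != "${ARG_ROLLBACK_IDX_UBOOT}" ]; then
			echo "ERROR: Failed to set rollback-index for ${ITB_UBOOT}"
			exit 1
		fi
	else
		# Warn only when an index was actually requested (the default is
		# 0), as sign_fit() does; the old `! -z` test was always true and
		# printed the warning on every run.
		if [ "${ARG_ROLLBACK_IDX_UBOOT}" -gt 0 ]; then
			echo "WARNING: ignore \"--rollback-index uboot.img ${ARG_ROLLBACK_IDX_UBOOT}\" due to CONFIG_SPL_FIT_ROLLBACK_PROTECT=n"
			echo
		fi
	fi

	# burn-key-hash read back check
	if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
		if [ "$(fdtget -ti "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" burn-key-hash)" != "1" ]; then
			echo "ERROR: Failed to set burn-key-hash for ${SPL_DTB}"
			exit 1
		fi
	fi

	# host check signature (before the key node is minimized below)
	"${TOOL_FIT_CHECK_SIGN}" -f "${ITB_UBOOT}" -k "${SPL_DTB}" -s

	# minimize u-boot-spl.dtb: clear as 0 but not remove property.
	if grep -q '^CONFIG_SPL_FIT_HW_CRYPTO=y' "${SIGN_CONFIG}" ; then
		fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,r-squared 0x0
		if grep -q '^CONFIG_SPL_ROCKCHIP_CRYPTO_V1=y' "${SIGN_CONFIG}" ; then
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
		else
			fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
			fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
		fi
	else
		fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,c 0x0
		fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,np 0x0
		fdtput -tx "${SPL_DTB}" "${SIGNATURE_KEY_NODE}" rsa,exponent-BN 0x0
		fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@c"
		fdtput -r "${SPL_DTB}" "${SIGNATURE_KEY_NODE}/hash@np"
	fi

	# repack spl: write the dtb back at the offset it was found.
	# NOTE(review): without conv=notrunc dd truncates FlashBoot right after
	# the dtb, which is only correct if nothing follows the dtb in the SPL
	# image — confirm against the loader layout.
	dd if="${SPL_DTB}" of="${FlashBoot}" bs="${OFFSET}" seek=1 >/dev/null 2>&1

	if [ "${ARG_BURN_KEY_HASH}" == "y" ]; then
		echo "## ${SPL_DTB}: burn-key-hash=1"
	fi

	# uboot.img is ITB_MAX_NUM copies of the .itb, each padded to a
	# multiple of ITB_MAX_KB KiB; both limits come from the config.
	ITB_MAX_NUM=$(sed -n "/CONFIG_SPL_FIT_IMAGE_MULTIPLE/p" "${SIGN_CONFIG}" | awk -F "=" '{ print $2 }')
	ITB_MAX_KB=$(sed -n "/CONFIG_SPL_FIT_IMAGE_KB/p" "${SIGN_CONFIG}" | awk -F "=" '{ print $2 }')
	if [ -z "${ITB_MAX_NUM}" ] || [ -z "${ITB_MAX_KB}" ]; then
		echo "ERROR: CONFIG_SPL_FIT_IMAGE_MULTIPLE / CONFIG_SPL_FIT_IMAGE_KB not found in ${SIGN_CONFIG}"
		exit 1
	fi
	ITB_MAX_BS=$((ITB_MAX_KB*1024))
	ITB_BS=$(wc -c < "${ITB_UBOOT}" | tr -d ' ')

	if [ "${ITB_BS}" -gt "${ITB_MAX_BS}" ]; then
		echo "ERROR: pack uboot.img failed! ${ITB_UBOOT} actual: ${ITB_BS} bytes, max limit: ${ITB_MAX_BS} bytes"
		exit 1
	fi

	for ((i = 0; i < ITB_MAX_NUM; i++)); do
		cat "${ITB_UBOOT}" >> "${IMG_UBOOT}"
		truncate -s "%${ITB_MAX_KB}K" "${IMG_UBOOT}"
	done
}
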
#######################################
# Sign one FIT image (<name>.img from ARG_SRC_DIR) against the U-Boot dtb
# and place the result in SIGN_OUTPUT.
# Globals:   SIGN_DIR, SIGN_OUTPUT, VERSION_PARAMS, ROLLBACK_PARAMS,
#            UBOOT_DTB, UBOOT_DTB_ORIG, ARG_SRC_DIR, SIGN_CONFIG, ARG_KEY_DIR,
#            OFFS_DATA, SIGNATURE_KEY_NODE, *_ADDR_PLACEHOLDER,
#            TOOL_FIT_UNPACK, TOOL_MKIMAGE, TOOL_FIT_CHECK_SIGN (read);
#            ARG_ROLLBACK_PROTECT, PREV_ARG_ROLLBACK_IDX, RSA_ALGO (written,
#            persist across calls)
# Arguments: $1 - image name without the ".img" suffix (e.g. "boot")
# Outputs:   progress on stdout; the signed image at SIGN_OUTPUT/<name>.img
# Returns:   0; exits 1 on any failed check or tool (set -e)
#######################################
function sign_fit()
{
	SRC_FILE="$1.img"
	UNPACK_DIR="${SIGN_DIR}/unpack_$1"
	ITS_FILE="${UNPACK_DIR}/image.its"
	ITB_FILE="${UNPACK_DIR}/image.itb"
	IMG_FILE="${SIGN_OUTPUT}/${SRC_FILE}"
	# Both default to 0 when this image was not named on the command line.
	ARG_VERSION=${VERSION_PARAMS["$1"]:-0}
	ARG_ROLLBACK_IDX=${ROLLBACK_PARAMS["$1"]:-0}

	echo
	echo "==================== sign ${SRC_FILE}: version=${ARG_VERSION}, rollback-index=${ARG_ROLLBACK_IDX} ===================="
	# Start every image from the pristine dtb saved by unpack_loader_uboot(),
	# so mkimage inserts the public key into a dtb without leftovers from
	# the previous image.
	cp ${UBOOT_DTB_ORIG} ${UBOOT_DTB}
	rm -rf ${UNPACK_DIR}
	${TOOL_FIT_UNPACK} -f ${ARG_SRC_DIR}/${SRC_FILE} -o ${UNPACK_DIR}
	check_rsa_algo ${ITS_FILE}

	if ! grep -q '^CONFIG_FIT_SIGNATURE=y' ${SIGN_CONFIG} ; then
		echo "ERROR: CONFIG_FIT_SIGNATURE is disabled"
		exit 1
	fi

	# ARG_ROLLBACK_IDX default value is 0.
	# ARG_ROLLBACK_PROTECT is a global that is set here and never cleared,
	# so it stays "y" for every later image; the config is the same for
	# all of them, so that is consistent.
	if grep -q '^CONFIG_FIT_ROLLBACK_PROTECT=y' ${SIGN_CONFIG} ; then
		ARG_ROLLBACK_PROTECT="y"
		# Without the OP-TEE client a non-zero index is refused; with it
		# an index is mandatory.
		if ! grep -q '^CONFIG_OPTEE_CLIENT=y' ${SIGN_CONFIG} ; then
			if [ ${ARG_ROLLBACK_IDX} -gt 0 ]; then
				echo "ERROR: Don't support \"--rollback-index ${SRC_FILE} <n>\" due to CONFIG_FIT_ROLLBACK_PROTECT=y but CONFIG_OPTEE_CLIENT=n"
				exit 1
			fi
		else
			if [ ${ARG_ROLLBACK_IDX} -eq 0 ]; then
				echo "ERROR: No arg \"--rollback-index ${SRC_FILE} <n>\""
				exit 1
			fi
		fi
	else
		if [ ${ARG_ROLLBACK_IDX} -gt 0 ]; then
			echo "WARNING: ignore \"--rollback-index ${SRC_FILE} ${ARG_ROLLBACK_IDX}\" due to CONFIG_FIT_ROLLBACK_PROTECT=n"
			echo
		fi
	fi

	# Limit as same: every FIT signed in this run must carry the same
	# rollback index as the first one (PREV_ARG_ROLLBACK_IDX is global).
	if [ -z "${PREV_ARG_ROLLBACK_IDX}" ]; then
		PREV_ARG_ROLLBACK_IDX=${ARG_ROLLBACK_IDX}
	else
		if [ "${PREV_ARG_ROLLBACK_IDX}" != "${ARG_ROLLBACK_IDX}" ]; then
			echo "ERROR: ${SRC_FILE} rollback version should be the same as previous: ${PREV_ARG_ROLLBACK_IDX}"
			exit 1
		fi
	fi

	# fixup for non-thunderboot: replace the placeholder load addresses in
	# the .its with the board's fdt_addr_r / kernel_addr_r / ramdisk_addr_r
	# taken from the config (substituted unescaped into sed).
	FDT_ADDR_R=`filt_val "fdt_addr_r" ${SIGN_CONFIG}`
	KERNEL_ADDR_R=`filt_val "kernel_addr_r" ${SIGN_CONFIG}`
	RAMDISK_ADDR_R=`filt_val "ramdisk_addr_r" ${SIGN_CONFIG}`
	sed -i "s/${FDT_ADDR_PLACEHOLDER}/${FDT_ADDR_R}/g"         ${ITS_FILE}
	sed -i "s/${KERNEL_ADDR_PLACEHOLDER}/${KERNEL_ADDR_R}/g"   ${ITS_FILE}
	sed -i "s/${RAMDISK_ADDR_PLACEHOLDER}/${RAMDISK_ADDR_R}/g" ${ITS_FILE}

	# Patch the requested rollback index into the .its before signing.
	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		VERSION=`grep 'rollback-index' ${ITS_FILE} | awk -F '=' '{ printf $2 }' | tr -d ' '`
		sed -i "s/rollback-index = ${VERSION}/rollback-index = <${ARG_ROLLBACK_IDX}>;/g" ${ITS_FILE}
	fi

	# sign: produce the signed .itb and place the public key in UBOOT_DTB (-K).
	${TOOL_MKIMAGE} -f ${ITS_FILE} -k ${ARG_KEY_DIR} -K ${UBOOT_DTB} -E -p ${OFFS_DATA} -r ${ITB_FILE} -v ${ARG_VERSION}

	# rollback-index read back check
	# NOTE(review): assumes the FIT's configuration node is
	# /configurations/conf — confirm for images with a different layout.
	if [ "${ARG_ROLLBACK_PROTECT}" == "y" ]; then
		VERSION=`fdtget -ti ${ITB_FILE} /configurations/conf rollback-index`
		if [ "${VERSION}" != "${ARG_ROLLBACK_IDX}" ]; then
			echo "ERROR: Failed to set rollback-index for ${ITB_FILE}";
			exit 1
		fi
	fi

	# host check signature (before the key node is minimized below)
	${TOOL_FIT_CHECK_SIGN} -f ${ITB_FILE} -k ${UBOOT_DTB}

	# minimize u-boot.dtb: clear as 0 but not remove property.
	if grep -q '^CONFIG_FIT_HW_CRYPTO=y' ${SIGN_CONFIG} ; then
		fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,r-squared 0x0
		if grep -q '^CONFIG_ROCKCHIP_CRYPTO_V1=y' ${SIGN_CONFIG} ; then
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
		else
			fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
		fi
	else
		fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,c 0x0
		fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,np 0x0
		fdtput -tx ${UBOOT_DTB} ${SIGNATURE_KEY_NODE} rsa,exponent-BN 0x0
	fi
	# Unlike the SPL case, both hash sub-nodes are dropped unconditionally.
	fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@c
	fdtput -r ${UBOOT_DTB} ${SIGNATURE_KEY_NODE}/hash@np

	cp ${ITB_FILE} ${IMG_FILE}
}

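#######################################
# Unpack the loader and uboot.img and verify that the SPL and U-Boot
# binaries match the SHA256 values recorded at build time in
# sign.readonly_config, so only the build the config describes gets signed.
# Globals:   INI_PATH, LOADER_NAME, SIGN_CONFIG, UNPACK_LOADER, UNPACK_UBOOT,
#            ARG_SRC_DIR, ITS_UBOOT, UBOOT_DTB, UBOOT_DTB_ORIG,
#            TOOL_BOOT_MERGER, TOOL_FIT_UNPACK (read)
# Outputs:   progress on stdout; the unpacked trees and UBOOT_DTB_ORIG
# Returns:   0; exits 1 on a checksum mismatch or failed tool (set -e)
#######################################
function unpack_loader_uboot()
{
	local FlashBoot SIZE CSUM1 CSUM2 BUILD

	echo
	echo "==================== unpack files ===================="
	# Build info line of the config, shown with any checksum mismatch. It
	# used to be read only after the first report, so that one printed it
	# empty. Informational only, hence best-effort.
	BUILD=$(grep 'BUILD:' "${SIGN_CONFIG}") || true

	# unpack loader
	rm -rf -- "${UNPACK_LOADER:?}/" && mkdir -p "${UNPACK_LOADER}/"
	"${TOOL_BOOT_MERGER}" unpack -i "${LOADER_NAME}" -o "${UNPACK_LOADER}/"

	# csum spl: the first spl_size bytes of FlashBoot (SPL without its dtb)
	# must hash to spl_sha256sum from the config.
	FlashBoot=$(find "${UNPACK_LOADER}/" -name '*FlashBoot*bin' | head -n 1)
	SIZE=$(grep 'spl_size=' "${SIGN_CONFIG}" | awk -F "=" '{print $2}')
	dd if="${FlashBoot}" of="${UNPACK_LOADER}/u-boot-spl-nodtb.bin" bs=1 skip=0 count="${SIZE}" >/dev/null 2>&1
	CSUM1=$(grep 'spl_sha256sum=' "${SIGN_CONFIG}" | awk -F "=" '{print $2}')
	CSUM2=$(sha256sum "${UNPACK_LOADER}/u-boot-spl-nodtb.bin" | awk '{ print $1 }')
	if [ "${CSUM1}" != "${CSUM2}" ]; then
		# CSUM2 is the computed value, CSUM1 the expected one from the
		# config; the labels were the other way round before.
		echo "ERROR: SHA256 checksum is not match:"
		echo "    ${CSUM2}: ${LOADER_NAME}/"
		echo "    ${CSUM1}: ${SIGN_CONFIG} history"
		echo
		echo "Build info of ${SIGN_CONFIG}:"
		echo "    ${BUILD}"
		echo
		exit 1
	fi

	# unpack uboot.img
	rm -rf -- "${UNPACK_UBOOT:?}/"
	"${TOOL_FIT_UNPACK}" -f "${ARG_SRC_DIR}/uboot.img" -o "${UNPACK_UBOOT}"

	# csum uboot: the unpacked U-Boot blob must hash to uboot_sha256sum.
	CSUM1=$(grep 'uboot_sha256sum=' "${SIGN_CONFIG}" | awk -F "=" '{print $2}')
	CSUM2=$(sha256sum "${UNPACK_UBOOT}/uboot" | awk '{ print $1 }')
	if [ "${CSUM1}" != "${CSUM2}" ]; then
		echo "ERROR: SHA256 checksum is not match:"
		echo "    ${CSUM2}: uboot in ${ARG_SRC_DIR}/uboot.img"
		echo "    ${CSUM1}: in ${SIGN_CONFIG}"
		echo
		echo "Build info of ${SIGN_CONFIG}:"
		echo "    ${BUILD}"
		echo
		exit 1
	fi

	check_rsa_algo "${ITS_UBOOT}"
	# Drop any stale /signature node and keep a pristine copy of the dtb;
	# sign_fit() restores that copy before each image.
	if fdtget -l "${UBOOT_DTB}" /signature >/dev/null 2>&1 ; then
		fdtput -r "${UBOOT_DTB}" /signature
	fi
	cp "${UBOOT_DTB}" "${UBOOT_DTB_ORIG}"
}
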
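#######################################
# Validate the source tree and locate the platform ini and loader, then
# create a fresh scratch directory.
# Globals:   SIGN_CFG_DIR, SIGN_CONFIG, ARG_SRC_DIR, SIGN_DIR, SIGN_OUTPUT
#            (read); INI_PATH, LOADER_NAME (written)
# Outputs:   error text on stdout for the first missing input
# Returns:   0; exits 1 when an input is missing
#######################################
function prepare()
{
	if [ ! -d "${SIGN_CFG_DIR}" ]; then
		echo "ERROR: No ${SIGN_CFG_DIR} directory"
		exit 1
	fi
	if [ ! -f "${SIGN_CONFIG}" ]; then
		echo "ERROR: No ${SIGN_CONFIG} file"
		exit 1
	fi
	if [ ! -f "${ARG_SRC_DIR}/uboot.img" ]; then
		echo "ERROR: No ${ARG_SRC_DIR}/uboot.img file"
		exit 1
	fi
	INI_PATH=$(find "${SIGN_CFG_DIR}" -name 'MINIALL.ini' | head -n 1)
	if [ -z "${INI_PATH}" ]; then
		echo "ERROR: No platform MINIALL.ini file"
		exit 1
	fi
	# Loader lookup order: *loader*bin, then *download*.bin, then
	# MiniLoaderAll.bin (names are matched case-sensitively).
	LOADER_NAME=$(find "${ARG_SRC_DIR}" -name '*loader*bin' | head -n 1)
	if [ -z "${LOADER_NAME}" ]; then
		LOADER_NAME=$(find "${ARG_SRC_DIR}" -name '*download*.bin' | head -n 1)
	fi
	if [ -z "${LOADER_NAME}" ]; then
		LOADER_NAME=$(find "${ARG_SRC_DIR}" -name 'MiniLoaderAll.bin' | head -n 1)
	fi
	if [ -z "${LOADER_NAME}" ]; then
		echo "ERROR: No platform loader or download found"
		exit 1
	fi

	# Fresh scratch area; `:?` refuses to run with an empty SIGN_DIR.
	rm -rf -- "${SIGN_DIR:?}" && mkdir -p "${SIGN_OUTPUT}"
}
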
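#######################################
# Report the rollback index of every signed FIT, move the results to the
# output directory and clean up the scratch tree.
# Globals:   SIGN_OUTPUT, SIGN_DIR, ARG_OUTPUT_DIR (read)
# Outputs:   summary on stdout; the signed images in ARG_OUTPUT_DIR
# Returns:   0; exits on a failed command (set -e)
#######################################
function finish()
{
	local FILE VERSION NAME

	echo
	echo "Rollback-Index:"
	for FILE in "${SIGN_OUTPUT}"/*.img; do
		# With no .img produced the glob stays literal; skip it.
		[ -e "${FILE}" ] || continue
		if file "$(realpath "${FILE}")" | grep -q 'Device Tree Blob' ; then
			VERSION=$(fdtget -ti "${FILE}" /configurations/conf rollback-index)
			NAME=$(basename "${FILE}")
			echo "    - ${NAME}=${VERSION}"
		fi
	done
	echo
	echo "OK. Signed images are ready in ${ARG_OUTPUT_DIR}:"
	ls "${SIGN_OUTPUT}"
	mv "${SIGN_OUTPUT}"/* "${ARG_OUTPUT_DIR}/"
	# Remove the scratch tree and any data2sign* files left in the working
	# directory (presumably by the signing tools); `:?` guards the rm.
	rm -rf -- "${SIGN_DIR:?}/" data2sign*
	echo
}
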
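#######################################
# Run the whole signing flow: prepare, unpack and verify, sign every FIT
# image, then uboot.img, then the loader, and collect the results.
# Globals:   ARG_SRC_DIR (read)
# Returns:   0; exits on the first failure (set -e)
#######################################
function main()
{
	local FILE

	prepare
	unpack_loader_uboot

	# Sign every FIT image except uboot.img, which needs the SPL-side
	# handling in sign_uboot().
	for FILE in "${ARG_SRC_DIR}"/*.img; do
		# Substring test on the path, as the former `grep "uboot.img"`
		# was (the dot is now literal).
		if [[ "${FILE}" == *uboot.img* ]]; then
			continue
		fi
		if file "$(realpath "${FILE}")" | grep -q 'Device Tree Blob' ; then
			FILE=$(basename "${FILE}" .img)
			sign_fit "${FILE}"
		fi
	done

	sign_uboot
	sign_loader
	finish
}
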
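# "$@" keeps each argument intact; the former unquoted $* re-split any
# argument containing whitespace before process_args() saw it.
process_args "$@"
main
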