
mkimage: Add -k option to specify key directory

Keys required for signing images will be in a specific directory. Add a
-k option to specify that directory.

Also update the mkimage man page with this information and a clearer list
of available commands.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de> (v1)
Simon Glass 12 年之前
当前提交
80e4df8ac6
共有 4 个文件被更改,包括 38 次插入5 次删除
  1. 22 3
      doc/mkimage.1
  2. 1 1
      tools/fit_image.c
  3. 14 1
      tools/mkimage.c
  4. 1 0
      tools/mkimage.h

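--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -4,7 +4,14 @@
 mkimage \- Generate image for U-Boot
 .SH SYNOPSIS
 .B mkimage
-.RB [\fIoptions\fP]
+.RB "\-l [" "uimage file name" "]"
+
+.B mkimage
+.RB [\fIoptions\fP] " \-f [" "image tree source file" "]" " [" "uimage file name" "]"
+
+.B mkimage
+.RB [\fIoptions\fP] " (legacy mode)"
+
 .SH "DESCRIPTION"
 The
 .B mkimage
@@ -26,7 +33,8 @@ etc.
 The new
 .I FIT (Flattened Image Tree) format
 allows for more flexibility in handling images of various types and also
-enhances integrity protection of images with stronger checksums.
+enhances integrity protection of images with stronger checksums. It also
+supports verified boot.
 
 .SH "OPTIONS"
 
@@ -66,6 +74,10 @@ Set load address with a hex number.
 .BI "\-e [" "entry point" "]"
 Set entry point with a hex number.
 
+.TP
+.BI "\-l"
+List the contents of an image.
+
 .TP
 .BI "\-n [" "image name" "]"
 Set image name to 'image name'.
@@ -91,6 +103,12 @@ create the image.
 Image tree source file that describes the structure and contents of the
 FIT image.
 
+.TP
+.BI "\-k [" "key_directory" "]"
+Specifies the directory containing keys to use for signing. This directory
+should contain a private key file <name>.key for use with signing and a
+certificate <name>.crt (containing the public key) for use with verification.
+
 .SH EXAMPLES
 
 List image information:
@@ -115,4 +133,5 @@ http://www.denx.de/wiki/U-Boot/WebHome
 .PP
 .SH AUTHOR
 This manual page was written by Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
-and Wolfgang Denk <wd@denx.de>
+and Wolfgang Denk <wd@denx.de>. It was updated for image signing by
+Simon Glass <sjg@chromium.org>.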

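--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -137,7 +137,7 @@ static int fit_handle_file (struct mkimage_params *params)
 		goto err_mmap;
 
 	/* set hashes for images in the blob */
-	if (fit_add_verification_data(NULL, NULL, ptr, NULL, 0)) {
+	if (fit_add_verification_data(params->keydir, NULL, ptr, NULL, 0)) {
 		fprintf (stderr, "%s Can't add hashes to FIT blob",
 				params->cmdname);
 		goto err_add_hashes;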
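Review bot: The error text after the changed call still reads "Can't add hashes to FIT blob" and has no trailing newline, although with `params->keydir` passed in a failure here can now presumably be a signing failure too (missing or unreadable key) rather than a hashing one. Someone building a verified-boot image should be able to tell those apart, so I would at least change the message to `"%s Can't add hashes or signatures to FIT blob\n"` and update the comment above the call to `/* set hashes (and signatures, if a key directory was given) for images in the blob */`. `params->keydir` stays NULL when `-k` is not passed; how the callee treats NULL when the image tree requests a signature is not visible in this diff and deserves a comment at the call site. `fit_handle_file` begins and ends outside this hunk.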

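--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -248,6 +248,11 @@ main (int argc, char **argv)
 				params.datafile = *++argv;
 				params.fflag = 1;
 				goto NXTARG;
+			case 'k':
+				if (--argc <= 0)
+					usage();
+				params.keydir = *++argv;
+				goto NXTARG;
 			case 'n':
 				if (--argc <= 0)
 					usage ();
@@ -623,8 +628,16 @@ usage ()
 			 "          -d ==> use image data from 'datafile'\n"
 			 "          -x ==> set XIP (execute in place)\n",
 		params.cmdname);
-	fprintf (stderr, "       %s [-D dtc_options] -f fit-image.its fit-image\n",
+	fprintf(stderr, "       %s [-D dtc_options] -f fit-image.its fit-image\n",
 		params.cmdname);
+	fprintf(stderr, "          -D => set options for device tree compiler\n"
+			"          -f => input filename for FIT source\n");
+#ifdef CONFIG_FIT_SIGNATURE
+	fprintf(stderr, "Signing / verified boot options: [-k keydir]\n"
+			"          -k => set directory containing private keys\n");
+#else
+	fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
+#endif
 	fprintf (stderr, "       %s -V ==> print version information and exit\n",
 		params.cmdname);
 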
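Review bot: The new `case 'k'` in `main` is compiled unconditionally, while the usage text added in the second hunk states that signing is not supported when CONFIG_FIT_SIGNATURE is undefined. In such a build `-k dir` would be parsed without complaint and, as far as this diff shows, nothing warns the user that the resulting image carries no signature; for a verified-boot workflow that should fail loudly rather than succeed quietly. I would wrap the case in `#ifdef CONFIG_FIT_SIGNATURE` … `#endif` so it is treated like any other unsupported option, or print an explicit "signing not supported in this build" error before exiting. The same case also accepts `-k` without `-f`, where the key directory appears to go unused. Both `main` and `usage` extend beyond the hunks shown.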

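--- a/tools/mkimage.h
+++ b/tools/mkimage.h
@@ -87,6 +87,7 @@ struct mkimage_params {
 	char *datafile;
 	char *imagefile;
 	char *cmdname;
+	const char *keydir;	/* Directory holding private keys */
 };
 
 /*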