mkimage: Add -k option to specify key directory

Keys required for signing images will be in a specific directory. Add a
-k option to specify that directory.

Also update the mkimage man page with this information and a clearer list
of available commands.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de> (v1)

diff --git a/doc/mkimage.1 b/doc/mkimage.1
index 39652c82d0cf576ce889fdfc0f474d3060b53867..6740fb1061b1cf592312706a0de4ac1fa95b730b 100644 (file)
--- a/doc/mkimage.1
+++ b/doc/mkimage.1
@@ -4,7 +4,14 @@
 mkimage \- Generate image for U-Boot
 .SH SYNOPSIS
 .B mkimage
-.RB [\fIoptions\fP]
+.RB "\-l [" "uimage file name" "]"
+
+.B mkimage
+.RB [\fIoptions\fP] " \-f [" "image tree source file" "]" " [" "uimage file name" "]"
+
+.B mkimage
+.RB [\fIoptions\fP] " (legacy mode)"
+
 .SH "DESCRIPTION"
 The
 .B mkimage
@@ -26,7 +33,8 @@ etc.
 The new
 .I FIT (Flattened Image Tree) format
 allows for more flexibility in handling images of various types and also
-enhances integrity protection of images with stronger checksums.
+enhances integrity protection of images with stronger checksums. It also
+supports verified boot.
 
 .SH "OPTIONS"
 
@@ -66,6 +74,10 @@ Set load address with a hex number.
 .BI "\-e [" "entry point" "]"
 Set entry point with a hex number.
 
+.TP
+.BI "\-l"
+List the contents of an image.
+
 .TP
 .BI "\-n [" "image name" "]"
 Set image name to 'image name'.
@@ -91,6 +103,12 @@ create the image.
 Image tree source file that describes the structure and contents of the
 FIT image.
 
+.TP
+.BI "\-k [" "key_directory" "]"
+Specifies the directory containing keys to use for signing. This directory
+should contain a private key file <name>.key for use with signing and a
+certificate <name>.crt (containing the public key) for use with verification.
+
 .SH EXAMPLES
 
 List image information:
@@ -115,4 +133,5 @@ http://www.denx.de/wiki/U-Boot/WebHome
 .PP
 .SH AUTHOR
 This manual page was written by Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
-and Wolfgang Denk <wd@denx.de>
+and Wolfgang Denk <wd@denx.de>. It was updated for image signing by
+Simon Glass <sjg@chromium.org>.

diff --git a/tools/fit_image.c b/tools/fit_image.c
index ef6ef44dc9de9558f0d1348eca5ee29e22d2e057..339e0f8dfb728096b88b9750830a046727235b99 100644 (file)
--- a/tools/fit_image.c
+++ b/tools/fit_image.c
@@ -137,7 +137,7 @@ static int fit_handle_file (struct mkimage_params *params)
                goto err_mmap;
 
        /* set hashes for images in the blob */
-       if (fit_add_verification_data(NULL, NULL, ptr, NULL, 0)) {
+       if (fit_add_verification_data(params->keydir, NULL, ptr, NULL, 0)) {
                fprintf (stderr, "%s Can't add hashes to FIT blob",
                                params->cmdname);
                goto err_add_hashes;

diff --git a/tools/mkimage.c b/tools/mkimage.c
index e43b09f76612e58b26e07244929d2bc7c535b5fe..def7df250cc72f9dc6719c5fb74a4134ef601528 100644 (file)
--- a/tools/mkimage.c
+++ b/tools/mkimage.c
@@ -248,6 +248,11 @@ main (int argc, char **argv)
                                params.datafile = *++argv;
                                params.fflag = 1;
                                goto NXTARG;
+                       case 'k':
+                               if (--argc <= 0)
+                                       usage();
+                               params.keydir = *++argv;
+                               goto NXTARG;
                        case 'n':
                                if (--argc <= 0)
                                        usage ();
@@ -623,8 +628,16 @@ usage ()
                         "          -d ==> use image data from 'datafile'\n"
                         "          -x ==> set XIP (execute in place)\n",
                params.cmdname);
-       fprintf (stderr, "       %s [-D dtc_options] -f fit-image.its fit-image\n",
+       fprintf(stderr, "       %s [-D dtc_options] -f fit-image.its fit-image\n",
                params.cmdname);
+       fprintf(stderr, "          -D => set options for device tree compiler\n"
+                       "          -f => input filename for FIT source\n");
+#ifdef CONFIG_FIT_SIGNATURE
+       fprintf(stderr, "Signing / verified boot options: [-k keydir]\n"
+                       "          -k => set directory containing private keys\n");
+#else
+       fprintf(stderr, "Signing / verified boot not supported (CONFIG_FIT_SIGNATURE undefined)\n");
+#endif
        fprintf (stderr, "       %s -V ==> print version information and exit\n",
                params.cmdname);
 

diff --git a/tools/mkimage.h b/tools/mkimage.h
index 03c6c8f5237d741cbc17793ace87fee2a855c946..059e12439f1c0cc99b2a86c633bc6f55a04941c5 100644 (file)
--- a/tools/mkimage.h
+++ b/tools/mkimage.h
@@ -87,6 +87,7 @@ struct mkimage_params {
        char *datafile;
        char *imagefile;
        char *cmdname;
+       const char *keydir;     /* Directory holding private keys */
 };
 
 /*