Git Browser for ODROID
Code Review Sign In
git.odroid.com / yocto / rtos_sdk / scripts / 5459fc62cb98e0e7c5f7c116ce68def5c64c6a2b / . / sign_tool / imgtool.py
blob: af79e9fa254276ae5e083fe522e0fb1b48f86d81 [file] [log] [blame]
yang.li5459fc62022-10-24 17:31:15 +0800[diff] [blame^]1#! /usr/bin/env python3
2# -*- coding: utf-8 -*-
3#
4# Copyright 2017 Linaro Limited
5# Copyright (c) 2018-2019, Arm Limited.
6#
7# Licensed under the Apache License, Version 2.0 (the "License");
8# you may not use this file except in compliance with the License.
9# You may obtain a copy of the License at
10#
11# http://www.apache.org/licenses/LICENSE-2.0
12#
13# Unless required by applicable law or agreed to in writing, software
14# distributed under the License is distributed on an "AS IS" BASIS,
15# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16# See the License for the specific language governing permissions and
17# limitations under the License.
18
19from __future__ import print_function
20import os
21import re
22import argparse
23from imgtool_lib import keys
24from imgtool_lib import image
25from imgtool_lib import version
26import sys
27
28
29def find_load_address(args):
30 load_address_re = re.compile(r"^#define\sIMAGE_LOAD_ADDRESS\s+(0x[0-9a-fA-F]+)")
31 if args.layout is not None:
32 if os.path.isabs(args.layout):
33 configFile = args.layout
34 else:
35 scriptsDir = os.path.dirname(os.path.abspath(__file__))
36 configFile = os.path.join(scriptsDir, args.layout)
37
38 ramLoadAddress = None
39 with open(configFile, 'r') as flash_layout_file:
40 for line in flash_layout_file:
41 m = load_address_re.match(line)
42 if m is not None:
43 ramLoadAddress = int(m.group(1), 0)
44 print("**[INFO]** Writing load address from the macro in "
45 "flash_layout.h to the image header.. "
46 + hex(ramLoadAddress)
47 + " (dec. " + str(ramLoadAddress) + ")")
48 break
49 return ramLoadAddress
50 else:
51 return None
52
53
54# Returns the last version number if present, or None if not
55def get_last_version(path):
56 if (os.path.isfile(path) == False): # Version file not present
57 return None
58 else: # Version file is present, check it has a valid number inside it
59 with open(path, "r") as oldFile:
60 fileContents = oldFile.read()
61 if version.version_re.match(fileContents): # number is valid
62 return version.decode_version(fileContents)
63 else:
64 return None
65
66
67def next_version_number(args, defaultVersion, path):
68 newVersion = None
69 if (version.compare(args.version, defaultVersion) == 0): # Default version
70 lastVersion = get_last_version(path)
71 if (lastVersion is not None):
72 newVersion = version.increment_build_num(lastVersion)
73 else:
74 newVersion = version.increment_build_num(defaultVersion)
75 else: # Version number has been explicitly provided (not using the default)
76 newVersion = args.version
77 versionString = "{a}.{b}.{c}+{d}".format(
78 a=str(newVersion.major),
79 b=str(newVersion.minor),
80 c=str(newVersion.revision),
81 d=str(newVersion.build)
82 )
83 with open(path, "w") as newFile:
84 newFile.write(versionString)
85 print("**[INFO]** Image version number set to " + versionString)
86 return newVersion
87
88
89def gen_rsa2048(args):#PRIVATE
90 keys.RSAutil.generate().export_private(os.path.join(args.key,"rsa2048-private.pem"))
91 keys.RSAutil.generate().export_public(os.path.join(args.key,"rsa2048-public.pem"))
92
93def gen_rsa3072(args):
94 keys.RSAutil.generate(key_size=3072).export_private(os.path.join(args.key,"rsa3072-private.pem"))
95 keys.RSAutil.generate(key_size=3072).export_public(os.path.join(args.key, "rsa3072-public.pem"))
96
97def gen_rsa4096(args):
98 keys.RSAutil.generate(key_size=4096).export_private(os.path.join(args.key,"rsa4096-private.pem"))
99 keys.RSAutil.generate(key_size=4096).export_public(os.path.join(args.key, "rsa4096-public.pem"))
100
101keygens = {
102 'rsa-2048': gen_rsa2048,
103 'rsa-3072': gen_rsa3072,
104 'rsa-4096': gen_rsa4096, }
105
106
107def do_keygen(args):
108 if args.type not in keygens:
109 msg = "Unexpected key type: {}".format(args.type)
110 raise argparse.ArgumentTypeError(msg)
111 keygens[args.type](args)
112
113
114def do_getpub(args):
115 key = keys.load(args.key)
116 if args.lang == 'c':
117 key.emit_c()
118 else:
119 msg = "Unsupported language, valid are: c"
120 raise argparse.ArgumentTypeError(msg)
121
122
123def do_sign(args):
124 if args.rsa_pkcs1_15:
125 keys.sign_rsa_pss = False
126
127 version_num = next_version_number(args,
128 version.decode_version("0"),
129 "lastVerNum.txt")
130
131 if args.security_counter is None:
132 # Security counter has not been explicitly provided,
133 # generate it from the version number
134 args.security_counter = ((version_num.major << 24)
135 + (version_num.minor << 16)
136 + version_num.revision)
137
138 img = image.Image.load(args.infile,
139 version=version_num,
140 header_size=args.header_size,
141 security_cnt=args.security_counter,
142 included_header=args.included_header,
143 pad=args.pad)
144 key = keys.load_rsa(args.key) if args.key else None
145
146 img.sign(key, find_load_address(args)) # find_load_address(args))
147
148 if args.pad:
149 img.pad_to(args.pad, args.align)
150
151 img.save(args.outfile)
152
153
154def do_sign_bl2(args):
155 if args.rsa_pkcs1_15:
156 keys.sign_rsa_pss = False
157
158 version_num = next_version_number(args,
159 version.decode_version("0"),
160 "lastVerNum.txt")
161
162 if args.security_counter is None:
163 # Security counter has not been explicitly provided,
164 # generate it from the version number
165 args.security_counter = ((version_num.major << 24)
166 + (version_num.minor << 16)
167 + version_num.revision)
168
169 img = image.Image.load(args.infile,
170 version=version_num,
171 header_size=args.header_size,
172 security_cnt=args.security_counter,
173 included_header=args.included_header,
174 pad=args.pad)
175
176 # key = keys.load_rsa(args.key) if args.key else None
177
178 img.sign_for_bl2(args)
179
180 if args.pad:
181 img.pad_to(args.pad, args.align)
182
183 img.save(args.outfile)
184
185
186subcmds = {
187 'keygen': do_keygen,
188 'getpub': do_getpub,
189 'sign': do_sign,
190 'sign_bl2': do_sign_bl2}
191
192
193def alignment_value(text):
194 value = int(text)
195 if value not in [1, 2, 4, 8]:
196 msg = "{} must be one of 1, 2, 4 or 8".format(value)
197 raise argparse.ArgumentTypeError(msg)
198 return value
199
200
201def intparse(text):
202 """Parse a command line argument as an integer.
203
204 Accepts 0x and other prefixes to allow other bases to be used."""
205 return int(text, 0)
206
207
208def args():
209 parser = argparse.ArgumentParser()
210 subs = parser.add_subparsers(help='subcommand help', dest='subcmd')
211
212 keygenp = subs.add_parser('keygen', help='Generate pub/private keypair')
213 keygenp.add_argument('-k', '--key', metavar='filename', required=True)
214 keygenp.add_argument('-t', '--type', metavar='type',
215 choices=keygens.keys(), required=True)
216
217 getpub = subs.add_parser('getpub', help='Get public key from keypair')
218 getpub.add_argument('-k', '--key', metavar='filename', required=True)
219 getpub.add_argument('-l', '--lang', metavar='lang', default='c')
220 ################ sign ####################
221 sign = subs.add_parser('sign', help='Sign an image with a private key')
222 sign.add_argument('--layout', required=False,default=None,
223 help='Location of the memory layout file')
224 sign.add_argument('-k', '--key', metavar='key_file', required=True)
225 sign.add_argument("--align", type=alignment_value, required=False)
226 sign.add_argument("-v", "--version", type=version.decode_version,
227 default="0.0.0+0")
228 sign.add_argument("-s", "--security-counter", type=intparse,
229 help='Specify explicitly the security counter value')
230 sign.add_argument("-H", "--header-size", type=intparse, required=True)
231 sign.add_argument("--included-header", default=False, action='store_true',
232 help='Image has gap for header')
233 sign.add_argument("--pad", type=intparse,
234 help='Pad image to this many bytes, adding trailer magic')
235 sign.add_argument("--rsa-pkcs1-15",
236 help='Use old PKCS#1 v1.5 signature algorithm',
237 default=False, action='store_true')
238 sign.add_argument("infile")
239 sign.add_argument("outfile")
240 ################ sign-bl2 ####################
241 sign = subs.add_parser('sign_bl2', help='Sign an bl2 with a private key')
242 sign.add_argument('-k', '--key', default=None, metavar='key_file', required=False)
243 sign.add_argument('-P', '--path-of-key', required=True, help='path of the key')
244 sign.add_argument("-H", "--header-size", type=intparse, help='sign file header size ', required=True)
245 sign.add_argument("-K", "--key-type", default=1, type=intparse, help='0: ECC256, 1: RSA')
246 sign.add_argument("--rsa-pkcs1-15",
247 help='Use old PKCS#1 v1.5 signature algorithm',
248 default=False, action='store_true')
249 sign.add_argument("-v", "--version", type=version.decode_version,
250 default="0.0.0+0")
251 sign.add_argument("-s", "--security-counter", type=intparse,
252 help='Specify explicitly the security counter value')
253 sign.add_argument("--pad", type=intparse,
254 help='Pad image to this many bytes, adding trailer magic')
255 sign.add_argument("--included-header", default=False, action='store_true',
256 help='Image has gap for header')
257 sign.add_argument("infile")
258 sign.add_argument("outfile")
259
260 args = parser.parse_args()
261 if args.subcmd is None:
262 print('Must specify a subcommand', file=sys.stderr)
263 sys.exit(1)
264
265 subcmds[args.subcmd](args)
266
267
268if __name__ == '__main__':
269 args()