RE: [cbootimage PATCH v3 5/5] Add two sample scripts to do rsa signing for T210 bootimage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> -----Original Message-----
> From: linux-tegra-owner@xxxxxxxxxxxxxxx [mailto:linux-tegra-
> owner@xxxxxxxxxxxxxxx] On Behalf Of Stephen Warren
> Sent: Thursday, October 08, 2015 1:58 PM
> To: Jimmy Zhang
> Cc: Allen Martin; Stephen Warren; linux-tegra@xxxxxxxxxxxxxxx
> Subject: Re: [cbootimage PATCH v3 5/5] Add two sample scripts to do rsa
> signing for T210 bootimage
> 
> On 10/08/2015 01:38 PM, Jimmy Zhang wrote:
> > sign.sh runs openssl and other linux utilities to generate rsa-pss
> > signatures for a prebuilt bootimage and inject signatures and rsa
> > modulus into bct directly.
> >
> > Syntax: sign.sh <bootimage> <rsa_key.pem>
> >
> > sign-by-update.sh is similar to sign.sh. The difference is the
> > signatures update are done by cbootimage with configuration keywords
> > "RsaKeyModulusFile", "RsaPssSigBlFile", and "RsaPssSigBctFile".
> > Comparing to sign.sh, this script is relatively simple to be ported to
> > T124/T114.
> >
> > Syntax: sign-by-update.sh <bootimage> <rsa_key.pem>
> 
> > diff --git a/rsa_priv.pem b/rsa_priv.pem
> 
> I hope this is some random private key you generated just for the purposes
> of demonstration...
> 

This key is generated by openssl. It is used on my fused board. I will replace it with another random generated 2048 bit long modulus private key file.

> > diff --git a/sign-by-update.sh b/sign-by-update.sh
> 
> Let's put these example files in an examples directory or something like that.
> 
> Should we update the Makefile to install the examples into some doc
> directory?
> 

I am not sure how to change Makefile.

> > new file mode 100755
> > index 000000000000..b3f010a41d0e
> > --- /dev/null
> > +++ b/sign-by-update.sh
> > @@ -0,0 +1,59 @@
> > +IMAGE_FILE=$1
> > +KEY_FILE=$2
> 
> There's no #! line here.
> 

Will do.

> I'd suggest adding "set -e" so there is some simple error-checking.
> 
> > +echo " Get rid of all temporary files: *.sig, *.tosig, *.tmp *.mod *.rev"
> 
> Why a space at the start of the echo'd data? (Or the end in other
> commands) Quotes aren't needed either, at least for this command.
> Similar comments for all the other echo statements.
> 

OK. Will clean it up.

> > +echo " Reverse bl signature to meet tegra soc signature ordering"
> > +$OBJCOPY -I binary --reverse-bytes=256 $IMAGE_FILE.bl.sig
> > +$IMAGE_FILE.bl.sig.rev
> 
> Should cbootimage do this itself; this feels like an issue related to packing the
> data into the BCT which is what cbootimage handles...
> 


OK. I will add a function to handle this issue.

> > +echo " Create public key modulus from key file $KEY_FILE and save to
> $KEY_FILE.mod"
> > +$OPENSSL rsa -in $KEY_FILE -noout -modulus -out $KEY_FILE.mod #
> > +remove prefix and LF
> 
> -noout then -out?
> 

No. They are different options. Without -noout, private key is printed to output file as well.

> > +$DD bs=1 if=$KEY_FILE.mod of=$KEY_FILE.mod.tmp skip=8 count=512
> 
> I'd suggest using cut for that in case the prefix changes; `cut -d= f2`.
> 

Not sure how to use 'cut'. Instead, will use 'sed'

> > diff --git a/sign.sh b/sign.sh
> 
> Likely all the comments for sign-by-update.sh apply here too.
> 
> I expect these scripts are very similar. Can the script take a cmdline argument
> to request the update type (dd vs. a all to cbootimage -u) so that all the
> common logic isn't duplicated?
> 
> > +echo " Copy the signed binary to the target file $TARGET_IMAGE"
> > +$MV $IMAGE_FILE.tmp $TARGET_IMAGE
> > +
> 
> There's a blank line at EOF there.
> 

Will remove it.

> --
> To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the
> body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at
> http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-tegra" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [ARM Kernel]     [Linux ARM]     [Linux ARM MSM]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux