From 390e00355e9b659c92a54c526cac6774211ce351 Mon Sep 17 00:00:00 2001
From: Daniel Golle <daniel@makrotopia.org>
Date: Sat, 29 Mar 2025 03:52:42 +0000
Subject: [PATCH] uboot-tools: add fit-check-sign package

Add fit-check-sign package which allows validating a uImage.FIT.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---
 package/boot/uboot-tools/Makefile             | 20 +++-
 ...kip-in-tools-build-if-key-is-missing.patch | 69 ++++++++++++++
 ...ols-fit_check_sign-make-key-optional.patch | 92 +++++++++++++++++++
 ...12-tools-fit_check_sign-no-libcrypto.patch | 13 +++
 4 files changed, 193 insertions(+), 1 deletion(-)
 create mode 100644 package/boot/uboot-tools/patches/010-image-fit-sig-skip-in-tools-build-if-key-is-missing.patch
 create mode 100644 package/boot/uboot-tools/patches/011-tools-fit_check_sign-make-key-optional.patch
 create mode 100644 package/boot/uboot-tools/patches/012-tools-fit_check_sign-no-libcrypto.patch

diff --git a/package/boot/uboot-tools/Makefile b/package/boot/uboot-tools/Makefile
index 6861a70d7a9..481fe776026 100644
--- a/package/boot/uboot-tools/Makefile
+++ b/package/boot/uboot-tools/Makefile
@@ -37,6 +37,18 @@ define Package/dumpimage/description
 	position to outfile.
 endef
 
+define Package/fit-check-sign
+	SECTION:=utils
+	CATEGORY:=Utilities
+	SUBMENU:=Boot Loaders
+	TITLE:=verify uImage.FIT
+	URL:=http://www.denx.de/wiki/U-Boot
+endef
+
+define Package/fit-check-sign/description
+	fit_check_sign validates uImage.FIT hashes and signatures
+endef
+
 define Package/uboot-envtools
 	SECTION:=utils
 	CATEGORY:=Utilities
@@ -75,7 +87,7 @@ define Build/Compile
 ifneq ($(CONFIG_PACKAGE_uboot-envtools),)
 	$(call Build/Compile/Default,envtools)
 endif
-ifneq ($(CONFIG_PACKAGE_dumpimage),)
+ifneq ($(CONFIG_PACKAGE_dumpimage)$(CONFIG_PACKAGE_fit-check-sign),)
 	$(call Build/Compile/Default,cross_tools)
 endif
 
@@ -86,6 +98,11 @@ define Package/dumpimage/install
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tools/dumpimage $(1)/usr/bin
 endef
 
+define Package/fit-check-sign/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tools/fit_check_sign $(1)/usr/bin
+endef
+
 define Package/uboot-envtools/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tools/env/fw_printenv $(1)/usr/sbin
@@ -109,4 +126,5 @@ define Package/uboot-envtools/install
 endef
 
 $(eval $(call BuildPackage,dumpimage))
+$(eval $(call BuildPackage,fit-check-sign))
 $(eval $(call BuildPackage,uboot-envtools))
diff --git a/package/boot/uboot-tools/patches/010-image-fit-sig-skip-in-tools-build-if-key-is-missing.patch b/package/boot/uboot-tools/patches/010-image-fit-sig-skip-in-tools-build-if-key-is-missing.patch
new file mode 100644
index 00000000000..9defb598eed
--- /dev/null
+++ b/package/boot/uboot-tools/patches/010-image-fit-sig-skip-in-tools-build-if-key-is-missing.patch
@@ -0,0 +1,69 @@
+From patchwork Sat Mar 29 03:12:50 2025
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Daniel Golle <daniel@makrotopia.org>
+X-Patchwork-Id: 2066664
+Return-Path: <u-boot-bounces@lists.denx.de>
+X-Original-To: incoming@patchwork.ozlabs.org
+Delivered-To: patchwork-incoming@legolas.ozlabs.org
+Date: Sat, 29 Mar 2025 03:12:50 +0000
+From: Daniel Golle <daniel@makrotopia.org>
+To: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
+ Chia-Wei Wang <chiawei_wang@aspeedtech.com>, u-boot@lists.denx.de
+Cc: Thomas =?iso-8859-1?q?H=FChn?= <thomas.huehn@hs-nordhausen.de>
+Subject: [PATCH 1/2] image-fit-sig: skip in tools build if key is missing
+Message-ID: 
+ <bf6a90e864b713db41bf788797554649eeaa0732.1743217745.git.daniel@makrotopia.org>
+MIME-Version: 1.0
+Content-Disposition: inline
+X-BeenThere: u-boot@lists.denx.de
+X-Mailman-Version: 2.1.39
+Precedence: list
+List-Id: U-Boot discussion <u-boot.lists.denx.de>
+List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
+ <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
+List-Archive: <https://lists.denx.de/pipermail/u-boot/>
+List-Post: <mailto:u-boot@lists.denx.de>
+List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
+List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
+ <mailto:u-boot-request@lists.denx.de?subject=subscribe>
+Errors-To: u-boot-bounces@lists.denx.de
+Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
+
+Skip signature verification in case no public key was given in order to
+allow using fit_check_sign also to validate uImage.FIT images without
+signatures. Guarded by USE_HOSTCC macro the behavior on target is
+unchanged.
+
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+---
+ boot/image-fit-sig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/boot/image-fit-sig.c
++++ b/boot/image-fit-sig.c
+@@ -191,6 +191,11 @@ int fit_image_verify_required_sigs(const
+ 	int noffset;
+ 	int key_node;
+ 
++#ifdef USE_HOSTCC
++	if (!key_blob)
++		return 0;
++#endif
++
+ 	/* Work out what we need to verify */
+ 	*no_sigsp = 1;
+ 	key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME);
+@@ -477,6 +482,11 @@ static int fit_config_verify_required_ke
+ 	bool reqd_policy_all = true;
+ 	const char *reqd_mode;
+ 
++#ifdef USE_HOSTCC
++	if (!key_blob)
++		return 0;
++#endif
++
+ 	/*
+ 	 * We don't support this since libfdt considers names with the
+ 	 * name root but different @ suffix to be equal
diff --git a/package/boot/uboot-tools/patches/011-tools-fit_check_sign-make-key-optional.patch b/package/boot/uboot-tools/patches/011-tools-fit_check_sign-make-key-optional.patch
new file mode 100644
index 00000000000..96ea7c434ad
--- /dev/null
+++ b/package/boot/uboot-tools/patches/011-tools-fit_check_sign-make-key-optional.patch
@@ -0,0 +1,92 @@
+From patchwork Sat Mar 29 03:13:01 2025
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+X-Patchwork-Submitter: Daniel Golle <daniel@makrotopia.org>
+X-Patchwork-Id: 2066665
+Return-Path: <u-boot-bounces@lists.denx.de>
+X-Original-To: incoming@patchwork.ozlabs.org
+Delivered-To: patchwork-incoming@legolas.ozlabs.org
+Date: Sat, 29 Mar 2025 03:13:01 +0000
+From: Daniel Golle <daniel@makrotopia.org>
+To: Tom Rini <trini@konsulko.com>, Simon Glass <sjg@chromium.org>,
+ Chia-Wei Wang <chiawei_wang@aspeedtech.com>,
+ Daniel Golle <daniel@makrotopia.org>, u-boot@lists.denx.de
+Cc: Thomas =?iso-8859-1?q?H=FChn?= <thomas.huehn@hs-nordhausen.de>
+Subject: [PATCH 2/2] tools/fit_check_sign: make key optional
+Message-ID: 
+ <1f0c5a1f7e84f638f921278284ff6245d78e730d.1743217745.git.daniel@makrotopia.org>
+References: 
+ <bf6a90e864b713db41bf788797554649eeaa0732.1743217745.git.daniel@makrotopia.org>
+MIME-Version: 1.0
+Content-Disposition: inline
+In-Reply-To: 
+ <bf6a90e864b713db41bf788797554649eeaa0732.1743217745.git.daniel@makrotopia.org>
+X-BeenThere: u-boot@lists.denx.de
+X-Mailman-Version: 2.1.39
+Precedence: list
+List-Id: U-Boot discussion <u-boot.lists.denx.de>
+List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
+ <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
+List-Archive: <https://lists.denx.de/pipermail/u-boot/>
+List-Post: <mailto:u-boot@lists.denx.de>
+List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
+List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
+ <mailto:u-boot-request@lists.denx.de?subject=subscribe>
+Errors-To: u-boot-bounces@lists.denx.de
+Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
+
+Allow invoking fit_check_sig without the key parameter, allowing to
+validate only checksums and hashes for unsigned images.
+
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+---
+ tools/fit_check_sign.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+--- a/tools/fit_check_sign.c
++++ b/tools/fit_check_sign.c
+@@ -45,7 +45,7 @@ int main(int argc, char **argv)
+ 	char *config_name = NULL;
+ 	char cmdname[256];
+ 	int ret;
+-	void *key_blob;
++	void *key_blob = NULL;
+ 	int c;
+ 
+ 	strncpy(cmdname, *argv, sizeof(cmdname) - 1);
+@@ -70,18 +70,15 @@ int main(int argc, char **argv)
+ 		fprintf(stderr, "%s: Missing fdt file\n", *argv);
+ 		usage(*argv);
+ 	}
+-	if (!keyfile) {
+-		fprintf(stderr, "%s: Missing key file\n", *argv);
+-		usage(*argv);
+-	}
+ 
+ 	ffd = mmap_fdt(cmdname, fdtfile, 0, &fit_blob, &fsbuf, false, true);
+ 	if (ffd < 0)
+ 		return EXIT_FAILURE;
+-	kfd = mmap_fdt(cmdname, keyfile, 0, &key_blob, &ksbuf, false, true);
+-	if (kfd < 0)
+-		return EXIT_FAILURE;
+-
++	if (keyfile) {
++		kfd = mmap_fdt(cmdname, keyfile, 0, &key_blob, &ksbuf, false, true);
++		if (kfd < 0)
++			return EXIT_FAILURE;
++	}
+ 	image_set_host_blob(key_blob);
+ 	ret = fit_check_sign(fit_blob, key_blob, config_name);
+ 	if (!ret) {
+@@ -93,7 +90,9 @@ int main(int argc, char **argv)
+ 	}
+ 
+ 	(void) munmap((void *)fit_blob, fsbuf.st_size);
+-	(void) munmap((void *)key_blob, ksbuf.st_size);
++
++	if (keyfile)
++		(void) munmap((void *)key_blob, ksbuf.st_size);
+ 
+ 	close(ffd);
+ 	close(kfd);
diff --git a/package/boot/uboot-tools/patches/012-tools-fit_check_sign-no-libcrypto.patch b/package/boot/uboot-tools/patches/012-tools-fit_check_sign-no-libcrypto.patch
new file mode 100644
index 00000000000..8f4dfefde24
--- /dev/null
+++ b/package/boot/uboot-tools/patches/012-tools-fit_check_sign-no-libcrypto.patch
@@ -0,0 +1,13 @@
+--- a/tools/Makefile
++++ b/tools/Makefile
+@@ -83,8 +83,8 @@ HOSTCFLAGS_img2srec.o := -pedantic
+ hostprogs-y += mkenvimage
+ mkenvimage-objs := mkenvimage.o os_support.o generated/lib/crc32.o
+ 
+-hostprogs-y += dumpimage mkimage
+-hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info fit_check_sign
++hostprogs-y += dumpimage mkimage fit_check_sign
++hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fit_info
+ hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fdt_add_pubkey
+ 
+ ifneq ($(CONFIG_CMD_BOOTEFI_SELFTEST)$(CONFIG_FWU_MDATA_GPT_BLK),)
-- 
2.47.2