[U-Boot] [PATCH 1/2] tools: image: allow to sign image nodes without -K option

If -K option is missing when you sign image nodes, it fails with an unclear error message:
tools/mkimage Can't add hashes to FIT blob: -1
It is hard to figure out the cause of the failure.
In contrast, when you sign configuration nodes, -K is optional because fit_config_process_sig() returns successfully if keydest is unset. Probably this is a preferred behavior when you want to update FIT with the same key; you do not have to update the public key in this case.
So, this commit changes fit_image_process_sig() to continue signing without keydest. If ->add_verify_data() fails, show a clearer error message, which has been borrowed from fit_config_process_sig().
Signed-off-by: Masahiro Yamada yamada.masahiro@socionext.com
---
tools/image-host.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/tools/image-host.c b/tools/image-host.c index ad9a73a..d42c1ca 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -242,18 +242,19 @@ static int fit_image_process_sig(const char *keydir, void *keydest, /* Get keyname again, as FDT has changed and invalidated our pointer */ info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
- if (keydest) - ret = info.crypto->add_verify_data(&info, keydest); - else - return -1; - /* * Write the public key into the supplied FDT file; this might fail * several times, since we try signing with successively increasing * size values */ - if (keydest && ret) - return ret; + if (keydest) { + ret = info.crypto->add_verify_data(&info, keydest); + if (ret) { + printf("Failed to add verification data for '%s' signature node in '%s' image node\n", + node_name, image_name); + return ret; + } + }
return 0; }
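
Review bot: In the new "if (ret)" branch inside "if (keydest)", the printf now fires on every failure of ->add_verify_data(), yet the comment kept directly above says this write "might fail several times, since we try signing with successively increasing size values". If those expected failures are the out-of-space case that the caller retries, the user will see "Failed to add verification data ..." once per retry even when signing succeeds in the end. Consider printing only for non-retryable errors (for example, skip the message when ret is -ENOSPC) while still returning ret. Separately, with "else return -1;" gone, signing without keydest now succeeds without writing a public key anywhere; a one-line comment at "if (keydest)" stating that this is intentional, and that the verifier must already hold the matching key, would document the behaviour described in the commit message.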

This function is called when signing configuration nodes. Adjust the error message.
I do not know why we do not need to show the error message in case of ENOSPC. Remove the if-conditional that seems unnecessary.
Signed-off-by: Masahiro Yamada yamada.masahiro@socionext.com
---
tools/image-host.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tools/image-host.c b/tools/image-host.c index d42c1ca..2c0030b 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -626,10 +626,8 @@ static int fit_config_process_sig(const char *keydir, void *keydest, /* Write the public key into the supplied FDT file */ if (keydest) { ret = info.crypto->add_verify_data(&info, keydest); - if (ret == -ENOSPC) - return -ENOSPC; if (ret) { - printf("Failed to add verification data for '%s' signature node in '%s' image node\n", + printf("Failed to add verification data for '%s' signature node in '%s' configuration node\n", node_name, conf_name); } return ret;
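
Review bot: Dropping the "if (ret == -ENOSPC) return -ENOSPC;" early return in fit_config_process_sig() means the failure message is now printed for -ENOSPC as well, and the commit message says the reason for the original exception is not known. The sibling fit_image_process_sig() carries a comment that the public-key write "might fail several times, since we try signing with successively increasing size values"; if the caller retries this function the same way, each retry will now print a misleading failure. Please confirm how the caller handles -ENOSPC before removing the check, or keep it silent by testing "ret && ret != -ENOSPC" before the printf. The wording change from 'image node' to 'configuration node' matches the conf_name argument and looks right.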

On Fri, Oct 27, 2017 at 03:04:21PM +0900, Masahiro Yamada wrote:
This function is called when signing configuration nodes. Adjust the error message.
I do not know why we do not need to show the error message in case of ENOSPC. Remove the if-conditional that seems unnecessary.
Signed-off-by: Masahiro Yamada yamada.masahiro@socionext.com
Applied to u-boot/master, thanks!

On Fri, Oct 27, 2017 at 03:04:20PM +0900, Masahiro Yamada wrote:
If -K option is missing when you sign image nodes, it fails with an unclear error message:
tools/mkimage Can't add hashes to FIT blob: -1
It is hard to figure out the cause of the failure.
In contrast, when you sign configuration nodes, -K is optional because fit_config_process_sig() returns successfully if keydest is unset. Probably this is a preferred behavior when you want to update FIT with the same key; you do not have to update the public key in this case.
So, this commit changes fit_image_process_sig() to continue signing without keydest. If ->add_verify_data() fails, show a clearer error message, which has been borrowed from fit_config_process_sig().
Signed-off-by: Masahiro Yamada yamada.masahiro@socionext.com
Applied to u-boot/master, thanks!
participants (2)
- Masahiro Yamada
- Tom Rini