Add missing help text for the -y and -Y parameters of mkimage.
Fixes: 6dfd14e1228e ("mkimage: Add support for bundling TFA BL31 in mkimage -f auto")
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
This reverts commit 4d84fa1261eb27d57687f2e4c404a78b8653c183, reversing
changes made to b82a1fa7ddc7f3be2f3b75898d5dc44c34420bdd.
I had missed some feedback on this series from earlier, and we have
since had reports of regressions due to this as well. For now, revert
this.
Signed-off-by: Tom Rini <trini@konsulko.com>
Aristo Chen <jj251510319013@gmail.com> says:
This patch series enhances FIT image robustness by adding **memory
region overlap detection** to `mkimage` and fixing existing overlaps
in DTS files and `binman` tests.
The primary goal is to prevent runtime memory corruption from
conflicting load addresses in FIT images.
Key Changes:
1. `mkimage` Overlap Detection: A new validation in
`tools/fit_image.c` checks for overlapping load addresses
within FIT configurations. `mkimage` now errors out with
detailed info on conflicts, preventing bad FIT image creation.
2. New Test Case: A Python test verifies the new detection.
It intentionally creates an overlap (kernel and FDT)
to confirm correct error handling.
3. Fixes for Existing Overlaps:
* Board DTS (k3-am6xx): Adjusted load addresses for TI
firmware stubs to prevent conflicts. This resolves
previously undetected overlaps.
* `binman` Tests: Fixed several tests. U-Boot load
addresses were shifted to avoid ATF conflicts. A new
linker script for TEE ELF sections ensures distinct
memory layouts.
4. Documentation: Added guidance for developers on how to
determine ELF load addresses using readelf, linker scripts,
and objdump when working with binman FIT images.
Impact:
This series improves FIT image reliability by catching overlaps
at build time, helping developers resolve issues before runtime
failures.
Link: https://lore.kernel.org/r/20250914110021.4103-1-aristo.chen@canonical.com
This patch adds a validation step in mkimage to detect memory region
overlaps between images specified in the same configuration of a
FIT image. If any overlaps are found, the tool prints an error and
aborts the build.
This helps prevent runtime memory corruption caused by conflicting
load addresses between images.
Signed-off-by: Aristo Chen <aristo.chen@canonical.com>
Introduce two new parameters to be used with mkimage -f auto to bundle
TFA BL31 image into fitImage, using auto-generated fitImage. Add -y to
specify TFA BL31 file name and -Y to specify TFA BL31 load and entry
point address. This is meant to be used with systems which boot all of
TFA BL31, Linux and its DT from a single fitImage, all booted by U-Boot.
Example invocation:
"
$ mkimage -E -A arm64 -C none -e 0x50200000 -a 0x50200000 -f auto \
-d arch/arm64/boot/Image \
-b arch/arm64/boot/dts/renesas/r8a779g3-sparrow-hawk.dtb \
-y ../tfa/build/rcar_gen4/release/bl31.bin -Y 0x46400000 \
/path/to/output/fitImage
"
Documentation update and test are also included, the test validates
both positive and negative test cases, where fitImage does not include
TFA BL31 and does include TFA BL31 blobs.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
The function is only used locally. Enabling -Wmissing-prototypes
triggers a warning. Mark it as static.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
When parsing a FIT image source (ITS), mkimage does not currently check
whether the image names referenced in the /configurations section (e.g.
"kernel", "fdt", "ramdisk", "loadables") actually exist in the /images
node.
This patch introduces a validation step during FIT import that iterates
over each configuration and verifies that all referenced image names are
defined under /images. If a missing image is detected, an appropriate
error is reported and mkimage exits with FDT_ERR_NOTFOUND.
This ensures that configuration integrity is validated at build time.
Signed-off-by: Aristo Chen <aristo.chen@canonical.com>
getopt_long() expects a NULL-terminated list of structures. The current
list in mkimage does not have a zero-filled structure at the end, which
can cause getopt_long() to walk past the end of the array when passing
an unknown option, causing a segmentation fault.
As a reproducer, the following command causes a segmentation fault
(tested in Debian 12):
mkimage --foobar
Signed-off-by: Carlos López <carlos.lopezr4096@gmail.com>
Commit cb9faa6f98ae ("tools: Use a single target-independent config to
enable OpenSSL") introduced a target-independent configuration to build
crypto features in host tools.
But since commit 2c21256b27d7 ("hash: Use Kconfig to enable hashing in
host tools and SPL") the build without OpenSSL is broken, due to FIT
signature/encryption features. Add missing conditional compilation
tokens to fix this.
Signed-off-by: Paul-Erwan Rio <paulerwan.rio@gmail.com>
Tested-by: Alexander Dahl <ada@thorsis.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This is part of a longer series, which isn't quite ready. Revert this
for now at least.
This reverts commit 4cb6c8e5f0de3c4c5f9eba51c6a1610934a8cf77.
Signed-off-by: Tom Rini <trini@konsulko.com>
The man page correctly said that -B was ignored without -E, while the
`mkimage -h` output suggested otherwise. Now that -B can actually be
used by itself, update the man page.
While at it, also amend the `mkimage -h` line to mention the
connection with -E.
The FDT header is a fixed 40 bytes, so its size cannot (and is not)
modified, while its alignment is a property of the address in RAM one
loads the FIT to, so not something mkimage can affect in any way. (In
the file itself, the header is of course at offset 0, which has all
possible alignments already.)
Reported-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Simon Glass <sjg@chromium.org>
This allows image type print_header() callback to access struct
image_tool_params *params.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
When mkimage was instructed to skip datafile via option -s then do not try
to validate or open datafile as it does not have to exist or to be
specified via -d option.
This change allows to use -s option for skipping datafile when -d option
for datafile was not specified.
Signed-off-by: Pali Rohár <pali@kernel.org>
When asking mkimage to create a new image file and option -d is not
specified then mkimage show human unfriendly error message:
mkimage: Can't open (null): Bad address
Without debugger it is hard to debug what is the issue. Function open() is
being called with file name set to NULL. So add a check for this and if it
happens then show human readable message that option -d was not specified.
Signed-off-by: Pali Rohár <pali@kernel.org>
Skip filling legacy_img_hdr structure for XIP images which do not use
legacy_img_hdr structure header. Adding unwanted header to other image
formats, like kwbimage cause generation of broken image.
Signed-off-by: Pali Rohár <pali@kernel.org>
Extend support for signing in auto-generated (-f auto) FIT. Previously,
it was possible to get signed 'images' subnodes in the FIT using
options -g and -o together with -f auto. This patch allows signing
'configurations' subnodes instead of 'images' ones (which are hashed),
using option -f auto-conf instead of -f auto. Adding also -K <dtb> and
-r options, will add public key to <dtb> file with required = "conf"
property.
Summary:
-f auto => FIT with crc32 images
-f auto -g ... -o ... => FIT with signed images
-f auto-conf -g ... -o ... => FIT with sha1 images and signed confs
Example: FIT with kernel, two device tree files, and signed
configurations; public key (needed to verify signatures) is
added to u-boot.dtb with required = "conf" property.
mkimage -f auto-conf -A arm -O linux -T kernel -C none -a 43e00000 \
-e 0 -d vmlinuz -b /path/to/first.dtb -b /path/to/second.dtb \
-k /folder/with/key-files -g keyname -o sha256,rsa4096 \
-K u-boot.dtb -r kernel.itb
Example: Add public key with required = "conf" property to u-boot.dtb
without needing to sign anything. This will also create a useless FIT
named unused.itb.
mkimage -f auto-conf -d /dev/null -k /folder/with/key-files \
-g keyname -o sha256,rsa4096 -K u-boot.dtb -r unused.itb
Signed-off-by: Massimo Pegorer <massimo.pegorer@vimar.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In case there's no struct image_type_params::set_header callback, no
"errno" will be set. Don't fail with an error message, followed by
"Success". Remove the printing of the human readable "errno" value.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
The copy_datafile(ifd, params.datafile) function has been
implemented to copy data by reducing the number of lines in the main
function.
Signed-off-by: Mikhail Ilin <ilin.mikhail.ol@gmail.com>
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
The mkimage command has had many options added over the years.
Unfortunately, we are starting to run out of short options. Recent options
don't have any obvious relation to their meaning (e.g. -o/-g). Fortunately,
long options exist. Add long options for each current short option.
For the curious, the remaining short options are HIkLmMPQSuUwWXyYzZ.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This adds support for signing images in auto-generated FITs. To do this,
we need to add a signature node. The algorithm name property already has
its own option, but we need one for the key name hint. We could have
gone the -G route and added an explicit name for the public key (like
what is done for the private key). However, many places assume the
public key can be constructed from the key dir and hint, and I don't
want to do the refactoring necessary.
As a consequence of this, it is now easier to add public keys to an
existing image without signing something. This could be done all along,
but now you don't have to create an its just to do it. Ideally, we
wouldn't create a FIT at the end. This could be done by calling
fit_image_setup_sig/info.crypto->add_verify_data directly.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Over the years, several options have not made it into the help message.
Document them. Do the same for the man page.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
If image backend provides verify_header callback then call it after writing
image to disk. This ensures that written image is correct.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
The sunxi_egon type used to take no -A argument (because we assume sunxi
targets are all ARM). However, as Allwinner D1 appears as the first
RISC-V sunxi target, we need to support -A; in addition, as external
projects rely on U-Boot mkimage to generate sunxi eGON.BT0 header, we
need to keep compatibility with command line without -A.
As the default value of arch in mkimage is not proper (IH_ARCH_PPC
instead of IH_ARCH_INVALID), to keep more compatibility, add an Aflag
field to image parameters to describe whether an architecture is
explicitly specified.
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
If parameter -F is given but FIT support is missing, a NULL pointer might
dereferenced (Coverity CID 350249).
If incorrect parameters are given, provide a message and show usage.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Currently -l option for mkimage and dumpimage ignores option -T and always
tries to autodetect image type.
With this change it is possible to tell mkimage and dumpimage to parse
image file as specific type (and not random autodetected type). This allows
to use mkimage -l or dumpimage -l as tool for validating image.
params.type for -l option is now by default initialized to zero
(IH_TYPE_INVALID) instead of IH_TYPE_KERNEL. imagetool_get_type() for
IH_TYPE_INVALID returns NULL, which is assigned to tparams. mkimage and
dumpimage code is extended to handle tparams with NULL for -l option. And
imagetool_verify_print_header() is extended to do validation via tparams if
is not NULL.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
At present mkimage displays the node information but it is not clear what
signing action was taken. Add a message that shows it. For now it only
supports showing a single signing action, since that is the common case.
Sample:
Signature written to 'sha1-basic/test.fit',
node '/configurations/conf-1/signature'
Public key written to 'sha1-basic/sandbox-u-boot.dtb',
node '/signature/key-dev'
Signed-off-by: Simon Glass <sjg@chromium.org>
The component st_size of struct stat is of type off_t. Depending on the
system printing it using %ld leads to a warning:
tools/mkimage.c:438:54: warning: format '%ld' expects argument of type
'long int', but argument 5 has type
'off_t' {aka 'long long int'} [-Wformat=]
438 | "%s: Bad size: \"%s\" is not valid image: size %ld < %u\n",
| ~~^
| |
| long int
| %lld
When comparing an off_t value to a 32bit integer we should not convert to
uint32_t but to off_t which may be wider.
Reported-by: Milan P. Stanić <mps@arvanta.net>
Fixes: 331f0800f1a3 ("mkimage: allow -l to work on block devices on Linux")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
This permits to prepare FIT image description that do not hard-code the
final choice of the signature algorithm, possibly requiring the user to
patch the sources.
When -o <algo> is specified, this information is used in favor of the
'algo' property in the signature node. Furthermore, that property is set
accordingly when writing the image.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The actual opt string is inlined - and different. Seems this was a
left-over from older versions of 603e26f76346.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Currently, an empty imput file causes `mmap()` to fail, and you get an
error like "mkimage: Can't read file.img: Invalid argument", which is
extremely unintuitive and hard to diagnose if you don't know what to
look for. Add an explicit check for an empty file and provide a clear
error message instead.
We already bounds check the image size when listing and re-signing
existing images, so we only need this check here, when opening data
files going into a image.
Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When "mkimage -l" was run on a block device it would fail with
erroneous message, because fstat reports a size of zero for those:
mkimage: Bad size: "/dev/sdb4" is not valid image
This patch identifies the "is a block device" case and reports it as
such, and if it knows how to determine the size of a block device on
the current OS, proceeds.
As shown in
http://www.mit.edu/afs.new/sipb/user/tytso/e2fsprogs/lib/blkid/getsize.c
this is no portable task, and I only handled the case of a modern
Linux kernel, which is what I can test.
Signed-off-by: Yann Dirson <yann@blade-group.com>
It's not always desirable to use 'keydir' and some ad-hoc heuristics
to get the filename of the signing key. More often, just passing the
filename is the simpler, easier, and logical thing to do.
Since mkimage doesn't use long options, we're slowly running out of
letters. I've chosen '-G' because it was available.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
These commands were disabled when CONFIG_FIT_SIGNATURE is disabled, but
they do not depend on crypto support so they can be unconditionally
enabled.
Signed-off-by: Joel Stanley <joel@jms.id.au>
In show_valid_options(), this patch introduces checking whether
a category has an entry ID. If not, adding it to a list for output
is skipped before calling qsort().
This patch will affect all kinds of image header categories
(-A, -C, -O and -T flags).
Signed-off-by: Naoki Hayama <naoki.hayama@lineo.co.jp>
Reviewed-by: Simon Glass <sjg@chromium.org>
Normally the FIT timestamp is created the first time mkimage is run on a
FIT, when converting the source .its to the binary .fit file. This
corresponds to using the -f flag. But if the original input to mkimage is
a binary file (already compiled) then the timestamp is assumed to have
been set previously.
Add a -t flag to allow setting the timestamp in this case.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
This reverts commit 5d3a21df6694ebd66d5c34c9d62a26edc7456fc7, reversing
changes made to 56d37f1c564107e27d873181d838571b7d7860e7.
Unfortunately this is causing CI failures:
https://travis-ci.org/github/trini/u-boot/jobs/711313649
Signed-off-by: Tom Rini <trini@konsulko.com>
Normally the FIT timestamp is created the first time mkimage is run on a
FIT, when converting the source .its to the binary .fit file. This
corresponds to using the -f flag. But if the original input to mkimage is
a binary file (already compiled) then the timestamp is assumed to have
been set previously.
Add a -t flag to allow setting the timestamp in this case.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Add a new error message in case the size of data written
are shorter than the one expected.
Currently, it will lead to the following error message:
"mkimage: Write error on uImage: Success"
This is not explicit when the error is because the device
doesn't have enough space. Let's use a more understandable message:
"mkimage: Write only 4202432/4682240 bytes, probably no space left on the device"
Signed-off-by: Mylène Josserand <mylene.josserand@collabora.com>
Reviewed-by: Walter Lozano <walter.lozano@collabora.com>
GCC recognizes /* fallthrough */ if -Wimplicit-fallthrough=3 is enabled.
Let's use it consistently.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The image is usually stored in block device like emmc, SD card, make the
offset of image data aligned to block(512 byte) can avoid data copy
during boot process.
eg. SPL boot from FIT image with external data:
- SPL read the first block of FIT image, and then parse the header;
- SPL read image data separately;
- The first image offset is the base_offset which is the header size;
- The second image offset is just after the first image;
- If the offset of imge does not aligned, SPL will do memcpy;
The header size is a ramdon number, which is very possible not aligned, so
add '-B size'to specify the align size in hex for better performance.
example usage:
./tools/mkimage -E -f u-boot.its -B 0x200 u-boot.itb
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Reviewed-by: Tom Rini <trini@konsulko.com>
The ALIGN() is now available at imagetool.h, migrate to use it.
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Reviewed-by: Tom Rini <trini@konsulko.com>
There are multiple other openssl engines used by HSMs that can be used to
sign FIT images instead of forcing users to use pkcs11 type of service.
Relax engine selection so that other openssl engines can be specified and
use generic key id definition formula.
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Cc: Tom Rini <trini@konsulko.com>
FIT header verification in mkimage was treating a return code as a boolean,
which meant that failures in validating the fit were seen as successes.
Additionally, mkimage was checking all formats to find a header which
passes validation, rather than using the image type specified to
mkimage.
checkpatch.pl checks for lines ending with '(' and alignment matching
open parentheses are ignored to keep with existing coding style.
Signed-off-by: Jordan Hand <jorhand@microsoft.com>
i.MX8M bootable image type is like i.MX6/7, but there is signed HDMI
firmware image in front of A53 bootable image, which is also has an IVT
header.
Here we also include fit image to generate a bootable image.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Stefano Babic <sbabic@denx.de>
i.MX8/8X bootable image type is container type.
The bootable image, containers a container set which supports two
container. The 1st container is for SECO firmware, the 2nd container
needs to include scfw, m4_0/1 image, ACore images per your requirement.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
The set_header call in kwbimage.c adds a checksum to the end of the
image in addition to setting up the header. It 'helpfully' updates the
st_size to match the fact that the file is now longer. However, mkimage
uses this length in the munmap call. This can lead to unmapping an extra
page, of perhaps required data. When this happens, a SEGV can occur.
To prevent this from happening, the munmap call now uses the same length
that was passed to mmap. This could also have been fixed by not changing
the length in kwbimage.c, however changing it in the main file means
that other plugins will also not fall for the same trap.
Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Signed-off-by: Chris Packham <judge.packham@gmail.com>
[cp: resolve checkpatch complaints]
Tested-by: Chris Packham <judge.packham@gmail.com>
The officially described way to generate boot.bin files for ZynqMP is to
describe the contents of the target binary using a file of the "bif"
format. This file then links to other files that all get packed into a
bootable image.
This patch adds support to read such a .bif file and generate a respective
ZynqMP boot.bin file that can include the normal image and pmu files, but
also supports image partitions now. This makes it a handy replacement for
the proprietary "bootgen" utility that is currently used to generate
boot.bin files with FSBL.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
