From 95dfd6ea3a2c06a81a4513fe943d640d4d990194 Mon Sep 17 00:00:00 2001
From: "steven.lin" <steven.lin@senao.com>
Date: Mon, 11 Nov 2024 09:28:18 +0800
Subject: [PATCH] secure boot support sha256

---
 scripts/mkits-secure_boot.sh | 37 ++++++++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/scripts/mkits-secure_boot.sh b/scripts/mkits-secure_boot.sh
index 1c7f292618..0a09792971 100755
--- a/scripts/mkits-secure_boot.sh
+++ b/scripts/mkits-secure_boot.sh
@@ -17,7 +17,7 @@
 usage() {
 	printf "Usage: %s -A arch -C comp -a addr -e entry" "$(basename "$0")"
 	printf " -v version -k kernel [-D name -n address -d dtb] -o its_file"
-	printf " [-s script] [-S key_name_hint] [-r ar_ver] [-R rootfs]"
+	printf " [-s script] [-S key_name_hint] [-b key_alg] [-r ar_ver] [-R rootfs] [-m rfsk]"
 
 	printf "\n\t-A ==> set architecture to 'arch'"
 	printf "\n\t-C ==> set compression type 'comp'"
@@ -32,18 +32,21 @@ usage() {
 	printf "\n\t-o ==> create output file 'its_file'"
 	printf "\n\t-s ==> include u-boot script 'script'"
 	printf "\n\t-S ==> add signature at configurations and assign its key_name_hint by 'key_name_hint'"
+	printf "\n\t-b ==> set key algorithm"
 	printf "\n\t-r ==> set anti-rollback version to 'fw_ar_ver' (dec)"
-	printf "\n\t-R ==> specify rootfs file for embedding hash\n"
+	printf "\n\t-R ==> specify rootfs file for embedding hash"
+	printf "\n\t-m ==> include encrypted rootfs key'\n"
 	exit 1
 }
 
 FDTNUM=1
 
-while getopts ":A:a:c:C:D:d:e:k:n:o:v:s:S:r:R:" OPTION
+while getopts ":A:a:b:c:C:D:d:e:k:n:o:v:s:S:r:R:m:" OPTION
 do
 	case $OPTION in
 		A ) ARCH=$OPTARG;;
 		a ) LOAD_ADDR=$OPTARG;;
+		b ) KEY_ALG=$OPTARG;;
 		c ) CONFIG=$OPTARG;;
 		C ) COMPRESS=$OPTARG;;
 		D ) DEVICE=$OPTARG;;
@@ -57,6 +60,7 @@ do
 		S ) KEY_NAME_HINT=$OPTARG;;
 		r ) AR_VER=$OPTARG;;
 		R ) ROOTFS_FILE=$OPTARG;;
+		m ) ROOTFS_KEY=$OPTARG;;
 		* ) echo "Invalid option passed to '$0' (options:$*)"
 		usage;;
 	esac
@@ -91,6 +95,19 @@ if [ -n "${DTB}" ]; then
 	FDT_PROP="fdt = \"fdt-$FDTNUM\";"
 fi
 
+# Conditionally create encrypted rootfs-key information
+if [ -n "${ROOTFS_KEY}" ]; then
+	RFSK_NODE="
+			rfsk = <$(cat ${ROOTFS_KEY} | od -An -t x1 -w256 | sed 's/ //g; s/.\{8\}/0x& /g; s/.$//g')>;";
+
+	FIT_SECRET_NODE="
+	fit-secrets {
+		${CONFIG} {
+		};
+	};
+"
+fi
+
 # Conditionally create rootfs hash information
 if [ -f "${ROOTFS_FILE}" ]; then
 	ROOTFS_SIZE=$(stat -c %s ${ROOTFS_FILE})
@@ -149,11 +166,20 @@ fi
 
 # Conditionally create signature information
 if [ -n "${KEY_NAME_HINT}" ]; then
+	if [[ "${KEY_NAME_HINT}" == "offline,"* ]]; then
+		KEY_NAME_HINT=$(echo -n "${KEY_NAME_HINT}" | sed "s/^.*[,]//g")
+		SIGN_OFFLINE="
+				sign-offline = <1>;"
+	fi
+	if [ -z "${KEY_ALG}" ]; then
+		KEY_ALG="sha256,rsa2048"
+	fi
 	SIGNATURE="\
 			signature {
-				algo = \"sha1,rsa2048\";
+				algo = \"${KEY_ALG}\";
 				key-name-hint = \"${KEY_NAME_HINT}\";
 ${SIGN_IMAGES}
+${SIGN_OFFLINE}
 			};\
 "
 fi
@@ -200,12 +226,15 @@ ${ROOTFS}
 		${CONFIG} {
 			description = \"OpenWrt\";
 ${FW_AR_VER}
+${RFSK_NODE}
 ${LOADABLES}
 			kernel = \"kernel-1\";
 			${FDT_PROP}
 ${SIGNATURE}
 		};
 	};
+
+${FIT_SECRET_NODE}
 };"
 
 # Write .its file to disk
-- 
2.43.2