<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/tools/binman/btool, branch v2026.04</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/tools/binman/btool?h=v2026.04</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/tools/binman/btool?h=v2026.04'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2025-12-06T17:43:08Z</updated>
<entry>
<title>tools: binman: fit: add tests for signing with an OpenSSL engine</title>
<updated>2025-12-06T17:43:08Z</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2025-11-21T17:15:00Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=564c6682fa9689e408e6b795cc8c8c40e5e60e81'/>
<id>urn:sha1:564c6682fa9689e408e6b795cc8c8c40e5e60e81</id>
<content type='text'>
This adds a test that signs a FIT and verifies the signature with
fit_check_sign.

OpenSSL engines are typically for signing with external HW so it's not
that straight-forward to simulate.

For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
4096 private key is made available. It can be selected by setting the
OpenSSL engine argument to dummy-rsa-engine. This can only be done if
the engine is detected by OpenSSL, which works by setting the
OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
is properly implementing what is expected from an RSA engine, but it
seems to be enough for testing.

For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11
without specific hardware. The keypairs and tokens are generated on the
fly. The "prod" token is generated with a different PIN (1234 instead of
1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.

Binman will not mess with the local SoftHSMv2 setup as it will only use
tokens from a per-test temporary directory enforced via the temporary
configuration file set via SOFTHSM2_CONF env variable in the tests. The
files created in the input dir should NOT be named the same as it is
shared between all tests in the same process (which is all tests when
running binman with -P 1 or with -T).

Once signed, it's checked with fit_check_sign with the associated
certificate.

Finally, a new softhsm2_util bintool is added so that we can initialize
the token and import keypairs. On Debian, the package also brings
libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
is not the only package required though, as it also needs p11-kit and
libengine-pkcs11-openssl (the latter bringing the former). We can detect
if it's properly installed by running openssl engine dynamic -c pkcs11.
If that fails, we simply skip the test.
The package is installed in the CI container by default.

Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
</content>
</entry>
<entry>
<title>tools: binman: mkimage: add support for passing the engine</title>
<updated>2025-12-06T17:43:08Z</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2025-11-21T17:14:58Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=9f9de386c1e54e6b009e5510ff335ab339a89a62'/>
<id>urn:sha1:9f9de386c1e54e6b009e5510ff335ab339a89a62</id>
<content type='text'>
mkimage has support for OpenSSL engines but binman currently doesn't for
direct callers of mkimage (e.g. the fit etype). This prepares for adding
support for OpenSSL engines for signing elements of a FIT image, which
will done in the next commit.

Reviewed-by: Wolfgang Wallner &lt;wolfgang.wallner@br-automation.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
</content>
</entry>
<entry>
<title>binman: btool: mkimage: fix Bintoolmkimage.run() method docstring</title>
<updated>2025-11-02T18:15:23Z</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2025-10-29T11:30:36Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=07436b5778fc7b920d9c93f8aa4c14987b17a443'/>
<id>urn:sha1:07436b5778fc7b920d9c93f8aa4c14987b17a443</id>
<content type='text'>
Commit 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version")
removed the version argument from the run method but forgot to remove it
from the method docstring, so let's fix this oversight.

Fixes: 65e2c14d5a5a ("binman: btool: mkimage: use Bintool.version")
Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Reviewed-by: Kever Yang &lt;kever.yang@rock-chips.com&gt;
</content>
</entry>
<entry>
<title>binman: openssl: disable JTAG access by default</title>
<updated>2025-06-25T19:43:34Z</updated>
<author>
<name>Bryan Brattlof</name>
<email>bb@ti.com</email>
</author>
<published>2025-06-02T21:56:52Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e18472f1dee609b2ee8a492985bf77a5012e4d01'/>
<id>urn:sha1:e18472f1dee609b2ee8a492985bf77a5012e4d01</id>
<content type='text'>
Typically boards operating in production environments will not be
monitored and so will not need JTAG access unlocked. Disable the debug
extension by default (set debugType = 0) unless we add the 'debug'
property in the binman configs.

Acked-by: Andrew Davis &lt;afd@ti.com&gt;
Signed-off-by: Bryan Brattlof &lt;bb@ti.com&gt;
</content>
</entry>
<entry>
<title>binman: cst: Build from source</title>
<updated>2025-03-12T16:25:25Z</updated>
<author>
<name>Leonard Anderweit</name>
<email>l.anderweit@phytec.de</email>
</author>
<published>2025-02-26T21:05:01Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=326b7ea9823a74a83b3a7ef6ee3f4927eb36987e'/>
<id>urn:sha1:326b7ea9823a74a83b3a7ef6ee3f4927eb36987e</id>
<content type='text'>
Build the imx code singing tool from source instead of relying on the
distro to provide the tool.
Use the debian/unstable branch because the default branch is outdated.
The binary is supposed to be build with docker, work around that by selecting
the correct Makefile directly.
Also append the description and add a link to documentation.

Signed-off-by: Leonard Anderweit &lt;l.anderweit@phytec.de&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>tools: binman: add 'fit, encrypt' property to pass keys directory to mkimage</title>
<updated>2024-12-19T15:10:34Z</updated>
<author>
<name>Paul HENRYS</name>
<email>paul.henrys_ext@softathome.com</email>
</author>
<published>2024-11-25T17:47:16Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e2cc9b4fc10f521fac098ab5e324446125e6a85d'/>
<id>urn:sha1:e2cc9b4fc10f521fac098ab5e324446125e6a85d</id>
<content type='text'>
mkimage can be used for both signing the FIT or encrypt its content and the
option '-k' can be used to pass a directory where both signing and encryption
keys can be retrieved. Adding 'fit,encrypt' property to the 'fit' node, leads to
try to find keys directory among binman include directories.
_get_priv_keys_dir() is renamed as _get_keys_dir() and adapted to support both
signing and encryption nodes in the FIT.

Signed-off-by: Paul HENRYS &lt;paul.henrys_ext@softathome.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>binman: implement signing FIT images during image build</title>
<updated>2024-10-18T20:10:22Z</updated>
<author>
<name>Alexander Kochetkov</name>
<email>al.kochet@gmail.com</email>
</author>
<published>2024-09-16T08:24:46Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=133c000ca334743fda3a4d77f7638da1a807e40e'/>
<id>urn:sha1:133c000ca334743fda3a4d77f7638da1a807e40e</id>
<content type='text'>
The patch implement new property 'fit,sign' that can be declared
at the top-level 'fit' node. If that option is declared, fit tryies
to detect private keys directory among binman include directories.
That directory than passed to mkimage using '-k' flag and that enable
signing of FIT.

Signed-off-by: Alexander Kochetkov &lt;al.kochet@gmail.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Renumbered files, moved new tests to end:
Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>binman: Correct the comment for fdtgrep</title>
<updated>2024-09-26T10:40:30Z</updated>
<author>
<name>Simon Glass</name>
<email>sjg@chromium.org</email>
</author>
<published>2024-08-26T19:11:30Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=548e86198bd0bf659118bd8f9060c927b77e6e6e'/>
<id>urn:sha1:548e86198bd0bf659118bd8f9060c927b77e6e6e</id>
<content type='text'>
This returns stdout, not a CommandResult so update the comment.

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>binman: Collect the version number for mkeficapsule</title>
<updated>2024-08-05T18:15:29Z</updated>
<author>
<name>Simon Glass</name>
<email>sjg@chromium.org</email>
</author>
<published>2024-07-31T14:49:01Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=d0dbfd5299910a85c821b06ae8bd9a38818331c1'/>
<id>urn:sha1:d0dbfd5299910a85c821b06ae8bd9a38818331c1</id>
<content type='text'>
Now that this tool has a version number, collect it.

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>binman: Add support for alternative FDTs</title>
<updated>2024-07-29T14:42:18Z</updated>
<author>
<name>Simon Glass</name>
<email>sjg@chromium.org</email>
</author>
<published>2024-07-20T10:49:45Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=7081a94ea46df42dcef77c902d16c38685739719'/>
<id>urn:sha1:7081a94ea46df42dcef77c902d16c38685739719</id>
<content type='text'>
FIT provides a way to select between different devicetree blobs
depending on the model. This works fine for U-Boot proper and allows SPL
to select the correct blob for the current board at runtime. The boot
sequence (SPL-&gt;U-Boot proper) is therefore covered by the existing
feature set.

The first boot phase (typically TPL) cannot use FIT since SoC boot ROMs
don't currently support it. Therefore the TPL image must be specific to
each model it boots on.

To support booting on mulitple models, binman must therefore produce a
separate TPL image for each model, even if the images for the rest of
the phases are identical.

TPL needs to be packaged as an executable binary along with a reduced
devicetree. When multiple models are supported, a reduced devicetree
must be provided for each model.

U-Boot's build system is designed to build a single devicetree for SPL
builds, so does not support this requirement.

Add a new 'alternatives' feature to Binman, allowing it to automatically
subset a devicetree to produce the reduced devicetree for a particular
phase for each supported model. With this it is possible to produce a
separate TPL image for each of the models. The correct one can then be
loaded onto a board, along with the common FIT image(s).

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
</feed>
