<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/tools/binman/etype, branch master</title>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<entry>
<title>binman: DTS: Add dump-signature option for capsules</title>
<updated>2026-03-18T12:14:17+00:00</updated>
<author>
<name>Wojciech Dubowik</name>
<email>Wojciech.Dubowik@mt.com</email>
</author>
<published>2026-02-20T09:15:15+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e2c46d33cfbb92f493b520524a099fdf9af0a056'/>
<id>e2c46d33cfbb92f493b520524a099fdf9af0a056</id>
<content type='text'>
Mkeficapsule can dump the signature for signed capsules. It can
be used in tests to validate the signature, i.e. with openssl.
Add an entry for the device tree node.

Signed-off-by: Wojciech Dubowik &lt;Wojciech.Dubowik@mt.com&gt;
Reviewed-by: Simon Glass &lt;simon.glass@canonical.com&gt;
</content>
</entry>
<entry>
<title>binman: Accept pkcs11 URI tokens for capsule updates</title>
<updated>2026-03-18T12:14:17+00:00</updated>
<author>
<name>Wojciech Dubowik</name>
<email>Wojciech.Dubowik@mt.com</email>
</author>
<published>2026-02-20T09:15:12+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a8c8ebc8064183921ed419130df229a9d5d43192'/>
<id>a8c8ebc8064183921ed419130df229a9d5d43192</id>
<content type='text'>
With pkcs11 support in mkeficapsule we can now accept URI
tokens and not only files.

Signed-off-by: Wojciech Dubowik &lt;Wojciech.Dubowik@mt.com&gt;
Reviewed-by: Simon Glass &lt;simon.glass@canonical.com&gt;
</content>
</entry>
<entry>
<title>binman: blob_dtb: improve error message when SPL is not found</title>
<updated>2025-12-10T19:45:29+00:00</updated>
<author>
<name>Jérémie Dautheribes</name>
<email>jeremie.dautheribes@bootlin.com</email>
</author>
<published>2025-11-28T11:03:04+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=66be03b7ee19444b23aae3990a434a7470fc1641'/>
<id>66be03b7ee19444b23aae3990a434a7470fc1641</id>
<content type='text'>
When using binman with the '-a spl-dtb=y' flag, if the SPL blob is not
found, binman throws a cryptic error message:
binman: 'NoneType' object has no attribute 'startswith'

Let's improve the error message to explicitly state which SPL blob is
missing.
This is particularly useful when binman is used as a standalone tool
outside the U-Boot source tree.

Signed-off-by: Jérémie Dautheribes &lt;jeremie.dautheribes@bootlin.com&gt;
[trini: Add '# pragma: no cover' because coverage doesn't seem to like
the documentation about this error]
Signed-off-by: Tom Rini &lt;trini@konsulko.com&gt;
</content>
</entry>
<entry>
<title>tools: binman: fit: add support for OpenSSL engines</title>
<updated>2025-12-06T17:43:08+00:00</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2025-11-21T17:14:59+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=fc75d216f0162d4a85b60fefa9938b8690480e27'/>
<id>fc75d216f0162d4a85b60fefa9938b8690480e27</id>
<content type='text'>
This adds support for using an OpenSSL engine for signing a FIT image.
To use it, one should set the fit,engine property at the FIT node level
with the engine to use. This will in turn call mkimage with the -N
option.

The -k argument to mkimage can be specified via fit,engine-keydir. If
not specified, -k is not passed to mkimage. This property is especially
useful for pkcs11 engine to specify slots, token label, etc...

As far as I could tell, mkimage encrypts and signs a FIT in one go, thus
the -k argument applies to both signing and encrypting. Considering we
reuse the -k argument for two different meanings (info to pass to the
engine when using an engine otherwise the directory where keys are
stored), we cannot reasonably encrypt using local keys and sign with
an engine, hence the enforced check. I believe it should be possible to
support encrypting and signing with the same engine (using different
key pairs of course, via different key-name-hint likely), but this is
left for the next person to implement.
This is why the property is named fit,engine and not fit,sign-engine.
Ditto for fit,engine-keydir.

The public key (with .crt extension) is still required if it needs to be
embedded in the SPL DTB for example. We could probably support
retrieving the public key from an engine, but this is a change to make
to fdt_add_pubkey.c.

Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
</content>
</entry>
<entry>
<title>binman: add a new entry type to support .bin file generation for the i.MX95 platform</title>
<updated>2025-09-17T11:16:04+00:00</updated>
<author>
<name>Alice Guo</name>
<email>alice.guo@nxp.com</email>
</author>
<published>2025-09-05T18:22:03+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=5c389e61902d12bf295c3ab1db221da3fb034519'/>
<id>5c389e61902d12bf295c3ab1db221da3fb034519</id>
<content type='text'>
To support passing specific commands defined in enum imx8image_cmd to
the imx8image_copy_image() function, this patch introduces a new entry
type nxp-imx9image. This entry generates a plain text data file
containing the relevant commands, enabling flexible configuration during
image creation.

Signed-off-by: Alice Guo &lt;alice.guo@nxp.com&gt;
</content>
</entry>
<entry>
<title>binman: Fix typing for python &gt;= 3.7</title>
<updated>2025-07-22T17:30:03+00:00</updated>
<author>
<name>Yannic Moog</name>
<email>y.moog@phytec.de</email>
</author>
<published>2025-07-15T06:21:24+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=187ac12927c042a982961096c9a418287b8e97e2'/>
<id>187ac12927c042a982961096c9a418287b8e97e2</id>
<content type='text'>
To get the [] annotation working with python 3.7 and 3.8, import
annotations.

Reported-by: Tim Harvey &lt;tharvey@gateworks.com&gt;
Fixes: 21bc3433a43d ("binman: rework dropping absent entries from packaged image")
Reviewed-by: Bryan Brattlof &lt;bb@ti.com&gt;
Signed-off-by: Yannic Moog &lt;y.moog@phytec.de&gt;
Tested-by: Tim Harvey &lt;tharvey@gateworks.com&gt;
</content>
</entry>
<entry>
<title>binman: Add renesas_rcar4_sa0 etype</title>
<updated>2025-07-10T17:26:56+00:00</updated>
<author>
<name>Marek Vasut</name>
<email>marek.vasut+renesas@mailbox.org</email>
</author>
<published>2025-06-16T22:45:02+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=583b49a0ce94dca20efc72ccf6e81e61b8f9e573'/>
<id>583b49a0ce94dca20efc72ccf6e81e61b8f9e573</id>
<content type='text'>
Add new etype which generates the Renesas R-Car Gen4 SA0 header.
This header is placed at the beginning of SPI NOR and describes
where data from SPI NOR offset 0x40000 should be loaded to, and
how much data should be loaded there. In case of U-Boot, this is
used to load SPL and possibly other payload(s) into RT-VRAM.

Signed-off-by: Marek Vasut &lt;marek.vasut+renesas@mailbox.org&gt;
</content>
</entry>
<entry>
<title>Merge patch series "binman: properly error out if path provided to key-name-hint in signature nodes"</title>
<updated>2025-07-01T16:52:04+00:00</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2025-07-01T16:52:04+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=cbb5672790d400e9ec6e9fceaf89ece2660c0117'/>
<id>cbb5672790d400e9ec6e9fceaf89ece2660c0117</id>
<content type='text'>
Quentin Schulz &lt;foss+uboot@0leil.net&gt; says:

I misunderstood the documentation and put the signing key in a keys/
directory while setting key-name-hint property in the signature node and
u-boot-spl-pubkey-dtb to a path.

mkimage doesn't fail if it cannot find the public key when signing a
FIT but returns something on stderr to notify the user it couldn't find
the key. The issue is that bintool currently discards stderr if the
command successfully returns, so the FIT is not signed AND the user
isn't made aware of it unless the image is manually inspected.

mkimage does fail when trying to insert a public key in a DTB if it
isn't found but we can have a better error message.

Link: https://lore.kernel.org/r/20250418-binman-pubkey-dir-v2-0-b6b90a765ffe@cherry.de
</content>
</entry>
<entry>
<title>binman: etype: u_boot_spl_pubkey_dtb: provide more explicit error for key-name-hint with path</title>
<updated>2025-07-01T16:52:01+00:00</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2025-04-18T11:26:08+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=4e7e0ebcf59794b97542bb6b3d1e0a0fefa145f2'/>
<id>4e7e0ebcf59794b97542bb6b3d1e0a0fefa145f2</id>
<content type='text'>
key-name-hint property in u-boot-spl-pubkey-dtb binman entry may contain
a path instead of a filename due to user mistake.

Because we currently assume it is a filename instead of a path, binman
will find the full path to the key based on that path, and return the
dirname of the full path but keep the path in key-name-hint instead of
stripping the directories from it.

This means mkimage will fail with the following error message if we have
key-name-hint set to keys/dev:

binman: Error 1 running 'fdt_add_pubkey -a sha256,rsa2048 -k /home/qschulz/work/upstream/u-boot/keys -n keys/dev -r conf /home/qschulz/work/upstream/u-boot/build/ringneck/u-boot-spl-dtbdhsfx3mf': Couldn't open RSA certificate: '/home/qschulz/work/upstream/u-boot/keys/keys/dev.crt': No such file or directory

Let's make it a bit more obvious what the error is by erroring out in
binman if a path is provided in key-name-hint (it is named key-name-hint
and not key-path-hint after all).

Fixes: 5609843b57a4 ("binman: etype: Add u-boot-spl-pubkey-dtb etype")
Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>binman: etype: fit: raise ValueError if key-name-hint is a path</title>
<updated>2025-07-01T16:52:01+00:00</updated>
<author>
<name>Quentin Schulz</name>
<email>quentin.schulz@cherry.de</email>
</author>
<published>2025-04-18T11:26:07+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=2ddc47f9aa0581a907dd07cb4468ef6d4f3519dc'/>
<id>2ddc47f9aa0581a907dd07cb4468ef6d4f3519dc</id>
<content type='text'>
mkimage doesn't fail if it cannot find the public key but it prints to
stderr. Considering that btool.run() discards stderr, it means binman
happily returns an unsigned FIT and doesn't tell you something went
wrong.

Binman will actually find the file if there's a path in the
key-name-hint property but the current logic expects key-name-hint to be
a filename and thus returns the dirname of the found path for the key,
but with the original key-name-hint appended. This means we can have the
following:

- key-name-hint = "keys/dev"
- name = "/home/qschulz/work/upstream/u-boot/keys/"

so we pass /home/qschulz/work/upstream/u-boot/keys/ to the -k option of
mkimage but the FIT still contains "keys/dev" in key-name-hint which
means mkimage will try to find the key at
/home/qschulz/work/upstream/u-boot/keys/keys/, which doesn't exist.

Let's assume paths are simply not supported (it is named key-name-hint
and not key-path-hint after all) and raise an error if the property
contains a path so that the build fails and not quietly.

Fixes: 133c000ca334 ("binman: implement signing FIT images during image build")
Signed-off-by: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
</feed>
