u-boot.git/tools/binman/test, branch v2026.04 Unnamed repository; edit this file 'description' to name the repository. binman: Regenerate expired test certificate 2026-01-27T22:20:33+00:00 Simon Glass sjg@chromium.org 2026-01-22T22:44:10+00:00 4234f4d432bf1dcd30b5fee91c71abc1acae5e75 The test certificate expired on Feb 13, 2024. This just used for testing, so regenerate it with a 100-year validity period. Suggested-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Simon Glass <simon.glass@canonical.com> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> 
The test certificate expired on Feb 13, 2024. This just used for
testing, so regenerate it with a 100-year validity period.

Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
tools: binman: fit: add tests for signing with an OpenSSL engine 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:15:00+00:00 564c6682fa9689e408e6b795cc8c8c40e5e60e81 This adds a test that signs a FIT and verifies the signature with fit_check_sign. OpenSSL engines are typically for signing with external HW so it's not that straight-forward to simulate. For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA 4096 private key is made available. It can be selected by setting the OpenSSL engine argument to dummy-rsa-engine. This can only be done if the engine is detected by OpenSSL, which works by setting the OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine is properly implementing what is expected from an RSA engine, but it seems to be enough for testing. For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11 without specific hardware. The keypairs and tokens are generated on the fly. The "prod" token is generated with a different PIN (1234 instead of 1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it. Binman will not mess with the local SoftHSMv2 setup as it will only use tokens from a per-test temporary directory enforced via the temporary configuration file set via SOFTHSM2_CONF env variable in the tests. The files created in the input dir should NOT be named the same as it is shared between all tests in the same process (which is all tests when running binman with -P 1 or with -T). Once signed, it's checked with fit_check_sign with the associated certificate. Finally, a new softhsm2_util bintool is added so that we can initialize the token and import keypairs. On Debian, the package also brings libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It is not the only package required though, as it also needs p11-kit and libengine-pkcs11-openssl (the latter bringing the former). We can detect if it's properly installed by running openssl engine dynamic -c pkcs11. If that fails, we simply skip the test. The package is installed in the CI container by default. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
This adds a test that signs a FIT and verifies the signature with
fit_check_sign.

OpenSSL engines are typically for signing with external HW so it's not
that straight-forward to simulate.

For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
4096 private key is made available. It can be selected by setting the
OpenSSL engine argument to dummy-rsa-engine. This can only be done if
the engine is detected by OpenSSL, which works by setting the
OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
is properly implementing what is expected from an RSA engine, but it
seems to be enough for testing.

For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11
without specific hardware. The keypairs and tokens are generated on the
fly. The "prod" token is generated with a different PIN (1234 instead of
1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.

Binman will not mess with the local SoftHSMv2 setup as it will only use
tokens from a per-test temporary directory enforced via the temporary
configuration file set via SOFTHSM2_CONF env variable in the tests. The
files created in the input dir should NOT be named the same as it is
shared between all tests in the same process (which is all tests when
running binman with -P 1 or with -T).

Once signed, it's checked with fit_check_sign with the associated
certificate.

Finally, a new softhsm2_util bintool is added so that we can initialize
the token and import keypairs. On Debian, the package also brings
libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
is not the only package required though, as it also needs p11-kit and
libengine-pkcs11-openssl (the latter bringing the former). We can detect
if it's properly installed by running openssl engine dynamic -c pkcs11.
If that fails, we simply skip the test.
The package is installed in the CI container by default.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
binman: add a new entry type to support .bin file generation for the i.MX95 platform 2025-09-17T11:16:04+00:00 Alice Guo alice.guo@nxp.com 2025-09-05T18:22:03+00:00 5c389e61902d12bf295c3ab1db221da3fb034519 To support passing specific commands defined in enum imx8image_cmd to the imx8image_copy_image() function, this patch introduces a new entry type nxp-imx9image. This entry generates a plain text data file containing the relevant commands, enabling flexible configuration during image creation. Signed-off-by: Alice Guo <alice.guo@nxp.com> 
To support passing specific commands defined in enum imx8image_cmd to
the imx8image_copy_image() function, this patch introduces a new entry
type nxp-imx9image. This entry generates a plain text data file
containing the relevant commands, enabling flexible configuration during
image creation.

Signed-off-by: Alice Guo <alice.guo@nxp.com>
binman: Add renesas_rcar4_sa0 etype 2025-07-10T17:26:56+00:00 Marek Vasut marek.vasut+renesas@mailbox.org 2025-06-16T22:45:02+00:00 583b49a0ce94dca20efc72ccf6e81e61b8f9e573 Add new etype which generates the Renesas R-Car Gen4 SA0 header. This header is placed at the beginning of SPI NOR and describes where should data from SPI NOR offset 0x40000 be loaded to, and how much data should be loaded there. In case of U-Boot, this is used to load SPL and possibly other payload(s) into RT-VRAM. Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org> 
Add new etype which generates the Renesas R-Car Gen4 SA0 header.
This header is placed at the beginning of SPI NOR and describes
where should data from SPI NOR offset 0x40000 be loaded to, and
how much data should be loaded there. In case of U-Boot, this is
used to load SPL and possibly other payload(s) into RT-VRAM.

Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Merge patch series "binman: properly error out if path provided to key-name-hint in signature nodes" 2025-07-01T16:52:04+00:00 Tom Rini trini@konsulko.com 2025-07-01T16:52:04+00:00 cbb5672790d400e9ec6e9fceaf89ece2660c0117 Quentin Schulz <foss+uboot@0leil.net> says: I misunderstood the documentation and put the signing key in a keys/ directory while setting key-name-hint property in the signature node and u-boot-spl-pubkey-dtb to a path. mkimage doesn't fail if it cannot find the public key when signing a FIT but returns something on stderr to notify the user it couldn't find the key. The issue is that bintool currently discards stderr if the command successfully returns, so the FIT is not signed AND the user isn't made aware of it unless the image is manually inspected. mkimage does fail when trying to insert a public key in a DTB if it isn't found but we can have a better error message. Link: https://lore.kernel.org/r/20250418-binman-pubkey-dir-v2-0-b6b90a765ffe@cherry.de 
Quentin Schulz <foss+uboot@0leil.net> says:

I misunderstood the documentation and put the signing key in a keys/
directory while setting key-name-hint property in the signature node and
u-boot-spl-pubkey-dtb to a path.

mkimage doesn't fail if it cannot find the public key when signing a
FIT but returns something on stderr to notify the user it couldn't find
the key. The issue is that bintool currently discards stderr if the
command successfully returns, so the FIT is not signed AND the user
isn't made aware of it unless the image is manually inspected.

mkimage does fail when trying to insert a public key in a DTB if it
isn't found but we can have a better error message.

Link: https://lore.kernel.org/r/20250418-binman-pubkey-dir-v2-0-b6b90a765ffe@cherry.de
binman: etype: u_boot_spl_pubkey_dtb: provide more explicit error for key-name-hint with path 2025-07-01T16:52:01+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-04-18T11:26:08+00:00 4e7e0ebcf59794b97542bb6b3d1e0a0fefa145f2 key-name-hint property in u-boot-spl-pubkey-dtb binman entry may contain a path instead of a filename due to user mistake. Because we currently assume it is a filename instead of a path, binman will find the full path to the key based on that path, and return the dirname of the full path but keeps the path in key-name-hint instead of stripping the directories from it. This means mkimage will fail with the following error message if we have key-name-hint set to keys/dev: binman: Error 1 running 'fdt_add_pubkey -a sha256,rsa2048 -k /home/qschulz/work/upstream/u-boot/keys -n keys/dev -r conf /home/qschulz/work/upstream/u-boot/build/ringneck/u-boot-spl-dtbdhsfx3mf': Couldn't open RSA certificate: '/home/qschulz/work/upstream/u-boot/keys/keys/dev.crt': No such file or directory Let's make it a bit more obvious what the error is by erroring out in binman if a path is provided in key-name-hint (it is named key-name-hint and not key-path-hint after all). Fixes: 5609843b57a4 ("binman: etype: Add u-boot-spl-pubkey-dtb etype") Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Simon Glass <sjg@chromium.org> 
key-name-hint property in u-boot-spl-pubkey-dtb binman entry may contain
a path instead of a filename due to user mistake.

Because we currently assume it is a filename instead of a path, binman
will find the full path to the key based on that path, and return the
dirname of the full path but keeps the path in key-name-hint instead of
stripping the directories from it.

This means mkimage will fail with the following error message if we have
key-name-hint set to keys/dev:

binman: Error 1 running 'fdt_add_pubkey -a sha256,rsa2048 -k /home/qschulz/work/upstream/u-boot/keys -n keys/dev -r conf /home/qschulz/work/upstream/u-boot/build/ringneck/u-boot-spl-dtbdhsfx3mf': Couldn't open RSA certificate: '/home/qschulz/work/upstream/u-boot/keys/keys/dev.crt': No such file or directory

Let's make it a bit more obvious what the error is by erroring out in
binman if a path is provided in key-name-hint (it is named key-name-hint
and not key-path-hint after all).

Fixes: 5609843b57a4 ("binman: etype: Add u-boot-spl-pubkey-dtb etype")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
binman: etype: fit: raise ValueError if key-name-hint is a path 2025-07-01T16:52:01+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-04-18T11:26:07+00:00 2ddc47f9aa0581a907dd07cb4468ef6d4f3519dc mkimage doesn't fail if it cannot find the public key but it prints to stderr. Considering that btool.run() discards stderr, it means binman happily returns an unsigned FIT and doesn't tell you something went wrong. Binman will actually find the file if there's a path in the key-name-hint property but the current logic expects key-name-hint to be a filename and thus returns the dirname of the found path for the key, but with the original key-name-hint appended. This means we can have the following: - key-name-hint = "keys/dev" - name = "/home/qschulz/work/upstream/u-boot/keys/" so we pass /home/qschulz/work/upstream/u-boot/keys/ to the -k option of mkimage but the FIT still contains "keys/dev" in key-name-hint which means mkimage will try to find the key at /home/qschulz/work/upstream/u-boot/keys/keys/, which doesn't exist. Let's assume paths are simply not supported (it is named key-name-hint and not key-path-hint after all) and raise an error if the property contains a path so that the build fails and not quietly. Fixes: 133c000ca334 ("binman: implement signing FIT images during image build") Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Simon Glass <sjg@chromium.org> 
mkimage doesn't fail if it cannot find the public key but it prints to
stderr. Considering that btool.run() discards stderr, it means binman
happily returns an unsigned FIT and doesn't tell you something went
wrong.

Binman will actually find the file if there's a path in the
key-name-hint property but the current logic expects key-name-hint to be
a filename and thus returns the dirname of the found path for the key,
but with the original key-name-hint appended. This means we can have the
following:

- key-name-hint = "keys/dev"
- name = "/home/qschulz/work/upstream/u-boot/keys/"

so we pass /home/qschulz/work/upstream/u-boot/keys/ to the -k option of
mkimage but the FIT still contains "keys/dev" in key-name-hint which
means mkimage will try to find the key at
/home/qschulz/work/upstream/u-boot/keys/keys/, which doesn't exist.

Let's assume paths are simply not supported (it is named key-name-hint
and not key-path-hint after all) and raise an error if the property
contains a path so that the build fails and not quietly.

Fixes: 133c000ca334 ("binman: implement signing FIT images during image build")
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Merge patch series "Propagate bootph-all and bootph-some-ram property to all supernodes" 2025-06-26T17:48:39+00:00 Tom Rini trini@konsulko.com 2025-06-26T15:58:45+00:00 ba60a726d9e64f9ef8af01fcf2d9a6239940e799 Moteen Shah <m-shah@ti.com> says: In the U-Boot pre-relocation stage, if the parent node lacks bootph-all/bootph-some-ram property and the driver lacks a pre-reloc flag, all of its subsequent subnodes gets skipped over from driver binding—even if they have a bootph* property. This series addresses the issue by scanning through all the nodes during build time and propagating the applicable property to all of its supernode. Link: https://lore.kernel.org/r/20250516114148.3862114-1-m-shah@ti.com 
Moteen Shah <m-shah@ti.com> says:

In the U-Boot pre-relocation stage, if the parent node lacks
bootph-all/bootph-some-ram property and the driver lacks a pre-reloc
flag, all of its subsequent subnodes gets skipped over from driver
binding—even if they have a bootph* property.

This series addresses the issue by scanning through all the nodes during
build time and propagating the applicable  property to all of its supernode.

Link: https://lore.kernel.org/r/20250516114148.3862114-1-m-shah@ti.com
tools: binman: ftest.py: Add testcase for bootph-* propagation 2025-06-26T17:48:37+00:00 Moteen Shah m-shah@ti.com 2025-05-16T11:41:48+00:00 1b5e41964c34ee062fe9932ef5f9ccc747c50ea1 Add a testcase to ensure that scan_and_prop_bootph() actually propagates bootph-* properties to supernodes. Signed-off-by: Moteen Shah <m-shah@ti.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Add a testcase to ensure that scan_and_prop_bootph() actually
propagates bootph-* properties to supernodes.

Signed-off-by: Moteen Shah <m-shah@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Merge patch series "mkimage: validate image references in FIT configurations" 2025-06-26T14:33:42+00:00 Tom Rini trini@konsulko.com 2025-06-26T14:13:03+00:00 579d1a1bb77004d0e22d9db6de12fe87cac44055 Aristo Chen <jj251510319013@gmail.com> says: This series introduces a validation step in mkimage to ensure that all image names referenced under the /configurations node of a FIT source (ITS) are actually defined under the /images node. ### Motivation When using mkimage to build FIT images, it's easy to mistakenly reference nonexistent image nodes in configurations (e.g., referencing a missing `fdt` or `firmware` node). Such issues are often not caught until runtime in U-Boot. This series aims to catch these errors early during FIT image creation by validating the configuration references in mkimage itself. Link: https://lore.kernel.org/r/20250610074121.8308-1-aristo.chen@canonical.com 
Aristo Chen <jj251510319013@gmail.com> says:

This series introduces a validation step in mkimage to ensure that all image
names referenced under the /configurations node of a FIT source (ITS) are
actually defined under the /images node.

### Motivation

When using mkimage to build FIT images, it's easy to mistakenly reference
nonexistent image nodes in configurations (e.g., referencing a missing `fdt` or
`firmware` node). Such issues are often not caught until runtime in U-Boot.

This series aims to catch these errors early during FIT image creation by
validating the configuration references in mkimage itself.

Link: https://lore.kernel.org/r/20250610074121.8308-1-aristo.chen@canonical.com