From 66b36f833a2ab8fedce2ce7fe6f392f85192cc3e Mon Sep 17 00:00:00 2001 From: Heiko Schocher Date: Mon, 3 Mar 2014 12:19:23 +0100 Subject: tools/image-host: fix sign-images bug property "sign-images" is never found, fix this. Signed-off-by: Heiko Schocher Acked-by: Simon Glass --- tools/image-host.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tools') diff --git a/tools/image-host.c b/tools/image-host.c index 0d5c88ca73c..8e185ec5df3 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -403,7 +403,7 @@ static int fit_config_get_hash_list(void *fit, int conf_noffset, goto err_mem; /* Get a list of images that we intend to sign */ - prop = fit_config_get_image_list(fit, conf_noffset, &len, + prop = fit_config_get_image_list(fit, sig_offset, &len, &allow_missing); if (!prop) return 0; -- cgit v1.3.1 From 2842c1c24269a05142802d25520e7cb9035e456c Mon Sep 17 00:00:00 2001 From: Heiko Schocher Date: Mon, 3 Mar 2014 12:19:25 +0100 Subject: fit: add sha256 support add sha256 support to fit images Signed-off-by: Heiko Schocher Acked-by: Simon Glass --- common/image-fit.c | 5 +++++ include/image.h | 9 +++++++++ lib/sha256.c | 5 +++-- tools/Makefile | 3 ++- tools/sha256.c | 1 + 5 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 tools/sha256.c (limited to 'tools') diff --git a/common/image-fit.c b/common/image-fit.c index b94a3fe86dc..77f32bce316 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -22,6 +22,7 @@ DECLARE_GLOBAL_DATA_PTR; #include #include +#include #include #include @@ -882,6 +883,10 @@ int calculate_hash(const void *data, int data_len, const char *algo, sha1_csum_wd((unsigned char *)data, data_len, (unsigned char *)value, CHUNKSZ_SHA1); *value_len = 20; + } else if (IMAGE_ENABLE_SHA256 && strcmp(algo, "sha256") == 0) { + sha256_csum_wd((unsigned char *)data, data_len, + (unsigned char *)value, CHUNKSZ_SHA256); + *value_len = SHA256_SUM_LEN; } else if (IMAGE_ENABLE_MD5 && strcmp(algo, "md5") == 0) { md5_wd((unsigned char *)data, data_len, value, CHUNKSZ_MD5); *value_len = 16; diff --git a/include/image.h b/include/image.h index 6afd57bafdd..52969aa653c 100644 --- a/include/image.h +++ b/include/image.h @@ -57,13 +57,18 @@ struct lmb; # ifdef CONFIG_SPL_SHA1_SUPPORT # define IMAGE_ENABLE_SHA1 1 # endif +# ifdef CONFIG_SPL_SHA256_SUPPORT +# define IMAGE_ENABLE_SHA256 1 +# endif # else # define CONFIG_CRC32 /* FIT images need CRC32 support */ # define CONFIG_MD5 /* and MD5 */ # define CONFIG_SHA1 /* and SHA1 */ +# define CONFIG_SHA256 /* and SHA256 */ # define IMAGE_ENABLE_CRC32 1 # define IMAGE_ENABLE_MD5 1 # define IMAGE_ENABLE_SHA1 1 +# define IMAGE_ENABLE_SHA256 1 # endif #ifndef IMAGE_ENABLE_CRC32 @@ -78,6 +83,10 @@ struct lmb; #define IMAGE_ENABLE_SHA1 0 #endif +#ifndef IMAGE_ENABLE_SHA256 +#define IMAGE_ENABLE_SHA256 0 +#endif + #endif /* CONFIG_FIT */ #ifdef CONFIG_SYS_BOOT_RAMDISK_HIGH diff --git a/lib/sha256.c b/lib/sha256.c index 7348162575c..3212baba5f6 100644 --- a/lib/sha256.c +++ b/lib/sha256.c @@ -258,14 +258,15 @@ void sha256_csum_wd(const unsigned char *input, unsigned int ilen, { sha256_context ctx; #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) - unsigned char *end, *curr; + const unsigned char *end; + unsigned char *curr; int chunk; #endif sha256_starts(&ctx); #if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) - curr = input; + curr = (unsigned char *)input; end = input + ilen; while (curr < end) { chunk = end - curr; diff --git a/tools/Makefile b/tools/Makefile index 097cc1df178..528d1adc2d9 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -40,7 +40,6 @@ CONFIG_BUILD_ENVCRC ?= $(ENVCRC-y) # TODO: CONFIG_CMD_LICENSE does not work hostprogs-$(CONFIG_CMD_LICENSE) += bin2header$(SFX) - hostprogs-$(CONFIG_LCD_LOGO) += bmp_logo$(SFX) hostprogs-$(CONFIG_VIDEO_LOGO) += bmp_logo$(SFX) HOSTCFLAGS_bmp_logo$(SFX).o := -pedantic @@ -85,6 +84,7 @@ dumpimage-mkimage-objs := aisimage.o \ os_support.o \ pblimage.o \ sha1.o \ + sha256.o \ ublimage.o \ $(LIBFDT_OBJS) \ $(RSA_OBJS-y) @@ -137,6 +137,7 @@ hostprogs-$(CONFIG_STATIC_RELA) += relocate-rela$(SFX) HOSTCFLAGS_crc32.o := -pedantic HOSTCFLAGS_md5.o := -pedantic HOSTCFLAGS_sha1.o := -pedantic +HOSTCFLAGS_sha256.o := -pedantic # Don't build by default #hostprogs-$(CONFIG_PPC) += mpc86x_clk$(SFX) diff --git a/tools/sha256.c b/tools/sha256.c new file mode 100644 index 00000000000..8ca931f6bf0 --- /dev/null +++ b/tools/sha256.c @@ -0,0 +1 @@ +#include "../lib/sha256.c" -- cgit v1.3.1 From 6bf4ca076f8c7a3c1c5abd1cbb059516f7af15df Mon Sep 17 00:00:00 2001 From: Heiko Schocher Date: Mon, 3 Mar 2014 12:19:29 +0100 Subject: tools, fit: add fit_info host command add fit_info command to the host tools. This command prints the name, offset and the len from a property from a node in a fit file. This info can be used to extract a properties data with linux tools, for example "dd". Signed-off-by: Heiko Schocher Acked-by: Simon Glass --- tools/.gitignore | 1 + tools/Makefile | 8 +++++ tools/fit_common.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++ tools/fit_common.h | 22 +++++++++++++ tools/fit_image.c | 62 +++-------------------------------- tools/fit_info.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 217 insertions(+), 58 deletions(-) create mode 100644 tools/fit_common.c create mode 100644 tools/fit_common.h create mode 100644 tools/fit_info.c (limited to 'tools') diff --git a/tools/.gitignore b/tools/.gitignore index 2a90dfe83a5..2f6ecc740a9 100644 --- a/tools/.gitignore +++ b/tools/.gitignore @@ -1,5 +1,6 @@ /bmp_logo /envcrc +/fit_info /gen_eth_addr /img2srec /kwboot diff --git a/tools/Makefile b/tools/Makefile index 528d1adc2d9..52fb69eae9d 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -60,6 +60,9 @@ hostprogs-y += mkenvimage$(SFX) mkenvimage$(SFX)-objs := crc32.o mkenvimage.o os_support.o hostprogs-y += dumpimage$(SFX) mkimage$(SFX) +ifdef CONFIG_FIT_SIGNATURE +hostprogs-y += fit_info$(SFX) +endif FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig.o # Flattened device tree objects @@ -71,6 +74,8 @@ dumpimage-mkimage-objs := aisimage.o \ $(FIT_SIG_OBJS-y) \ crc32.o \ default_image.o \ + fdtdec.o \ + fit_common.o \ fit_image.o \ image-fit.o \ image-host.o \ @@ -91,6 +96,7 @@ dumpimage-mkimage-objs := aisimage.o \ dumpimage$(SFX)-objs := $(dumpimage-mkimage-objs) dumpimage.o mkimage$(SFX)-objs := $(dumpimage-mkimage-objs) mkimage.o +fit_info$(SFX)-objs := $(dumpimage-mkimage-objs) fit_info.o # TODO(sjg@chromium.org): Is this correct on Mac OS? @@ -98,6 +104,7 @@ mkimage$(SFX)-objs := $(dumpimage-mkimage-objs) mkimage.o ifneq ($(CONFIG_MX23)$(CONFIG_MX28),) HOSTLOADLIBES_dumpimage$(SFX) := -lssl -lcrypto HOSTLOADLIBES_mkimage$(SFX) := -lssl -lcrypto +HOSTLOADLIBES_fit_info$(SFX) := -lssl -lcrypto # Add CONFIG_MXS into host CFLAGS, so we can check whether or not register # the mxsimage support within tools/mxsimage.c . HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS @@ -106,6 +113,7 @@ endif ifdef CONFIG_FIT_SIGNATURE HOSTLOADLIBES_dumpimage$(SFX) := -lssl -lcrypto HOSTLOADLIBES_mkimage$(SFX) := -lssl -lcrypto +HOSTLOADLIBES_fit_info$(SFX) := -lssl -lcrypto # This affects include/image.h, but including the board config file # is tricky, so manually define this options here. diff --git a/tools/fit_common.c b/tools/fit_common.c new file mode 100644 index 00000000000..ee1767bd019 --- /dev/null +++ b/tools/fit_common.c @@ -0,0 +1,86 @@ +/* + * (C) Copyright 2014 + * DENX Software Engineering + * Heiko Schocher + * + * (C) Copyright 2008 Semihalf + * + * (C) Copyright 2000-2004 + * DENX Software Engineering + * Wolfgang Denk, wd@denx.de + * + * Updated-by: Prafulla Wadaskar + * FIT image specific code abstracted from mkimage.c + * some functions added to address abstraction + * + * All rights reserved. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include "imagetool.h" +#include "mkimage.h" +#include "fit_common.h" +#include +#include + +int fit_verify_header(unsigned char *ptr, int image_size, + struct image_tool_params *params) +{ + return fdt_check_header(ptr); +} + +int fit_check_image_types(uint8_t type) +{ + if (type == IH_TYPE_FLATDT) + return EXIT_SUCCESS; + else + return EXIT_FAILURE; +} + +int mmap_fdt(char *cmdname, const char *fname, void **blobp, + struct stat *sbuf, int useunlink) +{ + void *ptr; + int fd; + + /* Load FIT blob into memory (we need to write hashes/signatures) */ + fd = open(fname, O_RDWR | O_BINARY); + + if (fd < 0) { + fprintf(stderr, "%s: Can't open %s: %s\n", + cmdname, fname, strerror(errno)); + if (useunlink) + unlink(fname); + return -1; + } + + if (fstat(fd, sbuf) < 0) { + fprintf(stderr, "%s: Can't stat %s: %s\n", + cmdname, fname, strerror(errno)); + if (useunlink) + unlink(fname); + return -1; + } + + errno = 0; + ptr = mmap(0, sbuf->st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); + if ((ptr == MAP_FAILED) || (errno != 0)) { + fprintf(stderr, "%s: Can't read %s: %s\n", + cmdname, fname, strerror(errno)); + if (useunlink) + unlink(fname); + return -1; + } + + /* check if ptr has a valid blob */ + if (fdt_check_header(ptr)) { + fprintf(stderr, "%s: Invalid FIT blob\n", cmdname); + if (useunlink) + unlink(fname); + return -1; + } + + *blobp = ptr; + return fd; +} diff --git a/tools/fit_common.h b/tools/fit_common.h new file mode 100644 index 00000000000..adf440480b5 --- /dev/null +++ b/tools/fit_common.h @@ -0,0 +1,22 @@ +/* + * (C) Copyright 2014 + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#ifndef _FIT_COMMON_H_ +#define _FIT_COMMON_H_ + +#include "imagetool.h" +#include "mkimage.h" +#include + +int fit_verify_header(unsigned char *ptr, int image_size, + struct image_tool_params *params); + +int fit_check_image_types(uint8_t type); + +int mmap_fdt(char *cmdname, const char *fname, void **blobp, + struct stat *sbuf, int useunlink); + +#endif /* _FIT_COMMON_H_ */ diff --git a/tools/fit_image.c b/tools/fit_image.c index 1466164f0ae..eeee484cdec 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -15,68 +15,13 @@ */ #include "imagetool.h" +#include "fit_common.h" #include "mkimage.h" #include #include static image_header_t header; -static int fit_verify_header (unsigned char *ptr, int image_size, - struct image_tool_params *params) -{ - return fdt_check_header(ptr); -} - -static int fit_check_image_types (uint8_t type) -{ - if (type == IH_TYPE_FLATDT) - return EXIT_SUCCESS; - else - return EXIT_FAILURE; -} - -int mmap_fdt(struct image_tool_params *params, const char *fname, void **blobp, - struct stat *sbuf) -{ - void *ptr; - int fd; - - /* Load FIT blob into memory (we need to write hashes/signatures) */ - fd = open(fname, O_RDWR | O_BINARY); - - if (fd < 0) { - fprintf(stderr, "%s: Can't open %s: %s\n", - params->cmdname, fname, strerror(errno)); - unlink(fname); - return -1; - } - - if (fstat(fd, sbuf) < 0) { - fprintf(stderr, "%s: Can't stat %s: %s\n", - params->cmdname, fname, strerror(errno)); - unlink(fname); - return -1; - } - - ptr = mmap(0, sbuf->st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); - if (ptr == MAP_FAILED) { - fprintf(stderr, "%s: Can't read %s: %s\n", - params->cmdname, fname, strerror(errno)); - unlink(fname); - return -1; - } - - /* check if ptr has a valid blob */ - if (fdt_check_header(ptr)) { - fprintf(stderr, "%s: Invalid FIT blob\n", params->cmdname); - unlink(fname); - return -1; - } - - *blobp = ptr; - return fd; -} - /** * fit_handle_file - main FIT file processing function * @@ -129,13 +74,14 @@ static int fit_handle_file(struct image_tool_params *params) } if (params->keydest) { - destfd = mmap_fdt(params, params->keydest, &dest_blob, &sbuf); + destfd = mmap_fdt(params->cmdname, params->keydest, + &dest_blob, &sbuf, 1); if (destfd < 0) goto err_keydest; destfd_size = sbuf.st_size; } - tfd = mmap_fdt(params, tmpfile, &ptr, &sbuf); + tfd = mmap_fdt(params->cmdname, tmpfile, &ptr, &sbuf, 1); if (tfd < 0) goto err_mmap; diff --git a/tools/fit_info.c b/tools/fit_info.c new file mode 100644 index 00000000000..50f3c8edf12 --- /dev/null +++ b/tools/fit_info.c @@ -0,0 +1,96 @@ +/* + * (C) Copyright 2014 + * DENX Software Engineering + * Heiko Schocher + * + * fit_info: print the offset and the len of a property from + * node in a fit file. + * + * Based on: + * (C) Copyright 2008 Semihalf + * + * (C) Copyright 2000-2004 + * DENX Software Engineering + * Wolfgang Denk, wd@denx.de + * + * Updated-by: Prafulla Wadaskar + * FIT image specific code abstracted from mkimage.c + * some functions added to address abstraction + * + * All rights reserved. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include "mkimage.h" +#include "fit_common.h" +#include +#include + +void usage(char *cmdname) +{ + fprintf(stderr, "Usage: %s -f fit file -n node -p property\n" + " -f ==> set fit file which is used'\n" + " -n ==> set node name'\n" + " -p ==> set property name'\n", + cmdname); + exit(EXIT_FAILURE); +} + +int main(int argc, char **argv) +{ + int ffd = -1; + struct stat fsbuf; + void *fit_blob; + int len; + int nodeoffset; /* node offset from libfdt */ + const void *nodep; /* property node pointer */ + char *fdtfile = NULL; + char *nodename = NULL; + char *propertyname = NULL; + char cmdname[50]; + int c; + + strcpy(cmdname, *argv); + while ((c = getopt(argc, argv, "f:n:p:")) != -1) + switch (c) { + case 'f': + fdtfile = optarg; + break; + case 'n': + nodename = optarg; + break; + case 'p': + propertyname = optarg; + break; + default: + usage(cmdname); + break; + } + + ffd = mmap_fdt(cmdname, fdtfile, &fit_blob, &fsbuf, 0); + + if (ffd < 0) { + printf("Could not open %s\n", fdtfile); + exit(EXIT_FAILURE); + } + + nodeoffset = fdt_path_offset(fit_blob, nodename); + if (nodeoffset < 0) { + printf("%s not found.", nodename); + exit(EXIT_FAILURE); + } + nodep = fdt_getprop(fit_blob, nodeoffset, propertyname, &len); + if (len == 0) { + printf("len == 0 %s\n", propertyname); + exit(EXIT_FAILURE); + } + + printf("NAME: %s\n", fit_get_name(fit_blob, nodeoffset, NULL)); + printf("LEN: %d\n", len); + printf("OFF: %d\n", (int)(nodep - fit_blob)); + (void) munmap((void *)fit_blob, fsbuf.st_size); + + close(ffd); + exit(EXIT_SUCCESS); +} -- cgit v1.3.1 From 29a23f9d6c533f8371be3ae0268c4c75866291b2 Mon Sep 17 00:00:00 2001 From: Heiko Schocher Date: Mon, 3 Mar 2014 12:19:30 +0100 Subject: tools, fit_check_sign: verify a signed fit image add host tool "fit_check_sign" which verifies, if a fit image is signed correct. Signed-off-by: Heiko Schocher Cc: Simon Glass --- common/image-sig.c | 18 +++++----- doc/uImage.FIT/signature.txt | 6 ++++ include/fdt_support.h | 5 +++ include/image.h | 17 +++++---- lib/fdtdec.c | 20 +++++++++++ lib/rsa/rsa-checksum.c | 10 ++++-- lib/rsa/rsa-sign.c | 2 +- lib/rsa/rsa-verify.c | 18 +++++++--- test/vboot/vboot_test.sh | 20 +++++++++++ tools/.gitignore | 1 + tools/Makefile | 7 ++-- tools/fdt_host.h | 2 ++ tools/fdtdec.c | 1 + tools/fit_check_sign.c | 85 ++++++++++++++++++++++++++++++++++++++++++++ tools/image-host.c | 15 ++++++++ tools/rsa-checksum.c | 1 + tools/rsa-verify.c | 1 + 17 files changed, 204 insertions(+), 25 deletions(-) create mode 100644 tools/fdtdec.c create mode 100644 tools/fit_check_sign.c create mode 100644 tools/rsa-checksum.c create mode 100644 tools/rsa-verify.c (limited to 'tools') diff --git a/common/image-sig.c b/common/image-sig.c index 763960a45a3..72284eb1d1f 100644 --- a/common/image-sig.c +++ b/common/image-sig.c @@ -19,9 +19,14 @@ DECLARE_GLOBAL_DATA_PTR; #define IMAGE_MAX_HASHED_NODES 100 #ifdef USE_HOSTCC -__attribute__((weak)) void *get_blob(void) +void *host_blob; +void image_set_host_blob(void *blob) { - return NULL; + host_blob = blob; +} +void *image_get_host_blob(void) +{ + return host_blob; } #endif @@ -32,10 +37,9 @@ struct checksum_algo checksum_algos[] = { RSA2048_BYTES, #if IMAGE_ENABLE_SIGN EVP_sha1, -#else +#endif sha1_calculate, padding_sha1_rsa2048, -#endif }, { "sha256", @@ -43,10 +47,9 @@ struct checksum_algo checksum_algos[] = { RSA2048_BYTES, #if IMAGE_ENABLE_SIGN EVP_sha256, -#else +#endif sha256_calculate, padding_sha256_rsa2048, -#endif }, { "sha256", @@ -54,10 +57,9 @@ struct checksum_algo checksum_algos[] = { RSA4096_BYTES, #if IMAGE_ENABLE_SIGN EVP_sha256, -#else +#endif sha256_calculate, padding_sha256_rsa4096, -#endif } }; diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 71f8b6c06ad..95020377055 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -357,6 +357,9 @@ Build FIT with signed configuration Test Verified Boot Run: unsigned config: OK Sign images Test Verified Boot Run: signed config: OK +check signed config on the host +OK +Test Verified Boot Run: signed config: OK Test Verified Boot Run: signed config with bad hash: OK do sha256 test Build FIT with signed images @@ -367,6 +370,9 @@ Build FIT with signed configuration Test Verified Boot Run: unsigned config: OK Sign images Test Verified Boot Run: signed config: OK +check signed config on the host +OK +Test Verified Boot Run: signed config: OK Test Verified Boot Run: signed config with bad hash: OK Test passed diff --git a/include/fdt_support.h b/include/fdt_support.h index 9871e2f81a0..76c9b2e776c 100644 --- a/include/fdt_support.h +++ b/include/fdt_support.h @@ -115,4 +115,9 @@ static inline int fdt_status_disabled_by_alias(void *fdt, const char* alias) } #endif /* ifdef CONFIG_OF_LIBFDT */ + +#ifdef USE_HOSTCC +int fdtdec_get_int(const void *blob, int node, const char *prop_name, + int default_val); +#endif #endif /* ifndef __FDT_SUPPORT_H */ diff --git a/include/image.h b/include/image.h index 540afaaec5c..2508d7d2430 100644 --- a/include/image.h +++ b/include/image.h @@ -832,7 +832,7 @@ int calculate_hash(const void *data, int data_len, const char *algo, #if defined(CONFIG_FIT_SIGNATURE) # ifdef USE_HOSTCC # define IMAGE_ENABLE_SIGN 1 -# define IMAGE_ENABLE_VERIFY 0 +# define IMAGE_ENABLE_VERIFY 1 # include #else # define IMAGE_ENABLE_SIGN 0 @@ -844,7 +844,9 @@ int calculate_hash(const void *data, int data_len, const char *algo, #endif #ifdef USE_HOSTCC -# define gd_fdt_blob() NULL +void *image_get_host_blob(void); +void image_set_host_blob(void *host_blob); +# define gd_fdt_blob() image_get_host_blob() #else # define gd_fdt_blob() (gd->fdt_blob) #endif @@ -881,14 +883,11 @@ struct checksum_algo { const int checksum_len; const int pad_len; #if IMAGE_ENABLE_SIGN - const EVP_MD *(*calculate)(void); -#else -#if IMAGE_ENABLE_VERIFY + const EVP_MD *(*calculate_sign)(void); +#endif void (*calculate)(const struct image_region region[], int region_count, uint8_t *checksum); const uint8_t *rsa_padding; -#endif -#endif }; struct image_sig_algo { @@ -1009,7 +1008,11 @@ struct image_region *fit_region_make_list(const void *fit, static inline int fit_image_check_target_arch(const void *fdt, int node) { +#ifndef USE_HOSTCC return fit_image_check_arch(fdt, node, IH_ARCH_DEFAULT); +#else + return 0; +#endif } #ifdef CONFIG_FIT_VERBOSE diff --git a/lib/fdtdec.c b/lib/fdtdec.c index f65ab4f58ff..8da2d74041d 100644 --- a/lib/fdtdec.c +++ b/lib/fdtdec.c @@ -3,6 +3,7 @@ * SPDX-License-Identifier: GPL-2.0+ */ +#ifndef USE_HOSTCC #include #include #include @@ -643,3 +644,22 @@ int fdtdec_read_fmap_entry(const void *blob, int node, const char *name, return 0; } +#else +#include "libfdt.h" +#include "fdt_support.h" + +int fdtdec_get_int(const void *blob, int node, const char *prop_name, + int default_val) +{ + const int *cell; + int len; + + cell = fdt_getprop_w((void *)blob, node, prop_name, &len); + if (cell && len >= sizeof(int)) { + int val = fdt32_to_cpu(cell[0]); + + return val; + } + return default_val; +} +#endif diff --git a/lib/rsa/rsa-checksum.c b/lib/rsa/rsa-checksum.c index a9d096d455a..32d6602e975 100644 --- a/lib/rsa/rsa-checksum.c +++ b/lib/rsa/rsa-checksum.c @@ -4,14 +4,18 @@ * SPDX-License-Identifier: GPL-2.0+ */ +#ifndef USE_HOSTCC #include #include -#include -#include -#include #include #include #include +#else +#include "fdt_host.h" +#endif +#include +#include +#include /* PKCS 1.5 paddings as described in the RSA PKCS#1 v2.1 standard. */ diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 0fe6e9f9cf1..ca8c120d97c 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -193,7 +193,7 @@ static int rsa_sign_with_key(RSA *rsa, struct checksum_algo *checksum_algo, goto err_create; } EVP_MD_CTX_init(context); - if (!EVP_SignInit(context, checksum_algo->calculate())) { + if (!EVP_SignInit(context, checksum_algo->calculate_sign())) { ret = rsa_err("Signer setup failed"); goto err_sign; } diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 09268ca2939..587da5b4706 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -4,17 +4,28 @@ * SPDX-License-Identifier: GPL-2.0+ */ +#ifndef USE_HOSTCC #include #include -#include -#include -#include +#include #include #include +#include #include +#else +#include "fdt_host.h" +#include "mkimage.h" +#include +#endif +#include +#include +#include #define UINT64_MULT32(v, multby) (((uint64_t)(v)) * ((uint32_t)(multby))) +#define get_unaligned_be32(a) fdt32_to_cpu(*(uint32_t *)a) +#define put_unaligned_be32(a, b) (*(uint32_t *)(b) = cpu_to_fdt32(a)) + /** * subtract_modulus() - subtract modulus from the given value * @@ -150,7 +161,6 @@ static int pow_mod(const struct rsa_public_key *key, uint32_t *inout) /* Convert to bigendian byte array */ for (i = key->len - 1, ptr = inout; (int)i >= 0; i--, ptr++) put_unaligned_be32(result[i], ptr); - return 0; } diff --git a/test/vboot/vboot_test.sh b/test/vboot/vboot_test.sh index 3e2856ed1ff..3c6efa774ec 100755 --- a/test/vboot/vboot_test.sh +++ b/test/vboot/vboot_test.sh @@ -47,6 +47,7 @@ O=$(readlink -f ${O}) dtc="-I dts -O dtb -p 2000" uboot="${O}/u-boot" mkimage="${O}/tools/mkimage" +fit_check_sign="${O}/tools/fit_check_sign" keys="${dir}/dev-keys" echo ${mkimage} -D "${dtc}" @@ -99,6 +100,25 @@ function do_test { run_uboot "signed config" "dev+" + echo check signed config on the host + if ! ${fit_check_sign} -f test.fit -k sandbox-u-boot.dtb >${tmp}; then + echo + echo "Verified boot key check on host failed, output follows:" + cat ${tmp} + false + else + if ! grep -q "dev+" ${tmp}; then + echo + echo "Verified boot key check failed, output follows:" + cat ${tmp} + false + else + echo "OK" + fi + fi + + run_uboot "signed config" "dev+" + # Increment the first byte of the signature, which should cause failure sig=$(fdtget -t bx test.fit /configurations/conf@1/signature@1 value) newbyte=$(printf %x $((0x${sig:0:2} + 1))) diff --git a/tools/.gitignore b/tools/.gitignore index 2f6ecc740a9..b1e997fc3ee 100644 --- a/tools/.gitignore +++ b/tools/.gitignore @@ -1,5 +1,6 @@ /bmp_logo /envcrc +/fit_check_sign /fit_info /gen_eth_addr /img2srec diff --git a/tools/Makefile b/tools/Makefile index 52fb69eae9d..c5c378cf86f 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -61,13 +61,13 @@ mkenvimage$(SFX)-objs := crc32.o mkenvimage.o os_support.o hostprogs-y += dumpimage$(SFX) mkimage$(SFX) ifdef CONFIG_FIT_SIGNATURE -hostprogs-y += fit_info$(SFX) +hostprogs-y += fit_info$(SFX) fit_check_sign$(SFX) endif FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig.o # Flattened device tree objects LIBFDT_OBJS := fdt.o fdt_ro.o fdt_rw.o fdt_strerror.o fdt_wip.o -RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := rsa-sign.o +RSA_OBJS-$(CONFIG_FIT_SIGNATURE) := rsa-sign.o rsa-verify.o rsa-checksum.o # common objs for dumpimage and mkimage dumpimage-mkimage-objs := aisimage.o \ @@ -97,6 +97,7 @@ dumpimage-mkimage-objs := aisimage.o \ dumpimage$(SFX)-objs := $(dumpimage-mkimage-objs) dumpimage.o mkimage$(SFX)-objs := $(dumpimage-mkimage-objs) mkimage.o fit_info$(SFX)-objs := $(dumpimage-mkimage-objs) fit_info.o +fit_check_sign$(SFX)-objs := $(dumpimage-mkimage-objs) fit_check_sign.o # TODO(sjg@chromium.org): Is this correct on Mac OS? @@ -105,6 +106,7 @@ ifneq ($(CONFIG_MX23)$(CONFIG_MX28),) HOSTLOADLIBES_dumpimage$(SFX) := -lssl -lcrypto HOSTLOADLIBES_mkimage$(SFX) := -lssl -lcrypto HOSTLOADLIBES_fit_info$(SFX) := -lssl -lcrypto +HOSTLOADLIBES_fit_check_sign$(SFX) := -lssl -lcrypto # Add CONFIG_MXS into host CFLAGS, so we can check whether or not register # the mxsimage support within tools/mxsimage.c . HOSTCFLAGS_mxsimage.o += -DCONFIG_MXS @@ -114,6 +116,7 @@ ifdef CONFIG_FIT_SIGNATURE HOSTLOADLIBES_dumpimage$(SFX) := -lssl -lcrypto HOSTLOADLIBES_mkimage$(SFX) := -lssl -lcrypto HOSTLOADLIBES_fit_info$(SFX) := -lssl -lcrypto +HOSTLOADLIBES_fit_check_sign$(SFX) := -lssl -lcrypto # This affects include/image.h, but including the board config file # is tricky, so manually define this options here. diff --git a/tools/fdt_host.h b/tools/fdt_host.h index c2b23c6217f..134d9657139 100644 --- a/tools/fdt_host.h +++ b/tools/fdt_host.h @@ -11,4 +11,6 @@ #include "../include/libfdt.h" #include "../include/fdt_support.h" +int fit_check_sign(const void *working_fdt, const void *key); + #endif /* __FDT_HOST_H__ */ diff --git a/tools/fdtdec.c b/tools/fdtdec.c new file mode 100644 index 00000000000..f1c22569ca4 --- /dev/null +++ b/tools/fdtdec.c @@ -0,0 +1 @@ +#include "../lib/fdtdec.c" diff --git a/tools/fit_check_sign.c b/tools/fit_check_sign.c new file mode 100644 index 00000000000..d6d93400949 --- /dev/null +++ b/tools/fit_check_sign.c @@ -0,0 +1,85 @@ +/* + * (C) Copyright 2014 + * DENX Software Engineering + * Heiko Schocher + * + * Based on: + * (C) Copyright 2008 Semihalf + * + * (C) Copyright 2000-2004 + * DENX Software Engineering + * Wolfgang Denk, wd@denx.de + * + * Updated-by: Prafulla Wadaskar + * FIT image specific code abstracted from mkimage.c + * some functions added to address abstraction + * + * All rights reserved. + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#include "mkimage.h" +#include "fit_common.h" +#include +#include + +void usage(char *cmdname) +{ + fprintf(stderr, "Usage: %s -f fit file -k key file\n" + " -f ==> set fit file which should be checked'\n" + " -k ==> set key file which contains the key'\n", + cmdname); + exit(EXIT_FAILURE); +} + +int main(int argc, char **argv) +{ + int ffd = -1; + int kfd = -1; + struct stat fsbuf; + struct stat ksbuf; + void *fit_blob; + char *fdtfile = NULL; + char *keyfile = NULL; + char cmdname[50]; + int ret; + void *key_blob; + int c; + + strcpy(cmdname, *argv); + while ((c = getopt(argc, argv, "f:k:")) != -1) + switch (c) { + case 'f': + fdtfile = optarg; + break; + case 'k': + keyfile = optarg; + break; + default: + usage(cmdname); + break; + } + + ffd = mmap_fdt(cmdname, fdtfile, &fit_blob, &fsbuf, 0); + if (ffd < 0) + return EXIT_FAILURE; + kfd = mmap_fdt(cmdname, keyfile, &key_blob, &ksbuf, 0); + if (ffd < 0) + return EXIT_FAILURE; + + image_set_host_blob(key_blob); + ret = fit_check_sign(fit_blob, key_blob); + + if (ret) + ret = EXIT_SUCCESS; + else + ret = EXIT_FAILURE; + + (void) munmap((void *)fit_blob, fsbuf.st_size); + (void) munmap((void *)key_blob, ksbuf.st_size); + + close(ffd); + close(kfd); + exit(ret); +} diff --git a/tools/image-host.c b/tools/image-host.c index 8e185ec5df3..651f1c2f8b4 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -695,3 +695,18 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit, return 0; } + +#ifdef CONFIG_FIT_SIGNATURE +int fit_check_sign(const void *working_fdt, const void *key) +{ + int cfg_noffset; + int ret; + + cfg_noffset = fit_conf_get_node(working_fdt, NULL); + if (!cfg_noffset) + return -1; + + ret = fit_config_verify(working_fdt, cfg_noffset); + return ret; +} +#endif diff --git a/tools/rsa-checksum.c b/tools/rsa-checksum.c new file mode 100644 index 00000000000..09033e6201b --- /dev/null +++ b/tools/rsa-checksum.c @@ -0,0 +1 @@ +#include "../lib/rsa/rsa-checksum.c" diff --git a/tools/rsa-verify.c b/tools/rsa-verify.c new file mode 100644 index 00000000000..bb662a1ef85 --- /dev/null +++ b/tools/rsa-verify.c @@ -0,0 +1 @@ +#include "../lib/rsa/rsa-verify.c" -- cgit v1.3.1 From a8a752c084031905940129f8a6ba303925e0fac9 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Wed, 5 Mar 2014 19:59:52 +0100 Subject: env: Implement support for AES encryption into fw_* tools Implement support for encrypting/decrypting the environment block into the tools/env/fw_* tools. The cipher used is AES 128 CBC and the implementation depends solely on components internal to U-Boot. To allow building against the internal AES library, the library did need minor adjustments to not include U-Boot's headers which are not wanted to be included and define missing types. Signed-off-by: Marek Vasut --- include/aes.h | 7 +++ lib/aes.c | 4 ++ tools/env/Makefile | 2 +- tools/env/fw_env.c | 129 +++++++++++++++++++++++++++++++++++++++++++++++- tools/env/fw_env_main.c | 17 +++++-- 5 files changed, 151 insertions(+), 8 deletions(-) (limited to 'tools') diff --git a/include/aes.h b/include/aes.h index 4897e6faa05..ee0e6c275f1 100644 --- a/include/aes.h +++ b/include/aes.h @@ -8,6 +8,13 @@ #ifndef _AES_REF_H_ #define _AES_REF_H_ +#ifdef USE_HOSTCC +/* Define compat stuff for use in fw_* tools. */ +typedef unsigned char u8; +typedef unsigned int u32; +#define debug(...) do {} while (0) +#endif + /* * AES encryption library, with small code size, supporting only 128-bit AES * diff --git a/lib/aes.c b/lib/aes.c index 9dadb22c3ad..05c97cd7409 100644 --- a/lib/aes.c +++ b/lib/aes.c @@ -22,7 +22,11 @@ * REDISTRIBUTION OF THIS SOFTWARE. */ +#ifndef USE_HOSTCC #include +#else +#include +#endif #include "aes.h" /* forward s-box */ diff --git a/tools/env/Makefile b/tools/env/Makefile index fcb752ddb44..f5368bc4d02 100644 --- a/tools/env/Makefile +++ b/tools/env/Makefile @@ -25,7 +25,7 @@ hostprogs-y := fw_printenv_unstripped fw_printenv_unstripped-objs := fw_env.o fw_env_main.o \ crc32.o ctype.o linux_string.o \ - env_attr.o env_flags.o + env_attr.o env_flags.o aes.o quiet_cmd_strip = STRIP $@ cmd_strip = $(STRIP) -o $@ $< diff --git a/tools/env/fw_env.c b/tools/env/fw_env.c index d228cc34da8..fba4c8c6654 100644 --- a/tools/env/fw_env.c +++ b/tools/env/fw_env.c @@ -31,6 +31,10 @@ #include "fw_env.h" +#include + +#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) + #define WHITESPACE(c) ((c == '\t') || (c == ' ')) #define min(x, y) ({ \ @@ -98,6 +102,11 @@ static struct environment environment = { .flag_scheme = FLAG_NONE, }; +/* Is AES encryption used? */ +static int aes_flag; +static uint8_t aes_key[AES_KEY_LENGTH] = { 0 }; +static int env_aes_cbc_crypt(char *data, const int enc); + static int HaveRedundEnv = 0; static unsigned char active_flag = 1; @@ -120,6 +129,10 @@ static inline ulong getenvsize (void) if (HaveRedundEnv) rc -= sizeof (char); + + if (aes_flag) + rc &= ~(AES_KEY_LENGTH - 1); + return rc; } @@ -191,6 +204,36 @@ char *fw_getdefenv(char *name) return NULL; } +static int parse_aes_key(char *key) +{ + char tmp[5] = { '0', 'x', 0, 0, 0 }; + unsigned long ul; + int i; + + if (strnlen(key, 64) != 32) { + fprintf(stderr, + "## Error: '-a' option requires 16-byte AES key\n"); + return -1; + } + + for (i = 0; i < 16; i++) { + tmp[2] = key[0]; + tmp[3] = key[1]; + errno = 0; + ul = strtoul(tmp, NULL, 16); + if (errno) { + fprintf(stderr, + "## Error: '-a' option requires valid AES key\n"); + return -1; + } + aes_key[i] = ul & 0xff; + key += 2; + } + aes_flag = 1; + + return 0; +} + /* * Print the current definition of one, or more, or all * environment variables @@ -201,6 +244,19 @@ int fw_printenv (int argc, char *argv[]) int i, n_flag; int rc = 0; + if (argc >= 2 && strcmp(argv[1], "-a") == 0) { + if (argc < 3) { + fprintf(stderr, + "## Error: '-a' option requires AES key\n"); + return -1; + } + rc = parse_aes_key(argv[2]); + if (rc) + return rc; + argv += 2; + argc -= 2; + } + if (fw_env_open()) return -1; @@ -266,6 +322,16 @@ int fw_printenv (int argc, char *argv[]) int fw_env_close(void) { + int ret; + if (aes_flag) { + ret = env_aes_cbc_crypt(environment.data, 1); + if (ret) { + fprintf(stderr, + "Error: can't encrypt env for flash\n"); + return ret; + } + } + /* * Update CRC */ @@ -413,7 +479,7 @@ int fw_env_write(char *name, char *value) */ int fw_setenv(int argc, char *argv[]) { - int i; + int i, rc; size_t len; char *name; char *value = NULL; @@ -423,6 +489,24 @@ int fw_setenv(int argc, char *argv[]) return -1; } + if (strcmp(argv[1], "-a") == 0) { + if (argc < 3) { + fprintf(stderr, + "## Error: '-a' option requires AES key\n"); + return -1; + } + rc = parse_aes_key(argv[2]); + if (rc) + return rc; + argv += 2; + argc -= 2; + } + + if (argc < 2) { + errno = EINVAL; + return -1; + } + if (fw_env_open()) { fprintf(stderr, "Error: environment not initialized\n"); return -1; @@ -900,6 +984,28 @@ static int flash_flag_obsolete (int dev, int fd, off_t offset) return rc; } +/* Encrypt or decrypt the environment before writing or reading it. */ +static int env_aes_cbc_crypt(char *payload, const int enc) +{ + uint8_t *data = (uint8_t *)payload; + const int len = getenvsize(); + uint8_t key_exp[AES_EXPAND_KEY_LENGTH]; + uint32_t aes_blocks; + + /* First we expand the key. */ + aes_expand_key(aes_key, key_exp); + + /* Calculate the number of AES blocks to encrypt. */ + aes_blocks = DIV_ROUND_UP(len, AES_KEY_LENGTH); + + if (enc) + aes_cbc_encrypt_blocks(key_exp, data, data, aes_blocks); + else + aes_cbc_decrypt_blocks(key_exp, data, data, aes_blocks); + + return 0; +} + static int flash_write (int fd_current, int fd_target, int dev_target) { int rc; @@ -923,6 +1029,7 @@ static int flash_write (int fd_current, int fd_target, int dev_target) fprintf(stderr, "Writing new environment at 0x%lx on %s\n", DEVOFFSET (dev_target), DEVNAME (dev_target)); #endif + rc = flash_write_buf(dev_target, fd_target, environment.image, CUR_ENVSIZE, DEVOFFSET(dev_target), DEVTYPE(dev_target)); @@ -981,8 +1088,10 @@ static int flash_read (int fd) rc = flash_read_buf(dev_current, fd, environment.image, CUR_ENVSIZE, DEVOFFSET (dev_current), mtdinfo.type); + if (rc != CUR_ENVSIZE) + return -1; - return (rc != CUR_ENVSIZE) ? -1 : 0; + return 0; } static int flash_io (int mode) @@ -1075,6 +1184,8 @@ int fw_env_open(void) unsigned char flag1; void *addr1; + int ret; + struct env_image_single *single; struct env_image_redundant *redundant; @@ -1109,6 +1220,13 @@ int fw_env_open(void) return -1; crc0 = crc32 (0, (uint8_t *) environment.data, ENV_SIZE); + + if (aes_flag) { + ret = env_aes_cbc_crypt(environment.data, 0); + if (ret) + return ret; + } + crc0_ok = (crc0 == *environment.crc); if (!HaveRedundEnv) { if (!crc0_ok) { @@ -1159,6 +1277,13 @@ int fw_env_open(void) } crc1 = crc32 (0, (uint8_t *) redundant->data, ENV_SIZE); + + if (aes_flag) { + ret = env_aes_cbc_crypt(redundant->data, 0); + if (ret) + return ret; + } + crc1_ok = (crc1 == redundant->crc); flag1 = redundant->flags; diff --git a/tools/env/fw_env_main.c b/tools/env/fw_env_main.c index 2b85d788645..ce50d58b646 100644 --- a/tools/env/fw_env_main.c +++ b/tools/env/fw_env_main.c @@ -9,18 +9,22 @@ * Command line user interface to firmware (=U-Boot) environment. * * Implements: - * fw_printenv [[ -n name ] | [ name ... ]] + * fw_printenv [ -a key ] [[ -n name ] | [ name ... ]] * - prints the value of a single environment variable * "name", the ``name=value'' pairs of one or more * environment variables "name", or the whole * environment if no names are specified. - * fw_setenv name [ value ... ] + * fw_setenv [ -a key ] name [ value ... ] * - If a name without any values is given, the variable * with this name is deleted from the environment; * otherwise, all "value" arguments are concatenated, * separated by single blank characters, and the * resulting string is assigned to the environment * variable "name" + * + * If '-a key' is specified, the env block is encrypted with AES 128 CBC. + * The 'key' argument is in the format of 32 hexadecimal numbers (16 bytes + * of AES key), eg. '-a aabbccddeeff00112233445566778899'. */ #include @@ -46,8 +50,8 @@ void usage(void) fprintf(stderr, "fw_printenv/fw_setenv, " "a command line interface to U-Boot environment\n\n" - "usage:\tfw_printenv [-n] [variable name]\n" - "\tfw_setenv [variable name] [variable value]\n" + "usage:\tfw_printenv [-a key] [-n] [variable name]\n" + "\tfw_setenv [-a key] [variable name] [variable value]\n" "\tfw_setenv -s [ file ]\n" "\tfw_setenv -s - < [ file ]\n\n" "The file passed as argument contains only pairs " @@ -94,9 +98,12 @@ int main(int argc, char *argv[]) cmdname = p + 1; } - while ((c = getopt_long (argc, argv, "ns:h", + while ((c = getopt_long (argc, argv, "a:ns:h", long_options, NULL)) != EOF) { switch (c) { + case 'a': + /* AES key, handled later */ + break; case 'n': /* handled in fw_printenv */ break; -- cgit v1.3.1 From e1b7e1e3cfa8db7edfa494709ed2d477f73c2b66 Mon Sep 17 00:00:00 2001 From: Masahiro Yamada Date: Tue, 1 Apr 2014 09:24:44 +0900 Subject: tools: fix Makefile to clean-up fit_info and fit_check_sign We should avoid the description in Makefile like this ifdef CONFIG_FIT_SIGNATURE hostprogs-y += fit_info$(SFX) fit_check_sign$(SFX) endif Otherwise, fit_info and fit_check_sign would never be cleaned by "make clean". Signed-off-by: Masahiro Yamada Cc: Heiko Schocher --- tools/Makefile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'tools') diff --git a/tools/Makefile b/tools/Makefile index c5c378cf86f..c34df4f8978 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -60,9 +60,7 @@ hostprogs-y += mkenvimage$(SFX) mkenvimage$(SFX)-objs := crc32.o mkenvimage.o os_support.o hostprogs-y += dumpimage$(SFX) mkimage$(SFX) -ifdef CONFIG_FIT_SIGNATURE -hostprogs-y += fit_info$(SFX) fit_check_sign$(SFX) -endif +hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_info$(SFX) fit_check_sign$(SFX) FIT_SIG_OBJS-$(CONFIG_FIT_SIGNATURE) := image-sig.o # Flattened device tree objects -- cgit v1.3.1 From e0ba9299823b985b6b707516e4dc0b331be9e7a2 Mon Sep 17 00:00:00 2001 From: Daniel Schwierzeck Date: Thu, 17 Apr 2014 21:13:11 +0200 Subject: buildman: make output dir configurable Add an option to specify the output directory to override the default path '../'. This is useful for building in a ramdisk. Signed-off-by: Daniel Schwierzeck Acked-by: Simon Glass --- tools/buildman/buildman.py | 3 +++ tools/buildman/control.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'tools') diff --git a/tools/buildman/buildman.py b/tools/buildman/buildman.py index 8822efefa58..73a5483d46b 100755 --- a/tools/buildman/buildman.py +++ b/tools/buildman/buildman.py @@ -101,6 +101,9 @@ parser.add_option('-T', '--threads', type='int', default=None, help='Number of builder threads to use') parser.add_option('-u', '--show_unknown', action='store_true', default=False, help='Show boards with unknown build result') +parser.add_option('-o', '--output-dir', type='string', + dest='output_dir', default='..', + help='Directory where all builds happen and buildman has its workspace (default is ../)') parser.usage = """buildman -b [options] diff --git a/tools/buildman/control.py b/tools/buildman/control.py index 8e6a08f78e2..d2f4102ba72 100644 --- a/tools/buildman/control.py +++ b/tools/buildman/control.py @@ -145,7 +145,7 @@ def DoBuildman(options, args): options.step = len(series.commits) - 1 # Create a new builder with the selected options - output_dir = os.path.join('..', options.branch) + output_dir = os.path.join(options.output_dir, options.branch) builder = Builder(toolchains, output_dir, options.git_dir, options.threads, options.jobs, checkout=True, show_unknown=options.show_unknown, step=options.step) -- cgit v1.3.1