diff options
author | Thomas Perrot <thomas.perrot@bootlin.com> | 2021-08-10 14:30:12 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-13 14:44:06 +0100 |
commit | 50d8801d72feb4e8a7e78cbbbc0dff889f9b03b0 (patch) | |
tree | d88e48f99169da299ebc721fabae7b79a432a759 | |
parent | a42896018396d685bbf81261cca20d9d0cfe9817 (diff) | |
download | poky-50d8801d72feb4e8a7e78cbbbc0dff889f9b03b0.tar.gz |
kernel-fitimage: images should not be signed with the same keys as the configurations
Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set to "conf"
and no error will be raised in case of error.
(From OE-Core rev: 080e0dfed710035b2e40187d9d639ecf5ab84be2)
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 40 |
1 files changed, 35 insertions, 5 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index a9d1002200..2ef8f06b14 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass | |||
@@ -60,6 +60,14 @@ FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" | |||
60 | # Sign individual images as well | 60 | # Sign individual images as well |
61 | FIT_SIGN_INDIVIDUAL ?= "0" | 61 | FIT_SIGN_INDIVIDUAL ?= "0" |
62 | 62 | ||
63 | # Keys used to sign individually image nodes. | ||
64 | # The keys to sign image nodes must be different from those used to sign | ||
65 | # configuration nodes, otherwise the "required" property, from | ||
66 | # UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image". | ||
67 | # Then the images signature checking will not be mandatory and no error will be | ||
68 | # raised in case of failure. | ||
69 | # UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key") | ||
70 | |||
63 | # | 71 | # |
64 | # Emit the fitImage ITS header | 72 | # Emit the fitImage ITS header |
65 | # | 73 | # |
@@ -121,7 +129,7 @@ fitimage_emit_section_kernel() { | |||
121 | 129 | ||
122 | kernel_csum="${FIT_HASH_ALG}" | 130 | kernel_csum="${FIT_HASH_ALG}" |
123 | kernel_sign_algo="${FIT_SIGN_ALG}" | 131 | kernel_sign_algo="${FIT_SIGN_ALG}" |
124 | kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}" | 132 | kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" |
125 | 133 | ||
126 | ENTRYPOINT="${UBOOT_ENTRYPOINT}" | 134 | ENTRYPOINT="${UBOOT_ENTRYPOINT}" |
127 | if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then | 135 | if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then |
@@ -167,7 +175,7 @@ fitimage_emit_section_dtb() { | |||
167 | 175 | ||
168 | dtb_csum="${FIT_HASH_ALG}" | 176 | dtb_csum="${FIT_HASH_ALG}" |
169 | dtb_sign_algo="${FIT_SIGN_ALG}" | 177 | dtb_sign_algo="${FIT_SIGN_ALG}" |
170 | dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}" | 178 | dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" |
171 | 179 | ||
172 | dtb_loadline="" | 180 | dtb_loadline="" |
173 | dtb_ext=${DTB##*.} | 181 | dtb_ext=${DTB##*.} |
@@ -214,7 +222,7 @@ fitimage_emit_section_boot_script() { | |||
214 | 222 | ||
215 | bootscr_csum="${FIT_HASH_ALG}" | 223 | bootscr_csum="${FIT_HASH_ALG}" |
216 | bootscr_sign_algo="${FIT_SIGN_ALG}" | 224 | bootscr_sign_algo="${FIT_SIGN_ALG}" |
217 | bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}" | 225 | bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" |
218 | 226 | ||
219 | cat << EOF >> ${1} | 227 | cat << EOF >> ${1} |
220 | bootscr-${2} { | 228 | bootscr-${2} { |
@@ -278,7 +286,7 @@ fitimage_emit_section_ramdisk() { | |||
278 | 286 | ||
279 | ramdisk_csum="${FIT_HASH_ALG}" | 287 | ramdisk_csum="${FIT_HASH_ALG}" |
280 | ramdisk_sign_algo="${FIT_SIGN_ALG}" | 288 | ramdisk_sign_algo="${FIT_SIGN_ALG}" |
281 | ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}" | 289 | ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" |
282 | ramdisk_loadline="" | 290 | ramdisk_loadline="" |
283 | ramdisk_entryline="" | 291 | ramdisk_entryline="" |
284 | 292 | ||
@@ -475,6 +483,10 @@ fitimage_assemble() { | |||
475 | bootscr_id="" | 483 | bootscr_id="" |
476 | rm -f ${1} arch/${ARCH}/boot/${2} | 484 | rm -f ${1} arch/${ARCH}/boot/${2} |
477 | 485 | ||
486 | if [ ! -z "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then | ||
487 | bbfatal "Keys used to sign images and configuration nodes must be different." | ||
488 | fi | ||
489 | |||
478 | fitimage_emit_fit_header ${1} | 490 | fitimage_emit_fit_header ${1} |
479 | 491 | ||
480 | # | 492 | # |
@@ -674,7 +686,7 @@ do_kernel_generate_rsa_keys() { | |||
674 | 686 | ||
675 | if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | 687 | if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then |
676 | 688 | ||
677 | # Generate keys only if they don't already exist | 689 | # Generate keys to sign configuration nodes, only if they don't already exist |
678 | if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ | 690 | if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ |
679 | [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then | 691 | [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then |
680 | 692 | ||
@@ -691,6 +703,24 @@ do_kernel_generate_rsa_keys() { | |||
691 | -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | 703 | -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ |
692 | -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt | 704 | -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt |
693 | fi | 705 | fi |
706 | |||
707 | # Generate keys to sign image nodes, only if they don't already exist | ||
708 | if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \ | ||
709 | [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then | ||
710 | |||
711 | # make directory if it does not already exist | ||
712 | mkdir -p "${UBOOT_SIGN_KEYDIR}" | ||
713 | |||
714 | echo "Generating RSA private key for signing fitImage" | ||
715 | openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ | ||
716 | "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ | ||
717 | "${FIT_SIGN_NUMBITS}" | ||
718 | |||
719 | echo "Generating certificate for signing fitImage" | ||
720 | openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ | ||
721 | -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ | ||
722 | -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt | ||
723 | fi | ||
694 | fi | 724 | fi |
695 | } | 725 | } |
696 | 726 | ||