diff options
| author | Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> | 2021-03-26 17:14:08 -0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-04-06 11:36:51 +0100 |
| commit | 49d274b61b01dc3b48c58526c932e701deae3b62 (patch) | |
| tree | a315d5283e72098687fa07b4ad31cc50dc6d7ab2 | |
| parent | 068d114385adc679770dc5e8909ad7c432bf8ec1 (diff) | |
| download | poky-49d274b61b01dc3b48c58526c932e701deae3b62.tar.gz | |
u-boot: Add infrastructure to SPL verified boot
Add the necessary infrastructure to create a U-boot proper fitimage,
sign it (using the same keys as the kernel-fitimage), and put the public
key in the SPL binary so that verified SPL boot can be accomplished.
(From OE-Core rev: 5af4dfe83c2f6509015916262be32fc09bc9714d)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 24 | ||||
| -rw-r--r-- | meta/classes/uboot-sign.bbclass | 351 |
2 files changed, 340 insertions, 35 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 6b7c1c3a7d..5cfd8af99d 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass | |||
| @@ -55,7 +55,7 @@ python __anonymous () { | |||
| 55 | 55 | ||
| 56 | 56 | ||
| 57 | # Description string | 57 | # Description string |
| 58 | FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" | 58 | FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" |
| 59 | 59 | ||
| 60 | # Sign individual images as well | 60 | # Sign individual images as well |
| 61 | FIT_SIGN_INDIVIDUAL ?= "0" | 61 | FIT_SIGN_INDIVIDUAL ?= "0" |
| @@ -695,12 +695,22 @@ kernel_do_deploy_append() { | |||
| 695 | ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}" | 695 | ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.bin "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}" |
| 696 | fi | 696 | fi |
| 697 | fi | 697 | fi |
| 698 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then | 698 | fi |
| 699 | # UBOOT_DTB_IMAGE is a realfile, but we can't use | 699 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ |
| 700 | # ${UBOOT_DTB_IMAGE} since it contains ${PV} which is aimed | 700 | [ -n "${UBOOT_DTB_BINARY}" ] ; then |
| 701 | # for u-boot, but we are in kernel env now. | 701 | # UBOOT_DTB_IMAGE is a realfile, but we can't use |
| 702 | install -m 0644 ${B}/u-boot-${MACHINE}*.dtb "$deployDir/" | 702 | # ${UBOOT_DTB_IMAGE} since it contains ${PV} which is aimed |
| 703 | fi | 703 | # for u-boot, but we are in kernel env now. |
| 704 | install -m 0644 ${B}/u-boot-${MACHINE}*.dtb "$deployDir/" | ||
| 705 | fi | ||
| 706 | if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${UBOOT_BINARY}" -a -n "${SPL_DTB_BINARY}" ] ; then | ||
| 707 | # If we're also creating and/or signing the uboot fit, now we need to | ||
| 708 | # deploy it, it's its file, as well as u-boot-spl.dtb | ||
| 709 | install -m 0644 ${B}/u-boot-spl-${MACHINE}*.dtb "$deployDir/" | ||
| 710 | echo "Copying u-boot-fitImage file..." | ||
| 711 | install -m 0644 ${B}/u-boot-fitImage-* "$deployDir/" | ||
| 712 | echo "Copying u-boot-its file..." | ||
| 713 | install -m 0644 ${B}/u-boot-its-* "$deployDir/" | ||
| 704 | fi | 714 | fi |
| 705 | } | 715 | } |
| 706 | 716 | ||
diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index 4e4941e733..ec50c3208b 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass | |||
| @@ -34,26 +34,36 @@ | |||
| 34 | # We need some variables from u-boot-config | 34 | # We need some variables from u-boot-config |
| 35 | inherit uboot-config | 35 | inherit uboot-config |
| 36 | 36 | ||
| 37 | # Signature activation. | 37 | # Enable use of a U-Boot fitImage |
| 38 | UBOOT_FITIMAGE_ENABLE ?= "0" | ||
| 39 | |||
| 40 | # Signature activation - these require their respective fitImages | ||
| 38 | UBOOT_SIGN_ENABLE ?= "0" | 41 | UBOOT_SIGN_ENABLE ?= "0" |
| 42 | SPL_SIGN_ENABLE ?= "0" | ||
| 39 | 43 | ||
| 40 | # Default value for deployment filenames. | 44 | # Default value for deployment filenames. |
| 41 | UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb" | 45 | UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb" |
| 42 | UBOOT_DTB_BINARY ?= "u-boot.dtb" | 46 | UBOOT_DTB_BINARY ?= "u-boot.dtb" |
| 43 | UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb" | 47 | UBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb" |
| 44 | UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.${UBOOT_SUFFIX}" | 48 | UBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.bin" |
| 45 | UBOOT_NODTB_BINARY ?= "u-boot-nodtb.${UBOOT_SUFFIX}" | 49 | UBOOT_NODTB_BINARY ?= "u-boot-nodtb.bin" |
| 46 | UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.${UBOOT_SUFFIX}" | 50 | UBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.bin" |
| 47 | UBOOT_ITS_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.its" | 51 | UBOOT_ITS_IMAGE ?= "u-boot-its-${MACHINE}-${PV}-${PR}" |
| 48 | UBOOT_ITS ?= "u-boot.its" | 52 | UBOOT_ITS ?= "u-boot.its" |
| 49 | UBOOT_ITS_SYMLINK ?= "u-boot-${MACHINE}.its" | 53 | UBOOT_ITS_SYMLINK ?= "u-boot-its-${MACHINE}" |
| 50 | SPL_DIR ?= "${@os.path.dirname(d.getVar("SPL_BINARY")) or '.'}" | 54 | UBOOT_FITIMAGE_IMAGE ?= "u-boot-fitImage-${MACHINE}-${PV}-${PR}" |
| 55 | UBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage" | ||
| 56 | UBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}" | ||
| 57 | SPL_DIR ?= "spl" | ||
| 51 | SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb" | 58 | SPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb" |
| 52 | SPL_DTB_BINARY ?= "u-boot-spl.dtb" | 59 | SPL_DTB_BINARY ?= "u-boot-spl.dtb" |
| 53 | SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb" | 60 | SPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb" |
| 54 | SPL_NODTB_IMAGE ?= "${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${MACHINE}-${PV}-${PR}${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[1]}" | 61 | SPL_NODTB_IMAGE ?= "u-boot-spl-nodtb-${MACHINE}-${PV}-${PR}.bin" |
| 55 | SPL_NODTB_BINARY ?= "${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[1]}" | 62 | SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin" |
| 56 | SPL_NODTB_SYMLINK ?= "${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${MACHINE}${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[1]}" | 63 | SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin" |
| 64 | |||
| 65 | # U-Boot fitImage description | ||
| 66 | UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" | ||
| 57 | 67 | ||
| 58 | # fitImage Hash Algo | 68 | # fitImage Hash Algo |
| 59 | FIT_HASH_ALG ?= "sha256" | 69 | FIT_HASH_ALG ?= "sha256" |
| @@ -77,8 +87,18 @@ FIT_KEY_REQ_ARGS ?= "-batch -new" | |||
| 77 | # Standard format for public key certificate | 87 | # Standard format for public key certificate |
| 78 | FIT_KEY_SIGN_PKCS ?= "-x509" | 88 | FIT_KEY_SIGN_PKCS ?= "-x509" |
| 79 | 89 | ||
| 80 | # Functions in this bbclass is for u-boot only | 90 | # Functions on this bbclass can apply to either U-boot or Kernel, |
| 91 | # depending on the scenario | ||
| 81 | UBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}" | 92 | UBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}" |
| 93 | KERNEL_PN = "${@d.getVar('PREFERRED_PROVIDER_virtual/kernel')}" | ||
| 94 | |||
| 95 | # We need u-boot-tools-native if we're creating a U-Boot fitImage | ||
| 96 | python() { | ||
| 97 | if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1': | ||
| 98 | depends = d.getVar("DEPENDS") | ||
| 99 | depends = "%s u-boot-tools-native dtc-native" % depends | ||
| 100 | d.setVar("DEPENDS", depends) | ||
| 101 | } | ||
| 82 | 102 | ||
| 83 | concat_dtb_helper() { | 103 | concat_dtb_helper() { |
| 84 | if [ -e "${UBOOT_DTB_BINARY}" ]; then | 104 | if [ -e "${UBOOT_DTB_BINARY}" ]; then |
| @@ -92,21 +112,51 @@ concat_dtb_helper() { | |||
| 92 | ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_BINARY} | 112 | ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_BINARY} |
| 93 | fi | 113 | fi |
| 94 | 114 | ||
| 95 | # Concatenate U-Boot w/o DTB & DTB with public key | 115 | # If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB |
| 96 | # (cf. kernel-fitimage.bbclass for more details) | 116 | # with public key (otherwise it will be deployed by the equivalent |
| 97 | deployed_uboot_dtb_binary='${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_IMAGE}' | 117 | # concat_spl_dtb_helper function - cf. kernel-fitimage.bbclass for more details) |
| 98 | if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \ | 118 | if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then |
| 99 | [ -e "$deployed_uboot_dtb_binary" ]; then | 119 | deployed_uboot_dtb_binary='${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_IMAGE}' |
| 100 | oe_runmake EXT_DTB=$deployed_uboot_dtb_binary | 120 | if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \ |
| 101 | install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} | 121 | [ -e "$deployed_uboot_dtb_binary" ]; then |
| 102 | elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then | 122 | oe_runmake EXT_DTB=$deployed_uboot_dtb_binary |
| 123 | install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} | ||
| 124 | elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then | ||
| 125 | cd ${DEPLOYDIR} | ||
| 126 | cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE} | ||
| 127 | else | ||
| 128 | bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." | ||
| 129 | fi | ||
| 130 | fi | ||
| 131 | } | ||
| 132 | |||
| 133 | concat_spl_dtb_helper() { | ||
| 134 | |||
| 135 | # We only deploy symlinks to the u-boot-spl.dtb,as the KERNEL_PN will | ||
| 136 | # be responsible for deploying the real file | ||
| 137 | if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then | ||
| 138 | deployed_spl_dtb_binary='${DEPLOY_DIR_IMAGE}/${SPL_DTB_IMAGE}' | ||
| 139 | ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK} | ||
| 140 | ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY} | ||
| 141 | fi | ||
| 142 | |||
| 143 | if [ -f "${SPL_DIR}/${SPL_NODTB_BINARY}" ] ; then | ||
| 144 | echo "Copying u-boot-nodtb binary..." | ||
| 145 | install -m 0644 ${SPL_DIR}/${SPL_NODTB_BINARY} ${DEPLOYDIR}/${SPL_NODTB_IMAGE} | ||
| 146 | ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK} | ||
| 147 | ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_BINARY} | ||
| 148 | fi | ||
| 149 | |||
| 150 | # Concatenate the SPL nodtb binary and u-boot.dtb | ||
| 151 | if [ -e "${DEPLOYDIR}/${SPL_NODTB_IMAGE}" -a -e "$deployed_spl_dtb_binary" ] ; then | ||
| 103 | cd ${DEPLOYDIR} | 152 | cd ${DEPLOYDIR} |
| 104 | cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE} | 153 | cat ${SPL_NODTB_IMAGE} $deployed_spl_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${SPL_BINARY} > ${SPL_IMAGE} |
| 105 | else | 154 | else |
| 106 | bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." | 155 | bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available." |
| 107 | fi | 156 | fi |
| 108 | } | 157 | } |
| 109 | 158 | ||
| 159 | |||
| 110 | concat_dtb() { | 160 | concat_dtb() { |
| 111 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${UBOOT_DTB_BINARY}" ]; then | 161 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${UBOOT_DTB_BINARY}" ]; then |
| 112 | mkdir -p ${DEPLOYDIR} | 162 | mkdir -p ${DEPLOYDIR} |
| @@ -124,6 +174,24 @@ concat_dtb() { | |||
| 124 | fi | 174 | fi |
| 125 | } | 175 | } |
| 126 | 176 | ||
| 177 | concat_spl_dtb() { | ||
| 178 | if [ "${SPL_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${SPL_DTB_BINARY}" ]; then | ||
| 179 | mkdir -p ${DEPLOYDIR} | ||
| 180 | if [ -n "${UBOOT_CONFIG}" ]; then | ||
| 181 | for config in ${UBOOT_MACHINE}; do | ||
| 182 | CONFIG_B_PATH="${config}" | ||
| 183 | cd ${B}/${config} | ||
| 184 | concat_spl_dtb_helper | ||
| 185 | done | ||
| 186 | else | ||
| 187 | CONFIG_B_PATH="" | ||
| 188 | cd ${B} | ||
| 189 | concat_spl_dtb_helper | ||
| 190 | fi | ||
| 191 | fi | ||
| 192 | } | ||
| 193 | |||
| 194 | |||
| 127 | # Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for | 195 | # Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for |
| 128 | # signing, and kernel will deploy UBOOT_DTB_BINARY after signs it. | 196 | # signing, and kernel will deploy UBOOT_DTB_BINARY after signs it. |
| 129 | install_helper() { | 197 | install_helper() { |
| @@ -138,24 +206,233 @@ install_helper() { | |||
| 138 | fi | 206 | fi |
| 139 | } | 207 | } |
| 140 | 208 | ||
| 209 | # Install SPL dtb and u-boot nodtb to datadir, | ||
| 210 | install_spl_helper() { | ||
| 211 | if [ -f "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then | ||
| 212 | install -d ${D}${datadir} | ||
| 213 | install ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE} | ||
| 214 | ln -sf ${SPL_DTB_IMAGE} ${D}${datadir}/${SPL_DTB_BINARY} | ||
| 215 | else | ||
| 216 | bbwarn "${SPL_DTB_BINARY} not found" | ||
| 217 | fi | ||
| 218 | if [ -f "${UBOOT_NODTB_BINARY}" ] ; then | ||
| 219 | install ${UBOOT_NODTB_BINARY} ${D}${datadir}/${UBOOT_NODTB_IMAGE} | ||
| 220 | ln -sf ${UBOOT_NODTB_IMAGE} ${D}${datadir}/${UBOOT_NODTB_BINARY} | ||
| 221 | else | ||
| 222 | bbwarn "${UBOOT_NODTB_BINARY} not found" | ||
| 223 | fi | ||
| 224 | |||
| 225 | # We need to install a 'stub' u-boot-fitimage + its to datadir, | ||
| 226 | # so that the KERNEL_PN can use the correct filename when | ||
| 227 | # assembling and deploying them | ||
| 228 | touch ${D}/${datadir}/${UBOOT_FITIMAGE_IMAGE} | ||
| 229 | touch ${D}/${datadir}/${UBOOT_ITS_IMAGE} | ||
| 230 | } | ||
| 231 | |||
| 141 | do_install_append() { | 232 | do_install_append() { |
| 142 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${UBOOT_DTB_BINARY}" ]; then | 233 | if [ "${PN}" = "${UBOOT_PN}" ]; then |
| 143 | if [ -n "${UBOOT_CONFIG}" ]; then | 234 | if [ -n "${UBOOT_CONFIG}" ]; then |
| 144 | for config in ${UBOOT_MACHINE}; do | 235 | for config in ${UBOOT_MACHINE}; do |
| 145 | cd ${B}/${config} | 236 | cd ${B}/${config} |
| 146 | install_helper | 237 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ |
| 238 | [ -n "${UBOOT_DTB_BINARY}" ]; then | ||
| 239 | install_helper | ||
| 240 | fi | ||
| 241 | if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then | ||
| 242 | install_spl_helper | ||
| 243 | fi | ||
| 147 | done | 244 | done |
| 148 | else | 245 | else |
| 149 | cd ${B} | 246 | cd ${B} |
| 150 | install_helper | 247 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ |
| 248 | [ -n "${UBOOT_DTB_BINARY}" ]; then | ||
| 249 | install_helper | ||
| 250 | fi | ||
| 251 | if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then | ||
| 252 | install_spl_helper | ||
| 253 | fi | ||
| 151 | fi | 254 | fi |
| 152 | fi | 255 | fi |
| 153 | } | 256 | } |
| 154 | 257 | ||
| 258 | do_generate_rsa_keys() { | ||
| 259 | if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 260 | bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." | ||
| 261 | fi | ||
| 262 | |||
| 263 | if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 264 | |||
| 265 | # Generate keys only if they don't already exist | ||
| 266 | if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ | ||
| 267 | [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then | ||
| 268 | |||
| 269 | # make directory if it does not already exist | ||
| 270 | mkdir -p "${UBOOT_SIGN_KEYDIR}" | ||
| 271 | |||
| 272 | echo "Generating RSA private key for signing fitImage" | ||
| 273 | openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ | ||
| 274 | "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 275 | "${FIT_SIGN_NUMBITS}" | ||
| 276 | |||
| 277 | echo "Generating certificate for signing fitImage" | ||
| 278 | openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ | ||
| 279 | -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 280 | -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt | ||
| 281 | fi | ||
| 282 | fi | ||
| 283 | } | ||
| 284 | |||
| 285 | addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile | ||
| 286 | |||
| 287 | # Create a ITS file for the U-boot FIT, for use when | ||
| 288 | # we want to sign it so that the SPL can verify it | ||
| 289 | uboot_fitimage_assemble() { | ||
| 290 | uboot_its="${1}" | ||
| 291 | uboot_nodtb_bin="${2}" | ||
| 292 | uboot_dtb="${3}" | ||
| 293 | uboot_bin="${4}" | ||
| 294 | spl_dtb="${5}" | ||
| 295 | uboot_csum="${FIT_HASH_ALG}" | ||
| 296 | uboot_sign_algo="${FIT_SIGN_ALG}" | ||
| 297 | uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}" | ||
| 298 | |||
| 299 | rm -f ${uboot_its} ${uboot_bin} | ||
| 300 | |||
| 301 | # First we create the ITS script | ||
| 302 | cat << EOF >> ${uboot_its} | ||
| 303 | /dts-v1/; | ||
| 304 | |||
| 305 | / { | ||
| 306 | description = "${UBOOT_FIT_DESC}"; | ||
| 307 | #address-cells = <1>; | ||
| 308 | |||
| 309 | images { | ||
| 310 | uboot { | ||
| 311 | description = "U-Boot image"; | ||
| 312 | data = /incbin/("${uboot_nodtb_bin}"); | ||
| 313 | type = "uboot"; | ||
| 314 | os = "U-Boot"; | ||
| 315 | arch = "${UBOOT_ARCH}"; | ||
| 316 | compression = "none"; | ||
| 317 | load = <${UBOOT_LOADADDRESS}>; | ||
| 318 | entry = <${UBOOT_ENTRYPOINT}>; | ||
| 319 | EOF | ||
| 320 | |||
| 321 | if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then | ||
| 322 | cat << EOF >> ${uboot_its} | ||
| 323 | signature { | ||
| 324 | algo = "${uboot_csum},${uboot_sign_algo}"; | ||
| 325 | key-name-hint = "${uboot_sign_keyname}"; | ||
| 326 | }; | ||
| 327 | EOF | ||
| 328 | fi | ||
| 329 | |||
| 330 | cat << EOF >> ${uboot_its} | ||
| 331 | }; | ||
| 332 | fdt { | ||
| 333 | description = "U-Boot FDT"; | ||
| 334 | data = /incbin/("${uboot_dtb}"); | ||
| 335 | type = "flat_dt"; | ||
| 336 | arch = "${UBOOT_ARCH}"; | ||
| 337 | compression = "none"; | ||
| 338 | EOF | ||
| 339 | |||
| 340 | if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then | ||
| 341 | cat << EOF >> ${uboot_its} | ||
| 342 | signature { | ||
| 343 | algo = "${uboot_csum},${uboot_sign_algo}"; | ||
| 344 | key-name-hint = "${uboot_sign_keyname}"; | ||
| 345 | }; | ||
| 346 | EOF | ||
| 347 | fi | ||
| 348 | |||
| 349 | cat << EOF >> ${uboot_its} | ||
| 350 | }; | ||
| 351 | }; | ||
| 352 | |||
| 353 | configurations { | ||
| 354 | default = "conf"; | ||
| 355 | conf { | ||
| 356 | description = "Boot with signed U-Boot FIT"; | ||
| 357 | loadables = "uboot"; | ||
| 358 | fdt = "fdt"; | ||
| 359 | }; | ||
| 360 | }; | ||
| 361 | }; | ||
| 362 | EOF | ||
| 363 | |||
| 364 | # | ||
| 365 | # Assemble the U-boot FIT image | ||
| 366 | # | ||
| 367 | ${UBOOT_MKIMAGE} \ | ||
| 368 | ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ | ||
| 369 | -f ${uboot_its} \ | ||
| 370 | ${uboot_bin} | ||
| 371 | |||
| 372 | if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then | ||
| 373 | # | ||
| 374 | # Sign the U-boot FIT image and add public key to SPL dtb | ||
| 375 | # | ||
| 376 | ${UBOOT_MKIMAGE_SIGN} \ | ||
| 377 | ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ | ||
| 378 | -F -k "${SPL_SIGN_KEYDIR}" \ | ||
| 379 | -K "${spl_dtb}" \ | ||
| 380 | -r ${uboot_bin} \ | ||
| 381 | ${UBOOT_MKIMAGE_SIGN_ARGS} | ||
| 382 | fi | ||
| 383 | |||
| 384 | } | ||
| 385 | |||
| 386 | do_uboot_assemble_fitimage() { | ||
| 387 | # This function runs in KERNEL_PN context. The reason for that is that we need to | ||
| 388 | # support the scenario where UBOOT_SIGN_ENABLE is placing the Kernel fitImage's | ||
| 389 | # pubkey in the u-boot.dtb file, so that we can use it when building the U-Boot | ||
| 390 | # fitImage itself. | ||
| 391 | if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ | ||
| 392 | [ -n "${SPL_DTB_BINARY}" -a "${PN}" = "${KERNEL_PN}" ] ; then | ||
| 393 | if [ "${UBOOT_SIGN_ENABLE}" != "1" ]; then | ||
| 394 | # If we're not signing the Kernel fitImage, that means | ||
| 395 | # we need to copy the u-boot.dtb from staging ourselves | ||
| 396 | cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B} | ||
| 397 | fi | ||
| 398 | # As we are in the kernel context, we need to copy u-boot-spl.dtb from staging first. | ||
| 399 | # Unfortunately, need to glob on top of ${SPL_DTB_BINARY} since _IMAGE and _SYMLINK | ||
| 400 | # will contain U-boot's PV | ||
| 401 | # Similarly, we need to get the filename for the 'stub' u-boot-fitimage + its in | ||
| 402 | # staging so that we can use it for creating the image with the correct filename | ||
| 403 | # in the KERNEL_PN context. | ||
| 404 | # As for the u-boot.dtb (with fitimage's pubkey), it should come from the dependent | ||
| 405 | # do_assemble_fitimage task | ||
| 406 | cp -P ${STAGING_DATADIR}/u-boot-spl*.dtb ${B} | ||
| 407 | cp -P ${STAGING_DATADIR}/u-boot-nodtb*.bin ${B} | ||
| 408 | kernel_uboot_fitimage_name=`basename ${STAGING_DATADIR}/u-boot-fitImage-*` | ||
| 409 | kernel_uboot_its_name=`basename ${STAGING_DATADIR}/u-boot-its-*` | ||
| 410 | cd ${B} | ||
| 411 | uboot_fitimage_assemble ${kernel_uboot_its_name} ${UBOOT_NODTB_BINARY} \ | ||
| 412 | ${UBOOT_DTB_BINARY} ${kernel_uboot_fitimage_name} \ | ||
| 413 | ${SPL_DTB_BINARY} | ||
| 414 | fi | ||
| 415 | } | ||
| 416 | |||
| 417 | addtask uboot_assemble_fitimage before do_deploy after do_compile | ||
| 418 | |||
| 155 | do_deploy_prepend_pn-${UBOOT_PN}() { | 419 | do_deploy_prepend_pn-${UBOOT_PN}() { |
| 156 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ]; then | 420 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then |
| 157 | concat_dtb | 421 | concat_dtb |
| 158 | fi | 422 | fi |
| 423 | if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then | ||
| 424 | concat_spl_dtb | ||
| 425 | fi | ||
| 426 | |||
| 427 | # We only deploy the symlinks to the uboot-fitImage and uboot-its | ||
| 428 | # images, as the KERNEL_PN will take care of deploying the real file | ||
| 429 | if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then | ||
| 430 | ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_BINARY} | ||
| 431 | ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK} | ||
| 432 | ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS} | ||
| 433 | ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS_SYMLINK} | ||
| 434 | fi | ||
| 435 | |||
| 159 | } | 436 | } |
| 160 | 437 | ||
| 161 | do_deploy_append_pn-${UBOOT_PN}() { | 438 | do_deploy_append_pn-${UBOOT_PN}() { |
| @@ -168,9 +445,27 @@ do_deploy_append_pn-${UBOOT_PN}() { | |||
| 168 | } | 445 | } |
| 169 | 446 | ||
| 170 | python () { | 447 | python () { |
| 171 | if d.getVar('UBOOT_SIGN_ENABLE') == '1' and d.getVar('PN') == d.getVar('UBOOT_PN') and d.getVar('UBOOT_DTB_BINARY'): | 448 | if ( (d.getVar('UBOOT_SIGN_ENABLE') == '1' |
| 172 | kernel_pn = d.getVar('PREFERRED_PROVIDER_virtual/kernel') | 449 | or d.getVar('UBOOT_FITIMAGE_ENABLE') == '1') |
| 450 | and d.getVar('PN') == d.getVar('UBOOT_PN') | ||
| 451 | and d.getVar('UBOOT_DTB_BINARY')): | ||
| 173 | 452 | ||
| 174 | # Make "bitbake u-boot -cdeploy" deploys the signed u-boot.dtb | 453 | # Make "bitbake u-boot -cdeploy" deploys the signed u-boot.dtb |
| 175 | d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % kernel_pn) | 454 | # and/or the U-Boot fitImage |
| 455 | d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % d.getVar('KERNEL_PN')) | ||
| 456 | |||
| 457 | if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' and d.getVar('PN') == d.getVar('KERNEL_PN'): | ||
| 458 | # As the U-Boot fitImage is created by the KERNEL_PN, we need | ||
| 459 | # to make sure that the u-boot-spl.dtb and u-boot-spl-nodtb.bin | ||
| 460 | # files are in the staging dir for it's use | ||
| 461 | d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % d.getVar('UBOOT_PN')) | ||
| 462 | |||
| 463 | # If the Kernel fitImage is being signed, we need to | ||
| 464 | # create the U-Boot fitImage after it | ||
| 465 | if d.getVar('UBOOT_SIGN_ENABLE') == '1': | ||
| 466 | if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1": | ||
| 467 | d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage_initramfs' % d.getVar('KERNEL_PN')) | ||
| 468 | else: | ||
| 469 | d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage' % d.getVar('KERNEL_PN')) | ||
| 470 | |||
| 176 | } | 471 | } |