authorKlaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>2021-03-26 17:14:09 -0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-04-06 11:36:51 +0100
commit575cf33e6b7124899f2eb7c72afb67e67ad2a449 (patch)
tree7e532028097df4cce16de2e7f50a107bd04a7138
parent49d274b61b01dc3b48c58526c932e701deae3b62 (diff)
u-boot: Use a different Key for SPL signing
Duplicate the variables governing u-boot signing so that we can have a different set of keys/parameters signing the SPL. (From OE-Core rev: 0e6b0fefa02356afeb11a32dfee7f0c7c250ab7f) Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/uboot-config.bbclass2
-rw-r--r--meta/classes/uboot-sign.bbclass53
2 files changed, 45 insertions, 10 deletions
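--- a/meta/classes/uboot-config.bbclass
+++ b/meta/classes/uboot-config.bbclass
@@ -61,6 +61,7 @@ UBOOT_EXTLINUX_SYMLINK ?= "${UBOOT_EXTLINUX_CONF_NAME}-${MACHINE}-${PR}"
 
 # Options for the device tree compiler passed to mkimage '-D' feature:
 UBOOT_MKIMAGE_DTCOPTS ??= ""
+SPL_MKIMAGE_DTCOPTS ??= ""
 
 # mkimage command
 UBOOT_MKIMAGE ?= "uboot-mkimage"
@@ -68,6 +69,7 @@ UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
 
 # Arguments passed to mkimage for signing
 UBOOT_MKIMAGE_SIGN_ARGS ?= ""
+SPL_MKIMAGE_SIGN_ARGS ?= ""
 
 python () {
  ubootmachine = d.getVar("UBOOT_MACHINE")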
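Review bot: The two new SPL_* variables are added beneath comments that still describe only the single UBOOT_* setting, so a reader of uboot-config.bbclass cannot tell which image each pair applies to. Suggest extending the comment above `SPL_MKIMAGE_DTCOPTS` to `# Options for the device tree compiler passed to mkimage '-D' feature (SPL_* is used when the U-Boot fitImage is signed into the SPL dtb):` and likewise stating above `SPL_MKIMAGE_SIGN_ARGS` which signing step consumes it. The SPL_* pair's role for the U-Boot fitImage is visible from the uboot-sign.bbclass hunks of this commit; that the UBOOT_* pair remains in use for the kernel fitImage is inferred from the names, not shown on this page.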
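--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -65,27 +65,34 @@ SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin"
 # U-Boot fitImage description
 UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
 
-# fitImage Hash Algo
+# Kernel / U-Boot fitImage Hash Algo
 FIT_HASH_ALG ?= "sha256"
+UBOOT_FIT_HASH_ALG ?= "sha256"
 
-# fitImage Signature Algo
+# Kernel / U-Boot fitImage Signature Algo
 FIT_SIGN_ALG ?= "rsa2048"
+UBOOT_FIT_SIGN_ALG ?= "rsa2048"
 
-# Generate keys for signing fitImage
+# Generate keys for signing Kernel / U-Boot fitImage
 FIT_GENERATE_KEYS ?= "0"
+UBOOT_FIT_GENERATE_KEYS ?= "0"
 
-# Size of private key in number of bits
+# Size of private keys in number of bits
 FIT_SIGN_NUMBITS ?= "2048"
+UBOOT_FIT_SIGN_NUMBITS ?= "2048"
 
 # args to openssl genrsa (Default is just the public exponent)
 FIT_KEY_GENRSA_ARGS ?= "-F4"
+UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
 
 # args to openssl req (Default is -batch for non interactive mode and
 # -new for new certificate)
 FIT_KEY_REQ_ARGS ?= "-batch -new"
+UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
 
 # Standard format for public key certificate
 FIT_KEY_SIGN_PKCS ?= "-x509"
+UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
 
 # Functions on this bbclass can apply to either U-boot or Kernel,
 # depending on the scenario
@@ -280,6 +287,32 @@ do_generate_rsa_keys() {
  -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
  fi
  fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+ bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
+ fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+
+ # Generate keys only if they don't already exist
+ if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
+ [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
+
+ # make directory if it does not already exist
+ mkdir -p "${SPL_SIGN_KEYDIR}"
+
+ echo "Generating RSA private key for signing U-Boot fitImage"
+ openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
+ "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+ "${UBOOT_FIT_SIGN_NUMBITS}"
+
+ echo "Generating certificate for signing U-Boot fitImage"
+ openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
+ -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+ -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
+ fi
+ fi
+
 }
 
 addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
@@ -292,9 +325,9 @@ uboot_fitimage_assemble() {
  uboot_dtb="${3}"
  uboot_bin="${4}"
  spl_dtb="${5}"
- uboot_csum="${FIT_HASH_ALG}"
- uboot_sign_algo="${FIT_SIGN_ALG}"
- uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ uboot_csum="${UBOOT_FIT_HASH_ALG}"
+ uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
+ uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
 
  rm -f ${uboot_its} ${uboot_bin}
 
@@ -365,7 +398,7 @@ EOF
  # Assemble the U-boot FIT image
  #
  ${UBOOT_MKIMAGE} \
- ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+ ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
  -f ${uboot_its} \
  ${uboot_bin}
 
@@ -374,11 +407,11 @@ EOF
  # Sign the U-boot FIT image and add public key to SPL dtb
  #
  ${UBOOT_MKIMAGE_SIGN} \
- ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+ ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
  -F -k "${SPL_SIGN_KEYDIR}" \
  -K "${spl_dtb}" \
  -r ${uboot_bin} \
- ${UBOOT_MKIMAGE_SIGN_ARGS}
+ ${SPL_MKIMAGE_SIGN_ARGS}
  fi
 
 }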
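Review bot: In the new SPL key-generation block of do_generate_rsa_keys the `openssl req` call still reads `${FIT_KEY_REQ_ARGS}` while every other parameter of that block uses its new UBOOT_FIT_* counterpart, so the `UBOOT_FIT_KEY_REQ_ARGS` variable introduced in the first hunk is never consulted and an SPL-specific override of the req arguments is silently ignored. The line should read `openssl req ${UBOOT_FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \`. The bbwarn text also has a typo, `eventhough` → `even though`, and the two echo messages say "U-Boot fitImage" while the key files are written under SPL_SIGN_KEYDIR/SPL_SIGN_KEYNAME, which is worth spelling out (for example "for signing U-Boot fitImage (SPL key)") so anyone auditing generated key material can tell which key pair is being created. do_generate_rsa_keys begins outside the hunk.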