diff options
| author | Ming Liu <liu.ming50@gmail.com> | 2021-05-22 10:25:41 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-05-25 10:05:19 +0100 |
| commit | c20055e8bb90613985a23024602420313dc71906 (patch) | |
| tree | b3aa75b9fdeaf5d25cf4acca8b3918f8bdce30c9 | |
| parent | 0ce91adbbf8d6a0ceb7c736e3e09b31f383215a8 (diff) | |
| download | poky-c20055e8bb90613985a23024602420313dc71906.tar.gz | |
uboot-sign/kernel-fitimage: split generate_rsa_keys task
Currently generate_rsa_keys tasks are being executed parallelly in
kernel and uboot's task list, and both of them are calling openssl to
generate rsa keys in same path, this can lead to race condition.
Let's split it to kernel_generate_rsa_keys and uboot_generate_rsa_keys.
(From OE-Core rev: 36814f5467c9abd84aeb05916b4fd49f766f4f9f)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 37 | ||||
| -rw-r--r-- | meta/classes/uboot-sign.bbclass | 29 |
2 files changed, 34 insertions, 32 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 67cbda4d93..e363eeb64c 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass | |||
| @@ -667,7 +667,34 @@ do_assemble_fitimage_initramfs() { | |||
| 667 | 667 | ||
| 668 | addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs | 668 | addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs |
| 669 | 669 | ||
| 670 | addtask generate_rsa_keys before do_assemble_fitimage after do_compile | 670 | do_kernel_generate_rsa_keys() { |
| 671 | if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 672 | bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." | ||
| 673 | fi | ||
| 674 | |||
| 675 | if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 676 | |||
| 677 | # Generate keys only if they don't already exist | ||
| 678 | if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ | ||
| 679 | [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then | ||
| 680 | |||
| 681 | # make directory if it does not already exist | ||
| 682 | mkdir -p "${UBOOT_SIGN_KEYDIR}" | ||
| 683 | |||
| 684 | echo "Generating RSA private key for signing fitImage" | ||
| 685 | openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ | ||
| 686 | "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 687 | "${FIT_SIGN_NUMBITS}" | ||
| 688 | |||
| 689 | echo "Generating certificate for signing fitImage" | ||
| 690 | openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ | ||
| 691 | -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 692 | -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt | ||
| 693 | fi | ||
| 694 | fi | ||
| 695 | } | ||
| 696 | |||
| 697 | addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile | ||
| 671 | 698 | ||
| 672 | kernel_do_deploy[vardepsexclude] = "DATETIME" | 699 | kernel_do_deploy[vardepsexclude] = "DATETIME" |
| 673 | kernel_do_deploy_append() { | 700 | kernel_do_deploy_append() { |
| @@ -718,13 +745,13 @@ kernel_do_deploy_append() { | |||
| 718 | # - Removes do_assemble_fitimage. FIT generation is done through | 745 | # - Removes do_assemble_fitimage. FIT generation is done through |
| 719 | # do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed | 746 | # do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed |
| 720 | # and should not be part of the tasks to be executed. | 747 | # and should not be part of the tasks to be executed. |
| 721 | # - Since do_generate_rsa_keys is inserted by default | 748 | # - Since do_kernel_generate_rsa_keys is inserted by default |
| 722 | # between do_compile and do_assemble_fitimage, this is | 749 | # between do_compile and do_assemble_fitimage, this is |
| 723 | # not suitable in case of initramfs bundles. do_generate_rsa_keys | 750 | # not suitable in case of initramfs bundles. do_kernel_generate_rsa_keys |
| 724 | # should be between do_bundle_initramfs and do_assemble_fitimage_initramfs. | 751 | # should be between do_bundle_initramfs and do_assemble_fitimage_initramfs. |
| 725 | python () { | 752 | python () { |
| 726 | if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1": | 753 | if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1": |
| 727 | bb.build.deltask('do_assemble_fitimage', d) | 754 | bb.build.deltask('do_assemble_fitimage', d) |
| 728 | bb.build.deltask('generate_rsa_keys', d) | 755 | bb.build.deltask('kernel_generate_rsa_keys', d) |
| 729 | bb.build.addtask('generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d) | 756 | bb.build.addtask('kernel_generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d) |
| 730 | } | 757 | } |
diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index d11882f90f..29b2edc833 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass | |||
| @@ -255,32 +255,7 @@ do_install_append() { | |||
| 255 | fi | 255 | fi |
| 256 | } | 256 | } |
| 257 | 257 | ||
| 258 | do_generate_rsa_keys() { | 258 | do_uboot_generate_rsa_keys() { |
| 259 | if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 260 | bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." | ||
| 261 | fi | ||
| 262 | |||
| 263 | if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 264 | |||
| 265 | # Generate keys only if they don't already exist | ||
| 266 | if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ | ||
| 267 | [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then | ||
| 268 | |||
| 269 | # make directory if it does not already exist | ||
| 270 | mkdir -p "${UBOOT_SIGN_KEYDIR}" | ||
| 271 | |||
| 272 | echo "Generating RSA private key for signing fitImage" | ||
| 273 | openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ | ||
| 274 | "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 275 | "${FIT_SIGN_NUMBITS}" | ||
| 276 | |||
| 277 | echo "Generating certificate for signing fitImage" | ||
| 278 | openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ | ||
| 279 | -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 280 | -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt | ||
| 281 | fi | ||
| 282 | fi | ||
| 283 | |||
| 284 | if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then | 259 | if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then |
| 285 | bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." | 260 | bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." |
| 286 | fi | 261 | fi |
| @@ -308,7 +283,7 @@ do_generate_rsa_keys() { | |||
| 308 | 283 | ||
| 309 | } | 284 | } |
| 310 | 285 | ||
| 311 | addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile | 286 | addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile |
| 312 | 287 | ||
| 313 | # Create a ITS file for the U-boot FIT, for use when | 288 | # Create a ITS file for the U-boot FIT, for use when |
| 314 | # we want to sign it so that the SPL can verify it | 289 | # we want to sign it so that the SPL can verify it |