summaryrefslogtreecommitdiffstats
path: root/meta/classes
diff options
context:
space:
mode:
authorMing Liu <liu.ming50@gmail.com>2021-05-22 10:25:41 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-25 10:05:19 +0100
commitc20055e8bb90613985a23024602420313dc71906 (patch)
treeb3aa75b9fdeaf5d25cf4acca8b3918f8bdce30c9 /meta/classes
parent0ce91adbbf8d6a0ceb7c736e3e09b31f383215a8 (diff)
downloadpoky-c20055e8bb90613985a23024602420313dc71906.tar.gz
uboot-sign/kernel-fitimage: split generate_rsa_keys task
Currently generate_rsa_keys tasks are being executed parallelly in kernel and uboot's task list, and both of them are calling openssl to generate rsa keys in same path, this can lead to race condition. Let's split it to kernel_generate_rsa_keys and uboot_generate_rsa_keys. (From OE-Core rev: 36814f5467c9abd84aeb05916b4fd49f766f4f9f) Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
-rw-r--r--meta/classes/kernel-fitimage.bbclass37
-rw-r--r--meta/classes/uboot-sign.bbclass29
2 files changed, 34 insertions, 32 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 67cbda4d93..e363eeb64c 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -667,7 +667,34 @@ do_assemble_fitimage_initramfs() {
667 667
668addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs 668addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
669 669
670addtask generate_rsa_keys before do_assemble_fitimage after do_compile 670do_kernel_generate_rsa_keys() {
671 if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
672 bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
673 fi
674
675 if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
676
677 # Generate keys only if they don't already exist
678 if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
679 [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
680
681 # make directory if it does not already exist
682 mkdir -p "${UBOOT_SIGN_KEYDIR}"
683
684 echo "Generating RSA private key for signing fitImage"
685 openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
686 "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
687 "${FIT_SIGN_NUMBITS}"
688
689 echo "Generating certificate for signing fitImage"
690 openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
691 -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
692 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
693 fi
694 fi
695}
696
697addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile
671 698
672kernel_do_deploy[vardepsexclude] = "DATETIME" 699kernel_do_deploy[vardepsexclude] = "DATETIME"
673kernel_do_deploy_append() { 700kernel_do_deploy_append() {
@@ -718,13 +745,13 @@ kernel_do_deploy_append() {
718# - Removes do_assemble_fitimage. FIT generation is done through 745# - Removes do_assemble_fitimage. FIT generation is done through
719# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed 746# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
720# and should not be part of the tasks to be executed. 747# and should not be part of the tasks to be executed.
721# - Since do_generate_rsa_keys is inserted by default 748# - Since do_kernel_generate_rsa_keys is inserted by default
722# between do_compile and do_assemble_fitimage, this is 749# between do_compile and do_assemble_fitimage, this is
723# not suitable in case of initramfs bundles. do_generate_rsa_keys 750# not suitable in case of initramfs bundles. do_kernel_generate_rsa_keys
724# should be between do_bundle_initramfs and do_assemble_fitimage_initramfs. 751# should be between do_bundle_initramfs and do_assemble_fitimage_initramfs.
725python () { 752python () {
726 if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1": 753 if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
727 bb.build.deltask('do_assemble_fitimage', d) 754 bb.build.deltask('do_assemble_fitimage', d)
728 bb.build.deltask('generate_rsa_keys', d) 755 bb.build.deltask('kernel_generate_rsa_keys', d)
729 bb.build.addtask('generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d) 756 bb.build.addtask('kernel_generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d)
730} 757}
diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index d11882f90f..29b2edc833 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -255,32 +255,7 @@ do_install_append() {
255 fi 255 fi
256} 256}
257 257
258do_generate_rsa_keys() { 258do_uboot_generate_rsa_keys() {
259 if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
260 bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
261 fi
262
263 if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
264
265 # Generate keys only if they don't already exist
266 if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
267 [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
268
269 # make directory if it does not already exist
270 mkdir -p "${UBOOT_SIGN_KEYDIR}"
271
272 echo "Generating RSA private key for signing fitImage"
273 openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
274 "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
275 "${FIT_SIGN_NUMBITS}"
276
277 echo "Generating certificate for signing fitImage"
278 openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
279 -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
280 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
281 fi
282 fi
283
284 if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then 259 if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
285 bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." 260 bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
286 fi 261 fi
@@ -308,7 +283,7 @@ do_generate_rsa_keys() {
308 283
309} 284}
310 285
311addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile 286addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
312 287
313# Create a ITS file for the U-boot FIT, for use when 288# Create a ITS file for the U-boot FIT, for use when
314# we want to sign it so that the SPL can verify it 289# we want to sign it so that the SPL can verify it