summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorUsama Arif <usama.arif@arm.com>2020-09-30 11:48:00 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-10-06 23:14:24 +0100
commite65267d3768429a39967de3c283c981a5848913e (patch)
treeb828a5b5924ce6cc4fc16314b754aade5e62650b /meta
parenta6b78aa2541c9b348e6bd5e53bd1c8efa0faadf2 (diff)
downloadpoky-e65267d3768429a39967de3c283c981a5848913e.tar.gz
kernel-fitimage: generate openssl RSA keys for signing fitimage
The keys are only generated if they dont exist. The key generation can be turned off by setting FIT_GENERATE_KEYS to "0". The default key length for private keys is 2048 and the default format for public key certificate is x.509. (From OE-Core rev: 8dfaf5cd4eb5c8e352e7833ec47db1a14ea58b47) Signed-off-by: Usama Arif <usama.arif@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/kernel-fitimage.bbclass44
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index fa4ea6feef..bb2f3c4ccc 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
56# fitImage Signature Algo 56# fitImage Signature Algo
57FIT_SIGN_ALG ?= "rsa2048" 57FIT_SIGN_ALG ?= "rsa2048"
58 58
59# Generate keys for signing fitImage
60FIT_GENERATE_KEYS ?= "0"
61
62# Size of private key in number of bits
63FIT_SIGN_NUMBITS ?= "2048"
64
65# args to openssl genrsa (Default is just the public exponent)
66FIT_KEY_GENRSA_ARGS ?= "-F4"
67
68# args to openssl req (Default is -batch for non interactive mode and
69# -new for new certificate)
70FIT_KEY_REQ_ARGS ?= "-batch -new"
71
72# Standard format for public key certificate
73FIT_KEY_SIGN_PKCS ?= "-x509"
74
59# 75#
60# Emit the fitImage ITS header 76# Emit the fitImage ITS header
61# 77#
@@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
522 538
523addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs 539addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
524 540
541do_generate_rsa_keys() {
542 if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
543 bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
544 fi
545
546 if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
547
548 # Generate keys only if they don't already exist
549 if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
550 [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then
551
552 # make directory if it does not already exist
553 mkdir -p "${UBOOT_SIGN_KEYDIR}"
554
555 echo "Generating RSA private key for signing fitImage"
556 openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
557 "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
558 "${FIT_SIGN_NUMBITS}"
559
560 echo "Generating certificate for signing fitImage"
561 openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
562 -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
563 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
564 fi
565 fi
566}
567
568addtask generate_rsa_keys before do_assemble_fitimage after do_compile
525 569
526kernel_do_deploy[vardepsexclude] = "DATETIME" 570kernel_do_deploy[vardepsexclude] = "DATETIME"
527kernel_do_deploy_append() { 571kernel_do_deploy_append() {