diff options
| author | Usama Arif <usama.arif@arm.com> | 2020-09-30 11:48:00 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-10-06 23:14:24 +0100 |
| commit | e65267d3768429a39967de3c283c981a5848913e (patch) | |
| tree | b828a5b5924ce6cc4fc16314b754aade5e62650b /meta | |
| parent | a6b78aa2541c9b348e6bd5e53bd1c8efa0faadf2 (diff) | |
| download | poky-e65267d3768429a39967de3c283c981a5848913e.tar.gz | |
kernel-fitimage: generate openssl RSA keys for signing fitimage
The keys are only generated if they dont exist. The key
generation can be turned off by setting FIT_GENERATE_KEYS to "0".
The default key length for private keys is 2048 and the default
format for public key certificate is x.509.
(From OE-Core rev: 8dfaf5cd4eb5c8e352e7833ec47db1a14ea58b47)
Signed-off-by: Usama Arif <usama.arif@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index fa4ea6feef..bb2f3c4ccc 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass | |||
| @@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256" | |||
| 56 | # fitImage Signature Algo | 56 | # fitImage Signature Algo |
| 57 | FIT_SIGN_ALG ?= "rsa2048" | 57 | FIT_SIGN_ALG ?= "rsa2048" |
| 58 | 58 | ||
| 59 | # Generate keys for signing fitImage | ||
| 60 | FIT_GENERATE_KEYS ?= "0" | ||
| 61 | |||
| 62 | # Size of private key in number of bits | ||
| 63 | FIT_SIGN_NUMBITS ?= "2048" | ||
| 64 | |||
| 65 | # args to openssl genrsa (Default is just the public exponent) | ||
| 66 | FIT_KEY_GENRSA_ARGS ?= "-F4" | ||
| 67 | |||
| 68 | # args to openssl req (Default is -batch for non interactive mode and | ||
| 69 | # -new for new certificate) | ||
| 70 | FIT_KEY_REQ_ARGS ?= "-batch -new" | ||
| 71 | |||
| 72 | # Standard format for public key certificate | ||
| 73 | FIT_KEY_SIGN_PKCS ?= "-x509" | ||
| 74 | |||
| 59 | # | 75 | # |
| 60 | # Emit the fitImage ITS header | 76 | # Emit the fitImage ITS header |
| 61 | # | 77 | # |
| @@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() { | |||
| 522 | 538 | ||
| 523 | addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs | 539 | addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs |
| 524 | 540 | ||
| 541 | do_generate_rsa_keys() { | ||
| 542 | if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 543 | bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." | ||
| 544 | fi | ||
| 545 | |||
| 546 | if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then | ||
| 547 | |||
| 548 | # Generate keys only if they don't already exist | ||
| 549 | if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ | ||
| 550 | [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then | ||
| 551 | |||
| 552 | # make directory if it does not already exist | ||
| 553 | mkdir -p "${UBOOT_SIGN_KEYDIR}" | ||
| 554 | |||
| 555 | echo "Generating RSA private key for signing fitImage" | ||
| 556 | openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ | ||
| 557 | "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 558 | "${FIT_SIGN_NUMBITS}" | ||
| 559 | |||
| 560 | echo "Generating certificate for signing fitImage" | ||
| 561 | openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ | ||
| 562 | -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ | ||
| 563 | -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt | ||
| 564 | fi | ||
| 565 | fi | ||
| 566 | } | ||
| 567 | |||
| 568 | addtask generate_rsa_keys before do_assemble_fitimage after do_compile | ||
| 525 | 569 | ||
| 526 | kernel_do_deploy[vardepsexclude] = "DATETIME" | 570 | kernel_do_deploy[vardepsexclude] = "DATETIME" |
| 527 | kernel_do_deploy_append() { | 571 | kernel_do_deploy_append() { |