-rw-r--r-- | meta/classes/uboot-config.bbclass | 2 | ||||
-rw-r--r-- | meta/classes/uboot-sign.bbclass | 53 |
2 files changed, 45 insertions, 10 deletions
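--- a/meta/classes/uboot-config.bbclass
+++ b/meta/classes/uboot-config.bbclass
@@ -61,6 +61,7 @@ UBOOT_EXTLINUX_SYMLINK ?= "${UBOOT_EXTLINUX_CONF_NAME}-${MACHINE}-${PR}"
 
 # Options for the device tree compiler passed to mkimage '-D' feature:
 UBOOT_MKIMAGE_DTCOPTS ??= ""
+SPL_MKIMAGE_DTCOPTS ??= ""
 
 # mkimage command
 UBOOT_MKIMAGE ?= "uboot-mkimage"
@@ -68,6 +69,7 @@ UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
 
 # Arguments passed to mkimage for signing
 UBOOT_MKIMAGE_SIGN_ARGS ?= ""
+SPL_MKIMAGE_SIGN_ARGS ?= ""
 
 python () {
 ubootmachine = d.getVar("UBOOT_MACHINE")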
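Review bot: The added defaults `SPL_MKIMAGE_DTCOPTS` and `SPL_MKIMAGE_SIGN_ARGS` sit under comments written for the UBOOT_ variables, so nothing in this file says which image each one applies to. Going by the uboot-sign.bbclass changes on this page, the SPL_ variants are the ones used when the U-Boot fitImage is assembled and signed with the key whose public half goes into the SPL dtb. A line such as `# SPL_MKIMAGE_SIGN_ARGS: extra mkimage arguments when signing the U-Boot fitImage verified by SPL` above each new default would keep users from overriding the wrong variable.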
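--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -65,27 +65,34 @@ SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin"
 # U-Boot fitImage description
 UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
 
-# fitImage Hash Algo
+# Kernel / U-Boot fitImage Hash Algo
 FIT_HASH_ALG ?= "sha256"
+UBOOT_FIT_HASH_ALG ?= "sha256"
 
-# fitImage Signature Algo
+# Kernel / U-Boot fitImage Signature Algo
 FIT_SIGN_ALG ?= "rsa2048"
+UBOOT_FIT_SIGN_ALG ?= "rsa2048"
 
-# Generate keys for signing fitImage
+# Generate keys for signing Kernel / U-Boot fitImage
 FIT_GENERATE_KEYS ?= "0"
+UBOOT_FIT_GENERATE_KEYS ?= "0"
 
-# Size of private key in number of bits
+# Size of private keys in number of bits
 FIT_SIGN_NUMBITS ?= "2048"
+UBOOT_FIT_SIGN_NUMBITS ?= "2048"
 
 # args to openssl genrsa (Default is just the public exponent)
 FIT_KEY_GENRSA_ARGS ?= "-F4"
+UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
 
 # args to openssl req (Default is -batch for non interactive mode and
 # -new for new certificate)
 FIT_KEY_REQ_ARGS ?= "-batch -new"
+UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
 
 # Standard format for public key certificate
 FIT_KEY_SIGN_PKCS ?= "-x509"
+UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
 
 # Functions on this bbclass can apply to either U-boot or Kernel,
 # depending on the scenario
@@ -280,6 +287,32 @@ do_generate_rsa_keys() {
 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
 fi
 fi
+
+if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
+fi
+
+if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+
+# Generate keys only if they don't already exist
+if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
+[ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
+
+# make directory if it does not already exist
+mkdir -p "${SPL_SIGN_KEYDIR}"
+
+echo "Generating RSA private key for signing U-Boot fitImage"
+openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
+"${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+"${UBOOT_FIT_SIGN_NUMBITS}"
+
+echo "Generating certificate for signing U-Boot fitImage"
+openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
+-key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+-out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
+fi
+fi
+
 }
 
 addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
@@ -292,9 +325,9 @@ uboot_fitimage_assemble() {
 uboot_dtb="${3}"
 uboot_bin="${4}"
 spl_dtb="${5}"
-uboot_csum="${FIT_HASH_ALG}"
-uboot_sign_algo="${FIT_SIGN_ALG}"
-uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+uboot_csum="${UBOOT_FIT_HASH_ALG}"
+uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
+uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
 
 rm -f ${uboot_its} ${uboot_bin}
 
@@ -365,7 +398,7 @@ EOF
 # Assemble the U-boot FIT image
 #
 ${UBOOT_MKIMAGE} \
-${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
 -f ${uboot_its} \
 ${uboot_bin}
 
@@ -374,11 +407,11 @@ EOF
 # Sign the U-boot FIT image and add public key to SPL dtb
 #
 ${UBOOT_MKIMAGE_SIGN} \
-${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
 -F -k "${SPL_SIGN_KEYDIR}" \
 -K "${spl_dtb}" \
 -r ${uboot_bin} \
-${UBOOT_MKIMAGE_SIGN_ARGS}
+${SPL_MKIMAGE_SIGN_ARGS}
 fi
 
 }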
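Review bot: In the SPL key-generation block added to do_generate_rsa_keys, the certificate step still runs `openssl req ${FIT_KEY_REQ_ARGS} ...`, so the `UBOOT_FIT_KEY_REQ_ARGS` default introduced in the first hunk is never read in the visible hunks and a kernel-side override would leak into the U-Boot certificate; the line should read `openssl req ${UBOOT_FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \`. The existence check joins the `.key` and `.crt` tests with `||`, so a key directory that holds the private key but no certificate gets a new key written over the old one, and images signed earlier would no longer verify against the public key placed in the SPL dtb; regenerating only the missing certificate in that case avoids this. With the default `-F4` arguments the private key is written unencrypted under the task's umask, so a comment stating that generated keys are meant for development builds and that production keys should be provisioned into SPL_SIGN_KEYDIR out of band would help. The body of do_generate_rsa_keys begins outside the hunk.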