1 files changed, 44 insertions, 0 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index fa4ea6feef..bb2f3c4ccc 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
 # fitImage Signature Algo
 FIT_SIGN_ALG ?= "rsa2048"
+# Generate keys for signing fitImage
+FIT_GENERATE_KEYS ?= "0"
+# Size of private key in number of bits
+FIT_SIGN_NUMBITS ?= "2048"
+# args to openssl genrsa (Default is just the public exponent)
+FIT_KEY_GENRSA_ARGS ?= "-F4"
+# args to openssl req (Default is -batch for non interactive mode and
+# -new for new certificate)
+FIT_KEY_REQ_ARGS ?= "-batch -new"
+# Standard format for public key certificate
+FIT_KEY_SIGN_PKCS ?= "-x509"
 #
 # Emit the fitImage ITS header
 #
@@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
 addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
+do_generate_rsa_keys() {
+        if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
+                bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
+        fi
+        if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
+                # Generate keys only if they don't already exist
+                if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
+                        [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then
+                        # make directory if it does not already exist
+                        mkdir -p "${UBOOT_SIGN_KEYDIR}"
+                        echo "Generating RSA private key for signing fitImage"
+                        openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+                                "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+                                "${FIT_SIGN_NUMBITS}"
+                        echo "Generating certificate for signing fitImage"
+                        openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+                                -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+                                -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
+                fi
+        fi
+}
+addtask generate_rsa_keys before do_assemble_fitimage after do_compile
 kernel_do_deploy[vardepsexclude] = "DATETIME"
 kernel_do_deploy_append() {

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index fa4ea6feef..bb2f3c4ccc 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass
@@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
56	# fitImage Signature Algo	56	# fitImage Signature Algo
57	FIT_SIGN_ALG ?= "rsa2048"	57	FIT_SIGN_ALG ?= "rsa2048"
58		58
		59	# Generate keys for signing fitImage
		60	FIT_GENERATE_KEYS ?= "0"
		61
		62	# Size of private key in number of bits
		63	FIT_SIGN_NUMBITS ?= "2048"
		64
		65	# args to openssl genrsa (Default is just the public exponent)
		66	FIT_KEY_GENRSA_ARGS ?= "-F4"
		67
		68	# args to openssl req (Default is -batch for non interactive mode and
		69	# -new for new certificate)
		70	FIT_KEY_REQ_ARGS ?= "-batch -new"
		71
		72	# Standard format for public key certificate
		73	FIT_KEY_SIGN_PKCS ?= "-x509"
		74
59	#	75	#
60	# Emit the fitImage ITS header	76	# Emit the fitImage ITS header
61	#	77	#
@@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
522		538
523	addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs	539	addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
524		540
		541	do_generate_rsa_keys() {
		542	if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
		543	bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
		544	fi
		545
		546	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
		547
		548	# Generate keys only if they don't already exist
		549	if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] \|\| \
		550	[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then
		551
		552	# make directory if it does not already exist
		553	mkdir -p "${UBOOT_SIGN_KEYDIR}"
		554
		555	echo "Generating RSA private key for signing fitImage"
		556	openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
		557	"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
		558	"${FIT_SIGN_NUMBITS}"
		559
		560	echo "Generating certificate for signing fitImage"
		561	openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
		562	-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
		563	-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
		564	fi
		565	fi
		566	}
		567
		568	addtask generate_rsa_keys before do_assemble_fitimage after do_compile
525		569
526	kernel_do_deploy[vardepsexclude] = "DATETIME"	570	kernel_do_deploy[vardepsexclude] = "DATETIME"
527	kernel_do_deploy_append() {	571	kernel_do_deploy_append() {