From c20055e8bb90613985a23024602420313dc71906 Mon Sep 17 00:00:00 2001
From: Ming Liu <liu.ming50@gmail.com>
Date: Sat, 22 May 2021 10:25:41 +0200
Subject: uboot-sign/kernel-fitimage: split generate_rsa_keys task

Currently generate_rsa_keys tasks are being executed parallelly in
kernel and uboot's task list, and both of them are calling openssl to
generate rsa keys in same path, this can lead to race condition.

Let's split it to kernel_generate_rsa_keys and uboot_generate_rsa_keys.

(From OE-Core rev: 36814f5467c9abd84aeb05916b4fd49f766f4f9f)

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/classes/uboot-sign.bbclass | 29 ++---------------------------
 1 file changed, 2 insertions(+), 27 deletions(-)

(limited to 'meta/classes/uboot-sign.bbclass')

diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index d11882f90f..29b2edc833 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -255,32 +255,7 @@ do_install_append() {
 	fi
 }
 
-do_generate_rsa_keys() {
-	if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
-		bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
-	fi
-
-	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
-
-		# Generate keys only if they don't already exist
-		if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
-			[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
-
-			# make directory if it does not already exist
-			mkdir -p "${UBOOT_SIGN_KEYDIR}"
-
-			echo "Generating RSA private key for signing fitImage"
-			openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
-				"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-				"${FIT_SIGN_NUMBITS}"
-
-			echo "Generating certificate for signing fitImage"
-			openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
-				-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-				-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
-		fi
-	fi
-
+do_uboot_generate_rsa_keys() {
 	if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
 		bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
 	fi
@@ -308,7 +283,7 @@ do_generate_rsa_keys() {
 
 }
 
-addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
+addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
 
 # Create a ITS file for the U-boot FIT, for use when
 # we want to sign it so that the SPL can verify it
-- 
cgit v1.2.3-54-g00ecf