| author | Yannick Gicquel <yannick.gicquel@iot.bzh> | 2016-04-27 16:20:56 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-05-06 10:31:14 +0100 |
| commit | f088e693b2bf960ce027be75e835371abfe74e95 (patch) | |
| tree | 35b8abb06b2bc1ca58d643f45276135a6e5c2523 | |
| parent | cb565d5b4009432be2d10568aa07367ca7912770 (diff) | |
| download | poky-f088e693b2bf960ce027be75e835371abfe74e95.tar.gz | |
kernel: fitimage: basic support for fitimage signature
This is an initial support of fitImage signature to enable U-Boot verified
boot. This feature is implemented by adding a signature tag to the
configuration section of the generated fit-image.its file.
When a UBOOT_SIGN_ENABLE variable is set to "1", the signature procedure is
activated and performs a second call to mkimage to sign the fitImage file and
to include the public key in the deployed U-Boot device tree blob. (This
implementation depends on the use of CONFIG_OF_SEPARATE in U-Boot.)
Because the U-Boot device tree blob in the deploy dir is modified in place (the public key is appended to it), a dependency
on 'u-boot:do_deploy' is added when the feature is activated.
(From OE-Core rev: 38d675f568ed67505896f20dd9738ce80feece08)
Signed-off-by: Yannick Gicquel <yannick.gicquel@iot.bzh>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 45 |
1 files changed, 43 insertions, 2 deletions
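--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -1,4 +1,4 @@
-inherit kernel-uboot
+inherit kernel-uboot uboot-sign
 
 python __anonymous () {
 kerneltype = d.getVar('KERNEL_IMAGETYPE', True)
@@ -15,6 +15,13 @@ python __anonymous () {
 image = d.getVar('INITRAMFS_IMAGE', True)
 if image:
 d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
+
+# Verified boot will sign the fitImage and append the public key to
+# U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
+# the fitImage:
+if d.getVar('UBOOT_SIGN_ENABLE', True):
+uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot', True) or 'u-boot'
+d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_deploy' % uboot_pn)
 }
 
 # Options for the device tree compiler passed to mkimage '-D' feature:
@@ -132,6 +139,9 @@ EOF
 fitimage_emit_section_config() {
 
 conf_csum="sha1"
+if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then
+conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+fi
 
 # Test if we have any DTBs at all
 if [ -z "${2}" ] ; then
@@ -152,6 +162,26 @@ fitimage_emit_section_config() {
 hash@1 {
 algo = "${conf_csum}";
 };
+EOF
+
+if [ ! -z "${conf_sign_keyname}" ] ; then
+
+if [ -z "${2}" ] ; then
+sign_line="sign-images = \"kernel\";"
+else
+sign_line="sign-images = \"fdt\", \"kernel\";"
+fi
+
+cat << EOF >> fit-image.its
+signature@1 {
+algo = "${conf_csum},rsa2048";
+key-name-hint = "${conf_sign_keyname}";
+sign-images = "fdt", "kernel";
+};
+EOF
+fi
+
+cat << EOF >> fit-image.its
 };
 EOF
 }
@@ -160,7 +190,7 @@ do_assemble_fitimage() {
 if test "x${KERNEL_IMAGETYPE}" = "xfitImage" ; then
 kernelcount=1
 dtbcount=""
-rm -f fit-image.its
+rm -f fit-image.its arch/${ARCH}/boot/fitImage
 
 fitimage_emit_fit_header
 
@@ -216,6 +246,17 @@ do_assemble_fitimage() {
 ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
 -f fit-image.its \
 arch/${ARCH}/boot/fitImage
+
+#
+# Step 5: Sign the image and add public key to U-Boot dtb
+#
+if test -n "${UBOOT_SIGN_ENABLE}"; then
+uboot-mkimage \
+${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+-F -k "${UBOOT_SIGN_KEYDIR}" \
+-K "${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_BINARY}" \
+-r arch/${ARCH}/boot/fitImage
+fi
 fi
 }
 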
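Review bot: In the signature node emitted by fitimage_emit_section_config, `sign_line` is computed at new lines 170-172 but never used — the heredoc hardcodes `sign-images = "fdt", "kernel";`, so a fitImage assembled with no DTBs (`${2}` empty) gets a signature whose sign-images names an `fdt` image that does not exist, and the sign step or later U-Boot verification will presumably reject it; that heredoc line should be `${sign_line}`. A second caveat for a verified-boot feature: the signature algorithm is derived from the configuration checksum, so it always comes out as `sha1,rsa2048`; deployments that care about signature strength will want the signature hash to be selectable (for example sha256) rather than tied to `conf_csum`. Also, `UBOOT_SIGN_ENABLE` is tested with `-n` in the shell hunks and by truthiness in the Python hunk, so `UBOOT_SIGN_ENABLE = "0"` still enables signing even though the description says the variable is set to "1"; comparing against `"1"` explicitly in both places would match the documented contract. Both fitimage_emit_section_config and do_assemble_fitimage extend beyond the shown hunks.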
