u-boot: kernel-fitimage: Restore FIT_SIGN_INDIVIDUAL="1" behavior

OE FIT_SIGN_INDIVIDUAL is implemented in an unusual manner,
where the resulting signed fitImage contains both signed
images and signed configurations, possibly using different
keys. This kind of signing of images is redundant, but so is
the behavior of FIT_SIGN_INDIVIDUAL="1" and that is here to
stay.

Adjust the process of public key insertion into u-boot.dtb
such that if FIT_SIGN_INDIVIDUAL==1, the image signing key
is inserted into u-boot.dtb first, and in any case the
configuration signing key is inserted into u-boot.dtb last.

The verification of the keys inserted into u-boot.dtb against
unused.itb is performed only for FIT_SIGN_INDIVIDUAL!=1 due to
mkimage limitation, which does not allow mkimage -f auto-conf
to update the generated unused.itb, and instead rewrites it.

Fixes: 259bfa86f384 ("u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled")
(From OE-Core rev: 699822a163a4efa32735f75d21fde4ffa195c0e0)

Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0106e5efab99c8016836a2ab71e2327ce58a9a9d)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

1 files changed, 51 insertions, 9 deletions

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 96c47ab016..5c579a9fb0 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -101,27 +101,69 @@ concat_dtb() {
         binary="$2"
 
         if [ -e "${UBOOT_DTB_BINARY}" ]; then
-                # Re-sign the kernel in order to add the keys to our dtb
-                UBOOT_MKIMAGE_MODE="auto-conf"
                 # Signing individual images is not recommended as that
                 # makes fitImage susceptible to mix-and-match attack.
+                #
+                # OE FIT_SIGN_INDIVIDUAL is implemented in an unusual manner,
+                # where the resulting signed fitImage contains both signed
+                # images and signed configurations. This is redundant. In
+                # order to prevent mix-and-match attack, it is sufficient
+                # to sign configurations. The FIT_SIGN_INDIVIDUAL = "1"
+                # support is kept to avoid breakage of existing layers, but
+                # it is highly recommended to avoid FIT_SIGN_INDIVIDUAL = "1",
+                # i.e. set FIT_SIGN_INDIVIDUAL = "0" .
                 if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then
-                        UBOOT_MKIMAGE_MODE="auto"
+                        # Sign dummy image images in order to
+                        # add the image signing keys to our dtb
+                        ${UBOOT_MKIMAGE_SIGN} \
+                                ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+                                -f auto \
+                                -k "${UBOOT_SIGN_KEYDIR}" \
+                                -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
+                                -g "${UBOOT_SIGN_IMG_KEYNAME}" \
+                                -K "${UBOOT_DTB_BINARY}" \
+                                -d /dev/null \
+                                -r ${B}/unused.itb \
+                                ${UBOOT_MKIMAGE_SIGN_ARGS}
                 fi
+
+                # Sign dummy image configurations in order to
+                # add the configuration signing keys to our dtb
                 ${UBOOT_MKIMAGE_SIGN} \
                         ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-                        -f $UBOOT_MKIMAGE_MODE \
+                        -f auto-conf \
                         -k "${UBOOT_SIGN_KEYDIR}" \
                         -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \
-                        -g "${UBOOT_SIGN_IMG_KEYNAME}" \
+                        -g "${UBOOT_SIGN_KEYNAME}" \
                         -K "${UBOOT_DTB_BINARY}" \
                         -d /dev/null \
                         -r ${B}/unused.itb \
                         ${UBOOT_MKIMAGE_SIGN_ARGS}
-                # Verify the kernel image and u-boot dtb
-                ${UBOOT_FIT_CHECK_SIGN} \
-                        -k "${UBOOT_DTB_BINARY}" \
-                        -f ${B}/unused.itb
+
+                # Verify the dummy fitImage signature against u-boot.dtb
+                # augmented using public key material.
+                #
+                # This only works for FIT_SIGN_INDIVIDUAL = "0", because
+                # mkimage -f auto-conf does not support -F to extend the
+                # existing unused.itb , and instead rewrites unused.itb
+                # from scratch.
+                #
+                # Using two separate unused.itb for mkimage -f auto and
+                # mkimage -f auto-conf invocation above would not help, as
+                # the signature verification process below checks whether
+                # all keys inserted into u-boot.dtb /signature node pass
+                # the verification. Separate unused.itb would each miss one
+                # of the signatures.
+                #
+                # The FIT_SIGN_INDIVIDUAL = "1" support is kept to avoid
+                # breakage of existing layers, but it is highly recommended
+                # to not use FIT_SIGN_INDIVIDUAL = "1", i.e. set
+                # FIT_SIGN_INDIVIDUAL = "0" .
+                if [ "${FIT_SIGN_INDIVIDUAL}" != "1" ] ; then
+                        ${UBOOT_FIT_CHECK_SIGN} \
+                                -k "${UBOOT_DTB_BINARY}" \
+                                -f ${B}/unused.itb
+                fi
                 cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED}
         fi