summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Perrot <thomas.perrot@bootlin.com>2021-08-10 14:30:12 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-08-13 14:44:06 +0100
commit50d8801d72feb4e8a7e78cbbbc0dff889f9b03b0 (patch)
treed88e48f99169da299ebc721fabae7b79a432a759
parenta42896018396d685bbf81261cca20d9d0cfe9817 (diff)
downloadpoky-50d8801d72feb4e8a7e78cbbbc0dff889f9b03b0.tar.gz
kernel-fitimage: images should not be signed with the same keys as the configurations
Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set to "conf" and no error will be raised in case of error. (From OE-Core rev: 080e0dfed710035b2e40187d9d639ecf5ab84be2) Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat
-rw-r--r--meta/classes/kernel-fitimage.bbclass40
1 files changed, 35 insertions, 5 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index a9d1002200..2ef8f06b14 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -60,6 +60,14 @@ FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
60# Sign individual images as well 60# Sign individual images as well
61FIT_SIGN_INDIVIDUAL ?= "0" 61FIT_SIGN_INDIVIDUAL ?= "0"
62 62
63# Keys used to sign individually image nodes.
64# The keys to sign image nodes must be different from those used to sign
65# configuration nodes, otherwise the "required" property, from
66# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
67# Then the images signature checking will not be mandatory and no error will be
68# raised in case of failure.
69# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
70
63# 71#
64# Emit the fitImage ITS header 72# Emit the fitImage ITS header
65# 73#
@@ -121,7 +129,7 @@ fitimage_emit_section_kernel() {
121 129
122 kernel_csum="${FIT_HASH_ALG}" 130 kernel_csum="${FIT_HASH_ALG}"
123 kernel_sign_algo="${FIT_SIGN_ALG}" 131 kernel_sign_algo="${FIT_SIGN_ALG}"
124 kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}" 132 kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
125 133
126 ENTRYPOINT="${UBOOT_ENTRYPOINT}" 134 ENTRYPOINT="${UBOOT_ENTRYPOINT}"
127 if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then 135 if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -167,7 +175,7 @@ fitimage_emit_section_dtb() {
167 175
168 dtb_csum="${FIT_HASH_ALG}" 176 dtb_csum="${FIT_HASH_ALG}"
169 dtb_sign_algo="${FIT_SIGN_ALG}" 177 dtb_sign_algo="${FIT_SIGN_ALG}"
170 dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}" 178 dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
171 179
172 dtb_loadline="" 180 dtb_loadline=""
173 dtb_ext=${DTB##*.} 181 dtb_ext=${DTB##*.}
@@ -214,7 +222,7 @@ fitimage_emit_section_boot_script() {
214 222
215 bootscr_csum="${FIT_HASH_ALG}" 223 bootscr_csum="${FIT_HASH_ALG}"
216 bootscr_sign_algo="${FIT_SIGN_ALG}" 224 bootscr_sign_algo="${FIT_SIGN_ALG}"
217 bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}" 225 bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
218 226
219 cat << EOF >> ${1} 227 cat << EOF >> ${1}
220 bootscr-${2} { 228 bootscr-${2} {
@@ -278,7 +286,7 @@ fitimage_emit_section_ramdisk() {
278 286
279 ramdisk_csum="${FIT_HASH_ALG}" 287 ramdisk_csum="${FIT_HASH_ALG}"
280 ramdisk_sign_algo="${FIT_SIGN_ALG}" 288 ramdisk_sign_algo="${FIT_SIGN_ALG}"
281 ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}" 289 ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
282 ramdisk_loadline="" 290 ramdisk_loadline=""
283 ramdisk_entryline="" 291 ramdisk_entryline=""
284 292
@@ -475,6 +483,10 @@ fitimage_assemble() {
475 bootscr_id="" 483 bootscr_id=""
476 rm -f ${1} arch/${ARCH}/boot/${2} 484 rm -f ${1} arch/${ARCH}/boot/${2}
477 485
486 if [ ! -z "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then
487 bbfatal "Keys used to sign images and configuration nodes must be different."
488 fi
489
478 fitimage_emit_fit_header ${1} 490 fitimage_emit_fit_header ${1}
479 491
480 # 492 #
@@ -674,7 +686,7 @@ do_kernel_generate_rsa_keys() {
674 686
675 if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then 687 if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
676 688
677 # Generate keys only if they don't already exist 689 # Generate keys to sign configuration nodes, only if they don't already exist
678 if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ 690 if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
679 [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then 691 [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
680 692
@@ -691,6 +703,24 @@ do_kernel_generate_rsa_keys() {
691 -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ 703 -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
692 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt 704 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
693 fi 705 fi
706
707 # Generate keys to sign image nodes, only if they don't already exist
708 if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
709 [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
710
711 # make directory if it does not already exist
712 mkdir -p "${UBOOT_SIGN_KEYDIR}"
713
714 echo "Generating RSA private key for signing fitImage"
715 openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
716 "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
717 "${FIT_SIGN_NUMBITS}"
718
719 echo "Generating certificate for signing fitImage"
720 openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
721 -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
722 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
723 fi
694 fi 724 fi
695} 725}
696 726
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-01-09 22:56:58 +0000