3 files changed, 82 insertions, 50 deletions
diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass
index 07786647e1..f5f02f30f0 100644
--- a/meta/classes-recipe/kernel-fitimage.bbclass
+++ b/meta/classes-recipe/kernel-fitimage.bbclass
@@ -27,7 +27,10 @@ def get_fit_replacement_type(d):
    return replacementtype
 KERNEL_IMAGETYPE_REPLACEMENT ?= "${@get_fit_replacement_type(d)}"
-DEPENDS:append = " ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''}"
+DEPENDS:append = " \
+    ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''} \
+    ${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''} \
+"
 python __anonymous () {
    # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
@@ -754,53 +757,6 @@ do_assemble_fitimage_initramfs() {
 addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
-do_kernel_generate_rsa_keys() {
-        if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
-                bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
-        fi
-        if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
-                # Generate keys to sign configuration nodes, only if they don't already exist
-                if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
-                        [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
-                        # make directory if it does not already exist
-                        mkdir -p "${UBOOT_SIGN_KEYDIR}"
-                        bbnote "Generating RSA private key for signing fitImage"
-                        openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
-                                "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-                        "${FIT_SIGN_NUMBITS}"
-                        bbnote "Generating certificate for signing fitImage"
-                        openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
-                                -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-                                -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
-                fi
-                # Generate keys to sign image nodes, only if they don't already exist
-                if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
-                        [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
-                        # make directory if it does not already exist
-                        mkdir -p "${UBOOT_SIGN_KEYDIR}"
-                        bbnote "Generating RSA private key for signing fitImage"
-                        openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
-                                "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
-                        "${FIT_SIGN_NUMBITS}"
-                        bbnote "Generating certificate for signing fitImage"
-                        openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
-                                -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
-                                -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
-                fi
-        fi
-}
-addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile
 kernel_do_deploy[vardepsexclude] = "DATETIME"
 kernel_do_deploy:append() {
        # Update deploy directory
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 796c040e8b..73e9ce3f11 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -112,13 +112,14 @@ UBOOT_FIT_CONF_USER_LOADABLES ?= ''
 UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
 UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
+DEPENDS:append = " ${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''}"
 python() {
    # We need u-boot-tools-native if we're creating a U-Boot fitImage
    sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
    if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:
        d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")
-    if d.getVar('FIT_GENERATE_KEYS') == '1' and sign:
-        d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' virtual/kernel:do_kernel_generate_rsa_keys')
 }
 concat_dtb() {
diff --git a/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb b/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb
new file mode 100644
index 0000000000..704973dffb
--- /dev/null
+++ b/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb
@@ -0,0 +1,75 @@
+# Automatically generate key pairs in UBOOT_SIGN_KEYDIR if they do not exist.
+# The key pair is generated by the kernel-signing-keys-native recipe and is not
+# stored in the sstate cache. This can be beneficial from a security standpoint,
+# as it avoids unintentionally caching and distributing private keys.
+# However, this behavior can lead to non-reproducible builds. For example, if
+# the keys are deleted, they must be manually restored, or you must run:
+#   bitbake -c cleanall kernel-signing-keys-native
+# before new key pairs are generated.
+#
+# However, this approach is only suitable for simple or local development use
+# cases. For more advanced or production-grade scenarios, a more robust solution
+# is usually required—such as external signing or re-signing using e.g a HSM.
+SUMMARY = "Signing keys for the kernel FIT image"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+require conf/image-fitimage.conf
+DEPENDS += "openssl-native"
+inherit native
+do_fetch[noexec] = "1"
+do_unpack[noexec] = "1"
+do_patch[noexec] = "1"
+do_configure[noexec] = "1"
+do_install[noexec] = "1"
+do_compile() {
+        if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
+                bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
+        fi
+        if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
+                # Generate keys to sign configuration nodes, only if they don't already exist
+                if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
+                        [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
+                        # make directory if it does not already exist
+                        mkdir -p "${UBOOT_SIGN_KEYDIR}"
+                        bbnote "Generating RSA private key for signing fitImage"
+                        openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+                                "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+                        "${FIT_SIGN_NUMBITS}"
+                        bbnote "Generating certificate for signing fitImage"
+                        openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+                                -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+                                -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
+                fi
+                # Generate keys to sign image nodes, only if they don't already exist
+                if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
+                        [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
+                        # make directory if it does not already exist
+                        mkdir -p "${UBOOT_SIGN_KEYDIR}"
+                        bbnote "Generating RSA private key for signing fitImage"
+                        openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+                                "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+                        "${FIT_SIGN_NUMBITS}"
+                        bbnote "Generating certificate for signing fitImage"
+                        openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+                                -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+                                -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
+                fi
+        fi
+}

diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass index 07786647e1..f5f02f30f0 100644 --- a/meta/classes-recipe/kernel-fitimage.bbclass +++ b/meta/classes-recipe/kernel-fitimage.bbclass
@@ -27,7 +27,10 @@ def get_fit_replacement_type(d):
27	return replacementtype	27	return replacementtype
28		28
29	KERNEL_IMAGETYPE_REPLACEMENT ?= "${@get_fit_replacement_type(d)}"	29	KERNEL_IMAGETYPE_REPLACEMENT ?= "${@get_fit_replacement_type(d)}"
30	DEPENDS:append = " ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''}"	30	DEPENDS:append = " \
		31	${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''} \
		32	${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''} \
		33	"
31		34
32	python __anonymous () {	35	python __anonymous () {
33	# Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal	36	# Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
@@ -754,53 +757,6 @@ do_assemble_fitimage_initramfs() {
754		757
755	addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs	758	addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
756		759
757	do_kernel_generate_rsa_keys() {
758	if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
759	bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
760	fi
761
762	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
763
764	# Generate keys to sign configuration nodes, only if they don't already exist
765	if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] \|\| \
766	[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
767
768	# make directory if it does not already exist
769	mkdir -p "${UBOOT_SIGN_KEYDIR}"
770
771	bbnote "Generating RSA private key for signing fitImage"
772	openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
773	"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
774	"${FIT_SIGN_NUMBITS}"
775
776	bbnote "Generating certificate for signing fitImage"
777	openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
778	-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
779	-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
780	fi
781
782	# Generate keys to sign image nodes, only if they don't already exist
783	if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] \|\| \
784	[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
785
786	# make directory if it does not already exist
787	mkdir -p "${UBOOT_SIGN_KEYDIR}"
788
789	bbnote "Generating RSA private key for signing fitImage"
790	openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
791	"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
792	"${FIT_SIGN_NUMBITS}"
793
794	bbnote "Generating certificate for signing fitImage"
795	openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
796	-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
797	-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
798	fi
799	fi
800	}
801
802	addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile
803
804	kernel_do_deploy[vardepsexclude] = "DATETIME"	760	kernel_do_deploy[vardepsexclude] = "DATETIME"
805	kernel_do_deploy:append() {	761	kernel_do_deploy:append() {
806	# Update deploy directory	762	# Update deploy directory


diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 796c040e8b..73e9ce3f11 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -112,13 +112,14 @@ UBOOT_FIT_CONF_USER_LOADABLES ?= ''
112	UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"	112	UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}"
113	UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"	113	UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}"
114		114
		115
		116	DEPENDS:append = " ${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''}"
		117
115	python() {	118	python() {
116	# We need u-boot-tools-native if we're creating a U-Boot fitImage	119	# We need u-boot-tools-native if we're creating a U-Boot fitImage
117	sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'	120	sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
118	if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:	121	if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:
119	d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")	122	d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")
120	if d.getVar('FIT_GENERATE_KEYS') == '1' and sign:
121	d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' virtual/kernel:do_kernel_generate_rsa_keys')
122	}	123	}
123		124
124	concat_dtb() {	125	concat_dtb() {


diff --git a/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb b/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb new file mode 100644 index 0000000000..704973dffb --- /dev/null +++ b/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb
@@ -0,0 +1,75 @@
		1	# Automatically generate key pairs in UBOOT_SIGN_KEYDIR if they do not exist.
		2	# The key pair is generated by the kernel-signing-keys-native recipe and is not
		3	# stored in the sstate cache. This can be beneficial from a security standpoint,
		4	# as it avoids unintentionally caching and distributing private keys.
		5	# However, this behavior can lead to non-reproducible builds. For example, if
		6	# the keys are deleted, they must be manually restored, or you must run:
		7	# bitbake -c cleanall kernel-signing-keys-native
		8	# before new key pairs are generated.
		9	#
		10	# However, this approach is only suitable for simple or local development use
		11	# cases. For more advanced or production-grade scenarios, a more robust solution
		12	# is usually required—such as external signing or re-signing using e.g a HSM.
		13
		14
		15	SUMMARY = "Signing keys for the kernel FIT image"
		16	LICENSE = "MIT"
		17	LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
		18
		19	require conf/image-fitimage.conf
		20
		21	DEPENDS += "openssl-native"
		22
		23	inherit native
		24
		25	do_fetch[noexec] = "1"
		26	do_unpack[noexec] = "1"
		27	do_patch[noexec] = "1"
		28	do_configure[noexec] = "1"
		29	do_install[noexec] = "1"
		30
		31
		32	do_compile() {
		33	if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
		34	bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
		35	fi
		36
		37	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
		38
		39	# Generate keys to sign configuration nodes, only if they don't already exist
		40	if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] \|\| \
		41	[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
		42
		43	# make directory if it does not already exist
		44	mkdir -p "${UBOOT_SIGN_KEYDIR}"
		45
		46	bbnote "Generating RSA private key for signing fitImage"
		47	openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
		48	"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
		49	"${FIT_SIGN_NUMBITS}"
		50
		51	bbnote "Generating certificate for signing fitImage"
		52	openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
		53	-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
		54	-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
		55	fi
		56
		57	# Generate keys to sign image nodes, only if they don't already exist
		58	if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] \|\| \
		59	[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
		60
		61	# make directory if it does not already exist
		62	mkdir -p "${UBOOT_SIGN_KEYDIR}"
		63
		64	bbnote "Generating RSA private key for signing fitImage"
		65	openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
		66	"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
		67	"${FIT_SIGN_NUMBITS}"
		68
		69	bbnote "Generating certificate for signing fitImage"
		70	openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
		71	-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
		72	-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
		73	fi
		74	fi
		75	}