diff options
| -rw-r--r-- | meta/classes-recipe/kernel-fitimage.bbclass | 53 | ||||
| -rw-r--r-- | meta/classes-recipe/uboot-sign.bbclass | 26 | ||||
| -rw-r--r-- | meta/conf/image-fitimage.conf | 53 |
3 files changed, 68 insertions, 64 deletions
diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass index 67c98adb23..fe076badfa 100644 --- a/meta/classes-recipe/kernel-fitimage.bbclass +++ b/meta/classes-recipe/kernel-fitimage.bbclass | |||
| @@ -5,6 +5,7 @@ | |||
| 5 | # | 5 | # |
| 6 | 6 | ||
| 7 | inherit kernel-uboot kernel-artifact-names uboot-config | 7 | inherit kernel-uboot kernel-artifact-names uboot-config |
| 8 | require conf/image-fitimage.conf | ||
| 8 | 9 | ||
| 9 | def get_fit_replacement_type(d): | 10 | def get_fit_replacement_type(d): |
| 10 | kerneltypes = d.getVar('KERNEL_IMAGETYPES') or "" | 11 | kerneltypes = d.getVar('KERNEL_IMAGETYPES') or "" |
| @@ -52,58 +53,6 @@ python __anonymous () { | |||
| 52 | d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree") | 53 | d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree") |
| 53 | } | 54 | } |
| 54 | 55 | ||
| 55 | |||
| 56 | # Description string | ||
| 57 | FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" | ||
| 58 | |||
| 59 | # Kernel fitImage Hash Algo | ||
| 60 | FIT_HASH_ALG ?= "sha256" | ||
| 61 | |||
| 62 | # Kernel fitImage Signature Algo | ||
| 63 | FIT_SIGN_ALG ?= "rsa2048" | ||
| 64 | |||
| 65 | # Kernel / U-Boot fitImage Padding Algo | ||
| 66 | FIT_PAD_ALG ?= "pkcs-1.5" | ||
| 67 | |||
| 68 | # Generate keys for signing Kernel fitImage | ||
| 69 | FIT_GENERATE_KEYS ?= "0" | ||
| 70 | |||
| 71 | # Size of private keys in number of bits | ||
| 72 | FIT_SIGN_NUMBITS ?= "2048" | ||
| 73 | |||
| 74 | # args to openssl genrsa (Default is just the public exponent) | ||
| 75 | FIT_KEY_GENRSA_ARGS ?= "-F4" | ||
| 76 | |||
| 77 | # args to openssl req (Default is -batch for non interactive mode and | ||
| 78 | # -new for new certificate) | ||
| 79 | FIT_KEY_REQ_ARGS ?= "-batch -new" | ||
| 80 | |||
| 81 | # Standard format for public key certificate | ||
| 82 | FIT_KEY_SIGN_PKCS ?= "-x509" | ||
| 83 | |||
| 84 | # Sign individual images as well | ||
| 85 | FIT_SIGN_INDIVIDUAL ?= "0" | ||
| 86 | |||
| 87 | FIT_CONF_PREFIX ?= "conf-" | ||
| 88 | FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name" | ||
| 89 | |||
| 90 | FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio" | ||
| 91 | |||
| 92 | # Allow user to select the default DTB for FIT image when multiple dtb's exists. | ||
| 93 | FIT_CONF_DEFAULT_DTB ?= "" | ||
| 94 | |||
| 95 | # length of address in number of <u32> cells | ||
| 96 | # ex: 1 32bits address, 2 64bits address | ||
| 97 | FIT_ADDRESS_CELLS ?= "1" | ||
| 98 | |||
| 99 | # Keys used to sign individually image nodes. | ||
| 100 | # The keys to sign image nodes must be different from those used to sign | ||
| 101 | # configuration nodes, otherwise the "required" property, from | ||
| 102 | # UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image". | ||
| 103 | # Then the images signature checking will not be mandatory and no error will be | ||
| 104 | # raised in case of failure. | ||
| 105 | # UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key") | ||
| 106 | |||
| 107 | # | 56 | # |
| 108 | # Emit the fitImage ITS header | 57 | # Emit the fitImage ITS header |
| 109 | # | 58 | # |
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index a17be745ce..96c47ab016 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass | |||
| @@ -26,6 +26,7 @@ | |||
| 26 | 26 | ||
| 27 | # We need some variables from u-boot-config | 27 | # We need some variables from u-boot-config |
| 28 | inherit uboot-config | 28 | inherit uboot-config |
| 29 | require conf/image-fitimage.conf | ||
| 29 | 30 | ||
| 30 | # Enable use of a U-Boot fitImage | 31 | # Enable use of a U-Boot fitImage |
| 31 | UBOOT_FITIMAGE_ENABLE ?= "0" | 32 | UBOOT_FITIMAGE_ENABLE ?= "0" |
| @@ -85,9 +86,6 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509" | |||
| 85 | # ex: 1 32bits address, 2 64bits address | 86 | # ex: 1 32bits address, 2 64bits address |
| 86 | UBOOT_FIT_ADDRESS_CELLS ?= "1" | 87 | UBOOT_FIT_ADDRESS_CELLS ?= "1" |
| 87 | 88 | ||
| 88 | # This is only necessary for determining the signing configuration | ||
| 89 | KERNEL_PN = "${PREFERRED_PROVIDER_virtual/kernel}" | ||
| 90 | |||
| 91 | UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" | 89 | UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" |
| 92 | UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" | 90 | UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" |
| 93 | 91 | ||
| @@ -96,8 +94,6 @@ python() { | |||
| 96 | sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' | 94 | sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' |
| 97 | if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign: | 95 | if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign: |
| 98 | d.appendVar('DEPENDS', " u-boot-tools-native dtc-native") | 96 | d.appendVar('DEPENDS', " u-boot-tools-native dtc-native") |
| 99 | if sign: | ||
| 100 | d.appendVar('DEPENDS', " " + d.getVar('KERNEL_PN')) | ||
| 101 | } | 97 | } |
| 102 | 98 | ||
| 103 | concat_dtb() { | 99 | concat_dtb() { |
| @@ -106,16 +102,26 @@ concat_dtb() { | |||
| 106 | 102 | ||
| 107 | if [ -e "${UBOOT_DTB_BINARY}" ]; then | 103 | if [ -e "${UBOOT_DTB_BINARY}" ]; then |
| 108 | # Re-sign the kernel in order to add the keys to our dtb | 104 | # Re-sign the kernel in order to add the keys to our dtb |
| 105 | UBOOT_MKIMAGE_MODE="auto-conf" | ||
| 106 | # Signing individual images is not recommended as that | ||
| 107 | # makes fitImage susceptible to mix-and-match attack. | ||
| 108 | if [ "${FIT_SIGN_INDIVIDUAL}" = "1" ] ; then | ||
| 109 | UBOOT_MKIMAGE_MODE="auto" | ||
| 110 | fi | ||
| 109 | ${UBOOT_MKIMAGE_SIGN} \ | 111 | ${UBOOT_MKIMAGE_SIGN} \ |
| 110 | ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ | 112 | ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ |
| 111 | -F -k "${UBOOT_SIGN_KEYDIR}" \ | 113 | -f $UBOOT_MKIMAGE_MODE \ |
| 114 | -k "${UBOOT_SIGN_KEYDIR}" \ | ||
| 115 | -o "${FIT_HASH_ALG},${FIT_SIGN_ALG}" \ | ||
| 116 | -g "${UBOOT_SIGN_IMG_KEYNAME}" \ | ||
| 112 | -K "${UBOOT_DTB_BINARY}" \ | 117 | -K "${UBOOT_DTB_BINARY}" \ |
| 113 | -r ${B}/fitImage-linux \ | 118 | -d /dev/null \ |
| 119 | -r ${B}/unused.itb \ | ||
| 114 | ${UBOOT_MKIMAGE_SIGN_ARGS} | 120 | ${UBOOT_MKIMAGE_SIGN_ARGS} |
| 115 | # Verify the kernel image and u-boot dtb | 121 | # Verify the kernel image and u-boot dtb |
| 116 | ${UBOOT_FIT_CHECK_SIGN} \ | 122 | ${UBOOT_FIT_CHECK_SIGN} \ |
| 117 | -k "${UBOOT_DTB_BINARY}" \ | 123 | -k "${UBOOT_DTB_BINARY}" \ |
| 118 | -f ${B}/fitImage-linux | 124 | -f ${B}/unused.itb |
| 119 | cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} | 125 | cp ${UBOOT_DTB_BINARY} ${UBOOT_DTB_SIGNED} |
| 120 | fi | 126 | fi |
| 121 | 127 | ||
| @@ -351,10 +357,6 @@ uboot_assemble_fitimage_helper() { | |||
| 351 | } | 357 | } |
| 352 | 358 | ||
| 353 | do_uboot_assemble_fitimage() { | 359 | do_uboot_assemble_fitimage() { |
| 354 | if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then | ||
| 355 | cp "${STAGING_DIR_HOST}/sysroot-only/fitImage" "${B}/fitImage-linux" | ||
| 356 | fi | ||
| 357 | |||
| 358 | if [ -n "${UBOOT_CONFIG}" ]; then | 360 | if [ -n "${UBOOT_CONFIG}" ]; then |
| 359 | unset i | 361 | unset i |
| 360 | for config in ${UBOOT_MACHINE}; do | 362 | for config in ${UBOOT_MACHINE}; do |
diff --git a/meta/conf/image-fitimage.conf b/meta/conf/image-fitimage.conf new file mode 100644 index 0000000000..be9ae30134 --- /dev/null +++ b/meta/conf/image-fitimage.conf | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | # Possible options for fitImage generation, mainly | ||
| 2 | # related to signing of the fitImage content. | ||
| 3 | |||
| 4 | # Description string | ||
| 5 | FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" | ||
| 6 | |||
| 7 | # Kernel fitImage Hash Algo | ||
| 8 | FIT_HASH_ALG ?= "sha256" | ||
| 9 | |||
| 10 | # Kernel fitImage Signature Algo | ||
| 11 | FIT_SIGN_ALG ?= "rsa2048" | ||
| 12 | |||
| 13 | # Kernel / U-Boot fitImage Padding Algo | ||
| 14 | FIT_PAD_ALG ?= "pkcs-1.5" | ||
| 15 | |||
| 16 | # Generate keys for signing Kernel fitImage | ||
| 17 | FIT_GENERATE_KEYS ?= "0" | ||
| 18 | |||
| 19 | # Size of private keys in number of bits | ||
| 20 | FIT_SIGN_NUMBITS ?= "2048" | ||
| 21 | |||
| 22 | # args to openssl genrsa (Default is just the public exponent) | ||
| 23 | FIT_KEY_GENRSA_ARGS ?= "-F4" | ||
| 24 | |||
| 25 | # args to openssl req (Default is -batch for non interactive mode and | ||
| 26 | # -new for new certificate) | ||
| 27 | FIT_KEY_REQ_ARGS ?= "-batch -new" | ||
| 28 | |||
| 29 | # Standard format for public key certificate | ||
| 30 | FIT_KEY_SIGN_PKCS ?= "-x509" | ||
| 31 | |||
| 32 | # Sign individual images as well | ||
| 33 | FIT_SIGN_INDIVIDUAL ?= "0" | ||
| 34 | |||
| 35 | FIT_CONF_PREFIX ?= "conf-" | ||
| 36 | FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name" | ||
| 37 | |||
| 38 | FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio" | ||
| 39 | |||
| 40 | # Allow user to select the default DTB for FIT image when multiple dtb's exists. | ||
| 41 | FIT_CONF_DEFAULT_DTB ?= "" | ||
| 42 | |||
| 43 | # length of address in number of <u32> cells | ||
| 44 | # ex: 1 32bits address, 2 64bits address | ||
| 45 | FIT_ADDRESS_CELLS ?= "1" | ||
| 46 | |||
| 47 | # Keys used to sign individually image nodes. | ||
| 48 | # The keys to sign image nodes must be different from those used to sign | ||
| 49 | # configuration nodes, otherwise the "required" property, from | ||
| 50 | # UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image". | ||
| 51 | # Then the images signature checking will not be mandatory and no error will be | ||
| 52 | # raised in case of failure. | ||
| 53 | # UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key") | ||