Hi,
Just wanted to check if there were any review comments for this patch?
Thanks,
Usama
On 08/09/2020 13:43, Usama Arif via lists.openembedded.org wrote:
On 08/09/2020 13:28, Usama Arif wrote:
The keys are only generated if they dont exist. The key
generation can be turned off by setting FIT_GENERATE_KEYS to "0".
The default key length for private keys is 2048 and the default
format for public key certificate is x.509.
Signed-off-by: Usama Arif <[email protected]>
---
meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/meta/classes/kernel-fitimage.bbclass
b/meta/classes/kernel-fitimage.bbclass
index fa4ea6feef..1fa8c8f05c 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
# fitImage Signature Algo
FIT_SIGN_ALG ?= "rsa2048"
+# Generate keys for signing fitImage
+FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE', '1',
'1', '0', d)}"
+
+# Size of private key in number of bits
+FIT_SIGN_NUMBITS ?= "2048"
+
+# args to openssl genrsa (Default is just the public exponent)
+FIT_KEY_GENRSA_ARGS ?= "-F4"
+
+# args to openssl req (Default is -batch for non interactive mode and
+# -new for new certificate)
+FIT_KEY_REQ_ARGS ?= "-batch -new"
+
+# Standard format for public key certificate
+FIT_KEY_SIGN_PKCS ?= "-x509"
+
#
# Emit the fitImage ITS header
#
@@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
addtask assemble_fitimage_initramfs before do_deploy after
do_bundle_initramfs
+do_generate_rsa_keys() {
+ if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" =
"1" ]; then
+ bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough
UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they
won't be used."
+ fi
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" =
"1" ]; then
+
+ # Generate keys only if they don't already exist
+ if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ]
|| \
+ [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt];
then
+
+ # make directory if it does not already exist
+ mkdir -p "${UBOOT_SIGN_KEYDIR}"
+
+ echo "Generating RSA private key for signing fitImage"
+ openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+ "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+ "${FIT_SIGN_NUMBITS}"
+
+ echo "Generating certificate for signing fitImage"
+ openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+ -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+ -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
+ fi
+ fi
+}
+
+addtask generate_rsa_keys before do_assemble_fitimage after do_compile
kernel_do_deploy[vardepsexclude] = "DATETIME"
kernel_do_deploy_append() {
The relevant yocto-docs changes for this patch are in
https://lists.yoctoproject.org/g/docs/message/340
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#142675):
https://lists.openembedded.org/g/openembedded-core/message/142675
Mute This Topic: https://lists.openembedded.org/mt/76707315/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
