[OE-core] [PATCH 3/4] u-boot: Use a different Key for SPL signing

Mon, 15 Mar 2021 09:58:47 -0700 

Duplicate the variables governing u-boot signing so that we can have a
different set of keys/parameters signing the SPL.

Signed-off-by: Klaus Heinrich Kiwi <[email protected]>
---
 meta/classes/uboot-config.bbclass |  2 ++
 meta/classes/uboot-sign.bbclass   | 55 ++++++++++++++++++++++++-------
 2 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/meta/classes/uboot-config.bbclass 
b/meta/classes/uboot-config.bbclass
index 31487c1418..3bba02828b 100644
--- a/meta/classes/uboot-config.bbclass
+++ b/meta/classes/uboot-config.bbclass
@@ -61,6 +61,7 @@ UBOOT_EXTLINUX_SYMLINK ?= 
"${UBOOT_EXTLINUX_CONF_NAME}-${MACHINE}-${PR}"
 
 # Options for the device tree compiler passed to mkimage '-D' feature:
 UBOOT_MKIMAGE_DTCOPTS ??= ""
+SPL_MKIMAGE_DTCOPTS ??= ""
 
 # mkimage command
 UBOOT_MKIMAGE ?= "uboot-mkimage"
@@ -68,6 +69,7 @@ UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
 
 # Arguments passed to mkimage for signing
 UBOOT_MKIMAGE_SIGN_ARGS ?= ""
+SPL_MKIMAGE_SIGN_ARGS ?= ""
 
 python () {
     ubootmachine = d.getVar("UBOOT_MACHINE")
diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index 86380f2234..2ec93e0b8e 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -59,27 +59,34 @@ SPL_NODTB_IMAGE ?= 
"${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${
 SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin"
 SPL_NODTB_SYMLINK ?= 
"${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${MACHINE}${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[1]}"
 
-# fitImage Hash Algo
+# Kernel / U-Boot fitImage Hash Algo
 FIT_HASH_ALG ?= "sha256"
+UBOOT_FIT_HASH_ALG ?= "sha256"
 
-# fitImage Signature Algo
+# Kernel / U-Boot fitImage Signature Algo
 FIT_SIGN_ALG ?= "rsa2048"
+UBOOT_FIT_SIGN_ALG ?= "rsa2048"
 
-# Generate keys for signing fitImage
+# Generate keys for signing Kernel / U-Boot fitImage
 FIT_GENERATE_KEYS ?= "0"
+UBOOT_FIT_GENERATE_KEYS ?= "0"
 
-# Size of private key in number of bits
+# Size of private keys in number of bits
 FIT_SIGN_NUMBITS ?= "2048"
+UBOOT_FIT_SIGN_NUMBITS ?= "2048"
 
 # args to openssl genrsa (Default is just the public exponent)
 FIT_KEY_GENRSA_ARGS ?= "-F4"
+UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
 
 # args to openssl req (Default is -batch for non interactive mode and
 # -new for new certificate)
 FIT_KEY_REQ_ARGS ?= "-batch -new"
+UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
 
 # Standard format for public key certificate
 FIT_KEY_SIGN_PKCS ?= "-x509"
+UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
 
 # Functions on this bbclass can apply to either U-boot or Kernel,
 # depending on the scenario
@@ -280,6 +287,32 @@ do_generate_rsa_keys() {
                                -out 
"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
                fi
        fi
+
+       if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = 
"1" ]; then
+               bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough 
SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be 
used."
+       fi
+
+       if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = 
"1" ]; then
+
+               # Generate keys only if they don't already exist
+               if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
+                       [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; 
then
+
+                       # make directory if it does not already exist
+                       mkdir -p "${SPL_SIGN_KEYDIR}"
+
+                       echo "Generating RSA private key for signing U-Boot 
fitImage"
+                       openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
+                               "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+                               "${UBOOT_FIT_SIGN_NUMBITS}"
+
+                       echo "Generating certificate for signing U-Boot 
fitImage"
+                       openssl req ${FIT_KEY_REQ_ARGS} 
"${UBOOT_FIT_KEY_SIGN_PKCS}" \
+                               -key 
"${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+                               -out 
"${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
+               fi
+       fi
+
 }
 
 addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
@@ -292,9 +325,9 @@ uboot_fitimage_assemble() {
        uboot_dtb="${3}"
        uboot_bin="${4}"
        spl_dtb="${5}"
-       uboot_csum="${FIT_HASH_ALG}"
-       uboot_sign_algo="${FIT_SIGN_ALG}"
-       uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+       uboot_csum="${UBOOT_FIT_HASH_ALG}"
+       uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
+       uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
 
        rm -f ${uboot_its} ${uboot_bin}
 
@@ -349,7 +382,7 @@ EOF
        # Assemble the U-boot FIT image
        #
        ${UBOOT_MKIMAGE} \
-               ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if 
len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+               ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if 
len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
                -f ${uboot_its} \
                ${uboot_bin}
 
@@ -357,11 +390,11 @@ EOF
        # Sign the U-boot FIT image and add public key to SPL dtb
        #
        ${UBOOT_MKIMAGE_SIGN} \
-               ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if 
len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-               -F -k "${UBOOT_SIGN_KEYDIR}" \
+               ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if 
len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
+               -F -k "${SPL_SIGN_KEYDIR}" \
                -K "${spl_dtb}" \
                -r ${uboot_bin} \
-               ${UBOOT_MKIMAGE_SIGN_ARGS}
+               ${SPL_MKIMAGE_SIGN_ARGS}
 
 }
 
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#149536): 
https://lists.openembedded.org/g/openembedded-core/message/149536
Mute This Topic: https://lists.openembedded.org/mt/81354693/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to