From: Marta Rybczynska <[email protected]> The SPL FIT signing patch was signing individual images, but not the configuration.
Introduce signing of configuration with images under a separate option SPL_SIGN_CONF, enabled by default. It implies changes in the DTB content. The old behaviour is possible with SPL_SIGN_INDIVIDUAL, but should be removed in a subsequent patch. Signed-off-by: Marta Rybczynska <[email protected]> --- meta/classes-recipe/uboot-sign.bbclass | 76 ++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 4 deletions(-) diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index 9cb5c6ccf3..3af76200bf 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -34,6 +34,15 @@ UBOOT_FITIMAGE_ENABLE ?= "0" # Signature activation - this requires UBOOT_FITIMAGE_ENABLE = "1" SPL_SIGN_ENABLE ?= "0" +# Sign the FIT configuration in the SPL signing flow. Configuration +# signatures bind the selected images and boot metadata together. +SPL_SIGN_CONF ?= "1" + +# Legacy compatibility knob for per-image signatures in the SPL FIT path. +# Individual image signatures do not protect the configuration metadata +# which selects and parameterizes the boot images. +SPL_SIGN_INDIVIDUAL ?= "0" + # Default value for deployment filenames. UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb" UBOOT_DTB_BINARY ?= "u-boot.dtb" @@ -325,7 +334,15 @@ uboot_fitimage_atf() { entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>; compression = "none"; EOF - if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + hash-1 { + algo = "${UBOOT_FIT_HASH_ALG}"; + }; +EOF + fi + + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then cat << EOF >> ${UBOOT_ITS} signature { algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; @@ -352,7 +369,15 @@ uboot_fitimage_tee() { entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>; compression = "none"; EOF - if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + hash-1 { + algo = "${UBOOT_FIT_HASH_ALG}"; + }; +EOF + fi + + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then cat << EOF >> ${UBOOT_ITS} signature { algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; @@ -393,7 +418,15 @@ uboot_fitimage_assemble() { entry = <${UBOOT_FIT_UBOOT_ENTRYPOINT}>; EOF - if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + hash-1 { + algo = "${UBOOT_FIT_HASH_ALG}"; + }; +EOF + fi + + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then cat << EOF >> ${UBOOT_ITS} signature { algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; @@ -412,7 +445,15 @@ EOF compression = "none"; EOF - if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + hash-1 { + algo = "${UBOOT_FIT_HASH_ALG}"; + }; +EOF + fi + + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then cat << EOF >> ${UBOOT_ITS} signature { algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; @@ -442,8 +483,10 @@ EOF conf_loadables="${conf_loadables}${UBOOT_FIT_CONF_USER_LOADABLES}" fi + conf_sign_images='"loadables", "fdt"' if [ -n "${UBOOT_FIT_CONF_FIRMWARE}" ] ; then conf_firmware="firmware = \"${UBOOT_FIT_CONF_FIRMWARE}\";" + conf_sign_images='"firmware", "loadables", "fdt"' fi cat << EOF >> ${UBOOT_ITS} @@ -456,6 +499,19 @@ EOF ${conf_firmware} loadables = ${conf_loadables}; fdt = "fdt"; +EOF + + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then + cat << EOF >> ${UBOOT_ITS} + sign-images = ${conf_sign_images}; + signature { + algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}"; + key-name-hint = "${SPL_SIGN_KEYNAME}"; + }; +EOF + fi + + cat << EOF >> ${UBOOT_ITS} }; }; }; @@ -470,6 +526,18 @@ EOF ${UBOOT_FITIMAGE_BINARY} if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then + if [ "${SPL_SIGN_CONF}" != "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" != "1" ] ; then + bbfatal "SPL_SIGN_ENABLE=1 requires SPL_SIGN_CONF=1 or SPL_SIGN_INDIVIDUAL=1" + fi + + if [ "${SPL_SIGN_CONF}" != "1" ] ; then + bbwarn "SPL_SIGN_CONF is disabled. FIT configuration signing is recommended for SPL verified boot." + fi + + if [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then + bbwarn "SPL_SIGN_INDIVIDUAL=1 is enabled for compatibility only. Individual image signatures do not replace configuration signing." + fi + if [ -n "${SPL_DTB_BINARY}" ] ; then # # Sign the U-boot FIT image and add public key to SPL dtb -- 2.47.3
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236447): https://lists.openembedded.org/g/openembedded-core/message/236447 Mute This Topic: https://lists.openembedded.org/mt/119140569/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
