This is an initial support of fitImage signature to enable U-Boot verified boot. This feature is implemented by adding a signature tag to the configuration section of the generated fit-image.its file.
When a UBOOT_SIGN_ENABLE variable is set to "1", the signature procedure is activated and performs a second call to mkimage to sign the fitImage file and to include the public key in the deployed U-Boot device tree blob. (This implementation depends on the use of CONFIG_OF_SEPARATE in U-Boot.) As the U-Boot device tree blob is appended in the deploy dir, a dependency on 'u-boot:do_deploy' is added when the feature is activated. Signed-off-by: Yannick Gicquel <[email protected]> --- meta/classes/kernel-fitimage.bbclass | 45 +++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 62e0017..cbf07ba 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -1,5 +1,8 @@ inherit kernel-uboot +# To resolve the following UBOOT_DTB_BINARY identifier +require recipes-bsp/u-boot/u-boot-sign.inc + python __anonymous () { kerneltype = d.getVar('KERNEL_IMAGETYPE', True) if kerneltype == 'fitImage': @@ -15,6 +18,12 @@ python __anonymous () { image = d.getVar('INITRAMFS_IMAGE', True) if image: d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') + + # Verified boot will sign the fitImage and append the public key to + # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling + # the fitImage: + if d.getVar('UBOOT_SIGN_ENABLE', True): + d.appendVarFlag('do_assemble_fitimage', 'depends', ' u-boot:do_deploy') } # Options for the device tree compiler passed to mkimage '-D' feature: @@ -132,6 +141,9 @@ EOF fitimage_emit_section_config() { conf_csum="sha1" + if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then + conf_sign_keyname="${UBOOT_SIGN_KEYNAME}" + fi # Test if we have any DTBs at all if [ -z "${2}" ] ; then @@ -152,6 +164,26 @@ fitimage_emit_section_config() { hash@1 { algo = "${conf_csum}"; }; +EOF + + if [ ! -z "${conf_sign_keyname}" ] ; then + + if [ -z "${2}" ] ; then + sign_line="sign-images = \"kernel\";" + else + sign_line="sign-images = \"fdt\", \"kernel\";" + fi + + cat << EOF >> fit-image.its + signature@1 { + algo = "${conf_csum},rsa2048"; + key-name-hint = "${conf_sign_keyname}"; + sign-images = "fdt", "kernel"; + }; +EOF + fi + + cat << EOF >> fit-image.its }; EOF } @@ -160,7 +192,7 @@ do_assemble_fitimage() { if test "x${KERNEL_IMAGETYPE}" = "xfitImage" ; then kernelcount=1 dtbcount="" - rm -f fit-image.its + rm -f fit-image.its arch/${ARCH}/boot/fitImage fitimage_emit_fit_header @@ -216,6 +248,17 @@ do_assemble_fitimage() { ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ -f fit-image.its \ arch/${ARCH}/boot/fitImage + + # + # Step 5: Sign the image and add public key to U-Boot dtb + # + if test -n "${UBOOT_SIGN_ENABLE}"; then + uboot-mkimage \ + ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + -F -k "${UBOOT_SIGN_KEYDIR}" \ + -K "${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_BINARY}" \ + -r arch/${ARCH}/boot/fitImage + fi fi } -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
