From: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
To: openembedded-core@lists.openembedded.org
Cc: andrew@aj.id.au, Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>,
openbmc@lists.ozlabs.org
Subject: [PATCH 3/4] u-boot: Use a different Key for SPL signing
Date: Mon, 15 Mar 2021 13:58:05 -0300 [thread overview]
Message-ID: <20210315165806.1633-4-klaus@linux.vnet.ibm.com> (raw)
In-Reply-To: <20210315165806.1633-1-klaus@linux.vnet.ibm.com>
Duplicate the variables governing u-boot signing so that we can have a
different set of keys/parameters signing the SPL.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
---
meta/classes/uboot-config.bbclass | 2 ++
meta/classes/uboot-sign.bbclass | 55 ++++++++++++++++++++++++-------
2 files changed, 46 insertions(+), 11 deletions(-)
diff --git a/meta/classes/uboot-config.bbclass b/meta/classes/uboot-config.bbclass
index 31487c1418..3bba02828b 100644
--- a/meta/classes/uboot-config.bbclass
+++ b/meta/classes/uboot-config.bbclass
@@ -61,6 +61,7 @@ UBOOT_EXTLINUX_SYMLINK ?= "${UBOOT_EXTLINUX_CONF_NAME}-${MACHINE}-${PR}"
# Options for the device tree compiler passed to mkimage '-D' feature:
UBOOT_MKIMAGE_DTCOPTS ??= ""
+SPL_MKIMAGE_DTCOPTS ??= ""
# mkimage command
UBOOT_MKIMAGE ?= "uboot-mkimage"
@@ -68,6 +69,7 @@ UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
# Arguments passed to mkimage for signing
UBOOT_MKIMAGE_SIGN_ARGS ?= ""
+SPL_MKIMAGE_SIGN_ARGS ?= ""
python () {
ubootmachine = d.getVar("UBOOT_MACHINE")
diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index 86380f2234..2ec93e0b8e 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -59,27 +59,34 @@ SPL_NODTB_IMAGE ?= "${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${
SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin"
SPL_NODTB_SYMLINK ?= "${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${MACHINE}${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[1]}"
-# fitImage Hash Algo
+# Kernel / U-Boot fitImage Hash Algo
FIT_HASH_ALG ?= "sha256"
+UBOOT_FIT_HASH_ALG ?= "sha256"
-# fitImage Signature Algo
+# Kernel / U-Boot fitImage Signature Algo
FIT_SIGN_ALG ?= "rsa2048"
+UBOOT_FIT_SIGN_ALG ?= "rsa2048"
-# Generate keys for signing fitImage
+# Generate keys for signing Kernel / U-Boot fitImage
FIT_GENERATE_KEYS ?= "0"
+UBOOT_FIT_GENERATE_KEYS ?= "0"
-# Size of private key in number of bits
+# Size of private keys in number of bits
FIT_SIGN_NUMBITS ?= "2048"
+UBOOT_FIT_SIGN_NUMBITS ?= "2048"
# args to openssl genrsa (Default is just the public exponent)
FIT_KEY_GENRSA_ARGS ?= "-F4"
+UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
# args to openssl req (Default is -batch for non interactive mode and
# -new for new certificate)
FIT_KEY_REQ_ARGS ?= "-batch -new"
+UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
# Standard format for public key certificate
FIT_KEY_SIGN_PKCS ?= "-x509"
+UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
# Functions on this bbclass can apply to either U-boot or Kernel,
# depending on the scenario
@@ -280,6 +287,32 @@ do_generate_rsa_keys() {
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
fi
fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+ bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
+ fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
+
+ # Generate keys only if they don't already exist
+ if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
+ [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
+
+ # make directory if it does not already exist
+ mkdir -p "${SPL_SIGN_KEYDIR}"
+
+ echo "Generating RSA private key for signing U-Boot fitImage"
+ openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
+ "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+ "${UBOOT_FIT_SIGN_NUMBITS}"
+
+ echo "Generating certificate for signing U-Boot fitImage"
+ openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
+ -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
+ -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
+ fi
+ fi
+
}
addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
@@ -292,9 +325,9 @@ uboot_fitimage_assemble() {
uboot_dtb="${3}"
uboot_bin="${4}"
spl_dtb="${5}"
- uboot_csum="${FIT_HASH_ALG}"
- uboot_sign_algo="${FIT_SIGN_ALG}"
- uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ uboot_csum="${UBOOT_FIT_HASH_ALG}"
+ uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
+ uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
rm -f ${uboot_its} ${uboot_bin}
@@ -349,7 +382,7 @@ EOF
# Assemble the U-boot FIT image
#
${UBOOT_MKIMAGE} \
- ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
+ ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
-f ${uboot_its} \
${uboot_bin}
@@ -357,11 +390,11 @@ EOF
# Sign the U-boot FIT image and add public key to SPL dtb
#
${UBOOT_MKIMAGE_SIGN} \
- ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
- -F -k "${UBOOT_SIGN_KEYDIR}" \
+ ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
+ -F -k "${SPL_SIGN_KEYDIR}" \
-K "${spl_dtb}" \
-r ${uboot_bin} \
- ${UBOOT_MKIMAGE_SIGN_ARGS}
+ ${SPL_MKIMAGE_SIGN_ARGS}
}
--
2.25.1
next prev parent reply other threads:[~2021-03-15 17:00 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-15 16:58 [PATCH 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi
2021-03-15 16:58 ` [PATCH 1/4] u-boot: Move definitions to common locations Klaus Heinrich Kiwi
2021-03-15 16:58 ` [PATCH 2/4] u-boot: Add infrastructure to SPL verified boot Klaus Heinrich Kiwi
2021-03-15 16:58 ` Klaus Heinrich Kiwi [this message]
2021-03-15 16:58 ` [PATCH 4/4] oe-selftest: Add U-Boot fitImage signing testcases Klaus Heinrich Kiwi
[not found] <mailman.866.1615827526.26598.openbmc@lists.ozlabs.org>
2021-03-15 22:42 ` [PATCH 3/4] u-boot: Use a different Key for SPL signing Dan Zhang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210315165806.1633-4-klaus@linux.vnet.ibm.com \
--to=klaus@linux.vnet.ibm.com \
--cc=andrew@aj.id.au \
--cc=openbmc@lists.ozlabs.org \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).