From: "Usama Arif" <usama.arif@arm.com>
To: openembedded-core@lists.openembedded.org
Cc: nd@arm.com
Subject: Re: [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
Date: Tue, 8 Sep 2020 13:43:01 +0100	[thread overview]
Message-ID: <195ee8ef-96b3-112a-6954-bb5df8e65e4f@arm.com> (raw)
In-Reply-To: <20200908122835.38284-1-usama.arif@arm.com>



On 08/09/2020 13:28, Usama Arif wrote:
> The keys are only generated if they don't exist. The key
> generation can be turned off by setting FIT_GENERATE_KEYS to "0".
> The default key length for private keys is 2048 and the default
> format for public key certificate is x.509.
> 
> Signed-off-by: Usama Arif <usama.arif@arm.com>
> ---
>   meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
>   1 file changed, 44 insertions(+)
> 
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index fa4ea6feef..1fa8c8f05c 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
>   # fitImage Signature Algo
>   FIT_SIGN_ALG ?= "rsa2048"
>   
> +# Generate keys for signing fitImage
> +FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE', '1', '1', '0', d)}"
> +
> +# Size of private key in number of bits
> +FIT_SIGN_NUMBITS ?= "2048"
> +
> +# args to openssl genrsa (Default is just the public exponent)
> +FIT_KEY_GENRSA_ARGS ?= "-F4"
> +
> +# args to openssl req (Default is -batch for non interactive mode and
> +# -new for new certificate)
> +FIT_KEY_REQ_ARGS ?= "-batch -new"
> +
> +# Standard format for public key certificate
> +FIT_KEY_SIGN_PKCS ?= "-x509"
> +
>   #
>   # Emit the fitImage ITS header
>   #
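Review bot: FIT_SIGN_NUMBITS defaults to "2048" independently of the `FIT_SIGN_ALG ?= "rsa2048"` line just above it, so a user who overrides FIT_SIGN_ALG (say to rsa4096) without also overriding FIT_SIGN_NUMBITS gets a key whose size does not match the algorithm named in the ITS; consider deriving the default bit count from FIT_SIGN_ALG, or at minimum stating in the comment that the two must agree. Also, FIT_KEY_SIGN_PKCS is expanded as a single quoted word (`"${FIT_KEY_SIGN_PKCS}"`) in the task below, unlike FIT_KEY_GENRSA_ARGS and FIT_KEY_REQ_ARGS, so its comment should make clear it holds exactly one option, not a list of arguments.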
> @@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
>   
>   addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
>   
> +do_generate_rsa_keys() {
> +	if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
> +		bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
> +	fi
> +
> +	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
> +
> +		# Generate keys only if they don't already exist
> +		if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
> +			[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then
> +
> +			# make directory if it does not already exist
> +			mkdir -p "${UBOOT_SIGN_KEYDIR}"
> +
> +			echo "Generating RSA private key for signing fitImage"
> +			openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
> +				"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
> +				"${FIT_SIGN_NUMBITS}"
> +
> +			echo "Generating certificate for signing fitImage"
> +			openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
> +				-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
> +				-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
> +		fi
> +	fi
> +}
> +
> +addtask generate_rsa_keys before do_assemble_fitimage after do_compile
>   
>   kernel_do_deploy[vardepsexclude] = "DATETIME"
>   kernel_do_deploy_append() {
> 
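Review bot: the second existence test in do_generate_rsa_keys is missing the space before the closing bracket: `[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]` makes `]` part of the filename word, so `[` fails with "missing ]" and the task errors out whenever the .key file exists but the check reaches the second test. It should read `[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]`. Two smaller points on the same function: the bbwarn text has "eventhough" for "even though", and the private key is written with whatever umask the build runs under, so since this key signs the boot image it would be worth restricting its mode (for example `umask 077` before the `openssl genrsa` call, or a `chmod 600` on the .key file afterwards).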

The relevant yocto-docs changes for this patch are in 
https://lists.yoctoproject.org/g/docs/message/340

Thread overview: 8+ messages
2020-09-08 12:28 [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage Usama Arif
2020-09-08 12:43 ` Usama Arif [this message]
     [not found] ` <1632CF861F095801.32160@lists.openembedded.org>
2020-09-21  9:47   ` [OE-core] " Usama Arif
2020-09-21 13:03 ` Richard Purdie
2020-09-21 13:24   ` Usama Arif
     [not found]   ` <1636CF692A74423D.559@lists.openembedded.org>
2020-09-30 10:14     ` Usama Arif
2020-09-30 10:22       ` Richard Purdie
2020-09-30 10:48         ` Usama Arif
