* [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
@ 2020-09-08 12:28 Usama Arif
2020-09-08 12:43 ` Usama Arif
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Usama Arif @ 2020-09-08 12:28 UTC (permalink / raw)
To: openembedded-core; +Cc: nd, Usama Arif
The keys are only generated if they dont exist. The key
generation can be turned off by setting FIT_GENERATE_KEYS to "0".
The default key length for private keys is 2048 and the default
format for public key certificate is x.509.
Signed-off-by: Usama Arif <usama.arif@arm.com>
---
meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index fa4ea6feef..1fa8c8f05c 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
# fitImage Signature Algo
FIT_SIGN_ALG ?= "rsa2048"
+# Generate keys for signing fitImage
+FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE', '1', '1', '0', d)}"
+
+# Size of private key in number of bits
+FIT_SIGN_NUMBITS ?= "2048"
+
+# args to openssl genrsa (Default is just the public exponent)
+FIT_KEY_GENRSA_ARGS ?= "-F4"
+
+# args to openssl req (Default is -batch for non interactive mode and
+# -new for new certificate)
+FIT_KEY_REQ_ARGS ?= "-batch -new"
+
+# Standard format for public key certificate
+FIT_KEY_SIGN_PKCS ?= "-x509"
+
#
# Emit the fitImage ITS header
#
@@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
+do_generate_rsa_keys() {
+ if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
+ bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
+ fi
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
+
+ # Generate keys only if they don't already exist
+ if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
+ [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then
+
+ # make directory if it does not already exist
+ mkdir -p "${UBOOT_SIGN_KEYDIR}"
+
+ echo "Generating RSA private key for signing fitImage"
+ openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+ "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+ "${FIT_SIGN_NUMBITS}"
+
+ echo "Generating certificate for signing fitImage"
+ openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+ -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
+ -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
+ fi
+ fi
+}
+
+addtask generate_rsa_keys before do_assemble_fitimage after do_compile
kernel_do_deploy[vardepsexclude] = "DATETIME"
kernel_do_deploy_append() {
--
2.17.1
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
2020-09-08 12:28 [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage Usama Arif
@ 2020-09-08 12:43 ` Usama Arif
[not found] ` <1632CF861F095801.32160@lists.openembedded.org>
2020-09-21 13:03 ` Richard Purdie
2 siblings, 0 replies; 8+ messages in thread
From: Usama Arif @ 2020-09-08 12:43 UTC (permalink / raw)
To: openembedded-core; +Cc: nd
On 08/09/2020 13:28, Usama Arif wrote:
> The keys are only generated if they dont exist. The key
> generation can be turned off by setting FIT_GENERATE_KEYS to "0".
> The default key length for private keys is 2048 and the default
> format for public key certificate is x.509.
>
> Signed-off-by: Usama Arif <usama.arif@arm.com>
> ---
> meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
> 1 file changed, 44 insertions(+)
>
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index fa4ea6feef..1fa8c8f05c 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
> # fitImage Signature Algo
> FIT_SIGN_ALG ?= "rsa2048"
>
> +# Generate keys for signing fitImage
> +FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE', '1', '1', '0', d)}"
> +
> +# Size of private key in number of bits
> +FIT_SIGN_NUMBITS ?= "2048"
> +
> +# args to openssl genrsa (Default is just the public exponent)
> +FIT_KEY_GENRSA_ARGS ?= "-F4"
> +
> +# args to openssl req (Default is -batch for non interactive mode and
> +# -new for new certificate)
> +FIT_KEY_REQ_ARGS ?= "-batch -new"
> +
> +# Standard format for public key certificate
> +FIT_KEY_SIGN_PKCS ?= "-x509"
> +
> #
> # Emit the fitImage ITS header
> #
> @@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
>
> addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
>
> +do_generate_rsa_keys() {
> + if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
> + bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
> + fi
> +
> + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
> +
> + # Generate keys only if they don't already exist
> + if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
> + [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then
> +
> + # make directory if it does not already exist
> + mkdir -p "${UBOOT_SIGN_KEYDIR}"
> +
> + echo "Generating RSA private key for signing fitImage"
> + openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
> + "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
> + "${FIT_SIGN_NUMBITS}"
> +
> + echo "Generating certificate for signing fitImage"
> + openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
> + -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
> + -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
> + fi
> + fi
> +}
> +
> +addtask generate_rsa_keys before do_assemble_fitimage after do_compile
>
> kernel_do_deploy[vardepsexclude] = "DATETIME"
> kernel_do_deploy_append() {
>
The relevant yocto-docs changes for this patch are in
https://lists.yoctoproject.org/g/docs/message/340
^ permalink raw reply [flat|nested] 8+ messages in thread[parent not found: <1632CF861F095801.32160@lists.openembedded.org>]
* Re: [OE-core] [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
[not found] ` <1632CF861F095801.32160@lists.openembedded.org>
@ 2020-09-21 9:47 ` Usama Arif
0 siblings, 0 replies; 8+ messages in thread
From: Usama Arif @ 2020-09-21 9:47 UTC (permalink / raw)
To: openembedded-core, Richard Purdie; +Cc: nd
Hi,
Just wanted to check if there were any review comments for this patch?
Thanks,
Usama
On 08/09/2020 13:43, Usama Arif via lists.openembedded.org wrote:
>
>
> On 08/09/2020 13:28, Usama Arif wrote:
>> The keys are only generated if they dont exist. The key
>> generation can be turned off by setting FIT_GENERATE_KEYS to "0".
>> The default key length for private keys is 2048 and the default
>> format for public key certificate is x.509.
>>
>> Signed-off-by: Usama Arif <usama.arif@arm.com>
>> ---
>> meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
>> 1 file changed, 44 insertions(+)
>>
>> diff --git a/meta/classes/kernel-fitimage.bbclass
>> b/meta/classes/kernel-fitimage.bbclass
>> index fa4ea6feef..1fa8c8f05c 100644
>> --- a/meta/classes/kernel-fitimage.bbclass
>> +++ b/meta/classes/kernel-fitimage.bbclass
>> @@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256"
>> # fitImage Signature Algo
>> FIT_SIGN_ALG ?= "rsa2048"
>> +# Generate keys for signing fitImage
>> +FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE', '1',
>> '1', '0', d)}"
>> +
>> +# Size of private key in number of bits
>> +FIT_SIGN_NUMBITS ?= "2048"
>> +
>> +# args to openssl genrsa (Default is just the public exponent)
>> +FIT_KEY_GENRSA_ARGS ?= "-F4"
>> +
>> +# args to openssl req (Default is -batch for non interactive mode and
>> +# -new for new certificate)
>> +FIT_KEY_REQ_ARGS ?= "-batch -new"
>> +
>> +# Standard format for public key certificate
>> +FIT_KEY_SIGN_PKCS ?= "-x509"
>> +
>> #
>> # Emit the fitImage ITS header
>> #
>> @@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() {
>> addtask assemble_fitimage_initramfs before do_deploy after
>> do_bundle_initramfs
>> +do_generate_rsa_keys() {
>> + if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" =
>> "1" ]; then
>> + bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough
>> UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they
>> won't be used."
>> + fi
>> +
>> + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" =
>> "1" ]; then
>> +
>> + # Generate keys only if they don't already exist
>> + if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ]
>> || \
>> + [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt];
>> then
>> +
>> + # make directory if it does not already exist
>> + mkdir -p "${UBOOT_SIGN_KEYDIR}"
>> +
>> + echo "Generating RSA private key for signing fitImage"
>> + openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
>> + "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
>> + "${FIT_SIGN_NUMBITS}"
>> +
>> + echo "Generating certificate for signing fitImage"
>> + openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
>> + -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
>> + -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
>> + fi
>> + fi
>> +}
>> +
>> +addtask generate_rsa_keys before do_assemble_fitimage after do_compile
>> kernel_do_deploy[vardepsexclude] = "DATETIME"
>> kernel_do_deploy_append() {
>>
>
> The relevant yocto-docs changes for this patch are in
> https://lists.yoctoproject.org/g/docs/message/340
>
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [OE-core] [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
2020-09-08 12:28 [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage Usama Arif
2020-09-08 12:43 ` Usama Arif
[not found] ` <1632CF861F095801.32160@lists.openembedded.org>
@ 2020-09-21 13:03 ` Richard Purdie
2020-09-21 13:24 ` Usama Arif
[not found] ` <1636CF692A74423D.559@lists.openembedded.org>
2 siblings, 2 replies; 8+ messages in thread
From: Richard Purdie @ 2020-09-21 13:03 UTC (permalink / raw)
To: Usama Arif, openembedded-core; +Cc: nd
On Tue, 2020-09-08 at 13:28 +0100, Usama Arif wrote:
> The keys are only generated if they dont exist. The key
> generation can be turned off by setting FIT_GENERATE_KEYS to "0".
> The default key length for private keys is 2048 and the default
> format for public key certificate is x.509.
>
> Signed-off-by: Usama Arif <usama.arif@arm.com>
> ---
> meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
> 1 file changed, 44 insertions(+)
I'm worried about this as keys are generally something the user needs
to handle carefully. Making it all "magic" means that a missing key
might not throw an error when it should and also, someone might not
save the keys when they might need to.
Perhaps this code should need to be explicitly enabled?
Cheers,
Richard
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [OE-core] [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
2020-09-21 13:03 ` Richard Purdie
@ 2020-09-21 13:24 ` Usama Arif
[not found] ` <1636CF692A74423D.559@lists.openembedded.org>
1 sibling, 0 replies; 8+ messages in thread
From: Usama Arif @ 2020-09-21 13:24 UTC (permalink / raw)
To: Richard Purdie, openembedded-core; +Cc: nd
On 21/09/2020 14:03, Richard Purdie wrote:
> On Tue, 2020-09-08 at 13:28 +0100, Usama Arif wrote:
>> The keys are only generated if they dont exist. The key
>> generation can be turned off by setting FIT_GENERATE_KEYS to "0".
>> The default key length for private keys is 2048 and the default
>> format for public key certificate is x.509.
>>
>> Signed-off-by: Usama Arif <usama.arif@arm.com>
>> ---
>> meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
>> 1 file changed, 44 insertions(+)
>
> I'm worried about this as keys are generally something the user needs
> to handle carefully. Making it all "magic" means that a missing key
> might not throw an error when it should and also, someone might not
> save the keys when they might need to.
>
To make sure the keys exists, we could check in step 7 of
fitimage_assemble that ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key
and ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt exist if
UBOOT_SIGN_ENABLE is set to 1?
> Perhaps this code should need to be explicitly enabled?
By explicitly enable do you mean change the ?= to = in the below line?
FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE', '1',
'1', '0', d)}"
I actually think that keeping ?= is a good idea as users might want to
use some other key not generated by oe-core, so they can choose to
disable FIT_GENERATE_KEYS.
Thanks for the review!
Usama
>
> Cheers,
>
> Richard
>
^ permalink raw reply [flat|nested] 8+ messages in thread[parent not found: <1636CF692A74423D.559@lists.openembedded.org>]
* Re: [OE-core] [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
[not found] ` <1636CF692A74423D.559@lists.openembedded.org>
@ 2020-09-30 10:14 ` Usama Arif
2020-09-30 10:22 ` Richard Purdie
0 siblings, 1 reply; 8+ messages in thread
From: Usama Arif @ 2020-09-30 10:14 UTC (permalink / raw)
To: Richard Purdie, openembedded-core; +Cc: nd
On 21/09/2020 14:24, Usama Arif via lists.openembedded.org wrote:
>
> On 21/09/2020 14:03, Richard Purdie wrote:
>> On Tue, 2020-09-08 at 13:28 +0100, Usama Arif wrote:
>>> The keys are only generated if they dont exist. The key
>>> generation can be turned off by setting FIT_GENERATE_KEYS to "0".
>>> The default key length for private keys is 2048 and the default
>>> format for public key certificate is x.509.
>>>
>>> Signed-off-by: Usama Arif <usama.arif@arm.com>
>>> ---
>>> meta/classes/kernel-fitimage.bbclass | 44 ++++++++++++++++++++++++++++
>>> 1 file changed, 44 insertions(+)
>>
>> I'm worried about this as keys are generally something the user needs
>> to handle carefully. Making it all "magic" means that a missing key
>> might not throw an error when it should and also, someone might not
>> save the keys when they might need to.
>>
> To make sure the keys exists, we could check in step 7 of
> fitimage_assemble that ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key
> and ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt exist if
> UBOOT_SIGN_ENABLE is set to 1?
>
>> Perhaps this code should need to be explicitly enabled?
>
> By explicitly enable do you mean change the ?= to = in the below line?
>
> FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE', '1',
> '1', '0', d)}"
>
> I actually think that keeping ?= is a good idea as users might want to
> use some other key not generated by oe-core, so they can choose to
> disable FIT_GENERATE_KEYS.
>
> Thanks for the review!
> Usama
>
Hi,
Just wanted to check if there were any more review comments or anymore
comments on above, i.e. would you like me to add a check in step 7 to
make sure the keys exist and do you think its a good idea to use =
instead of ?= for setting FIT_GENERTATE_KEYS?
Thanks,
Usama
>>
>> Cheers,
>>
>> Richard
>>
>
>
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [OE-core] [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
2020-09-30 10:14 ` Usama Arif
@ 2020-09-30 10:22 ` Richard Purdie
2020-09-30 10:48 ` Usama Arif
0 siblings, 1 reply; 8+ messages in thread
From: Richard Purdie @ 2020-09-30 10:22 UTC (permalink / raw)
To: Usama Arif, openembedded-core; +Cc: nd
On Wed, 2020-09-30 at 11:14 +0100, Usama Arif wrote:
>
> On 21/09/2020 14:24, Usama Arif via lists.openembedded.org wrote:
> > On 21/09/2020 14:03, Richard Purdie wrote:
> > > On Tue, 2020-09-08 at 13:28 +0100, Usama Arif wrote:
> > > > The keys are only generated if they dont exist. The key
> > > > generation can be turned off by setting FIT_GENERATE_KEYS to
> > > > "0".
> > > > The default key length for private keys is 2048 and the default
> > > > format for public key certificate is x.509.
> > > >
> > > > Signed-off-by: Usama Arif <usama.arif@arm.com>
> > > > ---
> > > > meta/classes/kernel-fitimage.bbclass | 44
> > > > ++++++++++++++++++++++++++++
> > > > 1 file changed, 44 insertions(+)
> > >
> > > I'm worried about this as keys are generally something the user
> > > needs
> > > to handle carefully. Making it all "magic" means that a missing
> > > key
> > > might not throw an error when it should and also, someone might
> > > not
> > > save the keys when they might need to.
> > >
> > To make sure the keys exists, we could check in step 7 of
> > fitimage_assemble that
> > ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key
> > and ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt exist if
> > UBOOT_SIGN_ENABLE is set to 1?
> >
> > > Perhaps this code should need to be explicitly enabled?
> >
> > By explicitly enable do you mean change the ?= to = in the below
> > line?
> >
> > FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE',
> > '1',
> > '1', '0', d)}"
> >
> > I actually think that keeping ?= is a good idea as users might want
> > to
> > use some other key not generated by oe-core, so they can choose to
> > disable FIT_GENERATE_KEYS.
> >
> > Thanks for the review!
> > Usama
> >
>
> Hi,
>
> Just wanted to check if there were any more review comments or
> anymore
> comments on above, i.e. would you like me to add a check in step 7
> to
> make sure the keys exist and do you think its a good idea to use =
> instead of ?= for setting FIT_GENERTATE_KEYS?
What I meant in my previous reply was setting:
FIT_GENERATE_KEYS ?= "0"
as the default and requiring the user to set it to something else to
enable the key generation.
I'm worried that otherwise, users won't realise keys are being
generated and they won't be managing them appropriately. Keys are
probably something you should be preserving between builds for example?
Cheers,
Richard
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [OE-core] [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage
2020-09-30 10:22 ` Richard Purdie
@ 2020-09-30 10:48 ` Usama Arif
0 siblings, 0 replies; 8+ messages in thread
From: Usama Arif @ 2020-09-30 10:48 UTC (permalink / raw)
To: richard.purdie, openembedded-core; +Cc: nd
On 30/09/2020 11:22, Richard Purdie via lists.openembedded.org wrote:
> On Wed, 2020-09-30 at 11:14 +0100, Usama Arif wrote:
>>
>> On 21/09/2020 14:24, Usama Arif via lists.openembedded.org wrote:
>>> On 21/09/2020 14:03, Richard Purdie wrote:
>>>> On Tue, 2020-09-08 at 13:28 +0100, Usama Arif wrote:
>>>>> The keys are only generated if they dont exist. The key
>>>>> generation can be turned off by setting FIT_GENERATE_KEYS to
>>>>> "0".
>>>>> The default key length for private keys is 2048 and the default
>>>>> format for public key certificate is x.509.
>>>>>
>>>>> Signed-off-by: Usama Arif <usama.arif@arm.com>
>>>>> ---
>>>>> meta/classes/kernel-fitimage.bbclass | 44
>>>>> ++++++++++++++++++++++++++++
>>>>> 1 file changed, 44 insertions(+)
>>>>
>>>> I'm worried about this as keys are generally something the user
>>>> needs
>>>> to handle carefully. Making it all "magic" means that a missing
>>>> key
>>>> might not throw an error when it should and also, someone might
>>>> not
>>>> save the keys when they might need to.
>>>>
>>> To make sure the keys exists, we could check in step 7 of
>>> fitimage_assemble that
>>> ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key
>>> and ${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt exist if
>>> UBOOT_SIGN_ENABLE is set to 1?
>>>
>>>> Perhaps this code should need to be explicitly enabled?
>>>
>>> By explicitly enable do you mean change the ?= to = in the below
>>> line?
>>>
>>> FIT_GENERATE_KEYS ?= "${@bb.utils.contains('UBOOT_SIGN_ENABLE',
>>> '1',
>>> '1', '0', d)}"
>>>
>>> I actually think that keeping ?= is a good idea as users might want
>>> to
>>> use some other key not generated by oe-core, so they can choose to
>>> disable FIT_GENERATE_KEYS.
>>>
>>> Thanks for the review!
>>> Usama
>>>
>>
>> Hi,
>>
>> Just wanted to check if there were any more review comments or
>> anymore
>> comments on above, i.e. would you like me to add a check in step 7
>> to
>> make sure the keys exist and do you think its a good idea to use =
>> instead of ?= for setting FIT_GENERTATE_KEYS?
>
> What I meant in my previous reply was setting:
>
> FIT_GENERATE_KEYS ?= "0"
>
> as the default and requiring the user to set it to something else to
> enable the key generation.
>
> I'm worried that otherwise, users won't realise keys are being
> generated and they won't be managing them appropriately. Keys are
> probably something you should be preserving between builds for example?
>
> Cheers,
>
> Richard
>
>
Hi,
Thanks for the reply. I have set FIT_GENERATE_KEYS ?= "0" in v2 of the
patch.
In both v1 and v2 of the patch i have the following check before
generating keys:
# Generate keys only if they don't already exist
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then
which will make sure that keys are not generated if they already exist
and are therefore preserved between builds.
Thanks,
Usama
>
>
>
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-09-30 10:48 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-08 12:28 [PATCH] kernel-fitimage: generate openssl RSA keys for signing fitimage Usama Arif
2020-09-08 12:43 ` Usama Arif
[not found] ` <1632CF861F095801.32160@lists.openembedded.org>
2020-09-21 9:47 ` [OE-core] " Usama Arif
2020-09-21 13:03 ` Richard Purdie
2020-09-21 13:24 ` Usama Arif
[not found] ` <1636CF692A74423D.559@lists.openembedded.org>
2020-09-30 10:14 ` Usama Arif
2020-09-30 10:22 ` Richard Purdie
2020-09-30 10:48 ` Usama Arif
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.