From: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> To: openembedded-core@lists.openembedded.org Cc: andrew@aj.id.au, klaus@linux.vnet.ibm.com, openbmc@lists.ozlabs.org Subject: [PATCH v2 3/4] u-boot: Use a different Key for SPL signing Date: Fri, 26 Mar 2021 17:14:09 -0300 [thread overview] Message-ID: <20210326201410.13906-4-klaus@linux.vnet.ibm.com> (raw) In-Reply-To: <20210326201410.13906-1-klaus@linux.vnet.ibm.com> Duplicate the variables governing u-boot signing so that we can have a different set of keys/parameters signing the SPL. Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> --- meta/classes/uboot-config.bbclass | 2 ++ meta/classes/uboot-sign.bbclass | 53 +++++++++++++++++++++++++------ 2 files changed, 45 insertions(+), 10 deletions(-) diff --git a/meta/classes/uboot-config.bbclass b/meta/classes/uboot-config.bbclass index 31487c1418..3bba02828b 100644 --- a/meta/classes/uboot-config.bbclass +++ b/meta/classes/uboot-config.bbclass @@ -61,6 +61,7 @@ UBOOT_EXTLINUX_SYMLINK ?= "${UBOOT_EXTLINUX_CONF_NAME}-${MACHINE}-${PR}" # Options for the device tree compiler passed to mkimage '-D' feature: UBOOT_MKIMAGE_DTCOPTS ??= "" +SPL_MKIMAGE_DTCOPTS ??= "" # mkimage command UBOOT_MKIMAGE ?= "uboot-mkimage" @@ -68,6 +69,7 @@ UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}" # Arguments passed to mkimage for signing UBOOT_MKIMAGE_SIGN_ARGS ?= "" +SPL_MKIMAGE_SIGN_ARGS ?= "" python () { ubootmachine = d.getVar("UBOOT_MACHINE") diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index 30ccebe94a..5f1750fdcc 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass @@ -65,27 +65,34 @@ SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin" # U-Boot fitImage description UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" -# fitImage Hash Algo +# Kernel / U-Boot fitImage Hash Algo FIT_HASH_ALG ?= "sha256" +UBOOT_FIT_HASH_ALG ?= "sha256" -# fitImage Signature Algo +# Kernel / U-Boot fitImage Signature Algo FIT_SIGN_ALG ?= "rsa2048" +UBOOT_FIT_SIGN_ALG ?= "rsa2048" -# Generate keys for signing fitImage +# Generate keys for signing Kernel / U-Boot fitImage FIT_GENERATE_KEYS ?= "0" +UBOOT_FIT_GENERATE_KEYS ?= "0" -# Size of private key in number of bits +# Size of private keys in number of bits FIT_SIGN_NUMBITS ?= "2048" +UBOOT_FIT_SIGN_NUMBITS ?= "2048" # args to openssl genrsa (Default is just the public exponent) FIT_KEY_GENRSA_ARGS ?= "-F4" +UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4" # args to openssl req (Default is -batch for non interactive mode and # -new for new certificate) FIT_KEY_REQ_ARGS ?= "-batch -new" +UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new" # Standard format for public key certificate FIT_KEY_SIGN_PKCS ?= "-x509" +UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509" # Functions on this bbclass can apply to either U-boot or Kernel, # depending on the scenario @@ -280,6 +287,32 @@ do_generate_rsa_keys() { -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt fi fi + + if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then + bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." + fi + + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then + + # Generate keys only if they don't already exist + if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \ + [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then + + # make directory if it does not already exist + mkdir -p "${SPL_SIGN_KEYDIR}" + + echo "Generating RSA private key for signing U-Boot fitImage" + openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \ + "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \ + "${UBOOT_FIT_SIGN_NUMBITS}" + + echo "Generating certificate for signing U-Boot fitImage" + openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \ + -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \ + -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt + fi + fi + } addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile @@ -292,9 +325,9 @@ uboot_fitimage_assemble() { uboot_dtb="${3}" uboot_bin="${4}" spl_dtb="${5}" - uboot_csum="${FIT_HASH_ALG}" - uboot_sign_algo="${FIT_SIGN_ALG}" - uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}" + uboot_csum="${UBOOT_FIT_HASH_ALG}" + uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}" + uboot_sign_keyname="${SPL_SIGN_KEYNAME}" rm -f ${uboot_its} ${uboot_bin} @@ -365,7 +398,7 @@ EOF # Assemble the U-boot FIT image # ${UBOOT_MKIMAGE} \ - ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ -f ${uboot_its} \ ${uboot_bin} @@ -374,11 +407,11 @@ EOF # Sign the U-boot FIT image and add public key to SPL dtb # ${UBOOT_MKIMAGE_SIGN} \ - ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ -F -k "${SPL_SIGN_KEYDIR}" \ -K "${spl_dtb}" \ -r ${uboot_bin} \ - ${UBOOT_MKIMAGE_SIGN_ARGS} + ${SPL_MKIMAGE_SIGN_ARGS} fi } -- 2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: "Klaus Heinrich Kiwi" <klaus@linux.vnet.ibm.com> To: openembedded-core@lists.openembedded.org Cc: joel@jms.id.au, andrew@aj.id.au, klaus@linux.vnet.ibm.com, openbmc@lists.ozlabs.org Subject: [PATCH v2 3/4] u-boot: Use a different Key for SPL signing Date: Fri, 26 Mar 2021 17:14:09 -0300 [thread overview] Message-ID: <20210326201410.13906-4-klaus@linux.vnet.ibm.com> (raw) In-Reply-To: <20210326201410.13906-1-klaus@linux.vnet.ibm.com> Duplicate the variables governing u-boot signing so that we can have a different set of keys/parameters signing the SPL. Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> --- meta/classes/uboot-config.bbclass | 2 ++ meta/classes/uboot-sign.bbclass | 53 +++++++++++++++++++++++++------ 2 files changed, 45 insertions(+), 10 deletions(-) diff --git a/meta/classes/uboot-config.bbclass b/meta/classes/uboot-config.bbclass index 31487c1418..3bba02828b 100644 --- a/meta/classes/uboot-config.bbclass +++ b/meta/classes/uboot-config.bbclass @@ -61,6 +61,7 @@ UBOOT_EXTLINUX_SYMLINK ?= "${UBOOT_EXTLINUX_CONF_NAME}-${MACHINE}-${PR}" # Options for the device tree compiler passed to mkimage '-D' feature: UBOOT_MKIMAGE_DTCOPTS ??= "" +SPL_MKIMAGE_DTCOPTS ??= "" # mkimage command UBOOT_MKIMAGE ?= "uboot-mkimage" @@ -68,6 +69,7 @@ UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}" # Arguments passed to mkimage for signing UBOOT_MKIMAGE_SIGN_ARGS ?= "" +SPL_MKIMAGE_SIGN_ARGS ?= "" python () { ubootmachine = d.getVar("UBOOT_MACHINE") diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index 30ccebe94a..5f1750fdcc 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass @@ -65,27 +65,34 @@ SPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin" # U-Boot fitImage description UBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" -# fitImage Hash Algo +# Kernel / U-Boot fitImage Hash Algo FIT_HASH_ALG ?= "sha256" +UBOOT_FIT_HASH_ALG ?= "sha256" -# fitImage Signature Algo +# Kernel / U-Boot fitImage Signature Algo FIT_SIGN_ALG ?= "rsa2048" +UBOOT_FIT_SIGN_ALG ?= "rsa2048" -# Generate keys for signing fitImage +# Generate keys for signing Kernel / U-Boot fitImage FIT_GENERATE_KEYS ?= "0" +UBOOT_FIT_GENERATE_KEYS ?= "0" -# Size of private key in number of bits +# Size of private keys in number of bits FIT_SIGN_NUMBITS ?= "2048" +UBOOT_FIT_SIGN_NUMBITS ?= "2048" # args to openssl genrsa (Default is just the public exponent) FIT_KEY_GENRSA_ARGS ?= "-F4" +UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4" # args to openssl req (Default is -batch for non interactive mode and # -new for new certificate) FIT_KEY_REQ_ARGS ?= "-batch -new" +UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new" # Standard format for public key certificate FIT_KEY_SIGN_PKCS ?= "-x509" +UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509" # Functions on this bbclass can apply to either U-boot or Kernel, # depending on the scenario @@ -280,6 +287,32 @@ do_generate_rsa_keys() { -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt fi fi + + if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then + bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." + fi + + if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then + + # Generate keys only if they don't already exist + if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \ + [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then + + # make directory if it does not already exist + mkdir -p "${SPL_SIGN_KEYDIR}" + + echo "Generating RSA private key for signing U-Boot fitImage" + openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \ + "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \ + "${UBOOT_FIT_SIGN_NUMBITS}" + + echo "Generating certificate for signing U-Boot fitImage" + openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \ + -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \ + -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt + fi + fi + } addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile @@ -292,9 +325,9 @@ uboot_fitimage_assemble() { uboot_dtb="${3}" uboot_bin="${4}" spl_dtb="${5}" - uboot_csum="${FIT_HASH_ALG}" - uboot_sign_algo="${FIT_SIGN_ALG}" - uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}" + uboot_csum="${UBOOT_FIT_HASH_ALG}" + uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}" + uboot_sign_keyname="${SPL_SIGN_KEYNAME}" rm -f ${uboot_its} ${uboot_bin} @@ -365,7 +398,7 @@ EOF # Assemble the U-boot FIT image # ${UBOOT_MKIMAGE} \ - ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ -f ${uboot_its} \ ${uboot_bin} @@ -374,11 +407,11 @@ EOF # Sign the U-boot FIT image and add public key to SPL dtb # ${UBOOT_MKIMAGE_SIGN} \ - ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ -F -k "${SPL_SIGN_KEYDIR}" \ -K "${spl_dtb}" \ -r ${uboot_bin} \ - ${UBOOT_MKIMAGE_SIGN_ARGS} + ${SPL_MKIMAGE_SIGN_ARGS} fi } -- 2.25.1
next prev parent reply other threads:[~2021-03-26 20:16 UTC|newest] Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-03-26 20:14 [PATCH v2 0/4] u-boot: Support for SPL verified boot Klaus Heinrich Kiwi 2021-03-26 20:14 ` Klaus Heinrich Kiwi 2021-03-26 20:14 ` [PATCH v2 1/4] u-boot: Move definitions to common locations Klaus Heinrich Kiwi 2021-03-26 20:14 ` Klaus Heinrich Kiwi 2021-03-26 20:14 ` [PATCH v2 2/4] u-boot: Add infrastructure to SPL verified boot Klaus Heinrich Kiwi 2021-03-26 20:14 ` Klaus Heinrich Kiwi 2021-03-26 20:14 ` Klaus Heinrich Kiwi [this message] 2021-03-26 20:14 ` [PATCH v2 3/4] u-boot: Use a different Key for SPL signing Klaus Heinrich Kiwi 2021-03-26 20:14 ` [PATCH v2 4/4] oe-selftest: Add U-Boot fitImage signing testcases Klaus Heinrich Kiwi 2021-03-26 20:14 ` Klaus Heinrich Kiwi 2021-04-06 10:57 ` [OE-core] [PATCH v2 0/4] u-boot: Support for SPL verified boot Richard Purdie 2021-04-06 10:57 ` Richard Purdie 2021-04-06 13:21 ` Klaus Heinrich Kiwi 2021-04-06 13:21 ` Klaus Heinrich Kiwi 2021-04-06 13:56 ` Richard Purdie 2021-04-06 13:56 ` Richard Purdie
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210326201410.13906-4-klaus@linux.vnet.ibm.com \ --to=klaus@linux.vnet.ibm.com \ --cc=andrew@aj.id.au \ --cc=openbmc@lists.ozlabs.org \ --cc=openembedded-core@lists.openembedded.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.