* [PATCH 0/2] Sign the image nodes with keys different from those for configuration nodes.
@ 2021-08-10 12:30 Thomas Perrot
2021-08-10 12:30 ` [PATCH 1/2] kernel-fitimage: images should not be signed with the same keys as the configurations Thomas Perrot
2021-08-10 12:30 ` [PATCH 2/2] oeqa/selftest/fitimage: update tests to use two keys Thomas Perrot
0 siblings, 2 replies; 3+ messages in thread
From: Thomas Perrot @ 2021-08-10 12:30 UTC (permalink / raw)
To: openembedded-core; +Cc: alexandre.belloni, Thomas Perrot
The keys to sign image nodes must be different from those used to sign
configuration nodes, otherwise the "required" property, from UBOOT_DTB_BINARY,
will be set to "conf", because "conf" prevails on "image". Then the images
signature checking will not be mandatory and no error will be raised in case of
failure.
Thomas Perrot (2):
kernel-fitimage: images should not be signed with the same keys as the
configurations
oeqa/selftest/fitimage: update tests to use two keys
meta/classes/kernel-fitimage.bbclass | 40 +++++++++++++++++++++---
meta/lib/oeqa/selftest/cases/fitimage.py | 21 ++++++++-----
2 files changed, 49 insertions(+), 12 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] kernel-fitimage: images should not be signed with the same keys as the configurations
2021-08-10 12:30 [PATCH 0/2] Sign the image nodes with keys different from those for configuration nodes Thomas Perrot
@ 2021-08-10 12:30 ` Thomas Perrot
2021-08-10 12:30 ` [PATCH 2/2] oeqa/selftest/fitimage: update tests to use two keys Thomas Perrot
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perrot @ 2021-08-10 12:30 UTC (permalink / raw)
To: openembedded-core; +Cc: alexandre.belloni, Thomas Perrot
Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set to "conf"
and no error will be raised in case of error.
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
---
meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++++++++++++----
1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index a9d1002200c9..2ef8f06b1428 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -60,6 +60,14 @@ FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
# Sign individual images as well
FIT_SIGN_INDIVIDUAL ?= "0"
+# Keys used to sign individually image nodes.
+# The keys to sign image nodes must be different from those used to sign
+# configuration nodes, otherwise the "required" property, from
+# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
+# Then the images signature checking will not be mandatory and no error will be
+# raised in case of failure.
+# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
+
#
# Emit the fitImage ITS header
#
@@ -121,7 +129,7 @@ fitimage_emit_section_kernel() {
kernel_csum="${FIT_HASH_ALG}"
kernel_sign_algo="${FIT_SIGN_ALG}"
- kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -167,7 +175,7 @@ fitimage_emit_section_dtb() {
dtb_csum="${FIT_HASH_ALG}"
dtb_sign_algo="${FIT_SIGN_ALG}"
- dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
dtb_loadline=""
dtb_ext=${DTB##*.}
@@ -214,7 +222,7 @@ fitimage_emit_section_boot_script() {
bootscr_csum="${FIT_HASH_ALG}"
bootscr_sign_algo="${FIT_SIGN_ALG}"
- bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
cat << EOF >> ${1}
bootscr-${2} {
@@ -278,7 +286,7 @@ fitimage_emit_section_ramdisk() {
ramdisk_csum="${FIT_HASH_ALG}"
ramdisk_sign_algo="${FIT_SIGN_ALG}"
- ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ramdisk_loadline=""
ramdisk_entryline=""
@@ -475,6 +483,10 @@ fitimage_assemble() {
bootscr_id=""
rm -f ${1} arch/${ARCH}/boot/${2}
+ if [ ! -z "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then
+ bbfatal "Keys used to sign images and configuration nodes must be different."
+ fi
+
fitimage_emit_fit_header ${1}
#
@@ -674,7 +686,7 @@ do_kernel_generate_rsa_keys() {
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
- # Generate keys only if they don't already exist
+ # Generate keys to sign configuration nodes, only if they don't already exist
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
@@ -691,6 +703,24 @@ do_kernel_generate_rsa_keys() {
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
fi
+
+ # Generate keys to sign image nodes, only if they don't already exist
+ if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
+ [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
+
+ # make directory if it does not already exist
+ mkdir -p "${UBOOT_SIGN_KEYDIR}"
+
+ echo "Generating RSA private key for signing fitImage"
+ openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+ "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+ "${FIT_SIGN_NUMBITS}"
+
+ echo "Generating certificate for signing fitImage"
+ openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+ -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+ -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
+ fi
fi
}
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] oeqa/selftest/fitimage: update tests to use two keys
2021-08-10 12:30 [PATCH 0/2] Sign the image nodes with keys different from those for configuration nodes Thomas Perrot
2021-08-10 12:30 ` [PATCH 1/2] kernel-fitimage: images should not be signed with the same keys as the configurations Thomas Perrot
@ 2021-08-10 12:30 ` Thomas Perrot
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perrot @ 2021-08-10 12:30 UTC (permalink / raw)
To: openembedded-core; +Cc: alexandre.belloni, Thomas Perrot
Other keys (UBOOT_SIGN_IMG_KEYNAME) are required to sign individually the images
nodes, and these keys must be different from the ones used to sign the
configurations nodes (UBOOT_SIGN_KEYNAME), then fitimage tests need to be
updated.
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
---
meta/lib/oeqa/selftest/cases/fitimage.py | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 815ee48c0541..184c8778d23f 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -114,7 +114,8 @@ KERNEL_CLASSES = " kernel-fitimage test-mkimage-wrapper "
UBOOT_SIGN_ENABLE = "1"
FIT_GENERATE_KEYS = "1"
UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
FIT_SIGN_INDIVIDUAL = "1"
UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
"""
@@ -173,11 +174,11 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
reqsigvalues_image = {
'algo': '"sha256,rsa2048"',
- 'key-name-hint': '"oe-selftest"',
+ 'key-name-hint': '"img-oe-selftest"',
}
reqsigvalues_config = {
'algo': '"sha256,rsa2048"',
- 'key-name-hint': '"oe-selftest"',
+ 'key-name-hint': '"cfg-oe-selftest"',
'sign-images': '"kernel", "fdt"',
}
@@ -215,7 +216,10 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
self.assertIn('conf-am335x-boneblack.dtb', signed_sections)
for signed_section, values in signed_sections.items():
value = values.get('Sign algo', None)
- self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
+ if signed_section.startswith("conf"):
+ self.assertEqual(value, 'sha256,rsa2048:cfg-oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
+ else:
+ self.assertEqual(value, 'sha256,rsa2048:img-oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
value = values.get('Sign value', None)
self.assertEqual(len(value), 512, 'Signature value for section %s not expected length' % signed_section)
@@ -266,7 +270,8 @@ KERNEL_CLASSES = " kernel-fitimage"
UBOOT_SIGN_ENABLE = "1"
FIT_GENERATE_KEYS = "1"
UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
FIT_SIGN_INDIVIDUAL = "1"
"""
self.write_config(config)
@@ -348,7 +353,8 @@ KERNEL_CLASSES = " kernel-fitimage test-mkimage-wrapper "
UBOOT_SIGN_ENABLE = "1"
FIT_GENERATE_KEYS = "1"
UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
FIT_SIGN_INDIVIDUAL = "1"
UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart U-Boot comment'"
"""
@@ -592,7 +598,8 @@ KERNEL_CLASSES = " kernel-fitimage test-mkimage-wrapper "
UBOOT_SIGN_ENABLE = "1"
FIT_GENERATE_KEYS = "1"
UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "kernel-oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
FIT_SIGN_INDIVIDUAL = "1"
"""
self.write_config(config)
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-10 12:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-10 12:30 [PATCH 0/2] Sign the image nodes with keys different from those for configuration nodes Thomas Perrot
2021-08-10 12:30 ` [PATCH 1/2] kernel-fitimage: images should not be signed with the same keys as the configurations Thomas Perrot
2021-08-10 12:30 ` [PATCH 2/2] oeqa/selftest/fitimage: update tests to use two keys Thomas Perrot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.