* [OE-core][PATCH] kernel-fitimage: images should not be signed with the same keys as the configurations
@ 2021-08-06 16:10 Thomas Perrot
2021-08-08 19:19 ` Alexandre Belloni
0 siblings, 1 reply; 3+ messages in thread
From: Thomas Perrot @ 2021-08-06 16:10 UTC (permalink / raw)
To: openembedded-core; +Cc: Thomas Perrot
Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set to "conf"
and no error will be raised in case of error.
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
---
meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++++++++++++----
1 file changed, 35 insertions(+), 5 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index a9d1002200c9..72f692e40e63 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -60,6 +60,14 @@ FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
# Sign individual images as well
FIT_SIGN_INDIVIDUAL ?= "0"
+# Keys used to sign individually images nodes.
+# The keys to sign images nodes must be different from those used to sign
+# configurations nodes, otherwise the "required" property, from
+# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
+# Then images signature checking will not be mandatory and no error will be
+# raised.
+# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
+
#
# Emit the fitImage ITS header
#
@@ -121,7 +129,7 @@ fitimage_emit_section_kernel() {
kernel_csum="${FIT_HASH_ALG}"
kernel_sign_algo="${FIT_SIGN_ALG}"
- kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -167,7 +175,7 @@ fitimage_emit_section_dtb() {
dtb_csum="${FIT_HASH_ALG}"
dtb_sign_algo="${FIT_SIGN_ALG}"
- dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
dtb_loadline=""
dtb_ext=${DTB##*.}
@@ -214,7 +222,7 @@ fitimage_emit_section_boot_script() {
bootscr_csum="${FIT_HASH_ALG}"
bootscr_sign_algo="${FIT_SIGN_ALG}"
- bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
cat << EOF >> ${1}
bootscr-${2} {
@@ -278,7 +286,7 @@ fitimage_emit_section_ramdisk() {
ramdisk_csum="${FIT_HASH_ALG}"
ramdisk_sign_algo="${FIT_SIGN_ALG}"
- ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+ ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ramdisk_loadline=""
ramdisk_entryline=""
@@ -475,6 +483,10 @@ fitimage_assemble() {
bootscr_id=""
rm -f ${1} arch/${ARCH}/boot/${2}
+ if [ "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then
+ bbfatal "Keys used to sign images and configuration nodes must be different."
+ fi
+
fitimage_emit_fit_header ${1}
#
@@ -674,7 +686,7 @@ do_kernel_generate_rsa_keys() {
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
- # Generate keys only if they don't already exist
+ # Generate keys to sign configuration nodes, only if they don't already exist
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
@@ -691,6 +703,24 @@ do_kernel_generate_rsa_keys() {
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
fi
+
+ # Generate keys to sign image nodes, only if they don't already exist
+ if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
+ [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
+
+ # make directory if it does not already exist
+ mkdir -p "${UBOOT_SIGN_KEYDIR}"
+
+ echo "Generating RSA private key for signing fitImage"
+ openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+ "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+ "${FIT_SIGN_NUMBITS}"
+
+ echo "Generating certificate for signing fitImage"
+ openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+ -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+ -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
+ fi
fi
}
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core][PATCH] kernel-fitimage: images should not be signed with the same keys as the configurations
2021-08-06 16:10 [OE-core][PATCH] kernel-fitimage: images should not be signed with the same keys as the configurations Thomas Perrot
@ 2021-08-08 19:19 ` Alexandre Belloni
2021-08-09 8:37 ` Thomas Perrot
0 siblings, 1 reply; 3+ messages in thread
From: Alexandre Belloni @ 2021-08-08 19:19 UTC (permalink / raw)
To: Thomas Perrot; +Cc: openembedded-core
Hello,
On 06/08/2021 18:10:38+0200, Thomas Perrot wrote:
> Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set to "conf"
> and no error will be raised in case of error.
>
> Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
> ---
> meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++++++++++++----
> 1 file changed, 35 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index a9d1002200c9..72f692e40e63 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -60,6 +60,14 @@ FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
> # Sign individual images as well
> FIT_SIGN_INDIVIDUAL ?= "0"
>
> +# Keys used to sign individually images nodes.
> +# The keys to sign images nodes must be different from those used to sign
> +# configurations nodes, otherwise the "required" property, from
> +# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
> +# Then images signature checking will not be mandatory and no error will be
> +# raised.
> +# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
> +
> #
> # Emit the fitImage ITS header
> #
> @@ -121,7 +129,7 @@ fitimage_emit_section_kernel() {
>
> kernel_csum="${FIT_HASH_ALG}"
> kernel_sign_algo="${FIT_SIGN_ALG}"
> - kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> + kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
>
> ENTRYPOINT="${UBOOT_ENTRYPOINT}"
> if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
> @@ -167,7 +175,7 @@ fitimage_emit_section_dtb() {
>
> dtb_csum="${FIT_HASH_ALG}"
> dtb_sign_algo="${FIT_SIGN_ALG}"
> - dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> + dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
>
> dtb_loadline=""
> dtb_ext=${DTB##*.}
> @@ -214,7 +222,7 @@ fitimage_emit_section_boot_script() {
>
> bootscr_csum="${FIT_HASH_ALG}"
> bootscr_sign_algo="${FIT_SIGN_ALG}"
> - bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> + bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
>
> cat << EOF >> ${1}
> bootscr-${2} {
> @@ -278,7 +286,7 @@ fitimage_emit_section_ramdisk() {
>
> ramdisk_csum="${FIT_HASH_ALG}"
> ramdisk_sign_algo="${FIT_SIGN_ALG}"
> - ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> + ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
> ramdisk_loadline=""
> ramdisk_entryline=""
>
> @@ -475,6 +483,10 @@ fitimage_assemble() {
> bootscr_id=""
> rm -f ${1} arch/${ARCH}/boot/${2}
>
> + if [ "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then
> + bbfatal "Keys used to sign images and configuration nodes must be different."
This breaks oe-selftest, as seen in:
https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/2383/steps/14/logs/stdio
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core][PATCH] kernel-fitimage: images should not be signed with the same keys as the configurations
2021-08-08 19:19 ` Alexandre Belloni
@ 2021-08-09 8:37 ` Thomas Perrot
0 siblings, 0 replies; 3+ messages in thread
From: Thomas Perrot @ 2021-08-09 8:37 UTC (permalink / raw)
To: openembedded-core; +Cc: Alexandre Belloni
[-- Attachment #1: Type: text/plain, Size: 3893 bytes --]
Hello Alexandre,
On Sun, 2021-08-08 at 21:19 +0200, Alexandre Belloni wrote:
> Hello,
>
> On 06/08/2021 18:10:38+0200, Thomas Perrot wrote:
> > Otherwise the "required" property, from UBOOT_DTB_BINARY, will be set
> > to "conf"
> > and no error will be raised in case of error.
> >
> > Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
> > ---
> > meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++++++++++++--
> > --
> > 1 file changed, 35 insertions(+), 5 deletions(-)
> >
> > diff --git a/meta/classes/kernel-fitimage.bbclass
> > b/meta/classes/kernel-fitimage.bbclass
> > index a9d1002200c9..72f692e40e63 100644
> > --- a/meta/classes/kernel-fitimage.bbclass
> > +++ b/meta/classes/kernel-fitimage.bbclass
> > @@ -60,6 +60,14 @@ FIT_DESC ?= "Kernel fitImage for
> > ${DISTRO_NAME}/${PV}/${MACHINE}"
> > # Sign individual images as well
> > FIT_SIGN_INDIVIDUAL ?= "0"
> >
> > +# Keys used to sign individually images nodes.
> > +# The keys to sign images nodes must be different from those used to
> > sign
> > +# configurations nodes, otherwise the "required" property, from
> > +# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails
> > on "image".
> > +# Then images signature checking will not be mandatory and no error
> > will be
> > +# raised.
> > +# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg.
> > "dev2.crt", "dev2.key")
> > +
> > #
> > # Emit the fitImage ITS header
> > #
> > @@ -121,7 +129,7 @@ fitimage_emit_section_kernel() {
> >
> > kernel_csum="${FIT_HASH_ALG}"
> > kernel_sign_algo="${FIT_SIGN_ALG}"
> > - kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> > + kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
> >
> > ENTRYPOINT="${UBOOT_ENTRYPOINT}"
> > if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
> > @@ -167,7 +175,7 @@ fitimage_emit_section_dtb() {
> >
> > dtb_csum="${FIT_HASH_ALG}"
> > dtb_sign_algo="${FIT_SIGN_ALG}"
> > - dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> > + dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
> >
> > dtb_loadline=""
> > dtb_ext=${DTB##*.}
> > @@ -214,7 +222,7 @@ fitimage_emit_section_boot_script() {
> >
> > bootscr_csum="${FIT_HASH_ALG}"
> > bootscr_sign_algo="${FIT_SIGN_ALG}"
> > - bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> > + bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
> >
> > cat << EOF >> ${1}
> > bootscr-${2} {
> > @@ -278,7 +286,7 @@ fitimage_emit_section_ramdisk() {
> >
> > ramdisk_csum="${FIT_HASH_ALG}"
> > ramdisk_sign_algo="${FIT_SIGN_ALG}"
> > - ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> > + ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
> > ramdisk_loadline=""
> > ramdisk_entryline=""
> >
> > @@ -475,6 +483,10 @@ fitimage_assemble() {
> > bootscr_id=""
> > rm -f ${1} arch/${ARCH}/boot/${2}
> >
> > + if [ "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ];
> > then
> > + bbfatal "Keys used to sign images and configuration
> > nodes must be different."
>
> This breaks oe-selftest, as seen in:
> https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/2383/steps/14/logs/stdio
>
Thank you for the feedback.
The tests also need to be updated, so I will submit a v2, including the
required changes on the test side.
Best regards,
Thomas Perrot
>
>
>
>
--
Thomas Perrot, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 673 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-09 8:37 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-06 16:10 [OE-core][PATCH] kernel-fitimage: images should not be signed with the same keys as the configurations Thomas Perrot
2021-08-08 19:19 ` Alexandre Belloni
2021-08-09 8:37 ` Thomas Perrot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.