From: Jamin Lin <jamin_lin@aspeedtech.com>
To: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Cc: Troy Lee <troy_lee@aspeedtech.com>,
Jamin Lin <jamin_lin@aspeedtech.com>,
Vince Chang <vince_chang@aspeedtech.com>
Subject: [PATCH v1] kernel-fit-image: Check signing key files based on algorithm
Date: Fri, 15 May 2026 09:42:51 +0000 [thread overview]
Message-ID: <20260515094251.433364-1-jamin_lin@aspeedtech.com> (raw)
The key file validation in run_mkimage_sign() unconditionally required
.key and .crt regardless of the signing algorithm. This prevented ECDSA
signing which uses a single .pem file.
Extract the check into _check_sign_key_files() and detect the algorithm
from the algo string (e.g. "sha256,ecdsa384") by scanning all
comma-separated parts so field order does not matter:
- ECDSA: requires <keyname>.pem
- RSA : requires <keyname>.key and <keyname>.crt
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
meta/lib/oe/fitimage.py | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/meta/lib/oe/fitimage.py b/meta/lib/oe/fitimage.py
index 881d0eae0a..e6ff66ca43 100644
--- a/meta/lib/oe/fitimage.py
+++ b/meta/lib/oe/fitimage.py
@@ -574,6 +574,18 @@ class ItsNodeRootKernel(ItsNode):
except subprocess.CalledProcessError as e:
bb.fatal(f"Command '{' '.join(cmd)}' failed with return code {e.returncode}\nstdout: {e.stdout.decode()}\nstderr: {e.stderr.decode()}\nitsflile: {os.path.abspath(itsfile)}")
+ def _check_sign_key_files(self, key_path, algo):
+ """Check signing key files: ECDSA needs .pem, RSA needs .key + .crt."""
+ algo_parts = [p.strip().lower() for p in algo.split(',')]
+ is_ecdsa = any(p.startswith('ecdsa') for p in algo_parts)
+
+ if is_ecdsa:
+ if not os.path.exists(key_path + '.pem'):
+ bb.fatal("ECDSA signing requires '%s.pem'" % key_path)
+ else:
+ if not os.path.exists(key_path + '.key') or not os.path.exists(key_path + '.crt'):
+ bb.fatal("%s.key or .crt does not exist" % key_path)
+
def run_mkimage_sign(self, fitfile):
if not self._sign_enable:
bb.debug(1, "FIT image signing is disabled. Skipping signing.")
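Review bot: the trailing `else` in `_check_sign_key_files` treats every algo string that has no `ecdsa` part as RSA, so a typo or an unsupported algorithm name is reported as `%s.key or .crt does not exist`, which points the user at the wrong problem. Consider detecting RSA explicitly next to the ECDSA test, e.g. `is_rsa = any(p.startswith('rsa') for p in algo_parts)`, branching on `elif is_rsa:` for the `.key`/`.crt` check, and ending with `else: bb.fatal("Unsupported signing algorithm '%s'" % algo)`. In the same spirit, `algo.split(',')` raises `AttributeError` if `algo` is ever `None`; a `bb.fatal` on an empty or unset algo would keep the failure in the same style as the other sanity checks that exist because mkimage exits 0 without the needed keys.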
@@ -581,12 +593,10 @@ class ItsNodeRootKernel(ItsNode):
# Some sanity checks because mkimage exits with 0 also without needed keys
sign_key_path = os.path.join(self._sign_keydir, self._sign_keyname_conf)
- if not os.path.exists(sign_key_path + '.key') or not os.path.exists(sign_key_path + '.crt'):
- bb.fatal("%s.key or .crt does not exist" % sign_key_path)
+ self._check_sign_key_files(sign_key_path, self._sign_algo)
if self._sign_individual:
sign_key_img_path = os.path.join(self._sign_keydir, self._sign_keyname_img)
- if not os.path.exists(sign_key_img_path + '.key') or not os.path.exists(sign_key_img_path + '.crt'):
- bb.fatal("%s.key or .crt does not exist" % sign_key_img_path)
+ self._check_sign_key_files(sign_key_img_path, self._sign_algo)
cmd = [
self._mkimage_sign,
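Review bot: both call sites pass the single `self._sign_algo` for the configuration key and for the per-image key under `self._sign_individual`, so the patch assumes one signing algorithm for both key sets; the commit message should state that constraint explicitly, since the `.pem` versus `.key`/`.crt` requirement is now derived from that one attribute for both paths. Also worth a sentence in the commit message: the RSA error text is carried over unchanged from the removed lines, so only the ECDSA path produces a new message.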
--
2.43.0