[PATCH v1] kernel-fit-image: Check signing key files based on algorithm
@ 2026-05-15  9:42 Jamin Lin
From: Jamin Lin @ 2026-05-15  9:42 UTC (permalink / raw)
  To: openembedded-core@lists.openembedded.org; +Cc: Troy Lee, Jamin Lin, Vince Chang

The key file validation in run_mkimage_sign() unconditionally required
.key and .crt regardless of the signing algorithm. This prevented ECDSA
signing, which uses a single .pem file.

Extract the check into _check_sign_key_files() and detect the algorithm
from the algo string (e.g. "sha256,ecdsa384") by scanning all
comma-separated parts so field order does not matter:
- ECDSA: requires <keyname>.pem
- RSA  : requires <keyname>.key and <keyname>.crt

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
 meta/lib/oe/fitimage.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/meta/lib/oe/fitimage.py b/meta/lib/oe/fitimage.py
index 881d0eae0a..e6ff66ca43 100644
--- a/meta/lib/oe/fitimage.py
+++ b/meta/lib/oe/fitimage.py
@@ -574,6 +574,18 @@ class ItsNodeRootKernel(ItsNode):
         except subprocess.CalledProcessError as e:
             bb.fatal(f"Command '{' '.join(cmd)}' failed with return code {e.returncode}\nstdout: {e.stdout.decode()}\nstderr: {e.stderr.decode()}\nitsflile: {os.path.abspath(itsfile)}")
 
+    def _check_sign_key_files(self, key_path, algo):
+        """Check signing key files: ECDSA needs .pem, RSA needs .key + .crt."""
+        algo_parts = [p.strip().lower() for p in algo.split(',')]
+        is_ecdsa = any(p.startswith('ecdsa') for p in algo_parts)
+
+        if is_ecdsa:
+            if not os.path.exists(key_path + '.pem'):
+                bb.fatal("ECDSA signing requires '%s.pem'" % key_path)
+        else:
+            if not os.path.exists(key_path + '.key') or not os.path.exists(key_path + '.crt'):
+                bb.fatal("%s.key or .crt does not exist" % key_path)
+
     def run_mkimage_sign(self, fitfile):
         if not self._sign_enable:
             bb.debug(1, "FIT image signing is disabled. Skipping signing.")
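Review bot: the `else` branch of `_check_sign_key_files()` treats every algorithm that does not start with `ecdsa` as RSA, so a misspelled or unsupported algo string is still checked against `.key`/`.crt` and the real mismatch only surfaces in mkimage, which (per the comment in `run_mkimage_sign()`) exits 0 even without the needed keys. Matching RSA explicitly and failing on anything else keeps the pre-flight check strict, e.g. `is_rsa = any(p.startswith('rsa') for p in algo_parts)` followed by `bb.fatal("Unsupported signing algorithm '%s'" % algo)` when neither matches. The RSA message "%s.key or .crt does not exist" could also name the file that is actually missing, and the pre-existing `itsflile` typo in the context line above could be fixed while this area is touched.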
@@ -581,12 +593,10 @@ class ItsNodeRootKernel(ItsNode):
 
         # Some sanity checks because mkimage exits with 0 also without needed keys
         sign_key_path = os.path.join(self._sign_keydir, self._sign_keyname_conf)
-        if not os.path.exists(sign_key_path + '.key') or not os.path.exists(sign_key_path + '.crt'):
-            bb.fatal("%s.key or .crt does not exist" % sign_key_path)
+        self._check_sign_key_files(sign_key_path, self._sign_algo)
         if self._sign_individual:
             sign_key_img_path = os.path.join(self._sign_keydir, self._sign_keyname_img)
-            if not os.path.exists(sign_key_img_path + '.key') or not os.path.exists(sign_key_img_path + '.crt'):
-                bb.fatal("%s.key or .crt does not exist" % sign_key_img_path)
+            self._check_sign_key_files(sign_key_img_path, self._sign_algo)
 
         cmd = [
             self._mkimage_sign,
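Review bot: both call sites pass `self._sign_algo`, so the individual image key (`self._sign_keyname_img`) is assumed to use the same algorithm as the configuration key; if the per-image signature can be configured with a different algorithm this checks the wrong file extension for it, and if it cannot, a short comment saying so would help readers. Since the removed lines were the only guard against mkimage silently succeeding without keys, it would also be worth covering the new helper in the oe-selftest for fitimage: an ECDSA keyname with only a `.pem` should now pass, and the RSA case should still fail on a missing `.crt`.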
-- 
2.43.0
