From: "Paul Eggleton" <paul.eggleton@linux.microsoft.com>
To: openembedded-core@lists.openembedded.org
Cc: Usama Arif <usama.arif@arm.com>
Subject: [PATCH 5/8] classes/kernel-fitimage: add ability to sign individual images
Date: Wed, 16 Dec 2020 18:51:39 -0800 [thread overview]
Message-ID: <80bcf9a995b32f239a043d12cfac44e75f1880a6.1608173226.git.paul.eggleton@linux.microsoft.com> (raw)
In-Reply-To: <cover.1608173226.git.paul.eggleton@linux.microsoft.com>
From: Luca Boccassi <luca.boccassi@microsoft.com>
Add the ability to have the kernel, dtb and ramdisk individually signed
by setting FIT_SIGN_INDIVIDUAL = "1". This could be useful if you are
intending to verify signatures before using kexec for example.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
---
meta/classes/kernel-fitimage.bbclass | 42 ++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 9661b4f..9fa302a 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -75,6 +75,9 @@ FIT_KEY_SIGN_PKCS ?= "-x509"
# Description string
FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
+# Sign individual images as well
+FIT_SIGN_INDIVIDUAL ?= "0"
+
# mkimage command
UBOOT_MKIMAGE ?= "uboot-mkimage"
UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
@@ -142,6 +145,8 @@ EOF
fitimage_emit_section_kernel() {
kernel_csum="${FIT_HASH_ALG}"
+ kernel_sign_algo="${FIT_SIGN_ALG}"
+ kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -164,6 +169,17 @@ fitimage_emit_section_kernel() {
};
};
EOF
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
+ sed -i '$ d' ${1}
+ cat << EOF >> ${1}
+ signature@1 {
+ algo = "${kernel_csum},${kernel_sign_algo}";
+ key-name-hint = "${kernel_sign_keyname}";
+ };
+ };
+EOF
+ fi
}
#
@@ -175,6 +191,8 @@ EOF
fitimage_emit_section_dtb() {
dtb_csum="${FIT_HASH_ALG}"
+ dtb_sign_algo="${FIT_SIGN_ALG}"
+ dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
dtb_loadline=""
dtb_ext=${DTB##*.}
@@ -198,6 +216,17 @@ fitimage_emit_section_dtb() {
};
};
EOF
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
+ sed -i '$ d' ${1}
+ cat << EOF >> ${1}
+ signature@1 {
+ algo = "${dtb_csum},${dtb_sign_algo}";
+ key-name-hint = "${dtb_sign_keyname}";
+ };
+ };
+EOF
+ fi
}
#
@@ -236,6 +265,8 @@ EOF
fitimage_emit_section_ramdisk() {
ramdisk_csum="${FIT_HASH_ALG}"
+ ramdisk_sign_algo="${FIT_SIGN_ALG}"
+ ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
ramdisk_loadline=""
ramdisk_entryline=""
@@ -261,6 +292,17 @@ fitimage_emit_section_ramdisk() {
};
};
EOF
+
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
+ sed -i '$ d' ${1}
+ cat << EOF >> ${1}
+ signature@1 {
+ algo = "${ramdisk_csum},${ramdisk_sign_algo}";
+ key-name-hint = "${ramdisk_sign_keyname}";
+ };
+ };
+EOF
+ fi
}
#
--
1.8.3.1
next prev parent reply other threads:[~2020-12-17 2:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-17 2:51 [PATCH 0/8] kernel-fitimage extensions Paul Eggleton
2020-12-17 2:51 ` [PATCH 1/8] classes/kernel-fitimage: add variable for description Paul Eggleton
2020-12-17 2:51 ` [PATCH 2/8] classes/kernel-fitimage: make fitimage_emit_section_config more readable Paul Eggleton
2020-12-17 2:51 ` [PATCH 3/8] classes/kernel-fitimage: allow substituting mkimage command Paul Eggleton
2020-12-17 2:51 ` [PATCH 4/8] classes/kernel-fitimage: add ability to add additional signing options Paul Eggleton
2020-12-17 2:51 ` Paul Eggleton [this message]
2020-12-17 2:51 ` [PATCH 6/8] oe-selftest: move FIT image tests to their own module Paul Eggleton
2020-12-17 2:51 ` [PATCH 7/8] oe-selftest: fitimage: Test for FIT_DESC Paul Eggleton
2020-12-17 2:51 ` [PATCH 8/8] oe-selftest: fitimage: add test for signing FIT images Paul Eggleton
2021-01-01 13:33 ` [PATCH 0/8] kernel-fitimage extensions Usama Arif
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=80bcf9a995b32f239a043d12cfac44e75f1880a6.1608173226.git.paul.eggleton@linux.microsoft.com \
--to=paul.eggleton@linux.microsoft.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=usama.arif@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox