ref-manual: document authentication key variables

Submitted by Usama Arif on Sept. 8, 2020, 12:29 p.m. | Patch ID: 176168

Details

Message ID 20200908122912.39196-1-usama.arif@arm.com
State New

Commit Message

Usama Arif Sept. 8, 2020, 12:29 p.m.
This documents the variables used to create keys for
signing fitImage.

Signed-off-by: Usama Arif <usama.arif@arm.com>
---
 documentation/ref-manual/ref-classes.xml   |  7 ++-
 documentation/ref-manual/ref-variables.xml | 67 ++++++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)


diff --git a/documentation/ref-manual/ref-classes.xml b/documentation/ref-manual/ref-classes.xml
index 1dcd5fdd03..03151c10bf 100644
--- a/documentation/ref-manual/ref-classes.xml
+++ b/documentation/ref-manual/ref-classes.xml
@@ -1953,7 +1953,12 @@  This check was removed for YP 2.3 release
         and
         <filename><link linkend='var-FIT_SIGN_ALG'>FIT_SIGN_ALG</link></filename>
         in <filename>kernel-fitimage</filename> are "sha256" and "rsa2048"
-        respectively.
+        respectively. The keys for signing fitImage can be generated using the
+        <filename>kernel-fitimage</filename> class when both
+        <filename><link linkend='var-FIT_GENERATE_KEYS'>FIT_GENERATE_KEYS</link></filename>
+        and
+        <filename><link linkend='var-UBOOT_SIGN_ENABLE'>UBOOT_SIGN_ENABLE</link></filename>
+        are set to "1".
     </para>
 
 </section>
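Review bot: The added sentence says keys are generated "when both" FIT_GENERATE_KEYS and UBOOT_SIGN_ENABLE "are set to 1", but the FIT_GENERATE_KEYS entry added in ref-variables.xml says that variable already defaults to "1" whenever UBOOT_SIGN_ENABLE is "1", so a reader cannot tell whether FIT_GENERATE_KEYS has to be set explicitly. Reword this sentence to agree with the glossary entry. It would also help to say here that the keys are written to UBOOT_SIGN_KEYDIR and only when they do not already exist, since this paragraph is where readers of the class documentation will look first.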
diff --git a/documentation/ref-manual/ref-variables.xml b/documentation/ref-manual/ref-variables.xml
index a5064807e5..2c9f551077 100644
--- a/documentation/ref-manual/ref-variables.xml
+++ b/documentation/ref-manual/ref-variables.xml
@@ -4991,6 +4991,22 @@ 
             </glossdef>
         </glossentry>
 
+        <glossentry id='var-FIT_GENERATE_KEYS'><glossterm>FIT_GENERATE_KEYS</glossterm>
+            <info>
+               FIT_GENERATE_KEYS[doc] = "Decides whether to generate the keys for signing fitImage"
+            </info>
+            <glossdef>
+                <para role="glossdeffirst">
+                    Decides whether to generate the keys for signing fitImage
+                    if they don't already exist. The keys are created in
+                    <filename><link linkend='var-UBOOT_SIGN_KEYDIR'>UBOOT_SIGN_KEYDIR</link></filename>.
+                    The default value is "1" if
+                    <filename><link linkend='var-UBOOT_SIGN_ENABLE'>UBOOT_SIGN_ENABLE</link></filename>
+                    is set to "1", otherwise "0".
+                </para>
+            </glossdef>
+        </glossentry>
+
         <glossentry id='var-FIT_HASH_ALG'><glossterm>FIT_HASH_ALG</glossterm>
             <info>
                FIT_HASH_ALG[doc] = "Specifies the hash algorithm used in creating the FIT Image."
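Review bot: The FIT_GENERATE_KEYS para does not spell out what its default means for someone who only turns signing on: as documented, setting UBOOT_SIGN_ENABLE to "1" with no keys present in UBOOT_SIGN_KEYDIR results in a fresh key pair being created there, and the image would then be signed with a key nobody provisioned. Add a sentence advising users who supply their own signing keys to set FIT_GENERATE_KEYS to "0", so that a missing or misplaced key is noticed rather than replaced. The [doc] string should also carry the "if they don't already exist" condition that the para has, and the stated default is worth checking against the implementing patch.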
@@ -5015,6 +5031,57 @@ 
             </glossdef>
         </glossentry>
 
+        <glossentry id='var-FIT_SIGN_NUMBITS'><glossterm>FIT_SIGN_NUMBITS</glossterm>
+            <info>
+               FIT_SIGN_NUMBITS[doc] = "Size of private key in number of bits."
+            </info>
+            <glossdef>
+                <para role="glossdeffirst">
+                    Size of private key in number of bits used in fitImage.
+                    The default value is "2048".
+                </para>
+            </glossdef>
+        </glossentry>
+
+        <glossentry id='var-FIT_KEY_GENRSA_ARGS'><glossterm>FIT_KEY_GENRSA_ARGS</glossterm>
+            <info>
+               FIT_KEY_GENRSA_ARGS[doc] = "Arguments to openssl genrsa for generating RSA private key."
+            </info>
+            <glossdef>
+                <para role="glossdeffirst">
+                    Arguments to openssl genrsa for generating RSA private key
+                    for signing fitImage.
+                    The default value is "-F4". i.e. the public exponent 65537 to use.
+                </para>
+            </glossdef>
+        </glossentry>
+
+        <glossentry id='var-FIT_KEY_REQ_ARGS'><glossterm>FIT_KEY_REQ_ARGS</glossterm>
+            <info>
+               FIT_KEY_REQ_ARGS[doc] = "Arguments to openssl req for generating certificate."
+            </info>
+            <glossdef>
+                <para role="glossdeffirst">
+                    Arguments to openssl req for generating certificate for
+                    signing fitImage.
+                    The default value is "-batch -new". batch for non interactive mode
+                    and new for generating new keys.
+                </para>
+            </glossdef>
+        </glossentry>
+
+        <glossentry id='var-FIT_KEY_SIGN_PKCS'><glossterm>FIT_KEY_SIGN_PKCS</glossterm>
+            <info>
+               FIT_KEY_SIGN_PKCS[doc] = "Format for public key ceritifcate."
+            </info>
+            <glossdef>
+                <para role="glossdeffirst">
+                    Format for public key ceritifcate used in signing fitImage.
+                    The default value is "x509".
+                </para>
+            </glossdef>
+        </glossentry>
+
         <glossentry id='var-FONT_EXTRA_RDEPENDS'><glossterm>FONT_EXTRA_RDEPENDS</glossterm>
             <info>
                 FONT_EXTRA_RDEPENDS[doc] = "When a recipe inherits the fontcache class, this variable specifies runtime dependencies for font packages. This variable defaults to 'fontconfig-utils'."
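Review bot: In the FIT_KEY_REQ_ARGS entry, "new for generating new keys" misdescribes the option: openssl req -new creates a new certificate request, while the RSA private key is what the genrsa arguments documented just above cover. Suggest "-new to create a new certificate request". In the same hunk, "ceritifcate" is misspelled in both the FIT_KEY_SIGN_PKCS [doc] string and its para, and the FIT_KEY_GENRSA_ARGS text "The default value is "-F4". i.e. the public exponent 65537 to use." should be joined into one sentence. The FIT_SIGN_NUMBITS entry should also say how it relates to FIT_SIGN_ALG, whose default is given as "rsa2048" in ref-classes.xml, so that the two are not changed independently.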

Comments

Usama Arif Sept. 8, 2020, 2:25 p.m.
The patch that implements these variables is at 
https://lists.openembedded.org/g/openembedded-core/message/142262

On 08/09/2020 13:29, Usama Arif wrote:
> This documents the variables used to create keys for
> signing fitImage.
> 
> Signed-off-by: Usama Arif <usama.arif@arm.com>
> ---
>   documentation/ref-manual/ref-classes.xml   |  7 ++-
>   documentation/ref-manual/ref-variables.xml | 67 ++++++++++++++++++++++
>   2 files changed, 73 insertions(+), 1 deletion(-)
> 
> diff --git a/documentation/ref-manual/ref-classes.xml b/documentation/ref-manual/ref-classes.xml
> index 1dcd5fdd03..03151c10bf 100644
> --- a/documentation/ref-manual/ref-classes.xml
> +++ b/documentation/ref-manual/ref-classes.xml
> @@ -1953,7 +1953,12 @@ This check was removed for YP 2.3 release
>           and
>           <filename><link linkend='var-FIT_SIGN_ALG'>FIT_SIGN_ALG</link></filename>
>           in <filename>kernel-fitimage</filename> are "sha256" and "rsa2048"
> -        respectively.
> +        respectively. The keys for signing fitImage can be generated using the
> +        <filename>kernel-fitimage</filename> class when both
> +        <filename><link linkend='var-FIT_GENERATE_KEYS'>FIT_GENERATE_KEYS</link></filename>
> +        and
> +        <filename><link linkend='var-UBOOT_SIGN_ENABLE'>UBOOT_SIGN_ENABLE</link></filename>
> +        are set to "1".
>       </para>
>   
>   </section>
> diff --git a/documentation/ref-manual/ref-variables.xml b/documentation/ref-manual/ref-variables.xml
> index a5064807e5..2c9f551077 100644
> --- a/documentation/ref-manual/ref-variables.xml
> +++ b/documentation/ref-manual/ref-variables.xml
> @@ -4991,6 +4991,22 @@
>               </glossdef>
>           </glossentry>
>   
> +        <glossentry id='var-FIT_GENERATE_KEYS'><glossterm>FIT_GENERATE_KEYS</glossterm>
> +            <info>
> +               FIT_GENERATE_KEYS[doc] = "Decides whether to generate the keys for signing fitImage"
> +            </info>
> +            <glossdef>
> +                <para role="glossdeffirst">
> +                    Decides whether to generate the keys for signing fitImage
> +                    if they don't already exist. The keys are created in
> +                    <filename><link linkend='var-UBOOT_SIGN_KEYDIR'>UBOOT_SIGN_KEYDIR</link></filename>.
> +                    The default value is "1" if
> +                    <filename><link linkend='var-UBOOT_SIGN_ENABLE'>UBOOT_SIGN_ENABLE</link></filename>
> +                    is set to "1", otherwise "0".
> +                </para>
> +            </glossdef>
> +        </glossentry>
> +
>           <glossentry id='var-FIT_HASH_ALG'><glossterm>FIT_HASH_ALG</glossterm>
>               <info>
>                  FIT_HASH_ALG[doc] = "Specifies the hash algorithm used in creating the FIT Image."
> @@ -5015,6 +5031,57 @@
>               </glossdef>
>           </glossentry>
>   
> +        <glossentry id='var-FIT_SIGN_NUMBITS'><glossterm>FIT_SIGN_NUMBITS</glossterm>
> +            <info>
> +               FIT_SIGN_NUMBITS[doc] = "Size of private key in number of bits."
> +            </info>
> +            <glossdef>
> +                <para role="glossdeffirst">
> +                    Size of private key in number of bits used in fitImage.
> +                    The default value is "2048".
> +                </para>
> +            </glossdef>
> +        </glossentry>
> +
> +        <glossentry id='var-FIT_KEY_GENRSA_ARGS'><glossterm>FIT_KEY_GENRSA_ARGS</glossterm>
> +            <info>
> +               FIT_KEY_GENRSA_ARGS[doc] = "Arguments to openssl genrsa for generating RSA private key."
> +            </info>
> +            <glossdef>
> +                <para role="glossdeffirst">
> +                    Arguments to openssl genrsa for generating RSA private key
> +                    for signing fitImage.
> +                    The default value is "-F4". i.e. the public exponent 65537 to use.
> +                </para>
> +            </glossdef>
> +        </glossentry>
> +
> +        <glossentry id='var-FIT_KEY_REQ_ARGS'><glossterm>FIT_KEY_REQ_ARGS</glossterm>
> +            <info>
> +               FIT_KEY_REQ_ARGS[doc] = "Arguments to openssl req for generating certificate."
> +            </info>
> +            <glossdef>
> +                <para role="glossdeffirst">
> +                    Arguments to openssl req for generating certificate for
> +                    signing fitImage.
> +                    The default value is "-batch -new". batch for non interactive mode
> +                    and new for generating new keys.
> +                </para>
> +            </glossdef>
> +        </glossentry>
> +
> +        <glossentry id='var-FIT_KEY_SIGN_PKCS'><glossterm>FIT_KEY_SIGN_PKCS</glossterm>
> +            <info>
> +               FIT_KEY_SIGN_PKCS[doc] = "Format for public key ceritifcate."
> +            </info>
> +            <glossdef>
> +                <para role="glossdeffirst">
> +                    Format for public key ceritifcate used in signing fitImage.
> +                    The default value is "x509".
> +                </para>
> +            </glossdef>
> +        </glossentry>
> +
>           <glossentry id='var-FONT_EXTRA_RDEPENDS'><glossterm>FONT_EXTRA_RDEPENDS</glossterm>
>               <info>
>                   FONT_EXTRA_RDEPENDS[doc] = "When a recipe inherits the fontcache class, this variable specifies runtime dependencies for font packages. This variable defaults to 'fontconfig-utils'."
>