[5/8] classes/kernel-fitimage: add ability to sign individual images

Submitted by Paul Eggleton on Dec. 17, 2020, 2:51 a.m. | Patch ID: 178956

Details

Message ID 80bcf9a995b32f239a043d12cfac44e75f1880a6.1608173226.git.paul.eggleton@linux.microsoft.com
State Accepted
Commit 51b6e87df6babf74e73a6d704f044bd88c277ac9

Commit Message

Paul Eggleton Dec. 17, 2020, 2:51 a.m.
From: Luca Boccassi <luca.boccassi@microsoft.com>


Add the ability to have the kernel, dtb and ramdisk individually signed
by setting FIT_SIGN_INDIVIDUAL = "1". This could be useful if you are
intending to verify signatures before using kexec for example.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>

Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>

---
 meta/classes/kernel-fitimage.bbclass | 42 ++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

-- 
1.8.3.1


diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 9661b4f..9fa302a 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -75,6 +75,9 @@  FIT_KEY_SIGN_PKCS ?= "-x509"
 # Description string
 FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
 
+# Sign individual images as well
+FIT_SIGN_INDIVIDUAL ?= "0"
+
 # mkimage command
 UBOOT_MKIMAGE ?= "uboot-mkimage"
 UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
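Review bot: The comment on `FIT_SIGN_INDIVIDUAL` does not say what else has to be set before the option has any effect. In the later hunks the signature nodes are emitted only when `UBOOT_SIGN_ENABLE` is "1" and `UBOOT_SIGN_KEYNAME` is non-empty, and they reuse `FIT_SIGN_ALG` and that same key name. I would spell this out next to the default, e.g. `# Sign the kernel, dtb and ramdisk images individually as well; needs UBOOT_SIGN_ENABLE = "1" and UBOOT_SIGN_KEYNAME, and uses FIT_SIGN_ALG`.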
@@ -142,6 +145,8 @@  EOF
 fitimage_emit_section_kernel() {
 
 	kernel_csum="${FIT_HASH_ALG}"
+	kernel_sign_algo="${FIT_SIGN_ALG}"
+	kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
 
 	ENTRYPOINT="${UBOOT_ENTRYPOINT}"
 	if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -164,6 +169,17 @@  fitimage_emit_section_kernel() {
                         };
                 };
 EOF
+
+	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
+		sed -i '$ d' ${1}
+		cat << EOF >> ${1}
+                        signature@1 {
+                                algo = "${kernel_csum},${kernel_sign_algo}";
+                                key-name-hint = "${kernel_sign_keyname}";
+                        };
+                };
+EOF
+	fi
 }
 
 #
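Review bot: With `FIT_SIGN_INDIVIDUAL = "1"` and `UBOOT_SIGN_ENABLE = "1"` but an empty `UBOOT_SIGN_KEYNAME`, the `-n "${kernel_sign_keyname}"` term turns this block into a silent no-op, so the build succeeds and the kernel image node carries no signature. Someone relying on per-image verification (the kexec case in the commit message) would only find out when verification is attempted. I would drop the `-n` term from the condition and fail inside the block instead: `[ -n "${kernel_sign_keyname}" ] || bbfatal "FIT_SIGN_INDIVIDUAL requires UBOOT_SIGN_KEYNAME to be set"`. The same applies to the dtb and ramdisk hunks below. The function starts above this hunk, so an earlier check may exist that is not visible here.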
@@ -175,6 +191,8 @@  EOF
 fitimage_emit_section_dtb() {
 
 	dtb_csum="${FIT_HASH_ALG}"
+	dtb_sign_algo="${FIT_SIGN_ALG}"
+	dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
 
 	dtb_loadline=""
 	dtb_ext=${DTB##*.}
@@ -198,6 +216,17 @@  fitimage_emit_section_dtb() {
                         };
                 };
 EOF
+
+	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
+		sed -i '$ d' ${1}
+		cat << EOF >> ${1}
+                        signature@1 {
+                                algo = "${dtb_csum},${dtb_sign_algo}";
+                                key-name-hint = "${dtb_sign_keyname}";
+                        };
+                };
+EOF
+	fi
 }
 
 #
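Review bot: `sed -i '$ d' ${1}` deletes whatever the last line of the file happens to be, on the assumption that it is the `};` closing the dtb node written by the heredoc just above. That ties this block to the exact final line of the previous heredoc, whose start is outside the hunk. Any later edit that appends a line after it would make sed remove the wrong line and leave a malformed .its. Leaving the closing `};` out of both heredocs and writing it once after `fi`, e.g. `echo "                };" >> ${1}`, avoids rewriting the file in place. The kernel and ramdisk hunks use the same pattern.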
@@ -236,6 +265,8 @@  EOF
 fitimage_emit_section_ramdisk() {
 
 	ramdisk_csum="${FIT_HASH_ALG}"
+	ramdisk_sign_algo="${FIT_SIGN_ALG}"
+	ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
 	ramdisk_loadline=""
 	ramdisk_entryline=""
 
@@ -261,6 +292,17 @@  fitimage_emit_section_ramdisk() {
                         };
                 };
 EOF
+
+	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
+		sed -i '$ d' ${1}
+		cat << EOF >> ${1}
+                        signature@1 {
+                                algo = "${ramdisk_csum},${ramdisk_sign_algo}";
+                                key-name-hint = "${ramdisk_sign_keyname}";
+                        };
+                };
+EOF
+	fi
 }
 
 #
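Review bot: This block is the third copy of the same code; the kernel, dtb and ramdisk versions differ only in the local variable prefix, and all three read the same `FIT_HASH_ALG`, `FIT_SIGN_ALG` and `UBOOT_SIGN_KEYNAME`. A single helper taking the .its path would keep the three from drifting apart when the node format or the signing condition changes. Each caller would then reduce to something like `fitimage_emit_section_signature ${1}` (the name is only a suggestion). The `*_sign_algo` and `*_sign_keyname` locals added in the earlier hunks could move into that helper as well.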