From 3d3b28ee73e7a7a8b0a477dd921d7403dd4eb742 Mon Sep 17 00:00:00 2001
From: Bence Balogh
Date: Wed, 30 Apr 2025 13:47:04 +0200
Subject: [PATCH] arm/classes/tfm_sign_image: Update script so different keys can be used
The tfm_sign_image.bbclass was updated so now the used signing key is passed by the caller. This is needed because there can be cases where different images have to be signed with different keys. If no key is passed to the script, then use a default one to keep the backward compatibility.
Signed-off-by: Bence Balogh
Signed-off-by: Jon Mason
---
 meta-arm/classes/tfm_sign_image.bbclass | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta-arm/classes/tfm_sign_image.bbclass b/meta-arm/classes/tfm_sign_image.bbclass
index 44ef3318..3b662e66 100644
--- a/meta-arm/classes/tfm_sign_image.bbclass
+++ b/meta-arm/classes/tfm_sign_image.bbclass
@@ -40,7 +40,6 @@ export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
 TFM_IMAGE_SIGN_ARGS ?= "\
 -v ${RE_LAYOUT_WRAPPER_VERSION} \
 --layout "${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}" \
- -k "${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}" \
 --public-key-format full \
 --align 1 \
 --pad \
@@ -63,12 +62,15 @@ TFM_IMAGE_SIGN_ARGS ?= "\
 # $1 ... path of binary to sign
 # $2 ... load address of the given binary
 # $3 ... signed binary size
+# $4 ... signing private key's path
 #
 # Note: The signed binary is copied to ${TFM_IMAGE_SIGN_DIR}
 #
 sign_host_image() {
 host_binary_filename="$(basename -s .bin "${1}")"
 host_binary_layout="${host_binary_filename}_ns"
+ # If no key was passed then use the ${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}
+ signing_key_path="${4:-${RECIPE_SYSROOT_NATIVE}/${TFM_SIGN_PRIVATE_KEY}}"
 cat << EOF > ${TFM_IMAGE_SIGN_DIR}/${host_binary_layout}
 enum image_attributes {
@@ -81,6 +83,7 @@ EOF
 ${PYTHON} "${STAGING_LIBDIR_NATIVE}/tfm-scripts/wrapper/wrapper.py" \
 ${TFM_IMAGE_SIGN_ARGS} \
+ -k "${signing_key_path}" \
 "${1}" \
 "${host_binary_signed}"
 }
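Review bot: Because `TFM_IMAGE_SIGN_ARGS` is a weak (`?=`) default, a layer that already overrides it with its own `-k` will, after this change, pass wrapper.py two `-k` options: one from the override and one from the `-k "${signing_key_path}"` line added in the third hunk. Which key then signs the image depends on the wrapper's option parsing, which is not visible in this patch, so the result may be an image signed with a key the integrator did not intend. I would document the new contract above the variable, e.g. `# Do not put -k in TFM_IMAGE_SIGN_ARGS; sign_host_image() supplies the key ($4, else TFM_SIGN_PRIVATE_KEY)`, and mention the behaviour change in the commit message.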
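Review bot: The `${4:-…}` fallback in `sign_host_image()` is silent, and `:-` treats an empty argument like a missing one, so a caller whose key variable expands to an empty string gets the image signed with `${TFM_SIGN_PRIVATE_KEY}` while the build still succeeds. If that default can be a development key (not visible in this patch), an image meant for a different key could ship signed with it unnoticed. After the assignment I would add `[ -r "${signing_key_path}" ] || bbfatal "signing key not readable: ${signing_key_path}"` and `bbnote "Signing ${1} with ${signing_key_path}"`, so the key actually used is checked and recorded in the task log. The function body continues past this hunk.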