mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 12:29:55 +00:00
Code Issues Projects Releases Wiki Activity

classes/kernel-fitimage: add ability to sign individual images

Browse Source 
Add the ability to have the kernel, dtb and ramdisk individually signed
by setting FIT_SIGN_INDIVIDUAL = "1". This could be useful if you are
intending to verify signatures before using kexec for example.

(From OE-Core rev: 51b6e87df6babf74e73a6d704f044bd88c277ac9)

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Luca Boccassi
2020-12-16 18:51:39 -08:00
committed by Richard Purdie
parent 5a25585437
commit a49a29892e
1 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/classes/kernel-fitimage.bbclass
+42
View File
@@ -75,6 +75,9 @@ FIT_KEY_SIGN_PKCS ?= "-x509"
# Description string # Description string
FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
# Sign individual images as well
FIT_SIGN_INDIVIDUAL ?= "0"
# mkimage command # mkimage command
UBOOT_MKIMAGE ?= "uboot-mkimage" UBOOT_MKIMAGE ?= "uboot-mkimage"
UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}" UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
@@ -142,6 +145,8 @@ EOF
fitimage_emit_section_kernel() { fitimage_emit_section_kernel() {
kernel_csum="${FIT_HASH_ALG}" kernel_csum="${FIT_HASH_ALG}"
kernel_sign_algo="${FIT_SIGN_ALG}"
kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}" ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -164,6 +169,17 @@ fitimage_emit_section_kernel() {
}; };
}; };
EOF EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
signature@1 {
algo = "${kernel_csum},${kernel_sign_algo}";
key-name-hint = "${kernel_sign_keyname}";
};
};
EOF
fi
} }
# #
@@ -175,6 +191,8 @@ EOF
fitimage_emit_section_dtb() { fitimage_emit_section_dtb() {
dtb_csum="${FIT_HASH_ALG}" dtb_csum="${FIT_HASH_ALG}"
dtb_sign_algo="${FIT_SIGN_ALG}"
dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
dtb_loadline="" dtb_loadline=""
dtb_ext=${DTB##*.} dtb_ext=${DTB##*.}
@@ -198,6 +216,17 @@ fitimage_emit_section_dtb() {
}; };
}; };
EOF EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
signature@1 {
algo = "${dtb_csum},${dtb_sign_algo}";
key-name-hint = "${dtb_sign_keyname}";
};
};
EOF
fi
} }
# #
@@ -236,6 +265,8 @@ EOF
fitimage_emit_section_ramdisk() { fitimage_emit_section_ramdisk() {
ramdisk_csum="${FIT_HASH_ALG}" ramdisk_csum="${FIT_HASH_ALG}"
ramdisk_sign_algo="${FIT_SIGN_ALG}"
ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
ramdisk_loadline="" ramdisk_loadline=""
ramdisk_entryline="" ramdisk_entryline=""
@@ -261,6 +292,17 @@ fitimage_emit_section_ramdisk() {
}; };
}; };
EOF EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
signature@1 {
algo = "${ramdisk_csum},${ramdisk_sign_algo}";
key-name-hint = "${ramdisk_sign_keyname}";
};
};
EOF
fi
} }
# #