signature via HSM distant et PKCS#11

2024-02-06 19:04:43 +00:00
parent 90619b9cc7
commit c96a0898a9
18 changed files with 1807 additions and 28 deletions


@@ -0,0 +1,830 @@
inherit kernel-uboot kernel-artifact-names uboot-sign
def get_fit_replacement_type(d):
kerneltypes = d.getVar('KERNEL_IMAGETYPES') or ""
replacementtype = ""
if 'fitImage' in kerneltypes.split():
uarch = d.getVar("UBOOT_ARCH")
if uarch == "arm64":
replacementtype = "Image"
elif uarch == "riscv":
replacementtype = "Image"
elif uarch == "mips":
replacementtype = "vmlinuz.bin"
elif uarch == "x86":
replacementtype = "bzImage"
elif uarch == "microblaze":
replacementtype = "linux.bin"
else:
replacementtype = "zImage"
return replacementtype
KERNEL_IMAGETYPE_REPLACEMENT ?= "${@get_fit_replacement_type(d)}"
DEPENDS:append = " ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''}"
python __anonymous () {
# Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
# to kernel.bbclass . We have to override it, since we pack zImage
# (at least for now) into the fitImage .
typeformake = d.getVar("KERNEL_IMAGETYPE_FOR_MAKE") or ""
if 'fitImage' in typeformake.split():
d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', typeformake.replace('fitImage', d.getVar('KERNEL_IMAGETYPE_REPLACEMENT')))
image = d.getVar('INITRAMFS_IMAGE')
if image:
d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete')
ubootenv = d.getVar('UBOOT_ENV')
if ubootenv:
d.appendVarFlag('do_assemble_fitimage', 'depends', ' virtual/bootloader:do_populate_sysroot')
#check if there are any dtb providers
providerdtb = d.getVar("PREFERRED_PROVIDER_virtual/dtb")
if providerdtb:
d.appendVarFlag('do_assemble_fitimage', 'depends', ' virtual/dtb:do_populate_sysroot')
d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' virtual/dtb:do_populate_sysroot')
d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree")
# Verified boot will sign the fitImage and append the public key to
# U-Boot dtb. We ensure the U-Boot dtb is deployed before assembling
# the fitImage:
if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'):
uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'
d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' %s:do_populate_sysroot' % uboot_pn)
}
# Description string
FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
# Sign individual images as well
FIT_SIGN_INDIVIDUAL ?= "0"
FIT_CONF_PREFIX ?= "conf-"
FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name"
FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio"
# Keys used to sign individually image nodes.
# The keys to sign image nodes must be different from those used to sign
# configuration nodes, otherwise the "required" property, from
# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
# Then the images signature checking will not be mandatory and no error will be
# raised in case of failure.
# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
#
# Emit the fitImage ITS header
#
# $1 ... .its filename
fitimage_emit_fit_header() {
cat << EOF >> $1
/dts-v1/;
/ {
description = "${FIT_DESC}";
#address-cells = <1>;
EOF
}
#
# Emit the fitImage section bits
#
# $1 ... .its filename
# $2 ... Section bit type: imagestart - image section start
# confstart - configuration section start
# sectend - section end
# fitend - fitimage end
#
fitimage_emit_section_maint() {
case $2 in
imagestart)
cat << EOF >> $1
images {
EOF
;;
confstart)
cat << EOF >> $1
configurations {
EOF
;;
sectend)
cat << EOF >> $1
};
EOF
;;
fitend)
cat << EOF >> $1
};
EOF
;;
esac
}
#
# Emit the fitImage ITS kernel section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to kernel image
# $4 ... Compression type
fitimage_emit_section_kernel() {
kernel_csum="${FIT_HASH_ALG}"
kernel_sign_algo="${FIT_SIGN_ALG}"
kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
ENTRYPOINT=`${HOST_PREFIX}nm vmlinux | \
awk '$3=="${UBOOT_ENTRYSYMBOL}" {print "0x"$1;exit}'`
fi
cat << EOF >> $1
kernel-$2 {
description = "Linux kernel";
data = /incbin/("$3");
type = "${UBOOT_MKIMAGE_KERNEL_TYPE}";
arch = "${UBOOT_ARCH}";
os = "linux";
compression = "$4";
load = <${UBOOT_LOADADDRESS}>;
entry = <$ENTRYPOINT>;
hash-1 {
algo = "$kernel_csum";
};
};
EOF
#key-name-hint = "$kernel_sign_keyname";
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$kernel_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$kernel_csum,$kernel_sign_algo";
key-name-hint = "Private%20key%20for%20Digital%20Signature";
};
};
EOF
fi
}
#
# Emit the fitImage ITS DTB section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to DTB image
fitimage_emit_section_dtb() {
dtb_csum="${FIT_HASH_ALG}"
dtb_sign_algo="${FIT_SIGN_ALG}"
dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
dtb_loadline=""
dtb_ext=${DTB##*.}
if [ "${dtb_ext}" = "dtbo" ]; then
if [ -n "${UBOOT_DTBO_LOADADDRESS}" ]; then
dtb_loadline="load = <${UBOOT_DTBO_LOADADDRESS}>;"
fi
elif [ -n "${UBOOT_DTB_LOADADDRESS}" ]; then
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> $1
fdt-$2 {
description = "Flattened Device Tree blob";
data = /incbin/("$3");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
$dtb_loadline
hash-1 {
algo = "$dtb_csum";
};
};
EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$dtb_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$dtb_csum,$dtb_sign_algo";
key-name-hint = "$dtb_sign_keyname";
};
};
EOF
fi
}
#
# Emit the fitImage ITS u-boot script section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to boot script image
fitimage_emit_section_boot_script() {
bootscr_csum="${FIT_HASH_ALG}"
bootscr_sign_algo="${FIT_SIGN_ALG}"
bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
cat << EOF >> $1
bootscr-$2 {
description = "U-boot script";
data = /incbin/("$3");
type = "script";
arch = "${UBOOT_ARCH}";
compression = "none";
hash-1 {
algo = "$bootscr_csum";
};
};
EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$bootscr_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$bootscr_csum,$bootscr_sign_algo";
key-name-hint = "$bootscr_sign_keyname";
};
};
EOF
fi
}
#
# Emit the fitImage ITS setup section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to setup image
fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> $1
setup-$2 {
description = "Linux setup.bin";
data = /incbin/("$3");
type = "x86_setup";
arch = "${UBOOT_ARCH}";
os = "linux";
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
hash-1 {
algo = "$setup_csum";
};
};
EOF
}
#
# Emit the fitImage ITS ramdisk section
#
# $1 ... .its filename
# $2 ... Image counter
# $3 ... Path to ramdisk image
fitimage_emit_section_ramdisk() {
ramdisk_csum="${FIT_HASH_ALG}"
ramdisk_sign_algo="${FIT_SIGN_ALG}"
ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
ramdisk_loadline=""
ramdisk_entryline=""
if [ -n "${UBOOT_RD_LOADADDRESS}" ]; then
ramdisk_loadline="load = <${UBOOT_RD_LOADADDRESS}>;"
fi
if [ -n "${UBOOT_RD_ENTRYPOINT}" ]; then
ramdisk_entryline="entry = <${UBOOT_RD_ENTRYPOINT}>;"
fi
cat << EOF >> $1
ramdisk-$2 {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("$3");
type = "ramdisk";
arch = "${UBOOT_ARCH}";
os = "linux";
compression = "none";
$ramdisk_loadline
$ramdisk_entryline
hash-1 {
algo = "$ramdisk_csum";
};
};
EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$ramdisk_sign_keyname" ] ; then
sed -i '$ d' $1
cat << EOF >> $1
signature-1 {
algo = "$ramdisk_csum,$ramdisk_sign_algo";
key-name-hint = "$ramdisk_sign_keyname";
};
};
EOF
fi
}
#
# Emit the fitImage ITS configuration section
#
# $1 ... .its filename
# $2 ... Linux kernel ID
# $3 ... DTB image name
# $4 ... ramdisk ID
# $5 ... u-boot script ID
# $6 ... config ID
# $7 ... default flag
fitimage_emit_section_config() {
conf_csum="${FIT_HASH_ALG}"
conf_sign_algo="${FIT_SIGN_ALG}"
conf_padding_algo="${FIT_PAD_ALG}"
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
fi
its_file="$1"
kernel_id="$2"
dtb_image="$3"
ramdisk_id="$4"
bootscr_id="$5"
config_id="$6"
default_flag="$7"
# Test if we have any DTBs at all
sep=""
conf_desc=""
conf_node="${FIT_CONF_PREFIX}"
kernel_line=""
fdt_line=""
ramdisk_line=""
bootscr_line=""
setup_line=""
default_line=""
# conf node name is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
if [ -n "$dtb_image" ]; then
conf_node=$conf_node$dtb_image
else
conf_node=$conf_node$kernel_id
fi
if [ -n "$kernel_id" ]; then
conf_desc="Linux kernel"
sep=", "
kernel_line="kernel = \"kernel-$kernel_id\";"
fi
if [ -n "$dtb_image" ]; then
conf_desc="$conf_desc${sep}FDT blob"
sep=", "
fdt_line="fdt = \"fdt-$dtb_image\";"
fi
if [ -n "$ramdisk_id" ]; then
conf_desc="$conf_desc${sep}ramdisk"
sep=", "
ramdisk_line="ramdisk = \"ramdisk-$ramdisk_id\";"
fi
if [ -n "$bootscr_id" ]; then
conf_desc="$conf_desc${sep}u-boot script"
sep=", "
bootscr_line="bootscr = \"bootscr-$bootscr_id\";"
fi
if [ -n "$config_id" ]; then
conf_desc="$conf_desc${sep}setup"
setup_line="setup = \"setup-$config_id\";"
fi
if [ "$default_flag" = "1" ]; then
# default node is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
if [ -n "$dtb_image" ]; then
default_line="default = \"${FIT_CONF_PREFIX}$dtb_image\";"
else
default_line="default = \"${FIT_CONF_PREFIX}$kernel_id\";"
fi
fi
cat << EOF >> $its_file
$default_line
$conf_node {
description = "$default_flag $conf_desc";
$kernel_line
$fdt_line
$ramdisk_line
$bootscr_line
$setup_line
hash-1 {
algo = "$conf_csum";
};
EOF
if [ -n "$conf_sign_keyname" ] ; then
sign_line="sign-images = "
sep=""
if [ -n "$kernel_id" ]; then
sign_line="$sign_line${sep}\"kernel\""
sep=", "
fi
if [ -n "$dtb_image" ]; then
sign_line="$sign_line${sep}\"fdt\""
sep=", "
fi
if [ -n "$ramdisk_id" ]; then
sign_line="$sign_line${sep}\"ramdisk\""
sep=", "
fi
if [ -n "$bootscr_id" ]; then
sign_line="$sign_line${sep}\"bootscr\""
sep=", "
fi
if [ -n "$config_id" ]; then
sign_line="$sign_line${sep}\"setup\""
fi
sign_line="$sign_line;"
#key-name-hint = "$conf_sign_keyname";
cat << EOF >> $its_file
signature-1 {
algo = "$conf_csum,$conf_sign_algo";
key-name-hint = "Private%20key%20for%20Digital%20Signature";
padding = "$conf_padding_algo";
$sign_line
};
EOF
fi
cat << EOF >> $its_file
};
EOF
}
#
# Assemble fitImage
#
# $1 ... .its filename
# $2 ... fitImage name
# $3 ... include ramdisk
fitimage_assemble() {
kernelcount=1
dtbcount=""
DTBS=""
ramdiskcount=$3
setupcount=""
bootscr_id=""
uboot_sign_expect_file="${UBOOT_EXPECT_FILE}"
rm -f $1 arch/${ARCH}/boot/$2
if [ -n "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then
bbfatal "Keys used to sign images and configuration nodes must be different."
fi
fitimage_emit_fit_header $1
#
# Step 1: Prepare a kernel image section.
#
fitimage_emit_section_maint $1 imagestart
uboot_prep_kimage
fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp"
#
# Step 2: Prepare a DTB image section
#
if [ -n "${KERNEL_DEVICETREE}" ]; then
dtbcount=1
for DTB in ${KERNEL_DEVICETREE}; do
if echo $DTB | grep -q '/dts/'; then
bbwarn "$DTB contains the full path to the the dts file, but only the dtb name should be used."
DTB=`basename $DTB | sed 's,\.dts$,.dtb,g'`
fi
# Skip ${DTB} if it's also provided in ${EXTERNAL_KERNEL_DEVICETREE}
if [ -n "${EXTERNAL_KERNEL_DEVICETREE}" ] && [ -s ${EXTERNAL_KERNEL_DEVICETREE}/${DTB} ]; then
continue
fi
DTB_PATH="arch/${ARCH}/boot/dts/$DTB"
if [ ! -e "$DTB_PATH" ]; then
DTB_PATH="arch/${ARCH}/boot/$DTB"
fi
DTB=$(echo "$DTB" | tr '/' '_')
# Skip DTB if we've picked it up previously
echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue
DTBS="$DTBS $DTB"
fitimage_emit_section_dtb $1 $DTB $DTB_PATH
done
fi
if [ -n "${EXTERNAL_KERNEL_DEVICETREE}" ]; then
dtbcount=1
for DTB in $(find "${EXTERNAL_KERNEL_DEVICETREE}" \( -name '*.dtb' -o -name '*.dtbo' \) -printf '%P\n' | sort); do
DTB=$(echo "$DTB" | tr '/' '_')
# Skip DTB if we've picked it up previously
echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue
DTBS="$DTBS $DTB"
fitimage_emit_section_dtb $1 $DTB "${EXTERNAL_KERNEL_DEVICETREE}/$DTB"
done
fi
#
# Step 3: Prepare a u-boot script section
#
if [ -n "${UBOOT_ENV}" ] && [ -d "${STAGING_DIR_HOST}/boot" ]; then
if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then
cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B}
bootscr_id="${UBOOT_ENV_BINARY}"
fitimage_emit_section_boot_script $1 "$bootscr_id" ${UBOOT_ENV_BINARY}
else
bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found."
fi
fi
#
# Step 4: Prepare a setup section. (For x86)
#
if [ -e arch/${ARCH}/boot/setup.bin ]; then
setupcount=1
fitimage_emit_section_setup $1 $setupcount arch/${ARCH}/boot/setup.bin
fi
#
# Step 5: Prepare a ramdisk section.
#
if [ "x${ramdiskcount}" = "x1" ] && [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
# Find and use the first initramfs image archive type we find
found=
for img in ${FIT_SUPPORTED_INITRAMFS_FSTYPES}; do
initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.$img"
if [ -e "$initramfs_path" ]; then
bbnote "Found initramfs image: $initramfs_path"
found=true
fitimage_emit_section_ramdisk $1 "$ramdiskcount" "$initramfs_path"
break
else
bbnote "Did not find initramfs image: $initramfs_path"
fi
done
if [ -z "$found" ]; then
bbfatal "Could not find a valid initramfs type for ${INITRAMFS_IMAGE_NAME}, the supported types are: ${FIT_SUPPORTED_INITRAMFS_FSTYPES}"
fi
fi
fitimage_emit_section_maint $1 sectend
# Force the first Kernel and DTB in the default config
kernelcount=1
if [ -n "$dtbcount" ]; then
dtbcount=1
fi
#
# Step 6: Prepare a configurations section
#
fitimage_emit_section_maint $1 confstart
# kernel-fitimage.bbclass currently only supports a single kernel (no less or
# more) to be added to the FIT image along with 0 or more device trees and
# 0 or 1 ramdisk.
# It is also possible to include an initramfs bundle (kernel and rootfs in one binary)
# When the initramfs bundle is used ramdisk is disabled.
# If a device tree is to be part of the FIT image, then select
# the default configuration to be used is based on the dtbcount. If there is
# no dtb present than select the default configuation to be based on
# the kernelcount.
if [ -n "$DTBS" ]; then
i=1
for DTB in ${DTBS}; do
dtb_ext=${DTB##*.}
if [ "$dtb_ext" = "dtbo" ]; then
fitimage_emit_section_config $1 "" "$DTB" "" "$bootscr_id" "" "`expr $i = $dtbcount`"
else
fitimage_emit_section_config $1 $kernelcount "$DTB" "$ramdiskcount" "$bootscr_id" "$setupcount" "`expr $i = $dtbcount`"
fi
i=`expr $i + 1`
done
else
defaultconfigcount=1
fitimage_emit_section_config $1 $kernelcount "" "$ramdiskcount" "$bootscr_id" "$setupcount" $defaultconfigcount
fi
fitimage_emit_section_maint $1 sectend
fitimage_emit_section_maint $1 fitend
#
# Step 7: Assemble the image
#
${UBOOT_MKIMAGE} \
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-f $1 \
arch/${ARCH}/boot/$2
#
# Step 8: Sign the image and add public key to U-Boot dtb
#
if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
add_key_to_u_boot=""
if [ -n "${UBOOT_DTB_BINARY}" ]; then
# The u-boot.dtb is a symlink to UBOOT_DTB_IMAGE, so we need copy
# both of them, and don't dereference the symlink.
cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B}
add_key_to_u_boot="-K ${B}/${UBOOT_DTB_BINARY}"
fi
if [ "x${UBOOT_SIGN_PKCS11}" = "x1" ] ; then
bbplain "[SCLE] uboot_sign_expect_file: $uboot_sign_expect_file"
cat << EOF > $uboot_sign_expect_file
#!../recipe-sysroot-native/usr/bin/expect
set PIN [lindex \$argv 0]
set timeout 60
set i 0
spawn /bin/sh -c "OPENSSL_CONF=\"../recipe-sysroot-native/etc/ssl/openssl.cnf\" OPENSSL_ENGINES=\"../recipe-sysroot-native/usr/lib/engines-3\" ${UBOOT_MKIMAGE_SIGN} ${@'-D \"${UBOOT_MKIMAGE_DTCOPTS}\"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} -F -k \"${YUBIKEY_URL}\" $add_key_to_u_boot -N pkcs11 -r arch/${ARCH}/boot/$2 ${UBOOT_MKIMAGE_SIGN_ARGS}"
expect -exact "${YUBIKEY_TOKEN_PIN_ASK}"
send -- "\$PIN\\r"
while {\$i < 2} {
expect -exact "${YUBIKEY_PRIVKEY_PIN_ASK}"
send -- "\$PIN\\r"
incr i
}
expect eof
EOF
expect $uboot_sign_expect_file ${YUBIKEY_PIN}
else
${UBOOT_MKIMAGE_SIGN} \
${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
-F -k "${UBOOT_SIGN_KEYDIR}" \
$add_key_to_u_boot \
-r arch/${ARCH}/boot/$2 \
${UBOOT_MKIMAGE_SIGN_ARGS}
fi
fi
}
do_assemble_fitimage() {
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
cd ${B}
fitimage_assemble fit-image.its fitImage ""
fi
}
addtask assemble_fitimage before do_install after do_compile
do_assemble_fitimage_initramfs() {
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \
test -n "${INITRAMFS_IMAGE}" ; then
cd ${B}
if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then
fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage ""
else
fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1
fi
fi
}
addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
do_kernel_generate_rsa_keys() {
if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
fi
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
# Generate keys to sign configuration nodes, only if they don't already exist
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
# make directory if it does not already exist
mkdir -p "${UBOOT_SIGN_KEYDIR}"
bbnote "Generating RSA private key for signing fitImage"
openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
"${FIT_SIGN_NUMBITS}"
bbnote "Generating certificate for signing fitImage"
openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
fi
# Generate keys to sign image nodes, only if they don't already exist
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
# make directory if it does not already exist
mkdir -p "${UBOOT_SIGN_KEYDIR}"
bbnote "Generating RSA private key for signing fitImage"
openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
"${FIT_SIGN_NUMBITS}"
bbnote "Generating certificate for signing fitImage"
openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
fi
fi
}
addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile
kernel_do_deploy[vardepsexclude] = "DATETIME"
kernel_do_deploy:append() {
# Update deploy directory
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
bbnote "Copying fit-image.its source file..."
install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its"
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}"
fi
bbnote "Copying linux.bin file..."
install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT}
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT} "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}"
fi
fi
if [ -n "${INITRAMFS_IMAGE}" ]; then
bbnote "Copying fit-image-${INITRAMFS_IMAGE}.its source file..."
install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its"
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
fi
if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then
bbnote "Copying fitImage-${INITRAMFS_IMAGE} file..."
install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT}"
if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then
ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}"
fi
fi
fi
fi
if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
[ -n "${UBOOT_DTB_BINARY}" ] ; then
# UBOOT_DTB_IMAGE is a realfile, but we can't use
# ${UBOOT_DTB_IMAGE} since it contains ${PV} which is aimed
# for u-boot, but we are in kernel env now.
install -m 0644 ${B}/u-boot-${MACHINE}*.dtb "$deployDir/"
fi
if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${UBOOT_BINARY}" -a -n "${SPL_DTB_BINARY}" ] ; then
# If we're also creating and/or signing the uboot fit, now we need to
# deploy it, it's its file, as well as u-boot-spl.dtb
install -m 0644 ${B}/u-boot-spl-${MACHINE}*.dtb "$deployDir/"
bbnote "Copying u-boot-fitImage file..."
install -m 0644 ${B}/u-boot-fitImage-* "$deployDir/"
bbnote "Copying u-boot-its file..."
install -m 0644 ${B}/u-boot-its-* "$deployDir/"
fi
}
# The function below performs the following in case of initramfs bundles:
# - Removes do_assemble_fitimage. FIT generation is done through
# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
# and should not be part of the tasks to be executed.
# - Since do_kernel_generate_rsa_keys is inserted by default
# between do_compile and do_assemble_fitimage, this is
# not suitable in case of initramfs bundles. do_kernel_generate_rsa_keys
# should be between do_bundle_initramfs and do_assemble_fitimage_initramfs.
python () {
if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
bb.build.deltask('do_assemble_fitimage', d)
bb.build.deltask('kernel_generate_rsa_keys', d)
bb.build.addtask('kernel_generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d)
}
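Review bot: The `UBOOT_SIGN_PKCS11` branch of fitimage_assemble never learns whether mkimage succeeded: the generated expect script ends at `expect eof` and returns 0 whatever `${UBOOT_MKIMAGE_SIGN}` exited with, so a wrong PIN, an absent token, or a prompt sequence that does not match the fixed `while {\$i < 2}` loop (which then just waits out the 60 s timeout) leaves `arch/${ARCH}/boot/$2` without signatures while the task still succeeds — unlike the file-key `else` branch, which runs mkimage directly under the task shell and fails the build. The same pattern is in the last `uboot_fitimage_assemble()` hunk of the next file section. Rewriting the tail of the script to answer however many key-PIN prompts appear and to propagate the child's exit status, as below, makes signing fail closed. A second point: fitimage_emit_section_kernel and fitimage_emit_section_config now emit the fixed `key-name-hint = "Private%20key%20for%20Digital%20Signature"` regardless of `UBOOT_SIGN_PKCS11`, while the dtb, bootscr and ramdisk sections keep `$..._sign_keyname`; the file-key branch resolves the hint to `<keydir>/<hint>.key`, and the separation of image and configuration keys that the header comment requires no longer holds for those two nodes, something the `UBOOT_SIGN_KEYNAME`/`UBOOT_SIGN_IMG_KEYNAME` equality check cannot see.
```shell
			cat << EOF > $uboot_sign_expect_file
# … unchanged: shebang, PIN/timeout setup, spawn line, token PIN prompt and answer …
expect {
	-exact "${YUBIKEY_PRIVKEY_PIN_ASK}" { send -- "\$PIN\\r"; exp_continue }
	timeout { exit 1 }
	eof
}
catch wait result
exit [lindex \$result 3]
EOF
			expect $uboot_sign_expect_file ${YUBIKEY_PIN}
```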


@@ -102,6 +102,15 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
UBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}"
KERNEL_PN = "${@d.getVar('PREFERRED_PROVIDER_virtual/kernel')}"
SPL_SIGN_PKCS11 ?= "1"
UBOOT_SIGN_PKCS11 ?= "1"
YUBIKEY_URL ?= "model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=20682194;token=YubiKey%20PIV%20%2320682194;id=%02"
YUBIKEY_TOKEN_PIN_ASK ?= "Enter PKCS#11 token PIN for YubiKey PIV #20682194:"
YUBIKEY_PRIVKEY_PIN_ASK ?= "Enter PKCS#11 key PIN for Private key for Digital Signature:"
YUBIKEY_PIN ?= "123456"
SPL_EXPECT_FILE ?= "spl_mkimage_expect.exp"
UBOOT_EXPECT_FILE ?= "uboot_mkimage_expect.exp"
# We need u-boot-tools-native if we're creating a U-Boot fitImage
python() {
if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1':
@@ -313,6 +322,7 @@ uboot_fitimage_assemble() {
uboot_csum="${UBOOT_FIT_HASH_ALG}"
uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
spl_sign_expect_file="${SPL_EXPECT_FILE}"
rm -f $uboot_its $uboot_bin
@@ -336,11 +346,12 @@ uboot_fitimage_assemble() {
entry = <${UBOOT_ENTRYPOINT}>;
EOF
#key-name-hint = "$uboot_sign_keyname";
if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
cat << EOF >> $uboot_its
signature {
algo = "$uboot_csum,$uboot_sign_algo";
key-name-hint = "$uboot_sign_keyname";
key-name-hint = "Private%20key%20for%20Digital%20Signature";
};
EOF
fi
@@ -355,11 +366,12 @@ EOF
compression = "none";
EOF
#key-name-hint = "$uboot_sign_keyname";
if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
cat << EOF >> $uboot_its
signature {
algo = "$uboot_csum,$uboot_sign_algo";
key-name-hint = "$uboot_sign_keyname";
key-name-hint = "Private%20key%20for%20Digital%20Signature";
};
EOF
fi
@@ -391,12 +403,39 @@ EOF
#
# Sign the U-boot FIT image and add public key to SPL dtb
#
${UBOOT_MKIMAGE_SIGN} \
${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
-F -k "${SPL_SIGN_KEYDIR}" \
-K "$spl_dtb" \
-r $uboot_bin \
${SPL_MKIMAGE_SIGN_ARGS}
if [ "${SPL_SIGN_PKCS11}" = "1" ] ; then
bbplain "[SCLE CLASS] PWD: $PWD"
bbplain "[SCLE CLASS] spl_dtb: $spl_dtb"
bbplain "[SCLE CLASS] uboot_bin: $uboot_bin"
bbplain "[SCLE CLASS] SPL_MKIMAGE_SIGN_ARGS: ${SPL_MKIMAGE_SIGN_ARGS}"
bbplain "[SCLE CLASS] UBOOT_MKIMAGE_SIGN: ${UBOOT_MKIMAGE_SIGN}"
bbplain "[SCLE CLASS] spl_sign_expect_file: $spl_sign_expect_file"
${UBOOT_MKIMAGE_SIGN} -V
cat << EOF > $spl_sign_expect_file
#!../recipe-sysroot-native/usr/bin/expect
set PIN [lindex \$argv 0]
set timeout 60
set i 0
spawn /bin/sh -c "OPENSSL_CONF=\"../recipe-sysroot-native/etc/ssl/openssl.cnf\" OPENSSL_ENGINES=\"../recipe-sysroot-native/usr/lib/engines-3\" ${UBOOT_MKIMAGE_SIGN} ${@'-D \"${SPL_MKIMAGE_DTCOPTS}\"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} -F -k \"${YUBIKEY_URL}\" -K $spl_dtb -N pkcs11 -r $uboot_bin ${SPL_MKIMAGE_SIGN_ARGS}"
expect -exact "${YUBIKEY_TOKEN_PIN_ASK}"
send -- "\$PIN\\r"
while {\$i < 3} {
expect -exact "${YUBIKEY_PRIVKEY_PIN_ASK}"
send -- "\$PIN\\r"
incr i
}
expect eof
EOF
expect $spl_sign_expect_file ${YUBIKEY_PIN}
else
${UBOOT_MKIMAGE_SIGN} \
${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
-F -k "${SPL_SIGN_KEYDIR}" \
-K "$spl_dtb" \
-r $uboot_bin \
${SPL_MKIMAGE_SIGN_ARGS}
fi
fi
}
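Review bot: `YUBIKEY_PIN ?= "123456"` commits a default token PIN to the class, and `expect $spl_sign_expect_file ${YUBIKEY_PIN}` in the last hunk hands it over on the command line, where any local user can read it from the process list and where BitBake, which expands shell functions into the task's run.do_* script under ${T}, also writes it to disk in clear. Keep the PIN out of recipe variables altogether: drop the default so a missing PIN fails loudly, and have the expect script read it at run time from a mode-0600 file outside the build tree rather than from its arguments (an exported BitBake variable would still land in the run script). The defaults `SPL_SIGN_PKCS11 ?= "1"` and `UBOOT_SIGN_PKCS11 ?= "1"`, together with the device serial baked into `YUBIKEY_URL`, also make that one token the default for every recipe inheriting this class; defaulting both to "0" keeps the file-key path as the fallback. Separately, the two hunks that replace `key-name-hint = "$uboot_sign_keyname"` with the fixed `Private%20key%20for%20Digital%20Signature` do so even when `SPL_SIGN_PKCS11` is not "1", and the file-key `else` branch (`-k "${SPL_SIGN_KEYDIR}"`) resolves that hint to `<keydir>/<hint>.key`, so `SPL_SIGN_KEYNAME` is no longer honoured there; the `[SCLE CLASS]` bbplain lines and `${UBOOT_MKIMAGE_SIGN} -V` read as debugging leftovers.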


@@ -0,0 +1,101 @@
SUMMARY = "U-Boot bootloader tools"
SECTION = "bootloaders"
DEPENDS = "flex-native bison-native swig-native util-linux gnutls openssl"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
PE = "1"
BRANCH ?= "master"
UBOOT_GIT_URI = "git://git.ti.com/git/ti-u-boot/ti-u-boot.git"
UBOOT_GIT_PROTOCOL = "https"
SRC_URI = "${UBOOT_GIT_URI};protocol=${UBOOT_GIT_PROTOCOL};branch=${BRANCH}"
PV:append = "+git${SRCPV}"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
inherit pkgconfig
do_configure[cleandirs] = "${B}"
PROVIDES = "${MLPREFIX}u-boot-mkimage ${MLPREFIX}u-boot-mkenvimage"
PROVIDES:class-native = "u-boot-mkimage-native u-boot-mkenvimage-native"
PACKAGES += "${PN}-mkimage ${PN}-mkenvimage"
# Required for backward compatibility with "u-boot-mkimage-xxx.bb"
RPROVIDES:${PN}-mkimage = "u-boot-mkimage"
RREPLACES:${PN}-mkimage = "u-boot-mkimage"
RCONFLICTS:${PN}-mkimage = "u-boot-mkimage"
EXTRA_OEMAKE:class-target = 'CROSS_COMPILE="${TARGET_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
EXTRA_OEMAKE:class-native = 'CC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
EXTRA_OEMAKE:class-nativesdk = 'CROSS_COMPILE="${HOST_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
SED_CONFIG_EFI = '-e "s/CONFIG_EFI_LOADER=.*/# CONFIG_EFI_LOADER is not set/"'
SED_CONFIG_EFI:x86 = ''
SED_CONFIG_EFI:x86-64 = ''
SED_CONFIG_EFI:arm = ''
SED_CONFIG_EFI:armeb = ''
SED_CONFIG_EFI:aarch64 = ''
do_compile () {
# Yes, this is crazy. If you build on a system with git < 2.14 from scratch, the tree will
# be marked as "dirty" and the version will include "-dirty", leading to a reproducibility problem.
# The issue is the inode count for Licnses/README changing due to do_populate_lic hardlinking a
# copy of the file. We avoid this by ensuring the index is updated with a "git diff" before the
# u-boot machinery tries to determine the version.
#
# build$ ../git/scripts/setlocalversion ../git
# ""
# build$ ln ../git/
# build$ ln ../git/README ../foo
# build$ ../git/scripts/setlocalversion ../git
# ""-dirty
# (i.e. creating a hardlink dirties the index)
cd ${S}; git diff; cd ${B}
oe_runmake -C ${S} sandbox_defconfig O=${B}
# Disable CONFIG_CMD_LICENSE, license.h is not used by tools and
# generating it requires bin2header tool, which for target build
# is built with target tools and thus cannot be executed on host.
sed -i -e "s/CONFIG_CMD_LICENSE=.*/# CONFIG_CMD_LICENSE is not set/" ${SED_CONFIG_EFI} ${B}/.config
oe_runmake -C ${S} cross_tools NO_SDL=1 O=${B}
}
do_install () {
install -d ${D}${bindir}
# mkimage
install -m 0755 tools/mkimage ${D}${bindir}/uboot-mkimage
ln -sf uboot-mkimage ${D}${bindir}/mkimage
# mkenvimage
install -m 0755 tools/mkenvimage ${D}${bindir}/uboot-mkenvimage
ln -sf uboot-mkenvimage ${D}${bindir}/mkenvimage
# dumpimage
install -m 0755 tools/dumpimage ${D}${bindir}/uboot-dumpimage
ln -sf uboot-dumpimage ${D}${bindir}/dumpimage
# fit_check_sign
install -m 0755 tools/fit_check_sign ${D}${bindir}/uboot-fit_check_sign
ln -sf uboot-fit_check_sign ${D}${bindir}/fit_check_sign
}
ALLOW_EMPTY:${PN} = "1"
FILES:${PN} = ""
FILES:${PN}-mkimage = "${bindir}/uboot-mkimage ${bindir}/mkimage ${bindir}/uboot-dumpimage ${bindir}/dumpimage ${bindir}/uboot-fit_check_sign ${bindir}/fit_check_sign"
FILES:${PN}-mkenvimage = "${bindir}/uboot-mkenvimage ${bindir}/mkenvimage"
RDEPENDS:${PN}-mkimage += "dtc"
RDEPENDS:${PN} += "${PN}-mkimage ${PN}-mkenvimage"
RDEPENDS:${PN}:class-native = ""
BBCLASSEXTEND = "native nativesdk"
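Review bot: The signing path introduced in the class sections points `OPENSSL_ENGINES` at `../recipe-sysroot-native/usr/lib/engines-3` and calls mkimage with `-N pkcs11`, but nothing visible in this recipe's `DEPENDS` (flex, bison, swig, util-linux, gnutls, openssl) stages a PKCS#11 OpenSSL engine into the native sysroot, and the class only appends `u-boot-tools-native dtc-native`. If the engine (libp11's pkcs11 engine, or similar) is provided by a dependency declared elsewhere, a comment here saying so would help the next reader; otherwise the native build should declare it, since a missing engine only surfaces as the `Engine (%s) isn't available` message at signing time. This file also appears to duplicate the upstream u-boot-tools.inc with `UBOOT_GIT_URI` switched to ti-u-boot; a header comment naming the upstream file and revision it was copied from would make future syncs and the `LIC_FILES_CHKSUM` easier to track.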


@@ -0,0 +1,74 @@
require u-boot-tools.inc
FILESEXTRAPATHS:prepend := "${THISDIR}/files2:"
SRC_URI = " \
${UBOOT_GIT_URI};protocol=${UBOOT_GIT_PROTOCOL};branch=${BRANCH} \
file://board.c \
file://board.h \
file://Kconfig \
file://MAINTAINERS \
file://Makefile \
file://mux.c \
file://am335x_pengwyn.h \
file://am335x-pengwyn.dts \
file://am335x-pengwyn-u-boot.dtsi \
file://0001-add-pengwyn-dts-to-makefile.patch \
file://0002-add-target-pengwyn.patch \
file://0003-misc-board-failed.patch \
file://0010-log-compile-err.patch \
file://0021-debug.patch \
"
# Pengwyn defconfig
SRC_URI += " \
file://defconfig/pengwyn_fit_kern_defconfig \
file://defconfig/pengwyn_fit_uboot_defconfig \
file://defconfig/pengwyn_fitimage_defconfig \
file://defconfig/pengwyn_dmverity_defconfig \
file://defconfig/pengwyn_defconfig \
"
# U-Boot environment variables file
SRC_URI += " \
file://env/uEnv_fit_kern_verity.txt \
file://env/uEnv_fit_kernel.txt \
file://env/uEnv_verity.txt \
file://env/uEnv.txt \
"
# Tag: v2023.01
SRCREV = "62e2ad1ceafbfdf2c44d3dc1b6efc81e768a96b9"
S = "${WORKDIR}/git"
do_configure:prepend() {
install -d ${S}/board/silica/pengwyn
install -m 0644 ${WORKDIR}/board.c ${S}/board/silica/pengwyn
install -m 0644 ${WORKDIR}/board.h ${S}/board/silica/pengwyn
install -m 0644 ${WORKDIR}/Kconfig ${S}/board/silica/pengwyn
install -m 0644 ${WORKDIR}/MAINTAINERS ${S}/board/silica/pengwyn
install -m 0644 ${WORKDIR}/Makefile ${S}/board/silica/pengwyn
install -m 0644 ${WORKDIR}/mux.c ${S}/board/silica/pengwyn
install -d ${S}/configs
if [ "${SCLE_DM_VERITY}" = '1' ]; then
if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
install -m 0644 ${WORKDIR}/defconfig/pengwyn_fitimage_defconfig ${S}/configs/pengwyn_defconfig
else
install -m 0644 ${WORKDIR}/defconfig/pengwyn_dmverity_defconfig ${S}/configs/pengwyn_defconfig
fi
else
if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
install -m 0644 ${WORKDIR}/defconfig/pengwyn_fitimage_defconfig ${S}/configs/pengwyn_defconfig
else
install -m 0644 ${WORKDIR}/defconfig/pengwyn_defconfig ${S}/configs/pengwyn_defconfig
fi
fi
install -d ${S}/include/configs/
install -m 0644 ${WORKDIR}/am335x_pengwyn.h ${S}/include/configs/
install -d ${S}/arch/arm/dts
install -m 0644 ${WORKDIR}/am335x-pengwyn.dts ${S}/arch/arm/dts
install -m 0644 ${WORKDIR}/am335x-pengwyn-u-boot.dtsi ${S}/arch/arm/dts
}
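Review bot: In do_configure:prepend the `SCLE_DM_VERITY` test is redundant whenever `KERNEL_IMAGETYPE` is "fitImage": both inner branches install `pengwyn_fitimage_defconfig`, so the nested `if` collapses to the three-way chain below and the reader no longer has to compare the two blocks to see they are identical. The SRC_URI also carries `0010-log-compile-err.patch` and `0021-debug.patch`, whose names suggest development-time instrumentation; if they are meant to stay, a comment next to each saying what it changes and why the signing tool needs it would be useful, otherwise they are better dropped before this reaches a release branch.
```shell
	install -d ${S}/configs
	if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
		install -m 0644 ${WORKDIR}/defconfig/pengwyn_fitimage_defconfig ${S}/configs/pengwyn_defconfig
	elif [ "${SCLE_DM_VERITY}" = '1' ]; then
		install -m 0644 ${WORKDIR}/defconfig/pengwyn_dmverity_defconfig ${S}/configs/pengwyn_defconfig
	else
		install -m 0644 ${WORKDIR}/defconfig/pengwyn_defconfig ${S}/configs/pengwyn_defconfig
	fi
	# … unchanged: include/configs and dts installs …
```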


@@ -0,0 +1,21 @@
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index b2a21199e4..2d7034d5e2 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -3,6 +3,7 @@
* Copyright (c) 2013, Google Inc.
*/
+#define DEBUG
#define OPENSSL_API_COMPAT 0x10101000L
#include "mkimage.h"
@@ -317,7 +318,7 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
e = ENGINE_by_id(engine_id);
if (!e) {
- fprintf(stderr, "Engine isn't available\n");
+ fprintf(stderr, "Engine (%s) isn't available\n", engine_id);
return -1;
}
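Review bot: `#define DEBUG` at the top of rsa-sign.c switches on U-Boot's `debug()` tracing unconditionally in the host signing tool, which reads as leftover instrumentation rather than part of the fix; only the second hunk, naming the missing engine in `Engine (%s) isn't available`, is worth keeping. Drop the define, or confine it to a debug-only patch that the default recipe does not apply. It is not visible here which of the two patch files listed in the recipe (`0010-log-compile-err.patch` or `0021-debug.patch`) this section is.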


@@ -1,20 +1,67 @@
diff --git a/boot/bootm.c b/boot/bootm.c
index a4c0870c0f..6059c73158 100644
--- a/boot/bootm.c
+++ b/boot/bootm.c
@@ -411,6 +411,7 @@ static int bootm_load_os(struct bootm_headers *images, int boot_progress)
void *load_buf, *image_buf;
int err;
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index b2a21199e4..6a338bbf98 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -25,7 +25,7 @@ static int rsa_err(const char *msg)
{
unsigned long sslErr = ERR_get_error();
+ printf("[SCLE] load os : start=%x - len=%d\n", image_start, image_len);
load_buf = map_sysmem(load, 0);
image_buf = map_sysmem(os.image_start, image_len);
err = image_decomp(os.comp, load, os.image_start, os.type,
@@ -1029,6 +1030,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type,
- fprintf(stderr, "%s", msg);
+ fprintf(stderr, "[SCLE RSA_ERR] %s", msg);
fprintf(stderr, ": %s\n",
ERR_error_string(sslErr, 0));
/* Allow the image to expand by a factor of 4, should be safe */
buf_size = (1 << 20) + len * 4;
+ printf("[SCLE] before decompress: buf_size=%d\n", buf_size);
load_buf = malloc(buf_size);
ret = image_decomp(image_comp, 0, data, image_type, load_buf,
(void *)data, len, buf_size, &load_end);
@@ -140,6 +140,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
return -ENOTSUP;
}
+ fprintf(stderr, "[SCLE PUBKEY MKIMAGE] key_id: %s - engine_id: %s\n",key_id, engine_id);
key = ENGINE_load_public_key(engine, key_id, NULL, NULL);
if (!key)
return rsa_err("Failure loading public key from engine");
@@ -267,6 +268,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
return -ENOTSUP;
}
+ fprintf(stderr, "[SCLE PRIVKEY MKIMAGE] engine: %s - key_id: %s\n", engine_id, key_id);
key = ENGINE_load_private_key(engine, key_id, NULL, NULL);
if (!key)
return rsa_err("Failure loading private key from engine");
@@ -314,25 +316,28 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
int ret;
ENGINE_load_builtin_engines();
-
+ fprintf(stderr, "[SCLE MKIMAGE] test1 ...\n");
e = ENGINE_by_id(engine_id);
if (!e) {
fprintf(stderr, "Engine isn't available\n");
return -1;
}
+ fprintf(stderr, "[SCLE MKIMAGE] test2 ...\n");
if (!ENGINE_init(e)) {
fprintf(stderr, "Couldn't initialize engine\n");
ret = -1;
goto err_engine_init;
}
+ fprintf(stderr, "[SCLE MKIMAGE] test3 ...\n");
if (!ENGINE_set_default_RSA(e)) {
fprintf(stderr, "Couldn't set engine as default for RSA\n");
ret = -1;
goto err_set_rsa;
}
+ fprintf(stderr, "[SCLE MKIMAGE] test4 ...\n");
key_pass = getenv("MKIMAGE_SIGN_PIN");
if (key_pass) {
if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
@@ -342,6 +347,7 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
}
}
+ fprintf(stderr, "[SCLE MKIMAGE] test5 ...\n");
*pe = e;
return 0;
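Review bot: The trace added to bootm_load_os, `printf("[SCLE] load os : start=%x - len=%d\n", image_start, image_len);`, references a bare `image_start` while the neighbouring lines use `os.image_start`, so unless a local of that name exists outside the hunk this does not compile (the `0010-log-compile-err.patch` name in the recipe hints it was hit); `%x` also mismatches what is most likely a `ulong`, so `%lx` with `os.image_start` is the safer form. In rsa-sign.c the `[SCLE PRIVKEY MKIMAGE]` and `[SCLE PUBKEY MKIMAGE]` lines print `key_id` to stderr; if the key id is a PKCS#11 URI carrying a `pin-value` attribute, the token PIN ends up in the build log, so print only `engine_id` or strip the query part before logging. The five `[SCLE MKIMAGE] testN ...` markers in rsa_engine_init add nothing beyond the error branches that already exist and should go before this is merged. This section renders old and new sides interleaved, so only the `+` lines were reviewed.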


@@ -25,7 +25,7 @@ mmcargs=setenv bootargs console=${console} ${optargs} root=${mmcroot} data=${mmc
mmcboot=mmc dev ${mmcdev}; if mmc rescan; then echo SD/MMC found on device ${mmcdev};if run loadbootenv; then echo Loaded environment from ${bootenv};run importbootenv;fi;if test -n $uenvcmd; then echo Running uenvcmd ...;run uenvcmd;fi;if run loadimage; then run mmcloados;fi;fi;
mmcdev=0
mmcloados=run mmcargs; bootm ${loadaddr};
mmcroot=/dev/mmcblk0p2 ro
mmcroot=/dev/mmcblk0p2 rw
mmcdata=/dev/mmcblk0p3
mmcdata2=/dev/mmcblk0p4
mmcrootfstype=ext4 rootwait
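Review bot: The only change in this environment file is `mmcroot=/dev/mmcblk0p2` going from `ro` to `rw` (the rendering drops the +/- markers, so the direction is inferred from print order). A writable root mount is unrelated to the HSM/PKCS#11 signing this commit is about and would contradict a dm-verity-protected rootfs, so confirm this is the non-verity environment file and that the flip is intended; if it is, the commit message should say why.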


@@ -23,7 +23,8 @@ SRC_URI = "${UBOOT_GIT_URI};protocol=${UBOOT_GIT_PROTOCOL};branch=${BRANCH}"
PV:append = "+git${SRCPV}"
# u-boot needs devtree compiler to parse dts files
DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native"
# DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native"
DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native libp11-native opensc-native"
DM_FIRMWARE = "ipc_echo_testb_mcu1_0_release_strip.xer5f"
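Review bot: The previous `DEPENDS` line is kept as a comment at `# DEPENDS += "dtc-native bc-native ..."` directly above its replacement; git keeps the history, so delete it rather than leave two near-identical lines to diverge. A short why-comment on the new entries would help the next reader, e.g. `# libp11 (pkcs11 engine) and opensc are needed on the build host so mkimage can sign the FIT through PKCS#11`.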


@@ -0,0 +1,12 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files2:"
SRC_URI += " \
git://git.ti.com/git/ti-u-boot/ti-u-boot.git;protocol=https;branch=master \
file://0021-debug.patch \
"
# Tag: v2023.01
SRCREV = "62e2ad1ceafbfdf2c44d3dc1b6efc81e768a96b9"
LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1"
#PV:append = "+git${SRCPV}"
DEPENDS += "swig-native gnutls-native"
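Review bot: `file://0021-debug.patch` applies the mkimage tracing patch from this same commit unconditionally, so every build of this recipe ships a signing tool that writes step markers and key ids to stderr; keep it out of `SRC_URI` by default and add it only behind a build switch (a constructed example: `${@bb.utils.contains('SCLE_SIGN_DEBUG', '1', 'file://0021-debug.patch', '', d)}`). The `# Tag: v2023.01` comment sits next to `branch=master`; if `SRCREV` is not reachable from that branch the fetch fails, so the branch parameter should name the branch that actually contains the tagged commit (reachability cannot be verified from here). The commented-out `#PV:append = "+git${SRCPV}"` is dead text and should be removed.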


@@ -0,0 +1,104 @@
diff --color -pruN openssl-3.0.7.orig/crypto/conf/conf_sap.c openssl-3.0.7/crypto/conf/conf_sap.c
--- openssl-3.0.7.orig/crypto/conf/conf_sap.c 2022-11-01 14:14:36.000000000 +0000
+++ openssl-3.0.7/crypto/conf/conf_sap.c 2024-01-15 13:25:28.353053475 +0000
@@ -43,6 +43,7 @@ void OPENSSL_config(const char *appname)
int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings)
{
+ printf("[SCLE] ossl_config_int\r\n");
int ret = 0;
#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI)
const char *filename;
@@ -50,8 +51,10 @@ int ossl_config_int(const OPENSSL_INIT_S
unsigned long flags;
#endif
- if (openssl_configured)
+ if (openssl_configured) {
+ printf("[SCLE] ossl_config_int -> openssl_configured\r\n");
return 1;
+ }
#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI)
filename = settings ? settings->filename : NULL;
@@ -64,6 +67,8 @@ int ossl_config_int(const OPENSSL_INIT_S
filename, appname, flags);
#endif
+ printf("[SCLE] OPENSSL_INIT: ossl_config_int(%s, %s, %lu)\r\n",
+ filename, appname, flags);
#ifndef OPENSSL_SYS_UEFI
ret = CONF_modules_load_file(filename, appname, flags);
#endif
diff --color -pruN openssl-3.0.7.orig/crypto/engine/eng_fat.c openssl-3.0.7/crypto/engine/eng_fat.c
--- openssl-3.0.7.orig/crypto/engine/eng_fat.c 2022-11-01 14:14:36.000000000 +0000
+++ openssl-3.0.7/crypto/engine/eng_fat.c 2022-11-01 14:14:36.000000000 +0000
@@ -92,6 +92,7 @@ int ENGINE_set_default_string(ENGINE *e,
int ENGINE_register_complete(ENGINE *e)
{
+ printf("[SCLE] Engine => id:%s - name: %s\r\n", e->id, e->name);
ENGINE_register_ciphers(e);
ENGINE_register_digests(e);
ENGINE_register_RSA(e);
diff --color -pruN openssl-3.0.7.orig/crypto/engine/eng_list.c openssl-3.0.7/crypto/engine/eng_list.c
--- openssl-3.0.7.orig/crypto/engine/eng_list.c 2022-11-01 14:14:36.000000000 +0000
+++ openssl-3.0.7/crypto/engine/eng_list.c 2022-11-01 14:14:36.000000000 +0000
@@ -385,9 +385,12 @@ ENGINE *ENGINE_by_id(const char *id)
if (!CRYPTO_THREAD_write_lock(global_engine_lock))
return NULL;
iterator = engine_list_head;
- while (iterator && (strcmp(id, iterator->id) != 0))
+ while (iterator && (strcmp(id, iterator->id) != 0)) {
+ printf("[SCLE] id:%s/id:%s\r\n", id, iterator->id);
iterator = iterator->next;
+ }
if (iterator != NULL) {
+ printf("[SCLE] id (%s) found !!\r\n", id);
/*
* We need to return a structural reference. If this is an ENGINE
* type that returns copies, make a duplicate - otherwise increment
@@ -415,17 +418,22 @@ ENGINE *ENGINE_by_id(const char *id)
if (strcmp(id, "dynamic")) {
if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL)
load_dir = ENGINESDIR;
+ printf("[SCLE] id : dynamic => load_dir: %s\r\n", load_dir);
iterator = ENGINE_by_id("dynamic");
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
!ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
!ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
load_dir, 0) ||
!ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) ||
- !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
+ !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) {
+ printf("[SCLE] id : dynamic => problem !!\r\n");
goto notfound;
+ }
+ printf("[SCLE] return id:%s\r\n", iterator->id);
return iterator;
}
notfound:
+ printf("[SCLE] Engine (%s) not found ...\r\n", id);
ENGINE_free(iterator);
ERR_raise_data(ERR_LIB_ENGINE, ENGINE_R_NO_SUCH_ENGINE, "id=%s", id);
return NULL;
diff --color -pruN openssl-3.0.7.orig/crypto/init.c openssl-3.0.7/crypto/init.c
--- openssl-3.0.7.orig/crypto/init.c 2022-11-01 14:14:36.000000000 +0000
+++ openssl-3.0.7/crypto/init.c 2024-01-15 13:19:37.029947054 +0000
@@ -577,7 +577,7 @@ int OPENSSL_init_crypto(uint64_t opts, c
if (opts & OPENSSL_INIT_LOAD_CONFIG) {
int loading = CRYPTO_THREAD_get_local(&in_init_config_local) != NULL;
-
+ printf("[SCLE] OPENSSL_init_crypto -> OPENSSL_INIT_LOAD_CONFIG: loading: %s\r\n", loading);
/* If called recursively from OBJ_ calls, just skip it. */
if (!loading) {
int ret;
@@ -642,6 +642,7 @@ int OPENSSL_init_crypto(uint64_t opts, c
if (opts & (OPENSSL_INIT_ENGINE_ALL_BUILTIN
| OPENSSL_INIT_ENGINE_OPENSSL
| OPENSSL_INIT_ENGINE_AFALG)) {
+ printf("[SCLE] call ENGINE_register_all_complete (opts: 0x%x)...\r\n", opts);
ENGINE_register_all_complete();
}
#endif
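Review bot: `printf("[SCLE] OPENSSL_init_crypto -> OPENSSL_INIT_LOAD_CONFIG: loading: %s\r\n", loading);` passes the `int loading` declared two lines above to `%s`, which is undefined behaviour and in practice a crash or garbage read on every `OPENSSL_INIT_LOAD_CONFIG` initialisation; use `%d`. The `opts` trace in the same file prints a `uint64_t` with `%x`; cast to `unsigned long long` and use `%llx`, or use `PRIx64`. All of these traces go to stdout from inside libcrypto, so any native tool that emits data on stdout (piped DER, `-out /dev/stdout`) gets `[SCLE]` lines mixed into its output; write them to stderr and gate them on an environment variable so the patched library behaves like stock OpenSSL unless tracing is requested.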


@@ -0,0 +1,13 @@
--- a/include/openssl/crypto.h.in 2022-11-01 14:14:36.000000000 +0000
+++ b/include/openssl/crypto.h.in 2024-01-15 13:16:33.352505585 +0000
@@ -455,7 +455,9 @@ int CRYPTO_memcmp(const void * in_a, con
# define OPENSSL_INIT_ENGINE_ALL_BUILTIN \
(OPENSSL_INIT_ENGINE_RDRAND | OPENSSL_INIT_ENGINE_DYNAMIC \
| OPENSSL_INIT_ENGINE_CRYPTODEV | OPENSSL_INIT_ENGINE_CAPI | \
- OPENSSL_INIT_ENGINE_PADLOCK)
+ OPENSSL_INIT_ENGINE_PADLOCK | OPENSSL_INIT_LOAD_CONFIG | \
+ OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ADD_ALL_CIPHERS | \
+ OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS)
/* Library initialisation functions */
void OPENSSL_cleanup(void);
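Review bot: Redefining the public `OPENSSL_INIT_ENGINE_ALL_BUILTIN` macro changes behaviour for every consumer of this native libcrypto, not just mkimage, and folding `OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS` into it suppresses the error strings, so an `ENGINE_R_NO_SUCH_ENGINE` failure is reported as a bare reason code, which works against the debug patches elsewhere in this commit. The intended effect, loading the config and its engine section before the engine lookup, belongs in the application: a single `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);` in mkimage's engine init does that without a header patch. If the header patch stays, a comment above the macro explaining why config loading is tied to engine registration here is the minimum.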


@@ -0,0 +1,76 @@
diff --color -pruN openssl-3.0.7.orig/crypto/conf/conf_sap.c openssl-3.0.7/crypto/conf/conf_sap.c
--- openssl-3.0.7.orig/crypto/conf/conf_sap.c 2022-11-01 14:14:36.000000000 +0000
+++ openssl-3.0.7/crypto/conf/conf_sap.c 2022-11-01 14:14:36.000000000 +0000
@@ -43,7 +43,7 @@ void OPENSSL_config(const char *appname)
int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings)
{
- printf("[SCLE] ossl_config_int");
+ printf("[SCLE] ossl_config_int\r\n");
int ret = 0;
#if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI)
const char *filename;
@@ -52,7 +52,7 @@ int ossl_config_int(const OPENSSL_INIT_S
#endif
if (openssl_configured) {
- printf("[SCLE] ossl_config_int -> openssl_configured");
+ printf("[SCLE] ossl_config_int -> openssl_configured\r\n");
return 1;
}
diff --color -pruN openssl-3.0.7.orig/crypto/engine/eng_list.c openssl-3.0.7/crypto/engine/eng_list.c
--- openssl-3.0.7.orig/crypto/engine/eng_list.c 2022-11-01 14:14:36.000000000 +0000
+++ openssl-3.0.7/crypto/engine/eng_list.c 2024-01-17 10:46:03.471272607 +0000
@@ -386,11 +386,11 @@ ENGINE *ENGINE_by_id(const char *id)
return NULL;
iterator = engine_list_head;
while (iterator && (strcmp(id, iterator->id) != 0)) {
- printf("[SCLE] id:%s/id:%s\r\n", id, iterator->id);
+ printf("[SCLE - ENGINE_by_id] id:%s/id:%s\r\n", id, iterator->id);
iterator = iterator->next;
}
if (iterator != NULL) {
- printf("[SCLE] id (%s) found !!\r\n", id);
+ printf("[SCLE - ENGINE_by_id] id (%s) found !!\r\n", id);
/*
* We need to return a structural reference. If this is an ENGINE
* type that returns copies, make a duplicate - otherwise increment
@@ -410,15 +410,17 @@ ENGINE *ENGINE_by_id(const char *id)
}
}
CRYPTO_THREAD_unlock(global_engine_lock);
- if (iterator != NULL)
+ if (iterator != NULL) {
+ printf("[SCLE - ENGINE_by_id] return iterator\r\n");
return iterator;
+ }
/*
* Prevent infinite recursion if we're looking for the dynamic engine.
*/
if (strcmp(id, "dynamic")) {
if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL)
load_dir = ENGINESDIR;
- printf("[SCLE] id : dynamic => load_dir: %s\r\n", load_dir);
+ printf("[SCLE - ENGINE_by_id] id : dynamic => load_dir: %s\r\n", load_dir);
iterator = ENGINE_by_id("dynamic");
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
!ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
@@ -426,14 +428,14 @@ ENGINE *ENGINE_by_id(const char *id)
load_dir, 0) ||
!ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) ||
!ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) {
- printf("[SCLE] id : dynamic => problem !!\r\n");
+ printf("[SCLE - ENGINE_by_id] id : dynamic => problem !!\r\n");
}
goto notfound;
- printf("[SCLE] return id:%s\r\n", iterator->id);
+ printf("[SCLE - ENGINE_by_id] return id:%s\r\n", iterator->id);
return iterator;
}
notfound:
- printf("[SCLE] Engine (%s) not found ...\r\n", id);
+ printf("[SCLE - ENGINE_by_id] Engine (%s) not found ...\r\n", id);
ENGINE_free(iterator);
ERR_raise_data(ERR_LIB_ENGINE, ENGINE_R_NO_SUCH_ENGINE, "id=%s", id);
return NULL;
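Review bot: The context lines `}` followed by `goto notfound;` just before the `return id:` trace show the `goto` outside the failure check, so the `return iterator;` below it is unreachable and every engine loaded through `dynamic` is reported as not found; since that shape is presented as pre-existing context, either the base tree already has this bug or this patch was generated against a different tree than the other OpenSSL patch in this commit. The latter is supported by this patch's context line `printf("[SCLE] ossl_config_int");` (no `\r\n`), which does not match the line the first patch produces, so the two cannot apply in sequence. Decide which patch is authoritative, regenerate it against the tree the recipe actually patches, and check that `ENGINE_by_id("pkcs11")` returns the engine after the dynamic load.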


@@ -0,0 +1,391 @@
#
# OpenSSL example configuration file.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
# Note that you can include other files from the main configuration
# file using the .include directive.
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
[insta] # CMP using Insta Demo CA
# Message transfer
server = pki.certificate.fi:8700
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/
# Server authentication
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
ignore_keyusage = 1 # potentially needed quirk
unprotected_errors = 1 # potentially needed quirk
extracertsout = insta.extracerts.pem
# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side
# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
# Certificate enrollment
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = insta.ca.crt
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = insta.ca.crt # does not include keyUsage digitalSignature
# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem
[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
.include ../recipe-sysroot-native/etc/ssl/pkcs11.cnf
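Review bot: `.include ../recipe-sysroot-native/etc/ssl/pkcs11.cnf` is a relative path; OpenSSL resolves `.include` against the process's working directory (or the `OPENSSL_CONF_INCLUDE` prefix where supported), not against the location of openssl.cnf, so the include works only when the tool runs from a recipe's `${B}` and fails for any other native consumer of this config. With `config_diagnostics = 1` set above, a failed include is a hard error rather than a silent skip. Point the `.include` at an absolute location filled in at install time, or export `OPENSSL_CONF`/`OPENSSL_CONF_INCLUDE` from the signing recipes instead. Most of this file is the upstream sample (`demoCA`, TSA, the `[insta]` CMP demo with `secret = pass:insta` and an external test server); a build-host signing config needs only `[openssl_init]` and the include, and a minimal file is far easier to audit for what libcrypto actually loads.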


@@ -0,0 +1,17 @@
# Copyright (C) 2023 Vincent BENOIT <vincent.benoit@scle.fr>
# Release under the MIT license (see COPYING.MIT for the terms)
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += " \
file://openssl.cnf \
"
do_install:append:class-native () {
install -d ${D}${sysconfdir}/ssl
install -m 0755 ${WORKDIR}/openssl.cnf ${D}${sysconfdir}/ssl/
}
FILES:${PN}:class-native += " \
${sysconfdir}/ssl/openssl.cnf \
"
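Review bot: `install -m 0755 ${WORKDIR}/openssl.cnf ${D}${sysconfdir}/ssl/` sets the executable bit on a configuration file; `-m 0644` is the right mode. This bbappend overwrites the openssl.cnf that openssl-native already installs at the same path, so every native tool linked against openssl-native now loads the engine section and the `.include` from this file, not just the FIT signing step; that deserves a comment in the bbappend, e.g. `# Replaces openssl-native's stock openssl.cnf so host tools (mkimage) see the PKCS#11 engine section`.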


@@ -0,0 +1,13 @@
[openssl_init]
providers = provider_sect
engines = engine_sect
[engine_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
engine_id = pkcs11
dynamic_path = ../recipe-sysroot-native/usr/lib/engines-3/pkcs11.so
MODULE_PATH = ../recipe-sysroot-native/usr/lib/pkcs11/p11-kit-client.so
init = 0
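Review bot: `dynamic_path` and `MODULE_PATH` are relative paths handed to the dynamic loader, so they resolve against the working directory of whichever process loads the engine, not against this file; this is the same CWD coupling as the `.include` in openssl.cnf. The second `pkcs11.cnf` in this commit (the 11-line one without these two keys) differs only here, so the recipe that consumes each should be named, or the two merged, rather than letting `FILESEXTRAPATHS` order decide which one wins. `p11-kit-client.so` presumably reaches the remote HSM through the address in `P11_KIT_SERVER_ADDRESS`; BitBake does not pass arbitrary environment into tasks, so confirm that variable is listed in `BB_ENV_PASSTHROUGH_ADDITIONS` or set in the signing task itself.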


@@ -0,0 +1,11 @@
[openssl_init]
providers = provider_sect
engines = engine_sect
[engine_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
engine_id = pkcs11
init = 0


@@ -0,0 +1,27 @@
# Copyright (C) 2024 Vincent BENOIT <vincent.benoit@scle.fr>
# Release under the MIT license (see COPYING.MIT for the terms)
SUMMARY = "openssl conf file with PKCS#11"
MAINTAINER = "Vincent BENOIT <vincent.benoit@benserv.fr>"
LICENSE = "CLOSED"
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += " \
file://pkcs11.cnf \
"
do_install:append:class-native () {
install -d ${D}${sysconfdir}/ssl
install -m 0755 ${WORKDIR}/pkcs11.cnf ${D}${sysconfdir}/ssl/
}
FILES:${PN}:class-native += " \
${sysconfdir}/ssl/pkcs11.cnf \
"
RDEPENDS:${PN}:class-native += " \
libp11-native \
"
BBCLASSEXTEND = "native"
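Review bot: The header says `Release under the MIT license` while the recipe declares `LICENSE = "CLOSED"`; pick one, and if it is MIT add the matching `LIC_FILES_CHKSUM` so the license check actually runs. `install -m 0755` on pkcs11.cnf gives a config file an executable bit; use `0644`. `RDEPENDS:${PN}:class-native` lists only `libp11-native` (the `pkcs11.so` engine), but the variant of pkcs11.cnf that names `p11-kit-client.so` also needs `p11-kit-native` at runtime, so add it if that is the variant this recipe ships.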


@@ -8,4 +8,6 @@ SRC_URI += " \
file://defconfig \
"
DEPENDS += "libp11-native opensc-native p11-kit-native expect-native scle-openssl-native"
KERNEL_FEATURES:append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", "features/device-mapper/dm-verity.scc", "" ,d)}"