From c96a0898a92335ee7b41cadfbfab7630744ead70 Mon Sep 17 00:00:00 2001 From: Vincent BENOIT Date: Tue, 6 Feb 2024 19:04:43 +0000 Subject: [PATCH] signature via HSM distant et PKCS#11 --- classes/kernel-fitimage.bbclass | 830 ++++++++++++++++++ classes/uboot-sign.bbclass | 55 +- recipes-bsp/u-boot-tools.inc | 101 +++ recipes-bsp/u-boot-tools_2023.01.bb | 74 ++ .../u-boot/files2/0020-debug-rsa.patch | 21 + recipes-bsp/u-boot/files2/0021-debug.patch | 83 +- .../u-boot/files2/env/uEnv_fit_kernel.txt | 2 +- recipes-bsp/u-boot/u-boot-ti.inc | 3 +- recipes-bsp/u-boot/u-boot-tools_%.bbappend | 12 + .../openssl/files/0010-debug-scle.patch | 104 +++ .../files/0010-debug-scle.patch.marche | 13 + .../openssl/files/0011-debug-scle.patch | 76 ++ .../openssl/files/openssl.cnf | 391 +++++++++ .../openssl/openssl_%.bbappend | 17 + .../scle-openssl/files/pkcs11.cnf | 13 + .../scle-openssl/files/scle-sign-pkcs11.cnf | 11 + .../scle-openssl/scle-openssl.bb | 27 + .../linux/linux-ti-staging_%.bbappend | 2 + 18 files changed, 1807 insertions(+), 28 deletions(-) create mode 100644 classes/kernel-fitimage.bbclass create mode 100644 recipes-bsp/u-boot-tools.inc create mode 100644 recipes-bsp/u-boot-tools_2023.01.bb create mode 100644 recipes-bsp/u-boot/files2/0020-debug-rsa.patch create mode 100644 recipes-bsp/u-boot/u-boot-tools_%.bbappend create mode 100644 recipes-connectivity/openssl/files/0010-debug-scle.patch create mode 100644 recipes-connectivity/openssl/files/0010-debug-scle.patch.marche create mode 100644 recipes-connectivity/openssl/files/0011-debug-scle.patch create mode 100644 recipes-connectivity/openssl/files/openssl.cnf create mode 100644 recipes-connectivity/openssl/openssl_%.bbappend create mode 100644 recipes-connectivity/scle-openssl/files/pkcs11.cnf create mode 100644 recipes-connectivity/scle-openssl/files/scle-sign-pkcs11.cnf create mode 100644 recipes-connectivity/scle-openssl/scle-openssl.bb 
diff --git a/classes/kernel-fitimage.bbclass b/classes/kernel-fitimage.bbclass new file mode 100644 index 0000000..2d26c25 --- /dev/null +++ b/classes/kernel-fitimage.bbclass 
@@ -0,0 +1,830 @@ +inherit kernel-uboot kernel-artifact-names uboot-sign + +def get_fit_replacement_type(d): + kerneltypes = d.getVar('KERNEL_IMAGETYPES') or "" + replacementtype = "" + if 'fitImage' in kerneltypes.split(): + uarch = d.getVar("UBOOT_ARCH") + if uarch == "arm64": + replacementtype = "Image" + elif uarch == "riscv": + replacementtype = "Image" + elif uarch == "mips": + replacementtype = "vmlinuz.bin" + elif uarch == "x86": + replacementtype = "bzImage" + elif uarch == "microblaze": + replacementtype = "linux.bin" + else: + replacementtype = "zImage" + return replacementtype + +KERNEL_IMAGETYPE_REPLACEMENT ?= "${@get_fit_replacement_type(d)}" +DEPENDS:append = " ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''}" + +python __anonymous () { + # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal + # to kernel.bbclass . We have to override it, since we pack zImage + # (at least for now) into the fitImage . + typeformake = d.getVar("KERNEL_IMAGETYPE_FOR_MAKE") or "" + if 'fitImage' in typeformake.split(): + d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', typeformake.replace('fitImage', d.getVar('KERNEL_IMAGETYPE_REPLACEMENT'))) + + image = d.getVar('INITRAMFS_IMAGE') + if image: + d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') + + ubootenv = d.getVar('UBOOT_ENV') + if ubootenv: + d.appendVarFlag('do_assemble_fitimage', 'depends', ' virtual/bootloader:do_populate_sysroot') + + #check if there are any dtb providers + providerdtb = d.getVar("PREFERRED_PROVIDER_virtual/dtb") + if providerdtb: + d.appendVarFlag('do_assemble_fitimage', 'depends', ' virtual/dtb:do_populate_sysroot') + d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' virtual/dtb:do_populate_sysroot') + d.setVar('EXTERNAL_KERNEL_DEVICETREE', "${RECIPE_SYSROOT}/boot/devicetree") + + # Verified boot will sign the fitImage and append the public key to + # U-Boot dtb. 
We ensure the U-Boot dtb is deployed before assembling + # the fitImage: + if d.getVar('UBOOT_SIGN_ENABLE') == "1" and d.getVar('UBOOT_DTB_BINARY'): + uboot_pn = d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot' + d.appendVarFlag('do_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % uboot_pn) + if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1": + d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' %s:do_populate_sysroot' % uboot_pn) +} + + +# Description string +FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" + +# Sign individual images as well +FIT_SIGN_INDIVIDUAL ?= "0" + +FIT_CONF_PREFIX ?= "conf-" +FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name" + +FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio" + +# Keys used to sign individually image nodes. +# The keys to sign image nodes must be different from those used to sign +# configuration nodes, otherwise the "required" property, from +# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image". +# Then the images signature checking will not be mandatory and no error will be +# raised in case of failure. +# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key") + +# +# Emit the fitImage ITS header +# +# $1 ... .its filename +fitimage_emit_fit_header() { + cat << EOF >> $1 +/dts-v1/; + +/ { + description = "${FIT_DESC}"; + #address-cells = <1>; +EOF +} + +# +# Emit the fitImage section bits +# +# $1 ... .its filename +# $2 ... 
Section bit type: imagestart - image section start +# confstart - configuration section start +# sectend - section end +# fitend - fitimage end +# +fitimage_emit_section_maint() { + case $2 in + imagestart) + cat << EOF >> $1 + + images { +EOF + ;; + confstart) + cat << EOF >> $1 + + configurations { +EOF + ;; + sectend) + cat << EOF >> $1 + }; +EOF + ;; + fitend) + cat << EOF >> $1 +}; +EOF + ;; + esac +} + +# +# Emit the fitImage ITS kernel section +# +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to kernel image +# $4 ... Compression type +fitimage_emit_section_kernel() { + + kernel_csum="${FIT_HASH_ALG}" + kernel_sign_algo="${FIT_SIGN_ALG}" + kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" + + ENTRYPOINT="${UBOOT_ENTRYPOINT}" + if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then + ENTRYPOINT=`${HOST_PREFIX}nm vmlinux | \ + awk '$3=="${UBOOT_ENTRYSYMBOL}" {print "0x"$1;exit}'` + fi + + cat << EOF >> $1 + kernel-$2 { + description = "Linux kernel"; + data = /incbin/("$3"); + type = "${UBOOT_MKIMAGE_KERNEL_TYPE}"; + arch = "${UBOOT_ARCH}"; + os = "linux"; + compression = "$4"; + load = <${UBOOT_LOADADDRESS}>; + entry = <$ENTRYPOINT>; + hash-1 { + algo = "$kernel_csum"; + }; + }; +EOF + + #key-name-hint = "$kernel_sign_keyname"; + if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$kernel_sign_keyname" ] ; then + sed -i '$ d' $1 + cat << EOF >> $1 + signature-1 { + algo = "$kernel_csum,$kernel_sign_algo"; + key-name-hint = "Private%20key%20for%20Digital%20Signature"; + }; + }; +EOF + fi +} + +# +# Emit the fitImage ITS DTB section +# +# $1 ... .its filename +# $2 ... Image counter +# $3 ... 
Path to DTB image +fitimage_emit_section_dtb() { + + dtb_csum="${FIT_HASH_ALG}" + dtb_sign_algo="${FIT_SIGN_ALG}" + dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" + + dtb_loadline="" + dtb_ext=${DTB##*.} + if [ "${dtb_ext}" = "dtbo" ]; then + if [ -n "${UBOOT_DTBO_LOADADDRESS}" ]; then + dtb_loadline="load = <${UBOOT_DTBO_LOADADDRESS}>;" + fi + elif [ -n "${UBOOT_DTB_LOADADDRESS}" ]; then + dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" + fi + cat << EOF >> $1 + fdt-$2 { + description = "Flattened Device Tree blob"; + data = /incbin/("$3"); + type = "flat_dt"; + arch = "${UBOOT_ARCH}"; + compression = "none"; + $dtb_loadline + hash-1 { + algo = "$dtb_csum"; + }; + }; +EOF + + if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$dtb_sign_keyname" ] ; then + sed -i '$ d' $1 + cat << EOF >> $1 + signature-1 { + algo = "$dtb_csum,$dtb_sign_algo"; + key-name-hint = "$dtb_sign_keyname"; + }; + }; +EOF + fi +} + +# +# Emit the fitImage ITS u-boot script section +# +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to boot script image +fitimage_emit_section_boot_script() { + + bootscr_csum="${FIT_HASH_ALG}" + bootscr_sign_algo="${FIT_SIGN_ALG}" + bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" + + cat << EOF >> $1 + bootscr-$2 { + description = "U-boot script"; + data = /incbin/("$3"); + type = "script"; + arch = "${UBOOT_ARCH}"; + compression = "none"; + hash-1 { + algo = "$bootscr_csum"; + }; + }; +EOF + + if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$bootscr_sign_keyname" ] ; then + sed -i '$ d' $1 + cat << EOF >> $1 + signature-1 { + algo = "$bootscr_csum,$bootscr_sign_algo"; + key-name-hint = "$bootscr_sign_keyname"; + }; + }; +EOF + fi +} + +# +# Emit the fitImage ITS setup section +# +# $1 ... .its filename +# $2 ... Image counter +# $3 ... 
Path to setup image +fitimage_emit_section_setup() { + + setup_csum="${FIT_HASH_ALG}" + + cat << EOF >> $1 + setup-$2 { + description = "Linux setup.bin"; + data = /incbin/("$3"); + type = "x86_setup"; + arch = "${UBOOT_ARCH}"; + os = "linux"; + compression = "none"; + load = <0x00090000>; + entry = <0x00090000>; + hash-1 { + algo = "$setup_csum"; + }; + }; +EOF +} + +# +# Emit the fitImage ITS ramdisk section +# +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to ramdisk image +fitimage_emit_section_ramdisk() { + + ramdisk_csum="${FIT_HASH_ALG}" + ramdisk_sign_algo="${FIT_SIGN_ALG}" + ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" + ramdisk_loadline="" + ramdisk_entryline="" + + if [ -n "${UBOOT_RD_LOADADDRESS}" ]; then + ramdisk_loadline="load = <${UBOOT_RD_LOADADDRESS}>;" + fi + if [ -n "${UBOOT_RD_ENTRYPOINT}" ]; then + ramdisk_entryline="entry = <${UBOOT_RD_ENTRYPOINT}>;" + fi + + cat << EOF >> $1 + ramdisk-$2 { + description = "${INITRAMFS_IMAGE}"; + data = /incbin/("$3"); + type = "ramdisk"; + arch = "${UBOOT_ARCH}"; + os = "linux"; + compression = "none"; + $ramdisk_loadline + $ramdisk_entryline + hash-1 { + algo = "$ramdisk_csum"; + }; + }; +EOF + + if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "$ramdisk_sign_keyname" ] ; then + sed -i '$ d' $1 + cat << EOF >> $1 + signature-1 { + algo = "$ramdisk_csum,$ramdisk_sign_algo"; + key-name-hint = "$ramdisk_sign_keyname"; + }; + }; +EOF + fi +} + +# +# Emit the fitImage ITS configuration section +# +# $1 ... .its filename +# $2 ... Linux kernel ID +# $3 ... DTB image name +# $4 ... ramdisk ID +# $5 ... u-boot script ID +# $6 ... config ID +# $7 ... 
default flag +fitimage_emit_section_config() { + + conf_csum="${FIT_HASH_ALG}" + conf_sign_algo="${FIT_SIGN_ALG}" + conf_padding_algo="${FIT_PAD_ALG}" + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then + conf_sign_keyname="${UBOOT_SIGN_KEYNAME}" + fi + + its_file="$1" + kernel_id="$2" + dtb_image="$3" + ramdisk_id="$4" + bootscr_id="$5" + config_id="$6" + default_flag="$7" + + # Test if we have any DTBs at all + sep="" + conf_desc="" + conf_node="${FIT_CONF_PREFIX}" + kernel_line="" + fdt_line="" + ramdisk_line="" + bootscr_line="" + setup_line="" + default_line="" + + # conf node name is selected based on dtb ID if it is present, + # otherwise its selected based on kernel ID + if [ -n "$dtb_image" ]; then + conf_node=$conf_node$dtb_image + else + conf_node=$conf_node$kernel_id + fi + + if [ -n "$kernel_id" ]; then + conf_desc="Linux kernel" + sep=", " + kernel_line="kernel = \"kernel-$kernel_id\";" + fi + + if [ -n "$dtb_image" ]; then + conf_desc="$conf_desc${sep}FDT blob" + sep=", " + fdt_line="fdt = \"fdt-$dtb_image\";" + fi + + if [ -n "$ramdisk_id" ]; then + conf_desc="$conf_desc${sep}ramdisk" + sep=", " + ramdisk_line="ramdisk = \"ramdisk-$ramdisk_id\";" + fi + + if [ -n "$bootscr_id" ]; then + conf_desc="$conf_desc${sep}u-boot script" + sep=", " + bootscr_line="bootscr = \"bootscr-$bootscr_id\";" + fi + + if [ -n "$config_id" ]; then + conf_desc="$conf_desc${sep}setup" + setup_line="setup = \"setup-$config_id\";" + fi + + if [ "$default_flag" = "1" ]; then + # default node is selected based on dtb ID if it is present, + # otherwise its selected based on kernel ID + if [ -n "$dtb_image" ]; then + default_line="default = \"${FIT_CONF_PREFIX}$dtb_image\";" + else + default_line="default = \"${FIT_CONF_PREFIX}$kernel_id\";" + fi + fi + + cat << EOF >> $its_file + $default_line + $conf_node { + description = "$default_flag $conf_desc"; + $kernel_line + $fdt_line + $ramdisk_line + $bootscr_line + $setup_line + hash-1 { + algo = "$conf_csum"; + }; +EOF + + if [ -n 
"$conf_sign_keyname" ] ; then + + sign_line="sign-images = " + sep="" + + if [ -n "$kernel_id" ]; then + sign_line="$sign_line${sep}\"kernel\"" + sep=", " + fi + + if [ -n "$dtb_image" ]; then + sign_line="$sign_line${sep}\"fdt\"" + sep=", " + fi + + if [ -n "$ramdisk_id" ]; then + sign_line="$sign_line${sep}\"ramdisk\"" + sep=", " + fi + + if [ -n "$bootscr_id" ]; then + sign_line="$sign_line${sep}\"bootscr\"" + sep=", " + fi + + if [ -n "$config_id" ]; then + sign_line="$sign_line${sep}\"setup\"" + fi + + sign_line="$sign_line;" + + #key-name-hint = "$conf_sign_keyname"; + cat << EOF >> $its_file + signature-1 { + algo = "$conf_csum,$conf_sign_algo"; + key-name-hint = "Private%20key%20for%20Digital%20Signature"; + padding = "$conf_padding_algo"; + $sign_line + }; +EOF + fi + + cat << EOF >> $its_file + }; +EOF +} + +# +# Assemble fitImage +# +# $1 ... .its filename +# $2 ... fitImage name +# $3 ... include ramdisk +fitimage_assemble() { + kernelcount=1 + dtbcount="" + DTBS="" + ramdiskcount=$3 + setupcount="" + bootscr_id="" + uboot_sign_expect_file="${UBOOT_EXPECT_FILE}" + rm -f $1 arch/${ARCH}/boot/$2 + + if [ -n "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then + bbfatal "Keys used to sign images and configuration nodes must be different." + fi + + fitimage_emit_fit_header $1 + + # + # Step 1: Prepare a kernel image section. + # + fitimage_emit_section_maint $1 imagestart + + uboot_prep_kimage + fitimage_emit_section_kernel $1 $kernelcount linux.bin "$linux_comp" + + # + # Step 2: Prepare a DTB image section + # + + if [ -n "${KERNEL_DEVICETREE}" ]; then + dtbcount=1 + for DTB in ${KERNEL_DEVICETREE}; do + if echo $DTB | grep -q '/dts/'; then + bbwarn "$DTB contains the full path to the the dts file, but only the dtb name should be used." 
+ DTB=`basename $DTB | sed 's,\.dts$,.dtb,g'` + fi + + # Skip ${DTB} if it's also provided in ${EXTERNAL_KERNEL_DEVICETREE} + if [ -n "${EXTERNAL_KERNEL_DEVICETREE}" ] && [ -s ${EXTERNAL_KERNEL_DEVICETREE}/${DTB} ]; then + continue + fi + + DTB_PATH="arch/${ARCH}/boot/dts/$DTB" + if [ ! -e "$DTB_PATH" ]; then + DTB_PATH="arch/${ARCH}/boot/$DTB" + fi + + DTB=$(echo "$DTB" | tr '/' '_') + + # Skip DTB if we've picked it up previously + echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue + + DTBS="$DTBS $DTB" + fitimage_emit_section_dtb $1 $DTB $DTB_PATH + done + fi + + if [ -n "${EXTERNAL_KERNEL_DEVICETREE}" ]; then + dtbcount=1 + for DTB in $(find "${EXTERNAL_KERNEL_DEVICETREE}" \( -name '*.dtb' -o -name '*.dtbo' \) -printf '%P\n' | sort); do + DTB=$(echo "$DTB" | tr '/' '_') + + # Skip DTB if we've picked it up previously + echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue + + DTBS="$DTBS $DTB" + fitimage_emit_section_dtb $1 $DTB "${EXTERNAL_KERNEL_DEVICETREE}/$DTB" + done + fi + + # + # Step 3: Prepare a u-boot script section + # + + if [ -n "${UBOOT_ENV}" ] && [ -d "${STAGING_DIR_HOST}/boot" ]; then + if [ -e "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY}" ]; then + cp ${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} ${B} + bootscr_id="${UBOOT_ENV_BINARY}" + fitimage_emit_section_boot_script $1 "$bootscr_id" ${UBOOT_ENV_BINARY} + else + bbwarn "${STAGING_DIR_HOST}/boot/${UBOOT_ENV_BINARY} not found." + fi + fi + + # + # Step 4: Prepare a setup section. (For x86) + # + if [ -e arch/${ARCH}/boot/setup.bin ]; then + setupcount=1 + fitimage_emit_section_setup $1 $setupcount arch/${ARCH}/boot/setup.bin + fi + + # + # Step 5: Prepare a ramdisk section. 
+ # + if [ "x${ramdiskcount}" = "x1" ] && [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then + # Find and use the first initramfs image archive type we find + found= + for img in ${FIT_SUPPORTED_INITRAMFS_FSTYPES}; do + initramfs_path="${DEPLOY_DIR_IMAGE}/${INITRAMFS_IMAGE_NAME}.$img" + if [ -e "$initramfs_path" ]; then + bbnote "Found initramfs image: $initramfs_path" + found=true + fitimage_emit_section_ramdisk $1 "$ramdiskcount" "$initramfs_path" + break + else + bbnote "Did not find initramfs image: $initramfs_path" + fi + done + + if [ -z "$found" ]; then + bbfatal "Could not find a valid initramfs type for ${INITRAMFS_IMAGE_NAME}, the supported types are: ${FIT_SUPPORTED_INITRAMFS_FSTYPES}" + fi + fi + + fitimage_emit_section_maint $1 sectend + + # Force the first Kernel and DTB in the default config + kernelcount=1 + if [ -n "$dtbcount" ]; then + dtbcount=1 + fi + + # + # Step 6: Prepare a configurations section + # + fitimage_emit_section_maint $1 confstart + + # kernel-fitimage.bbclass currently only supports a single kernel (no less or + # more) to be added to the FIT image along with 0 or more device trees and + # 0 or 1 ramdisk. + # It is also possible to include an initramfs bundle (kernel and rootfs in one binary) + # When the initramfs bundle is used ramdisk is disabled. + # If a device tree is to be part of the FIT image, then select + # the default configuration to be used is based on the dtbcount. If there is + # no dtb present than select the default configuation to be based on + # the kernelcount. 
+ if [ -n "$DTBS" ]; then + i=1 + for DTB in ${DTBS}; do + dtb_ext=${DTB##*.} + if [ "$dtb_ext" = "dtbo" ]; then + fitimage_emit_section_config $1 "" "$DTB" "" "$bootscr_id" "" "`expr $i = $dtbcount`" + else + fitimage_emit_section_config $1 $kernelcount "$DTB" "$ramdiskcount" "$bootscr_id" "$setupcount" "`expr $i = $dtbcount`" + fi + i=`expr $i + 1` + done + else + defaultconfigcount=1 + fitimage_emit_section_config $1 $kernelcount "" "$ramdiskcount" "$bootscr_id" "$setupcount" $defaultconfigcount + fi + + fitimage_emit_section_maint $1 sectend + + fitimage_emit_section_maint $1 fitend + + # + # Step 7: Assemble the image + # + ${UBOOT_MKIMAGE} \ + ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + -f $1 \ + arch/${ARCH}/boot/$2 + + # + # Step 8: Sign the image and add public key to U-Boot dtb + # + if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then + add_key_to_u_boot="" + if [ -n "${UBOOT_DTB_BINARY}" ]; then + # The u-boot.dtb is a symlink to UBOOT_DTB_IMAGE, so we need copy + # both of them, and don't dereference the symlink. 
+ cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B} + add_key_to_u_boot="-K ${B}/${UBOOT_DTB_BINARY}" + fi + + if [ "x${UBOOT_SIGN_PKCS11}" = "x1" ] ; then + bbplain "[SCLE] uboot_sign_expect_file: $uboot_sign_expect_file" + cat << EOF > $uboot_sign_expect_file +#!../recipe-sysroot-native/usr/bin/expect +set PIN [lindex \$argv 0] +set timeout 60 +set i 0 + +spawn /bin/sh -c "OPENSSL_CONF=\"../recipe-sysroot-native/etc/ssl/openssl.cnf\" OPENSSL_ENGINES=\"../recipe-sysroot-native/usr/lib/engines-3\" ${UBOOT_MKIMAGE_SIGN} ${@'-D \"${UBOOT_MKIMAGE_DTCOPTS}\"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} -F -k \"${YUBIKEY_URL}\" $add_key_to_u_boot -N pkcs11 -r arch/${ARCH}/boot/$2 ${UBOOT_MKIMAGE_SIGN_ARGS}" +expect -exact "${YUBIKEY_TOKEN_PIN_ASK}" +send -- "\$PIN\\r" +while {\$i < 2} { + expect -exact "${YUBIKEY_PRIVKEY_PIN_ASK}" + send -- "\$PIN\\r" + incr i + } +expect eof +EOF + expect $uboot_sign_expect_file ${YUBIKEY_PIN} + else + ${UBOOT_MKIMAGE_SIGN} \ + ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \ + -F -k "${UBOOT_SIGN_KEYDIR}" \ + $add_key_to_u_boot \ + -r arch/${ARCH}/boot/$2 \ + ${UBOOT_MKIMAGE_SIGN_ARGS} + fi + fi +} + +do_assemble_fitimage() { + if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then + cd ${B} + fitimage_assemble fit-image.its fitImage "" + fi +} + +addtask assemble_fitimage before do_install after do_compile + +do_assemble_fitimage_initramfs() { + if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage" && \ + test -n "${INITRAMFS_IMAGE}" ; then + cd ${B} + if [ "${INITRAMFS_IMAGE_BUNDLE}" = "1" ]; then + fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage "" + else + fitimage_assemble fit-image-${INITRAMFS_IMAGE}.its fitImage-${INITRAMFS_IMAGE} 1 + fi + fi +} + +addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs + +do_kernel_generate_rsa_keys() { + if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then + bbwarn "FIT_GENERATE_KEYS is set to 1 even though 
UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." + fi + + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then + + # Generate keys to sign configuration nodes, only if they don't already exist + if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ + [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then + + # make directory if it does not already exist + mkdir -p "${UBOOT_SIGN_KEYDIR}" + + bbnote "Generating RSA private key for signing fitImage" + openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ + "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ + "${FIT_SIGN_NUMBITS}" + + bbnote "Generating certificate for signing fitImage" + openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ + -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ + -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt + fi + + # Generate keys to sign image nodes, only if they don't already exist + if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \ + [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then + + # make directory if it does not already exist + mkdir -p "${UBOOT_SIGN_KEYDIR}" + + bbnote "Generating RSA private key for signing fitImage" + openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ + "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ + "${FIT_SIGN_NUMBITS}" + + bbnote "Generating certificate for signing fitImage" + openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ + -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ + -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt + fi + fi +} + +addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile + +kernel_do_deploy[vardepsexclude] = "DATETIME" +kernel_do_deploy:append() { + # Update deploy directory + if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then + + if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then + bbnote "Copying fit-image.its source file..." 
+ install -m 0644 ${B}/fit-image.its "$deployDir/fitImage-its-${KERNEL_FIT_NAME}.its" + if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then + ln -snf fitImage-its-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${KERNEL_FIT_LINK_NAME}" + fi + + bbnote "Copying linux.bin file..." + install -m 0644 ${B}/linux.bin $deployDir/fitImage-linux.bin-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT} + if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then + ln -snf fitImage-linux.bin-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT} "$deployDir/fitImage-linux.bin-${KERNEL_FIT_LINK_NAME}" + fi + fi + + if [ -n "${INITRAMFS_IMAGE}" ]; then + bbnote "Copying fit-image-${INITRAMFS_IMAGE}.its source file..." + install -m 0644 ${B}/fit-image-${INITRAMFS_IMAGE}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its" + if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then + ln -snf fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}.its "$deployDir/fitImage-its-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}" + fi + + if [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ]; then + bbnote "Copying fitImage-${INITRAMFS_IMAGE} file..." + install -m 0644 ${B}/arch/${ARCH}/boot/fitImage-${INITRAMFS_IMAGE} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT}" + if [ -n "${KERNEL_FIT_LINK_NAME}" ] ; then + ln -snf fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_NAME}${KERNEL_FIT_BIN_EXT} "$deployDir/fitImage-${INITRAMFS_IMAGE_NAME}-${KERNEL_FIT_LINK_NAME}" + fi + fi + fi + fi + if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ + [ -n "${UBOOT_DTB_BINARY}" ] ; then + # UBOOT_DTB_IMAGE is a realfile, but we can't use + # ${UBOOT_DTB_IMAGE} since it contains ${PV} which is aimed + # for u-boot, but we are in kernel env now. 
+ install -m 0644 ${B}/u-boot-${MACHINE}*.dtb "$deployDir/" + fi + if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${UBOOT_BINARY}" -a -n "${SPL_DTB_BINARY}" ] ; then + # If we're also creating and/or signing the uboot fit, now we need to + # deploy it, it's its file, as well as u-boot-spl.dtb + install -m 0644 ${B}/u-boot-spl-${MACHINE}*.dtb "$deployDir/" + bbnote "Copying u-boot-fitImage file..." + install -m 0644 ${B}/u-boot-fitImage-* "$deployDir/" + bbnote "Copying u-boot-its file..." + install -m 0644 ${B}/u-boot-its-* "$deployDir/" + fi +} + +# The function below performs the following in case of initramfs bundles: +# - Removes do_assemble_fitimage. FIT generation is done through +# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed +# and should not be part of the tasks to be executed. +# - Since do_kernel_generate_rsa_keys is inserted by default +# between do_compile and do_assemble_fitimage, this is +# not suitable in case of initramfs bundles. do_kernel_generate_rsa_keys +# should be between do_bundle_initramfs and do_assemble_fitimage_initramfs. +python () { + if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1": + bb.build.deltask('do_assemble_fitimage', d) + bb.build.deltask('kernel_generate_rsa_keys', d) + bb.build.addtask('kernel_generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d) +} diff --git a/classes/uboot-sign.bbclass b/classes/uboot-sign.bbclass index 7ac6e32..6fa4f9c 100644 --- a/classes/uboot-sign.bbclass +++ b/classes/uboot-sign.bbclass 
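Review bot: The PKCS#11 branch of `fitimage_assemble` (Step 8) runs `expect $uboot_sign_expect_file ${YUBIKEY_PIN}`, but the generated script ends with a bare `expect eof`, so the exit status of the spawned `${UBOOT_MKIMAGE_SIGN}` is discarded and a signing failure (wrong PIN, token absent, engine not loaded) leaves `arch/${ARCH}/boot/$2` unsigned while the task still succeeds; each `expect -exact` also falls through after the 60 s timeout and sends the PIN regardless. The script should fail when a prompt does not appear and propagate the child's status through `wait`, as sketched below; the `@@ -391,12 +403,39 @@` hunk of uboot-sign.bbclass has the same shape. Separately, `fitimage_emit_section_kernel` and `fitimage_emit_section_config` now hardcode `key-name-hint = "Private%20key%20for%20Digital%20Signature"` and leave `$kernel_sign_keyname` / `$conf_sign_keyname` unused, so with `FIT_SIGN_INDIVIDUAL = "1"` the kernel image node and the configuration node carry the same hint — the situation the `bbfatal "Keys used to sign images and configuration nodes must be different."` check exists to prevent, and that check now compares variables the emitted ITS no longer uses; the `@@ -336` and `@@ -355` hunks of uboot-sign.bbclass do the same. Deriving the hint from `UBOOT_SIGN_KEYNAME` / `UBOOT_SIGN_IMG_KEYNAME` (set to the token's key labels) keeps that check meaningful.
```bitbake
# … unchanged: shebang, set PIN/timeout/i, spawn line …
expect {
    -exact "${YUBIKEY_TOKEN_PIN_ASK}" { send -- "\$PIN\\r" }
    timeout { puts stderr "token PIN prompt not seen"; exit 1 }
    eof     { puts stderr "mkimage exited before prompting"; exit 1 }
}
# … unchanged: key-PIN prompt loop …
expect eof
lassign [wait] pid spawnid os_error status
if {\$os_error == -1 || \$status != 0} { exit 1 }
EOF
```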
@@ -102,6 +102,15 @@ UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509" UBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}" KERNEL_PN = "${@d.getVar('PREFERRED_PROVIDER_virtual/kernel')}" +SPL_SIGN_PKCS11 ?= "1" +UBOOT_SIGN_PKCS11 ?= "1" +YUBIKEY_URL ?= "model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=20682194;token=YubiKey%20PIV%20%2320682194;id=%02" +YUBIKEY_TOKEN_PIN_ASK ?= "Enter PKCS#11 token PIN for YubiKey PIV #20682194:" +YUBIKEY_PRIVKEY_PIN_ASK ?= "Enter PKCS#11 key PIN for Private key for Digital Signature:" +YUBIKEY_PIN ?= "123456" +SPL_EXPECT_FILE ?= "spl_mkimage_expect.exp" +UBOOT_EXPECT_FILE ?= "uboot_mkimage_expect.exp" + # We need u-boot-tools-native if we're creating a U-Boot fitImage python() { if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1': @@ -313,6 +322,7 @@ uboot_fitimage_assemble() { uboot_csum="${UBOOT_FIT_HASH_ALG}" uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}" uboot_sign_keyname="${SPL_SIGN_KEYNAME}" + spl_sign_expect_file="${SPL_EXPECT_FILE}" rm -f $uboot_its $uboot_bin @@ -336,11 +346,12 @@ uboot_fitimage_assemble() { entry = <${UBOOT_ENTRYPOINT}>; EOF + #key-name-hint = "$uboot_sign_keyname"; if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then cat << EOF >> $uboot_its signature { algo = "$uboot_csum,$uboot_sign_algo"; - key-name-hint = "$uboot_sign_keyname"; + key-name-hint = "Private%20key%20for%20Digital%20Signature"; }; EOF fi @@ -355,11 +366,12 @@ EOF compression = "none"; EOF + #key-name-hint = "$uboot_sign_keyname"; if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then cat << EOF >> $uboot_its signature { algo = "$uboot_csum,$uboot_sign_algo"; - key-name-hint = "$uboot_sign_keyname"; + key-name-hint = "Private%20key%20for%20Digital%20Signature"; }; EOF fi 
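Review bot: `YUBIKEY_PIN ?= "123456"` ships a working default PIN inside a class, and because BitBake expands shell functions before running them, whatever value is in effect is written verbatim into the signing task's `run.do_*` script under `${T}` and into the generated `.exp` file, while `expect $spl_sign_expect_file ${YUBIKEY_PIN}` additionally exposes it to anyone who can read the build host's process list. Default it to empty, `YUBIKEY_PIN ?= ""`, make the signing functions `bbfatal` when it is unset, and source it from the build environment (`BB_ENV_PASSTHROUGH_ADDITIONS`) read inside the expect script via `$env(YUBIKEY_PIN)` rather than from argv; excluding it from the task signature with `[vardepsexclude]` is presumably also wanted, since the PIN should not change the output. `SPL_SIGN_PKCS11 ?= "1"` and `UBOOT_SIGN_PKCS11 ?= "1"` silently switch every user of this class to the token path, with a `YUBIKEY_URL` bound to one serial number and one key label; default both to `"0"` so the existing file-key flow stays the default, and move the token-specific URL and prompt strings into machine or local configuration.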
@@ -391,12 +403,39 @@ EOF # # Sign the U-boot FIT image and add public key to SPL dtb # - ${UBOOT_MKIMAGE_SIGN} \ - ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ - -F -k "${SPL_SIGN_KEYDIR}" \ - -K "$spl_dtb" \ - -r $uboot_bin \ - ${SPL_MKIMAGE_SIGN_ARGS} + if [ "${SPL_SIGN_PKCS11}" = "1" ] ; then + bbplain "[SCLE CLASS] PWD: $PWD" + bbplain "[SCLE CLASS] spl_dtb: $spl_dtb" + bbplain "[SCLE CLASS] uboot_bin: $uboot_bin" + bbplain "[SCLE CLASS] SPL_MKIMAGE_SIGN_ARGS: ${SPL_MKIMAGE_SIGN_ARGS}" + bbplain "[SCLE CLASS] UBOOT_MKIMAGE_SIGN: ${UBOOT_MKIMAGE_SIGN}" + bbplain "[SCLE CLASS] spl_sign_expect_file: $spl_sign_expect_file" + ${UBOOT_MKIMAGE_SIGN} -V + cat << EOF > $spl_sign_expect_file +#!../recipe-sysroot-native/usr/bin/expect +set PIN [lindex \$argv 0] +set timeout 60 +set i 0 + +spawn /bin/sh -c "OPENSSL_CONF=\"../recipe-sysroot-native/etc/ssl/openssl.cnf\" OPENSSL_ENGINES=\"../recipe-sysroot-native/usr/lib/engines-3\" ${UBOOT_MKIMAGE_SIGN} ${@'-D \"${SPL_MKIMAGE_DTCOPTS}\"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} -F -k \"${YUBIKEY_URL}\" -K $spl_dtb -N pkcs11 -r $uboot_bin ${SPL_MKIMAGE_SIGN_ARGS}" +expect -exact "${YUBIKEY_TOKEN_PIN_ASK}" +send -- "\$PIN\\r" +while {\$i < 3} { + expect -exact "${YUBIKEY_PRIVKEY_PIN_ASK}" + send -- "\$PIN\\r" + incr i + } +expect eof +EOF + expect $spl_sign_expect_file ${YUBIKEY_PIN} + else + ${UBOOT_MKIMAGE_SIGN} \ + ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ + -F -k "${SPL_SIGN_KEYDIR}" \ + -K "$spl_dtb" \ + -r $uboot_bin \ + ${SPL_MKIMAGE_SIGN_ARGS} + fi fi } diff --git a/recipes-bsp/u-boot-tools.inc b/recipes-bsp/u-boot-tools.inc new file mode 100644 index 0000000..5e2a774 --- /dev/null +++ b/recipes-bsp/u-boot-tools.inc 
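Review bot: The key-PIN prompt loop is hardcoded to `while {$i < 3}` here but `< 2` in kernel-fitimage.bbclass's `fitimage_assemble`, so the number of prompts is a per-build assumption rather than something the script detects, and if fewer prompts appear each unmatched `expect -exact` blocks for the full 60 s timeout and then sends the PIN anyway. Replacing the loop and the following `expect eof` with `expect { -exact "${YUBIKEY_PRIVKEY_PIN_ASK}" { send -- "\$PIN\\r"; exp_continue } eof }` answers however many prompts arrive and removes the count. The six `bbplain "[SCLE CLASS] ..."` lines and the bare `${UBOOT_MKIMAGE_SIGN} -V` read as leftover debugging and should go before merge. The `#!../recipe-sysroot-native/usr/bin/expect` shebang and the `OPENSSL_CONF` / `OPENSSL_ENGINES` values are relative to the current directory, which is presumably `${B}` — `uboot_fitimage_assemble` begins outside this hunk, so confirm, or use `${STAGING_BINDIR_NATIVE}`, `${STAGING_ETCDIR_NATIVE}` and `${STAGING_LIBDIR_NATIVE}` so the script does not depend on `$PWD`.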
@@ -0,0 +1,101 @@ +SUMMARY = "U-Boot bootloader tools" + +SECTION = "bootloaders" +DEPENDS = "flex-native bison-native swig-native util-linux gnutls openssl" + +LICENSE = "GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1" +PE = "1" + +BRANCH ?= "master" +UBOOT_GIT_URI = "git://git.ti.com/git/ti-u-boot/ti-u-boot.git" +UBOOT_GIT_PROTOCOL = "https" +SRC_URI = "${UBOOT_GIT_URI};protocol=${UBOOT_GIT_PROTOCOL};branch=${BRANCH}" + +PV:append = "+git${SRCPV}" + +S = "${WORKDIR}/git" +B = "${WORKDIR}/build" + +inherit pkgconfig + +do_configure[cleandirs] = "${B}" + +PROVIDES = "${MLPREFIX}u-boot-mkimage ${MLPREFIX}u-boot-mkenvimage" +PROVIDES:class-native = "u-boot-mkimage-native u-boot-mkenvimage-native" + +PACKAGES += "${PN}-mkimage ${PN}-mkenvimage" + +# Required for backward compatibility with "u-boot-mkimage-xxx.bb" +RPROVIDES:${PN}-mkimage = "u-boot-mkimage" +RREPLACES:${PN}-mkimage = "u-boot-mkimage" +RCONFLICTS:${PN}-mkimage = "u-boot-mkimage" + +EXTRA_OEMAKE:class-target = 'CROSS_COMPILE="${TARGET_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1' +EXTRA_OEMAKE:class-native = 'CC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1' +EXTRA_OEMAKE:class-nativesdk = 'CROSS_COMPILE="${HOST_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1' + +SED_CONFIG_EFI = '-e "s/CONFIG_EFI_LOADER=.*/# CONFIG_EFI_LOADER is not set/"' +SED_CONFIG_EFI:x86 = '' +SED_CONFIG_EFI:x86-64 = '' +SED_CONFIG_EFI:arm = '' +SED_CONFIG_EFI:armeb = '' +SED_CONFIG_EFI:aarch64 = '' + +do_compile () { + # Yes, this is crazy. If you build on a system with git < 2.14 from scratch, the tree will + # be marked as "dirty" and the version will include "-dirty", leading to a reproducibility problem. 
+ # The issue is the inode count for Licnses/README changing due to do_populate_lic hardlinking a + # copy of the file. We avoid this by ensuring the index is updated with a "git diff" before the + # u-boot machinery tries to determine the version. + # + # build$ ../git/scripts/setlocalversion ../git + # "" + # build$ ln ../git/ + # build$ ln ../git/README ../foo + # build$ ../git/scripts/setlocalversion ../git + # ""-dirty + # (i.e. creating a hardlink dirties the index) + cd ${S}; git diff; cd ${B} + + oe_runmake -C ${S} sandbox_defconfig O=${B} + + # Disable CONFIG_CMD_LICENSE, license.h is not used by tools and + # generating it requires bin2header tool, which for target build + # is built with target tools and thus cannot be executed on host. + sed -i -e "s/CONFIG_CMD_LICENSE=.*/# CONFIG_CMD_LICENSE is not set/" ${SED_CONFIG_EFI} ${B}/.config + + oe_runmake -C ${S} cross_tools NO_SDL=1 O=${B} +} + +do_install () { + install -d ${D}${bindir} + + # mkimage + install -m 0755 tools/mkimage ${D}${bindir}/uboot-mkimage + ln -sf uboot-mkimage ${D}${bindir}/mkimage + + # mkenvimage + install -m 0755 tools/mkenvimage ${D}${bindir}/uboot-mkenvimage + ln -sf uboot-mkenvimage ${D}${bindir}/mkenvimage + + # dumpimage + install -m 0755 tools/dumpimage ${D}${bindir}/uboot-dumpimage + ln -sf uboot-dumpimage ${D}${bindir}/dumpimage + + # fit_check_sign + install -m 0755 tools/fit_check_sign ${D}${bindir}/uboot-fit_check_sign + ln -sf uboot-fit_check_sign ${D}${bindir}/fit_check_sign +} + +ALLOW_EMPTY:${PN} = "1" +FILES:${PN} = "" +FILES:${PN}-mkimage = "${bindir}/uboot-mkimage ${bindir}/mkimage ${bindir}/uboot-dumpimage ${bindir}/dumpimage ${bindir}/uboot-fit_check_sign ${bindir}/fit_check_sign" +FILES:${PN}-mkenvimage = "${bindir}/uboot-mkenvimage ${bindir}/mkenvimage" + +RDEPENDS:${PN}-mkimage += "dtc" +RDEPENDS:${PN} += "${PN}-mkimage ${PN}-mkenvimage" +RDEPENDS:${PN}:class-native = "" + +BBCLASSEXTEND = "native nativesdk" + 
diff --git a/recipes-bsp/u-boot-tools_2023.01.bb b/recipes-bsp/u-boot-tools_2023.01.bb new file mode 100644 index 0000000..4ffd3fe --- /dev/null +++ b/recipes-bsp/u-boot-tools_2023.01.bb 
@@ -0,0 +1,74 @@ +require u-boot-tools.inc + +FILESEXTRAPATHS:prepend := "${THISDIR}/files2:" + +SRC_URI = " \ + ${UBOOT_GIT_URI};protocol=${UBOOT_GIT_PROTOCOL};branch=${BRANCH} \ + file://board.c \ + file://board.h \ + file://Kconfig \ + file://MAINTAINERS \ + file://Makefile \ + file://mux.c \ + file://am335x_pengwyn.h \ + file://am335x-pengwyn.dts \ + file://am335x-pengwyn-u-boot.dtsi \ + file://0001-add-pengwyn-dts-to-makefile.patch \ + file://0002-add-target-pengwyn.patch \ + file://0003-misc-board-failed.patch \ + file://0010-log-compile-err.patch \ + file://0021-debug.patch \ + " + +# Pengwyn defconfig +SRC_URI += " \ + file://defconfig/pengwyn_fit_kern_defconfig \ + file://defconfig/pengwyn_fit_uboot_defconfig \ + file://defconfig/pengwyn_fitimage_defconfig \ + file://defconfig/pengwyn_dmverity_defconfig \ + file://defconfig/pengwyn_defconfig \ + " + +# U-Boot environment variables file +SRC_URI += " \ + file://env/uEnv_fit_kern_verity.txt \ + file://env/uEnv_fit_kernel.txt \ + file://env/uEnv_verity.txt \ + file://env/uEnv.txt \ + " +# Tag: v2023.01 +SRCREV = "62e2ad1ceafbfdf2c44d3dc1b6efc81e768a96b9" + +S = "${WORKDIR}/git" + +do_configure:prepend() { + install -d ${S}/board/silica/pengwyn + install -m 0644 ${WORKDIR}/board.c ${S}/board/silica/pengwyn + install -m 0644 ${WORKDIR}/board.h ${S}/board/silica/pengwyn + install -m 0644 ${WORKDIR}/Kconfig ${S}/board/silica/pengwyn + install -m 0644 ${WORKDIR}/MAINTAINERS ${S}/board/silica/pengwyn + install -m 0644 ${WORKDIR}/Makefile ${S}/board/silica/pengwyn + install -m 0644 ${WORKDIR}/mux.c ${S}/board/silica/pengwyn + + install -d ${S}/configs + if [ "${SCLE_DM_VERITY}" = '1' ]; then + if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then + install -m 0644 ${WORKDIR}/defconfig/pengwyn_fitimage_defconfig ${S}/configs/pengwyn_defconfig + else + install -m 0644 ${WORKDIR}/defconfig/pengwyn_dmverity_defconfig ${S}/configs/pengwyn_defconfig + fi + else + if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then + install -m 0644 
${WORKDIR}/defconfig/pengwyn_fitimage_defconfig ${S}/configs/pengwyn_defconfig + else + install -m 0644 ${WORKDIR}/defconfig/pengwyn_defconfig ${S}/configs/pengwyn_defconfig + fi + fi + + install -d ${S}/include/configs/ + install -m 0644 ${WORKDIR}/am335x_pengwyn.h ${S}/include/configs/ + + install -d ${S}/arch/arm/dts + install -m 0644 ${WORKDIR}/am335x-pengwyn.dts ${S}/arch/arm/dts + install -m 0644 ${WORKDIR}/am335x-pengwyn-u-boot.dtsi ${S}/arch/arm/dts +} diff --git a/recipes-bsp/u-boot/files2/0020-debug-rsa.patch b/recipes-bsp/u-boot/files2/0020-debug-rsa.patch new file mode 100644 index 0000000..b387c16 --- /dev/null +++ b/recipes-bsp/u-boot/files2/0020-debug-rsa.patch @@ -0,0 +1,21 @@ +diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c +index b2a21199e4..2d7034d5e2 100644 +--- a/lib/rsa/rsa-sign.c ++++ b/lib/rsa/rsa-sign.c +@@ -3,6 +3,7 @@ + * Copyright (c) 2013, Google Inc. + */ + ++#define DEBUG + #define OPENSSL_API_COMPAT 0x10101000L + + #include "mkimage.h" +@@ -317,7 +318,7 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe) + + e = ENGINE_by_id(engine_id); + if (!e) { +- fprintf(stderr, "Engine isn't available\n"); ++ fprintf(stderr, "Engine (%s) isn't available\n", engine_id); + return -1; + } + diff --git a/recipes-bsp/u-boot/files2/0021-debug.patch b/recipes-bsp/u-boot/files2/0021-debug.patch index 878dc5b..32aea45 100644 --- a/recipes-bsp/u-boot/files2/0021-debug.patch +++ b/recipes-bsp/u-boot/files2/0021-debug.patch 
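Review bot: `file://0021-debug.patch` in this recipe's SRC_URI applies debugging instrumentation (stderr traces of engine and key identifiers, see the 0021 hunk further down) to the very mkimage that signs production images, and it is applied unconditionally. Either drop that line or gate it on a developer-only variable, e.g. `SRC_URI += "${@bb.utils.contains('UBOOT_TOOLS_DEBUG', '1', 'file://0021-debug.patch', '', d)}"` (variable name is an example). The same patch is added again by recipes-bsp/u-boot/u-boot-tools_%.bbappend in this commit, so it is listed twice in SRC_URI; I have not verified whether do_patch deduplicates entries, but if it does not the second application fails. In do_configure:prepend both fitImage branches of the SCLE_DM_VERITY test install the same pengwyn_fitimage_defconfig, so the nesting can be flattened to a single `if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]` test followed by the verity/non-verity choice.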
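Review bot: The `+#define DEBUG` this patch adds at the top of lib/rsa/rsa-sign.c enables every debug() trace in the host signing code, not only the improved engine message below it; the two changes should be split so the message fix can stay while the DEBUG define does not ship. No SRC_URI in this commit references 0020-debug-rsa.patch (only 0021-debug.patch is listed), so as committed the file is dead. If it is ever applied next to 0021-debug.patch, both touch the `fprintf(stderr, "Engine isn't available\n");` line of rsa_engine_init and whichever is applied second will not apply cleanly.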
@@ -1,20 +1,67 @@ -diff --git a/boot/bootm.c b/boot/bootm.c -index a4c0870c0f..6059c73158 100644 ---- a/boot/bootm.c -+++ b/boot/bootm.c -@@ -411,6 +411,7 @@ static int bootm_load_os(struct bootm_headers *images, int boot_progress) - void *load_buf, *image_buf; - int err; +diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c +index b2a21199e4..6a338bbf98 100644 +--- a/lib/rsa/rsa-sign.c ++++ b/lib/rsa/rsa-sign.c +@@ -25,7 +25,7 @@ static int rsa_err(const char *msg) + { + unsigned long sslErr = ERR_get_error(); -+ printf("[SCLE] load os : start=%x - len=%d\n", image_start, image_len); - load_buf = map_sysmem(load, 0); - image_buf = map_sysmem(os.image_start, image_len); - err = image_decomp(os.comp, load, os.image_start, os.type, -@@ -1029,6 +1030,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type, +- fprintf(stderr, "%s", msg); ++ fprintf(stderr, "[SCLE RSA_ERR] %s", msg); + fprintf(stderr, ": %s\n", + ERR_error_string(sslErr, 0)); - /* Allow the image to expand by a factor of 4, should be safe */ - buf_size = (1 << 20) + len * 4; -+ printf("[SCLE] before decompress: buf_size=%d\n", buf_size); - load_buf = malloc(buf_size); - ret = image_decomp(image_comp, 0, data, image_type, load_buf, - (void *)data, len, buf_size, &load_end); +@@ -140,6 +140,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name, + return -ENOTSUP; + } + ++ fprintf(stderr, "[SCLE PUBKEY MKIMAGE] key_id: %s - engine_id: %s\n",key_id, engine_id); + key = ENGINE_load_public_key(engine, key_id, NULL, NULL); + if (!key) + return rsa_err("Failure loading public key from engine"); +@@ -267,6 +268,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name, + return -ENOTSUP; + } + ++ fprintf(stderr, "[SCLE PRIVKEY MKIMAGE] engine: %s - key_id: %s\n", engine_id, key_id); + key = ENGINE_load_private_key(engine, key_id, NULL, NULL); + if (!key) + return rsa_err("Failure loading private key from engine"); +@@ -314,25 +316,28 @@ static int 
rsa_engine_init(const char *engine_id, ENGINE **pe) + int ret; + + ENGINE_load_builtin_engines(); +- ++ fprintf(stderr, "[SCLE MKIMAGE] test1 ...\n"); + e = ENGINE_by_id(engine_id); + if (!e) { + fprintf(stderr, "Engine isn't available\n"); + return -1; + } + ++ fprintf(stderr, "[SCLE MKIMAGE] test2 ...\n"); + if (!ENGINE_init(e)) { + fprintf(stderr, "Couldn't initialize engine\n"); + ret = -1; + goto err_engine_init; + } + ++ fprintf(stderr, "[SCLE MKIMAGE] test3 ...\n"); + if (!ENGINE_set_default_RSA(e)) { + fprintf(stderr, "Couldn't set engine as default for RSA\n"); + ret = -1; + goto err_set_rsa; + } + ++ fprintf(stderr, "[SCLE MKIMAGE] test4 ...\n"); + key_pass = getenv("MKIMAGE_SIGN_PIN"); + if (key_pass) { + if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) { +@@ -342,6 +347,7 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe) + } + } + ++ fprintf(stderr, "[SCLE MKIMAGE] test5 ...\n"); + *pe = e; + + return 0; diff --git a/recipes-bsp/u-boot/files2/env/uEnv_fit_kernel.txt b/recipes-bsp/u-boot/files2/env/uEnv_fit_kernel.txt index 8839fb8..50d3285 100644 --- a/recipes-bsp/u-boot/files2/env/uEnv_fit_kernel.txt +++ b/recipes-bsp/u-boot/files2/env/uEnv_fit_kernel.txt @@ -25,7 +25,7 @@ mmcargs=setenv bootargs console=${console} ${optargs} root=${mmcroot} data=${mmc mmcboot=mmc dev ${mmcdev}; if mmc rescan; then echo SD/MMC found on device ${mmcdev};if run loadbootenv; then echo Loaded environment from ${bootenv};run importbootenv;fi;if test -n $uenvcmd; then echo Running uenvcmd ...;run uenvcmd;fi;if run loadimage; then run mmcloados;fi;fi; mmcdev=0 mmcloados=run mmcargs; bootm ${loadaddr}; -mmcroot=/dev/mmcblk0p2 ro +mmcroot=/dev/mmcblk0p2 rw mmcdata=/dev/mmcblk0p3 mmcdata2=/dev/mmcblk0p4 mmcrootfstype=ext4 rootwait diff --git a/recipes-bsp/u-boot/u-boot-ti.inc b/recipes-bsp/u-boot/u-boot-ti.inc index de3adf6..6deddb3 100644 --- a/recipes-bsp/u-boot/u-boot-ti.inc +++ b/recipes-bsp/u-boot/u-boot-ti.inc 
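Review bot: The traces added in rsa_engine_get_pub_key and rsa_engine_get_priv_key (`[SCLE PUBKEY MKIMAGE] key_id: %s` and `[SCLE PRIVKEY MKIMAGE] ... key_id: %s`) write the key identifier to stderr, which bitbake captures in the task logs; with the pkcs11 engine key_id is a PKCS#11 URI, and if it carries a `pin-value=` or `pin-source=` component the HSM PIN ends up in build logs. Drop those two lines, or print only engine_id. The `test1` … `test5` lines in rsa_engine_init carry no diagnostic content and should not remain in a committed patch. The `[SCLE RSA_ERR]` prefix in rsa_err is harmless but changes an error string that wrappers may match on, so it deserves a mention in the patch header.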
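Review bot: `mmcroot=/dev/mmcblk0p2 rw` now mounts the root filesystem writable from the kernel command line, where the previous environment used `ro`; read-only root is the usual default for a signed-boot profile and is required if dm-verity is ever enabled on this partition. If the change is deliberate for the non-verity fitImage configuration, a one-line comment in this file or the commit message should say so; otherwise keep `ro` and remount read-write from userspace where needed. The mmcargs line that consumes ${mmcroot} is outside this hunk.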
@@ -23,7 +23,8 @@ SRC_URI = "${UBOOT_GIT_URI};protocol=${UBOOT_GIT_PROTOCOL};branch=${BRANCH}" PV:append = "+git${SRCPV}" # u-boot needs devtree compiler to parse dts files -DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native" +# DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native" +DEPENDS += "dtc-native bc-native lzop-native flex-native bison-native python3-setuptools-native libp11-native opensc-native" DM_FIRMWARE = "ipc_echo_testb_mcu1_0_release_strip.xer5f" diff --git a/recipes-bsp/u-boot/u-boot-tools_%.bbappend b/recipes-bsp/u-boot/u-boot-tools_%.bbappend new file mode 100644 index 0000000..06458a2 --- /dev/null +++ b/recipes-bsp/u-boot/u-boot-tools_%.bbappend @@ -0,0 +1,12 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/files2:" +SRC_URI += " \ + git://git.ti.com/git/ti-u-boot/ti-u-boot.git;protocol=https;branch=master \ + file://0021-debug.patch \ + " + +# Tag: v2023.01 +SRCREV = "62e2ad1ceafbfdf2c44d3dc1b6efc81e768a96b9" + +LIC_FILES_CHKSUM = "file://Licenses/README;md5=2ca5f2c35c8cc335f0a19756634782f1" +#PV:append = "+git${SRCPV}" +DEPENDS += "swig-native gnutls-native" diff --git a/recipes-connectivity/openssl/files/0010-debug-scle.patch b/recipes-connectivity/openssl/files/0010-debug-scle.patch new file mode 100644 index 0000000..30c4cac --- /dev/null +++ b/recipes-connectivity/openssl/files/0010-debug-scle.patch 
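Review bot: The previous `DEPENDS +=` line is left in as a comment directly above its replacement; git history already preserves it, so the commented line should be deleted rather than shipped. A comment explaining why the two new dependencies are needed would be more useful in its place, e.g. `# libp11-native/opensc-native: OpenSSL pkcs11 engine used by mkimage for HSM-backed FIT signing`.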
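Review bot: This bbappend adds a second git repository (`git://git.ti.com/git/ti-u-boot/ti-u-boot.git`) to SRC_URI on top of the ${UBOOT_GIT_URI} entry that the new u-boot-tools_2023.01.bb already provides, so two repositories are fetched and unpacked into ${WORKDIR}/git while SRCREV is set only once. It also lists `file://0021-debug.patch` a second time, and because of the `%` wildcard everything here applies to every u-boot-tools version in the layer stack, not only 2023.01. I would move the LIC_FILES_CHKSUM and DEPENDS lines into u-boot-tools_2023.01.bb (or u-boot-tools.inc) and delete the SRC_URI, SRCREV and commented-out PV lines from this file.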
@@ -0,0 +1,104 @@ +diff --color -pruN openssl-3.0.7.orig/crypto/conf/conf_sap.c openssl-3.0.7/crypto/conf/conf_sap.c +--- openssl-3.0.7.orig/crypto/conf/conf_sap.c 2022-11-01 14:14:36.000000000 +0000 ++++ openssl-3.0.7/crypto/conf/conf_sap.c 2024-01-15 13:25:28.353053475 +0000 +@@ -43,6 +43,7 @@ void OPENSSL_config(const char *appname) + + int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings) + { ++ printf("[SCLE] ossl_config_int\r\n"); + int ret = 0; + #if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI) + const char *filename; +@@ -50,8 +51,10 @@ int ossl_config_int(const OPENSSL_INIT_S + unsigned long flags; + #endif + +- if (openssl_configured) ++ if (openssl_configured) { ++ printf("[SCLE] ossl_config_int -> openssl_configured\r\n"); + return 1; ++ } + + #if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI) + filename = settings ? settings->filename : NULL; +@@ -64,6 +67,8 @@ int ossl_config_int(const OPENSSL_INIT_S + filename, appname, flags); + #endif + ++ printf("[SCLE] OPENSSL_INIT: ossl_config_int(%s, %s, %lu)\r\n", ++ filename, appname, flags); + #ifndef OPENSSL_SYS_UEFI + ret = CONF_modules_load_file(filename, appname, flags); + #endif +diff --color -pruN openssl-3.0.7.orig/crypto/engine/eng_fat.c openssl-3.0.7/crypto/engine/eng_fat.c +--- openssl-3.0.7.orig/crypto/engine/eng_fat.c 2022-11-01 14:14:36.000000000 +0000 ++++ openssl-3.0.7/crypto/engine/eng_fat.c 2022-11-01 14:14:36.000000000 +0000 +@@ -92,6 +92,7 @@ int ENGINE_set_default_string(ENGINE *e, + + int ENGINE_register_complete(ENGINE *e) + { ++ printf("[SCLE] Engine => id:%s - name: %s\r\n", e->id, e->name); + ENGINE_register_ciphers(e); + ENGINE_register_digests(e); + ENGINE_register_RSA(e); +diff --color -pruN openssl-3.0.7.orig/crypto/engine/eng_list.c openssl-3.0.7/crypto/engine/eng_list.c +--- openssl-3.0.7.orig/crypto/engine/eng_list.c 2022-11-01 14:14:36.000000000 +0000 ++++ openssl-3.0.7/crypto/engine/eng_list.c 2022-11-01 14:14:36.000000000 +0000 +@@ -385,9 
+385,12 @@ ENGINE *ENGINE_by_id(const char *id) + if (!CRYPTO_THREAD_write_lock(global_engine_lock)) + return NULL; + iterator = engine_list_head; +- while (iterator && (strcmp(id, iterator->id) != 0)) ++ while (iterator && (strcmp(id, iterator->id) != 0)) { ++ printf("[SCLE] id:%s/id:%s\r\n", id, iterator->id); + iterator = iterator->next; ++ } + if (iterator != NULL) { ++ printf("[SCLE] id (%s) found !!\r\n", id); + /* + * We need to return a structural reference. If this is an ENGINE + * type that returns copies, make a duplicate - otherwise increment +@@ -415,17 +418,22 @@ ENGINE *ENGINE_by_id(const char *id) + if (strcmp(id, "dynamic")) { + if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL) + load_dir = ENGINESDIR; ++ printf("[SCLE] id : dynamic => load_dir: %s\r\n", load_dir); + iterator = ENGINE_by_id("dynamic"); + if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || + !ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) || + !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD", + load_dir, 0) || + !ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) || +- !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) ++ !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) { ++ printf("[SCLE] id : dynamic => problem !!\r\n"); + goto notfound; ++ } ++ printf("[SCLE] return id:%s\r\n", iterator->id); + return iterator; + } + notfound: ++ printf("[SCLE] Engine (%s) not found ...\r\n", id); + ENGINE_free(iterator); + ERR_raise_data(ERR_LIB_ENGINE, ENGINE_R_NO_SUCH_ENGINE, "id=%s", id); + return NULL; +diff --color -pruN openssl-3.0.7.orig/crypto/init.c openssl-3.0.7/crypto/init.c +--- openssl-3.0.7.orig/crypto/init.c 2022-11-01 14:14:36.000000000 +0000 ++++ openssl-3.0.7/crypto/init.c 2024-01-15 13:19:37.029947054 +0000 +@@ -577,7 +577,7 @@ int OPENSSL_init_crypto(uint64_t opts, c + + if (opts & OPENSSL_INIT_LOAD_CONFIG) { + int loading = CRYPTO_THREAD_get_local(&in_init_config_local) != NULL; +- ++ printf("[SCLE] OPENSSL_init_crypto -> 
OPENSSL_INIT_LOAD_CONFIG: loading: %s\r\n", loading); + /* If called recursively from OBJ_ calls, just skip it. */ + if (!loading) { + int ret; +@@ -642,6 +642,7 @@ int OPENSSL_init_crypto(uint64_t opts, c + if (opts & (OPENSSL_INIT_ENGINE_ALL_BUILTIN + | OPENSSL_INIT_ENGINE_OPENSSL + | OPENSSL_INIT_ENGINE_AFALG)) { ++ printf("[SCLE] call ENGINE_register_all_complete (opts: 0x%x)...\r\n", opts); + ENGINE_register_all_complete(); + } + #endif diff --git a/recipes-connectivity/openssl/files/0010-debug-scle.patch.marche b/recipes-connectivity/openssl/files/0010-debug-scle.patch.marche new file mode 100644 index 0000000..1b2d9a3 --- /dev/null +++ b/recipes-connectivity/openssl/files/0010-debug-scle.patch.marche @@ -0,0 +1,13 @@ +--- a/include/openssl/crypto.h.in 2022-11-01 14:14:36.000000000 +0000 ++++ b/include/openssl/crypto.h.in 2024-01-15 13:16:33.352505585 +0000 +@@ -455,7 +455,9 @@ int CRYPTO_memcmp(const void * in_a, con + # define OPENSSL_INIT_ENGINE_ALL_BUILTIN \ + (OPENSSL_INIT_ENGINE_RDRAND | OPENSSL_INIT_ENGINE_DYNAMIC \ + | OPENSSL_INIT_ENGINE_CRYPTODEV | OPENSSL_INIT_ENGINE_CAPI | \ +- OPENSSL_INIT_ENGINE_PADLOCK) ++ OPENSSL_INIT_ENGINE_PADLOCK | OPENSSL_INIT_LOAD_CONFIG | \ ++ OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_ADD_ALL_CIPHERS | \ ++ OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) + + /* Library initialisation functions */ + void OPENSSL_cleanup(void); diff --git a/recipes-connectivity/openssl/files/0011-debug-scle.patch b/recipes-connectivity/openssl/files/0011-debug-scle.patch new file mode 100644 index 0000000..1f9e9dc --- /dev/null +++ b/recipes-connectivity/openssl/files/0011-debug-scle.patch 
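Review bot: In the crypto/init.c hunk, `printf("[SCLE] OPENSSL_init_crypto -> OPENSSL_INIT_LOAD_CONFIG: loading: %s\r\n", loading)` passes the int `loading` (0 or 1) to a `%s` conversion, so printf dereferences it as a pointer and prints "(null)" or crashes; use `%d`. The `opts: 0x%x` trace a few lines later formats a uint64_t with `%x`, which is also undefined; use `0x%" PRIx64 "` or cast to unsigned long long with `%llx`. All of these printf calls write to stdout from inside libcrypto, so every program linked against this openssl-native, including ones whose stdout is parsed, would emit the traces; this file is not listed in any SRC_URI in the commit, but if it is meant to be applied the traces should go to stderr and be gated on an environment variable.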
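Review bot: The `.marche` suffix means this file is never picked up as a patch, yet its content changes the public `OPENSSL_INIT_ENGINE_ALL_BUILTIN` macro to also imply OPENSSL_INIT_LOAD_CONFIG, OPENSSL_INIT_ADD_ALL_DIGESTS, OPENSSL_INIT_ADD_ALL_CIPHERS and OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS, which as far as I can tell makes every caller that requests the builtin engines silently load the config file and lose error strings. If the goal is to have mkimage load openssl.cnf (and thus the pkcs11 engine section), the caller is the right place: pass OPENSSL_INIT_LOAD_CONFIG where mkimage initialises libcrypto instead of redefining a header macro for all consumers. Either rename this to a .patch that is listed in SRC_URI or delete it.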
@@ -0,0 +1,76 @@ +diff --color -pruN openssl-3.0.7.orig/crypto/conf/conf_sap.c openssl-3.0.7/crypto/conf/conf_sap.c +--- openssl-3.0.7.orig/crypto/conf/conf_sap.c 2022-11-01 14:14:36.000000000 +0000 ++++ openssl-3.0.7/crypto/conf/conf_sap.c 2022-11-01 14:14:36.000000000 +0000 +@@ -43,7 +43,7 @@ void OPENSSL_config(const char *appname) + + int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings) + { +- printf("[SCLE] ossl_config_int"); ++ printf("[SCLE] ossl_config_int\r\n"); + int ret = 0; + #if defined(OPENSSL_INIT_DEBUG) || !defined(OPENSSL_SYS_UEFI) + const char *filename; +@@ -52,7 +52,7 @@ int ossl_config_int(const OPENSSL_INIT_S + #endif + + if (openssl_configured) { +- printf("[SCLE] ossl_config_int -> openssl_configured"); ++ printf("[SCLE] ossl_config_int -> openssl_configured\r\n"); + return 1; + } + +diff --color -pruN openssl-3.0.7.orig/crypto/engine/eng_list.c openssl-3.0.7/crypto/engine/eng_list.c +--- openssl-3.0.7.orig/crypto/engine/eng_list.c 2022-11-01 14:14:36.000000000 +0000 ++++ openssl-3.0.7/crypto/engine/eng_list.c 2024-01-17 10:46:03.471272607 +0000 +@@ -386,11 +386,11 @@ ENGINE *ENGINE_by_id(const char *id) + return NULL; + iterator = engine_list_head; + while (iterator && (strcmp(id, iterator->id) != 0)) { +- printf("[SCLE] id:%s/id:%s\r\n", id, iterator->id); ++ printf("[SCLE - ENGINE_by_id] id:%s/id:%s\r\n", id, iterator->id); + iterator = iterator->next; + } + if (iterator != NULL) { +- printf("[SCLE] id (%s) found !!\r\n", id); ++ printf("[SCLE - ENGINE_by_id] id (%s) found !!\r\n", id); + /* + * We need to return a structural reference. 
If this is an ENGINE + * type that returns copies, make a duplicate - otherwise increment +@@ -410,15 +410,17 @@ ENGINE *ENGINE_by_id(const char *id) + } + } + CRYPTO_THREAD_unlock(global_engine_lock); +- if (iterator != NULL) ++ if (iterator != NULL) { ++ printf("[SCLE - ENGINE_by_id] return iterator\r\n"); + return iterator; ++ } + /* + * Prevent infinite recursion if we're looking for the dynamic engine. + */ + if (strcmp(id, "dynamic")) { + if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL) + load_dir = ENGINESDIR; +- printf("[SCLE] id : dynamic => load_dir: %s\r\n", load_dir); ++ printf("[SCLE - ENGINE_by_id] id : dynamic => load_dir: %s\r\n", load_dir); + iterator = ENGINE_by_id("dynamic"); + if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) || + !ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) || +@@ -426,14 +428,14 @@ ENGINE *ENGINE_by_id(const char *id) + load_dir, 0) || + !ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) || + !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) { +- printf("[SCLE] id : dynamic => problem !!\r\n"); ++ printf("[SCLE - ENGINE_by_id] id : dynamic => problem !!\r\n"); + } + goto notfound; +- printf("[SCLE] return id:%s\r\n", iterator->id); ++ printf("[SCLE - ENGINE_by_id] return id:%s\r\n", iterator->id); + return iterator; + } + notfound: +- printf("[SCLE] Engine (%s) not found ...\r\n", id); ++ printf("[SCLE - ENGINE_by_id] Engine (%s) not found ...\r\n", id); + ENGINE_free(iterator); + ERR_raise_data(ERR_LIB_ENGINE, ENGINE_R_NO_SUCH_ENGINE, "id=%s", id); + return NULL; diff --git a/recipes-connectivity/openssl/files/openssl.cnf b/recipes-connectivity/openssl/files/openssl.cnf new file mode 100644 index 0000000..b6c6c6f --- /dev/null +++ b/recipes-connectivity/openssl/files/openssl.cnf 
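Review bot: The context lines of the `@@ -426,14 +428,14 @@` hunk in ENGINE_by_id show the `}` closing the failure branch before ` goto notfound;`, so the goto is now unconditional: a successfully loaded dynamic engine is never returned, the following `printf`/`return iterator;` are dead code, and every lookup that goes through the dynamic engine ends at notfound with ENGINE_R_NO_SUCH_ENGINE after freeing the engine it just loaded. Compare with the 0010-debug-scle.patch version of the same lines, where `goto notfound;` sits inside the braces. The fix is to move `}` back below `goto notfound;`. This patch also only applies on top of 0010-debug-scle.patch (it edits strings that 0010 introduced), and neither is listed in any SRC_URI in this commit, so the order must be fixed wherever they are eventually added.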
@@ -0,0 +1,391 @@ +# +# OpenSSL example configuration file. +# See doc/man5/config.pod for more info. +# +# This is mostly being used for generation of certificate requests, +# but may be used for auto loading of providers + +# Note that you can include other files from the main configuration +# file using the .include directive. + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . + + # Use this in order to automatically load providers. +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +# Extra OBJECT IDENTIFIER info: +# oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +# For FIPS +# Optionally include a file that is generated by the OpenSSL fipsinstall +# application. This file contains configuration data required by the OpenSSL +# fips provider. It contains a named section e.g. [fips_sect] which is +# referenced from the [provider_sect] below. +# Refer to the OpenSSL security policy for more information. +# .include fipsmodule.cnf + +[openssl_init] +providers = provider_sect + +# List of providers to load +[provider_sect] +default = default_sect +# The fips section name should match the section name inside the +# included fipsmodule.cnf. +# fips = fips_sect + +# If no providers are activated explicitly, the default one is activated implicitly. 
+# See man 7 OSSL_PROVIDER-default for more details. +# +# If you add a section explicitly activating any other provider(s), you most +# probably need to explicitly activate the default provider, otherwise it +# becomes unavailable in openssl. As a consequence applications depending on +# OpenSSL may not work correctly which could lead to significant system +# problems including inability to remotely access the system. +[default_sect] +# activate = 1 + + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. 
+# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 
+string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +# This is required for TSA certificates. 
+# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. 
+# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha256 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? 
+ # (optional, default: no) +ess_cert_id_alg = sha1 # algorithm to compute certificate + # identifier (optional, default: sha1) + +[insta] # CMP using Insta Demo CA +# Message transfer +server = pki.certificate.fi:8700 +# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080 +# tls_use = 0 +path = pkix/ + +# Server authentication +recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer +ignore_keyusage = 1 # potentially needed quirk +unprotected_errors = 1 # potentially needed quirk +extracertsout = insta.extracerts.pem + +# Client authentication +ref = 3078 # user identification +secret = pass:insta # can be used for both client and server side + +# Generic message options +cmd = ir # default operation, can be overridden on cmd line with, e.g., kur + +# Certificate enrollment +subject = "/CN=openssl-cmp-test" +newkey = insta.priv.pem +out_trusted = insta.ca.crt +certout = insta.cert.pem + +[pbm] # Password-based protection for Insta CA +# Server and client authentication +ref = $insta::ref # 3078 +secret = $insta::secret # pass:insta + +[signature] # Signature-based protection for Insta CA +# Server authentication +trusted = insta.ca.crt # does not include keyUsage digitalSignature + +# Client authentication +secret = # disable PBM +key = $insta::newkey # insta.priv.pem +cert = $insta::certout # insta.cert.pem + +[ir] +cmd = ir + +[cr] +cmd = cr + +[kur] +# Certificate update +cmd = kur +oldcert = $insta::certout # insta.cert.pem + +[rr] +# Certificate revocation +cmd = rr +oldcert = $insta::certout # insta.cert.pem + +.include ../recipe-sysroot-native/etc/ssl/pkcs11.cnf diff --git a/recipes-connectivity/openssl/openssl_%.bbappend b/recipes-connectivity/openssl/openssl_%.bbappend new file mode 100644 index 0000000..5cfc39c --- /dev/null +++ b/recipes-connectivity/openssl/openssl_%.bbappend 
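Review bot: The trailing `.include ../recipe-sysroot-native/etc/ssl/pkcs11.cnf` is a relative path, which OpenSSL resolves against the working directory of the process (or $OPENSSL_CONF_INCLUDE when set), not against the location of openssl.cnf, and as far as I can tell from OpenSSL's conf loader a missing include is skipped silently; so the pkcs11 engine section is present only when the tool runs from a directory with a recipe-sysroot-native sibling and is quietly absent everywhere else, which matches the "Engine isn't available" symptom the debug patches in this commit are chasing. Prefer `.include pkcs11.cnf` with `OPENSSL_CONF_INCLUDE="${STAGING_ETCDIR_NATIVE}/ssl"` exported from the signing task, a `.pragma includedir:` line, or moving the engine section into this file. The rest of the file is the upstream example configuration, including the `[insta]` CMP demo sections with `secret = pass:insta` and an external demo CA; they are inert unless selected but are noise in a signing-host configuration and could be removed.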
@@ -0,0 +1,17 @@ +# Copyright (C) 2023 Vincent BENOIT +# Release under the MIT license (see COPYING.MIT for the terms) + +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + +SRC_URI += " \ + file://openssl.cnf \ + " + +do_install:append:class-native () { + install -d ${D}${sysconfdir}/ssl + install -m 0755 ${WORKDIR}/openssl.cnf ${D}${sysconfdir}/ssl/ +} + +FILES:${PN}:class-native += " \ + ${sysconfdir}/ssl/openssl.cnf \ + " diff --git a/recipes-connectivity/scle-openssl/files/pkcs11.cnf b/recipes-connectivity/scle-openssl/files/pkcs11.cnf new file mode 100644 index 0000000..bd30fc4 --- /dev/null +++ b/recipes-connectivity/scle-openssl/files/pkcs11.cnf @@ -0,0 +1,13 @@ +[openssl_init] +providers = provider_sect +engines = engine_sect + +[engine_sect] +pkcs11 = pkcs11_sect + +[pkcs11_sect] +engine_id = pkcs11 +dynamic_path = ../recipe-sysroot-native/usr/lib/engines-3/pkcs11.so +MODULE_PATH = ../recipe-sysroot-native/usr/lib/pkcs11/p11-kit-client.so +init = 0 + diff --git a/recipes-connectivity/scle-openssl/files/scle-sign-pkcs11.cnf b/recipes-connectivity/scle-openssl/files/scle-sign-pkcs11.cnf new file mode 100644 index 0000000..296e66f --- /dev/null +++ b/recipes-connectivity/scle-openssl/files/scle-sign-pkcs11.cnf @@ -0,0 +1,11 @@ +[openssl_init] +providers = provider_sect +engines = engine_sect + +[engine_sect] +pkcs11 = pkcs11_sect + +[pkcs11_sect] +engine_id = pkcs11 +init = 0 + diff --git a/recipes-connectivity/scle-openssl/scle-openssl.bb b/recipes-connectivity/scle-openssl/scle-openssl.bb new file mode 100644 index 0000000..e231536 --- /dev/null +++ b/recipes-connectivity/scle-openssl/scle-openssl.bb 
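Review bot: `install -m 0755` gives a configuration file execute permission; `install -m 0644` is the right mode here (the same applies to scle-openssl.bb). The `%` wildcard plus `do_install:append:class-native` replaces the openssl.cnf of every openssl-native version with this copy, and the patches added under recipes-connectivity/openssl/files/ in this commit (0010-debug-scle.patch, 0011-debug-scle.patch) are not listed in SRC_URI, so either the lines are missing or the files are leftovers to delete. A short header comment stating what this file is would help the next reader, e.g. `# Upstream openssl.cnf plus a trailing .include of pkcs11.cnf (provided by scle-openssl-native)`.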
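Review bot: `dynamic_path` and `MODULE_PATH` are relative paths (`../recipe-sysroot-native/usr/lib/...`) that dlopen resolves against the current working directory, so which engine and which PKCS#11 module get loaded depends on where the process happens to run; any directory with a sibling named recipe-sysroot-native can supply a different .so, and from any other directory the engine simply fails to load. Absolute paths are the safer form; if the consumer sysroot path is not known when this file is produced, have the signing task generate or substitute the file from ${STAGING_LIBDIR_NATIVE} at use time. `init = 0` is consistent with mkimage calling ENGINE_init itself (visible in the rsa_engine_init context of 0021-debug.patch), but a comment such as `# init = 0: mkimage initialises the engine explicitly` would stop someone "fixing" it.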
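Review bot: This file is not referenced by any SRC_URI or install step in the commit (scle-openssl.bb ships only pkcs11.cnf), and used on its own via OPENSSL_CONF it refers to `provider_sect`, a section it does not define; without `dynamic_path` the `pkcs11` engine can only be found if the engine .so is in OpenSSL's engines directory (the ENGINESDIR/OPENSSL_ENGINES lookup shown in the 0010 patch context). Either delete it or add a comment at the top explaining that it is meant to be `.include`d from a full openssl.cnf that defines provider_sect, and where the engine is expected to come from.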
@@ -0,0 +1,27 @@ +# Copyright (C) 2024 Vincent BENOIT +# Release under the MIT license (see COPYING.MIT for the terms) + +SUMMARY = "openssl conf file with PKCS#11" +MAINTAINER = "Vincent BENOIT " +LICENSE = "CLOSED" + +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + +SRC_URI += " \ + file://pkcs11.cnf \ + " + +do_install:append:class-native () { + install -d ${D}${sysconfdir}/ssl + install -m 0755 ${WORKDIR}/pkcs11.cnf ${D}${sysconfdir}/ssl/ +} + +FILES:${PN}:class-native += " \ + ${sysconfdir}/ssl/pkcs11.cnf \ + " + +RDEPENDS:${PN}:class-native += " \ + libp11-native \ + " + +BBCLASSEXTEND = "native" diff --git a/recipes-kernel/linux/linux-ti-staging_%.bbappend b/recipes-kernel/linux/linux-ti-staging_%.bbappend index 342b23e..38c40c1 100644 --- a/recipes-kernel/linux/linux-ti-staging_%.bbappend +++ b/recipes-kernel/linux/linux-ti-staging_%.bbappend @@ -8,4 +8,6 @@ SRC_URI += " \ file://defconfig \ " +DEPENDS += "libp11-native opensc-native p11-kit-native expect-native scle-openssl-native" + KERNEL_FEATURES:append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", "features/device-mapper/dm-verity.scc", "" ,d)}"
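Review bot: `LICENSE = "CLOSED"` contradicts the header two lines above (`Release under the MIT license`); pick one, and if it is MIT use `LICENSE = "MIT"` with a LIC_FILES_CHKSUM so the license audit does not flag the recipe. `install -m 0755` on pkcs11.cnf should be `-m 0644`, and the MAINTAINER value looks truncated (no e-mail address after the name). Since the recipe is only useful native (`BBCLASSEXTEND = "native"` and every override is `:class-native`), it could be a plain scle-openssl-native recipe with `inherit native`, which drops the redundant suffixes and the empty target variant.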
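Review bot: The new DEPENDS line pulls `scle-openssl-native` into the kernel's recipe-sysroot-native, which is what the relative `../recipe-sysroot-native/etc/ssl/pkcs11.cnf` include in openssl.cnf and the `../recipe-sysroot-native/usr/lib/...` paths in pkcs11.cnf appear to rely on; that coupling is invisible from this file, so a comment should record it, e.g. `# scle-openssl-native: pkcs11.cnf for HSM-backed FIT signing, reached by relative path from openssl.cnf`. `expect-native` has no visible user in this commit; if it exists to drive the HSM PIN prompt, the `MKIMAGE_SIGN_PIN` environment variable that mkimage already reads (see the rsa_engine_init context in 0021-debug.patch) is the non-interactive path and the dependency can go. The kernel-fitimage.bbclass that presumably consumes these dependencies is outside this chunk.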