diff options
| author |   Usama Arif <usama.arif@arm.com> | 2020-09-30 11:48:00 +0100 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-10-06 23:11:47 +0100 |
| commit | 8dfaf5cd4eb5c8e352e7833ec47db1a14ea58b47 (patch) | |
| tree | 53943ee806cf0e08d848239cf85ab72931aecebc /meta/classes/kernel-fitimage.bbclass | |
| parent | ce265cf467f1c3e5ba2edbfbef2170df1a727a52 (diff) | |
| download | openembedded-core-8dfaf5cd4eb5c8e352e7833ec47db1a14ea58b47.tar.gz | |
kernel-fitimage: generate openssl RSA keys for signing fitimage
The keys are only generated if they dont exist. The key
generation can be turned off by setting FIT_GENERATE_KEYS to "0".
The default key length for private keys is 2048 and the default
format for public key certificate is x.509.
Signed-off-by: Usama Arif <usama.arif@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/kernel-fitimage.bbclass')
| -rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index fa4ea6feef..bb2f3c4ccc 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -56,6 +56,22 @@ FIT_HASH_ALG ?= "sha256" # fitImage Signature Algo FIT_SIGN_ALG ?= "rsa2048" +# Generate keys for signing fitImage +FIT_GENERATE_KEYS ?= "0" + +# Size of private key in number of bits +FIT_SIGN_NUMBITS ?= "2048" + +# args to openssl genrsa (Default is just the public exponent) +FIT_KEY_GENRSA_ARGS ?= "-F4" + +# args to openssl req (Default is -batch for non interactive mode and +# -new for new certificate) +FIT_KEY_REQ_ARGS ?= "-batch -new" + +# Standard format for public key certificate +FIT_KEY_SIGN_PKCS ?= "-x509" + # # Emit the fitImage ITS header # @@ -522,6 +538,34 @@ do_assemble_fitimage_initramfs() { addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs +do_generate_rsa_keys() { + if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then + bbwarn "FIT_GENERATE_KEYS is set to 1 eventhough UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." + fi + + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then + + # Generate keys only if they don't already exist + if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ + [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt]; then + + # make directory if it does not already exist + mkdir -p "${UBOOT_SIGN_KEYDIR}" + + echo "Generating RSA private key for signing fitImage" + openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ + "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ + "${FIT_SIGN_NUMBITS}" + + echo "Generating certificate for signing fitImage" + openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ + -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ + -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt + fi + fi +} + +addtask generate_rsa_keys before do_assemble_fitimage after do_compile kernel_do_deploy[vardepsexclude] = "DATETIME" kernel_do_deploy_append() { |