[PATCH 3/4] u-boot: Use a different Key for SPL signing

Dan Zhang dz4list at gmail.com
Tue Mar 16 09:42:07 AEDT 2021


Hi Klaus,

Can we make the patch not only support sign u-boot fitimage with
different key, but also allow sign later?
Similar to kernel-fitimage.bbclass::fitimage_assemble(), step 1~6
create a "sign-able"  fit-image and step 7 do the sign.

Can we add a new control variable i.e. DO_UBOOT_SIGN which control
whether we sign the image during build time.

We would like to be able to "just sign" the "sign-able" image with
"any key" later, instead of needing to rebuild the whole image.
For example, a signing service that has access to the official
production key could sign the image. We don't want this signing
service to have to set up a complex build environment and rebuild the image.

BRs
Dan Zhang

> From: Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>
> To: openembedded-core at lists.openembedded.org
> Cc: joel at jms.id.au, andrew at aj.id.au, openbmc at lists.ozlabs.org, Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>
> Bcc:
> Date: Mon, 15 Mar 2021 13:58:05 -0300
> Subject: [PATCH 3/4] u-boot: Use a different Key for SPL signing
> Duplicate the variables governing u-boot signing so that we can have a
> different set of keys/parameters signing the SPL.
>
> Signed-off-by: Klaus Heinrich Kiwi <klaus at linux.vnet.ibm.com>
> ---
>  meta/classes/uboot-config.bbclass |  2 ++
>  meta/classes/uboot-sign.bbclass   | 55 ++++++++++++++++++++++++-------
>  2 files changed, 46 insertions(+), 11 deletions(-)
>
> diff --git a/meta/classes/uboot-config.bbclass b/meta/classes/uboot-config.bbclass
> index 31487c1418..3bba02828b 100644
> --- a/meta/classes/uboot-config.bbclass
> +++ b/meta/classes/uboot-config.bbclass
> @@ -61,6 +61,7 @@ UBOOT_EXTLINUX_SYMLINK ?= "${UBOOT_EXTLINUX_CONF_NAME}-${MACHINE}-${PR}"
>
>  # Options for the device tree compiler passed to mkimage '-D' feature:
>  UBOOT_MKIMAGE_DTCOPTS ??= ""
> +SPL_MKIMAGE_DTCOPTS ??= ""
>
>  # mkimage command
>  UBOOT_MKIMAGE ?= "uboot-mkimage"
> @@ -68,6 +69,7 @@ UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
>
>  # Arguments passed to mkimage for signing
>  UBOOT_MKIMAGE_SIGN_ARGS ?= ""
> +SPL_MKIMAGE_SIGN_ARGS ?= ""
>
>  python () {
>      ubootmachine = d.getVar("UBOOT_MACHINE")
> diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
> index 86380f2234..2ec93e0b8e 100644
> --- a/meta/classes/uboot-sign.bbclass
> +++ b/meta/classes/uboot-sign.bbclass
> @@ -59,27 +59,34 @@ SPL_NODTB_IMAGE ?= "${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${
>  SPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin"
>  SPL_NODTB_SYMLINK ?= "${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[0]}-nodtb-${MACHINE}${@os.path.splitext(d.getVar("SPL_BINARYNAME"))[1]}"
>
DO_UBOOT_SIGN ?= "1"
> -# fitImage Hash Algo
> +# Kernel / U-Boot fitImage Hash Algo
>  FIT_HASH_ALG ?= "sha256"
> +UBOOT_FIT_HASH_ALG ?= "sha256"
>
> -# fitImage Signature Algo
> +# Kernel / U-Boot fitImage Signature Algo
>  FIT_SIGN_ALG ?= "rsa2048"
> +UBOOT_FIT_SIGN_ALG ?= "rsa2048"
>
> -# Generate keys for signing fitImage
> +# Generate keys for signing Kernel / U-Boot fitImage
>  FIT_GENERATE_KEYS ?= "0"
> +UBOOT_FIT_GENERATE_KEYS ?= "0"
>
> -# Size of private key in number of bits
> +# Size of private keys in number of bits
>  FIT_SIGN_NUMBITS ?= "2048"
> +UBOOT_FIT_SIGN_NUMBITS ?= "2048"
>
>  # args to openssl genrsa (Default is just the public exponent)
>  FIT_KEY_GENRSA_ARGS ?= "-F4"
> +UBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4"
>
>  # args to openssl req (Default is -batch for non interactive mode and
>  # -new for new certificate)
>  FIT_KEY_REQ_ARGS ?= "-batch -new"
> +UBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new"
>
>  # Standard format for public key certificate
>  FIT_KEY_SIGN_PKCS ?= "-x509"
> +UBOOT_FIT_KEY_SIGN_PKCS ?= "-x509"
>
>  # Functions on this bbclass can apply to either U-boot or Kernel,
>  # depending on the scenario
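Review bot: The new `UBOOT_FIT_SIGN_ALG` and `UBOOT_FIT_SIGN_NUMBITS` defaults are set independently here, but the other hunks feed the first into the signature node (`uboot_sign_algo`) and the second into `openssl genrsa`, so overriding only one of them would generate a key that does not match the declared algorithm. The updated comments ("Kernel / U-Boot ...") also do not say that the `UBOOT_FIT_*` values apply to the key stored under `SPL_SIGN_KEYDIR`/`SPL_SIGN_KEYNAME`. I would add a comment above the pair such as `# UBOOT_FIT_SIGN_NUMBITS must match the key size named in UBOOT_FIT_SIGN_ALG (rsa2048 -> 2048)` and one line stating which key these variables configure.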
> @@ -280,6 +287,32 @@ do_generate_rsa_keys() {
>                                 -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
>                 fi
>         fi
> +
> +       if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
> +               bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
> +       fi
> +
> +       if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
> +
> +               # Generate keys only if they don't already exist
> +               if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \
> +                       [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then
> +
> +                       # make directory if it does not already exist
> +                       mkdir -p "${SPL_SIGN_KEYDIR}"
> +
> +                       echo "Generating RSA private key for signing U-Boot fitImage"
> +                       openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \
> +                               "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
> +                               "${UBOOT_FIT_SIGN_NUMBITS}"
> +
> +                       echo "Generating certificate for signing U-Boot fitImage"
> +                       openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \
> +                               -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \
> +                               -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt
> +               fi
> +       fi
> +
>  }
>
>  addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
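Review bot: The certificate step in the new SPL branch still reads `${FIT_KEY_REQ_ARGS}`, so the `UBOOT_FIT_KEY_REQ_ARGS` variable this patch introduces is never used and kernel-side settings leak into the SPL certificate; the line should read `openssl req ${UBOOT_FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \`. Separately, the existence test is an OR, so a missing `.crt` alone re-runs `openssl genrsa -out` and overwrites an existing `.key`. That silently replaces a key whose public half may already be embedded in an SPL dtb. Checking the `.key` and `.crt` separately, and regenerating only the certificate when the key is present, would avoid that. The start of `do_generate_rsa_keys` is outside this hunk.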
> @@ -292,9 +325,9 @@ uboot_fitimage_assemble() {
>         uboot_dtb="${3}"
>         uboot_bin="${4}"
>         spl_dtb="${5}"
> -       uboot_csum="${FIT_HASH_ALG}"
> -       uboot_sign_algo="${FIT_SIGN_ALG}"
> -       uboot_sign_keyname="${UBOOT_SIGN_KEYNAME}"
> +       uboot_csum="${UBOOT_FIT_HASH_ALG}"
> +       uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}"
> +       uboot_sign_keyname="${SPL_SIGN_KEYNAME}"
>
>         rm -f ${uboot_its} ${uboot_bin}
>
> @@ -349,7 +382,7 @@ EOF
>         # Assemble the U-boot FIT image
>         #
>         ${UBOOT_MKIMAGE} \
> -               ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
> +               ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
>                 -f ${uboot_its} \
>                 ${uboot_bin}
>
> @@ -357,11 +390,11 @@ EOF
>         # Sign the U-boot FIT image and add public key to SPL dtb
>         #
if [ "x${DO_UBOOT_SIGN}" = "x1" ] ; then
>         ${UBOOT_MKIMAGE_SIGN} \
> -               ${@'-D "${UBOOT_MKIMAGE_DTCOPTS}"' if len('${UBOOT_MKIMAGE_DTCOPTS}') else ''} \
> -               -F -k "${UBOOT_SIGN_KEYDIR}" \
> +               ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \
> +               -F -k "${SPL_SIGN_KEYDIR}" \
>                 -K "${spl_dtb}" \
>                 -r ${uboot_bin} \
> -               ${UBOOT_MKIMAGE_SIGN_ARGS}
> +               ${SPL_MKIMAGE_SIGN_ARGS}
>
fi
>  }
>
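Review bot: The comment above the signing call undersells what it does. As written, `-k "${SPL_SIGN_KEYDIR}"` signs the FIT, while `-K "${spl_dtb}" -r` writes the public key into the SPL device tree and marks it required. Any path that skips this call (the page shows it wrapped in a `DO_UBOOT_SIGN` test) leaves the SPL dtb with no verification key, not just the image unsigned. I would extend the comment to `# Sign the U-boot FIT image; -K embeds the public key in the SPL dtb and -r marks it required for verification`, and emit a `bbwarn` whenever the step is not run. `uboot_fitimage_assemble` begins outside this hunk, so a check that `SPL_SIGN_KEYDIR` and `SPL_SIGN_KEYNAME` are non-empty may already exist earlier in the function.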
> --
> 2.25.1
>
>

