authorMaik Otto <m.otto@phytec.de>2020-03-06 13:26:07 (GMT)
committerNorbert Wesp <n.wesp@phytec.de>2020-03-11 14:51:43 (GMT)
commit2429d663bbc970e5c655c05b1a377fb69070d2d5 (patch)
tree90ce2faae1aeb6bd7e7cb7a3995a5dc22a266889
parent5338e83c1ac9acbdd04963e636a8c9679abe295b (diff)
barebox-secureboot: update secureboot for barebox_2019.11+
Add support for building unsigned, signed and USB-signed images in parallel. Use only the default environment when secure boot is activated. Signed-off-by: Maik Otto <m.otto@phytec.de> Signed-off-by: Norbert Wesp <n.wesp@phytec.de>
-rw-r--r--recipes-bsp/barebox/barebox-secureboot.inc85
1 files changed, 57 insertions, 28 deletions
diff --git a/recipes-bsp/barebox/barebox-secureboot.inc b/recipes-bsp/barebox/barebox-secureboot.inc
index 0ac51bb..90d846c 100644
--- a/recipes-bsp/barebox/barebox-secureboot.inc
+++ b/recipes-bsp/barebox/barebox-secureboot.inc
@@ -1,10 +1,16 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/barebox:"
-SRC_URI_append = " \
+SRC_URI_append_secureboot = " \
file://dynamic-config.cfg \
"
-DEPENDS += "nxp-cst-native dtc-native u-boot-mkimage-native"
+DEPENDS_append_secureboot = " nxp-cst-native dtc-native u-boot-mkimage-native"
+do_patch[depends] += "dtc-native:do_populate_sysroot u-boot-mkimage-native:do_populate_sysroot"
+
+BAREBOX_BIN_SIGNED ?= "images/${BAREBOX_BASE_BIN}-s.img"
+BAREBOX_BIN_SIGNEDUSB ?= "images/${BAREBOX_BASE_BIN}-us.img"
+
+BAREBOX_LINK_NAME ?= "barebox"
#Create an empty device tree
def write_signature_node(d):
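Review bot: `do_patch[depends]` on line 29 is the only new line in this hunk without the `_secureboot` override, so dtc-native and u-boot-mkimage-native are pulled into every barebox build while `DEPENDS` directly above was narrowed to secure-boot builds; if that is deliberate (a varflag may not be able to carry the override), a comment saying so would stop the next reader from "fixing" it. The two new image variables on lines 31-32 also say nothing about what the suffixes mean; a comment such as `# -s: HAB-signed image, -us: HAB-signed image for USB boot (CONFIG_HABV4_IMAGE_SIGNED / _SIGNED_USB, enabled in do_patch)` would make the install/deploy tasks further down self-explanatory.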
@@ -82,25 +88,20 @@ def write_command(name,out):
def check_fitimage_keyring(d):
- # check for problematic certificate setups
- shasum = write_command("sha256sum " + d.getVar("FITIMAGE_SIGN_KEY_PATH",True),'')
- if (len(shasum) > 0) and \
- (shasum.split(' ',1)[0] == "fda2863c40b971a6909ff5c278d27988dc14361d10920299c51e9a1a163984dc") :
- bb.warn("!! CRITICAL SECURITY WARNING: You're using Phytec's Development Keyring for Secure Boot in the fit-image. Please create your own!!")
+ # check for problematic certificate setups
+ shasum = write_command("sha256sum " + d.getVar("FITIMAGE_SIGN_KEY_PATH",True),'')
+ if ((len(shasum) > 0) and (shasum.split(' ',1)[0] == "6f92252aab834bbe8090e92c44f051b2c40db8e3953c8c26c04c14e7ae2db7d8")) or \
+ ((len(shasum) > 0) and (shasum.split(' ',1)[0] == "1e3eb95fe6a7d1e45db761bff6eedafb9291661480e1a1ad10eb6f5b8b9961c1")):
+ bb.warn("!! CRITICAL SECURITY WARNING: You're using Phytec's Development Keyring for Secure Boot in the fit-image. Please create your own!!")
def check_bootloader_keyring(d):
- # check for problematic certificate setups
- shasumIMG=write_command("sha256sum " + d.getVar("BAREBOX_SIGN_IMG_PATH", True),'')
- shasumCSF=write_command("sha256sum " + d.getVar("BAREBOX_SIGN_CSF_PATH", True),'')
- shasumSRK=write_command("sha256sum " + d.getVar("BAREBOX_SIGN_SRKFUSE_PATH", True),'')
- if ((len(shasumIMG) > 0) and (shasumIMG.split(' ',1)[0] == "e8cb6f5c1aa9bdeb6229ecf370657ff07a04cdde844398ed1608b133869c207f")) or \
- ((len(shasumCSF) >0) and (shasumCSF.split(' ',1)[0] == "4a88f679dee78597ef7204e6e134047e6428ed83d8b66fd894dbe208a199f6b8")) or \
- ((len(shasumSRK) >0) and (shasumSRK.split(' ',1)[0] == "0d5dbc6ed8b0a55414648b19727e217453c54d1527cef3a62784ae818c9777e7")):
- bb.warn("!! CRITICAL SECURITY WARNING: You're using Phytec's Development Keyring fore Secure Boot in the bootloader. Please create your own!!")
-
-#python do_create_dynamic_cfg () {
-do_patch_append() {
+ # check for problematic certificate setups
+ shasumSRK=write_command("sha256sum "+ d.getVar("BOOTLOADER_SIGN_SRKFUSE_PATH", True),'')
+ if ((len(shasumSRK) >0) and (shasumSRK.split(' ',1)[0] == "0d5dbc6ed8b0a55414648b19727e217453c54d1527cef3a62784ae818c9777e7")):
+ bb.warn("!! CRITICAL SECURITY WARNING: You're using Phytec's Development Keyring fore Secure Boot in the bootloader. Please create your own!!")
+
+do_patch_append_secureboot() {
import os
import subprocess
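Review bot: `check_bootloader_keyring` (lines 61-64) now inspects only `BOOTLOADER_SIGN_SRKFUSE_PATH`, while the CSF and IMG certificate paths it used to check are still written into the HAB config in the next hunk, so a build that combines its own SRK table with Phytec's development CSF/IMG certificates no longer gets any warning; the reason for dropping those two checks should be stated in the comment, and if the development certificates are still shipped their digests belong back in the check. Both functions also pass silently whenever `sha256sum` prints nothing (unset, mistyped or unreadable key file), because an empty result is treated as "nothing to report" rather than as an error, and they shell out through `write_command` instead of hashing in Python. The rewrite below hashes the file with `hashlib`, fails when a key path is requested but unreadable, and keeps the known development digests in one tuple so the second digest on lines 46-47 does not duplicate the whole condition; `check_bootloader_keyring` can take the same shape. `do_patch_append_secureboot` starts on line 66 and continues past the end of the hunk.
```python
# sha256 digests of Phytec's development fit-image signing key; a build that
# uses one of them must not be mistaken for a production secure-boot build
FITIMAGE_DEV_KEY_DIGESTS = (
    "6f92252aab834bbe8090e92c44f051b2c40db8e3953c8c26c04c14e7ae2db7d8",
    "1e3eb95fe6a7d1e45db761bff6eedafb9291661480e1a1ad10eb6f5b8b9961c1",
)

def sha256_of_file(path):
    # hash in Python rather than via "sha256sum": an unreadable file raises
    # instead of yielding an empty string that the caller would mistake for "ok"
    import hashlib
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_fitimage_keyring(d):
    # check for problematic certificate setups
    import os
    key_path = d.getVar("FITIMAGE_SIGN_KEY_PATH", True)
    if not key_path or not os.path.isfile(key_path):
        bb.fatal("FITIMAGE_SIGN is set but FITIMAGE_SIGN_KEY_PATH (%r) is not a readable file" % key_path)
    if sha256_of_file(key_path) in FITIMAGE_DEV_KEY_DIGESTS:
        bb.warn("!! CRITICAL SECURITY WARNING: You're using Phytec's Development Keyring for Secure Boot in the fit-image. Please create your own!!")
# … unchanged: check_bootloader_keyring, do_patch_append_secureboot …
```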
@@ -112,18 +113,26 @@ do_patch_append() {
# noch Verzeinis Pruefen ansonsten anlegen
file = open(pathCFG,"w")
- #if (d.getVar("BAREBOX_SIGN", True) == "1"):
- if oe.data.typed_value("BAREBOX_SIGN", d):
+ if oe.data.typed_value("BOOTLOADER_SIGN", d):
check_bootloader_keyring(d)
+ #activated HAB
file.write("CONFIG_HAB=y\n")
file.write("CONFIG_HABV4=y\n")
- file.write('CONFIG_HABV4_TABLE_BIN="%s"\n' % d.getVar("BAREBOX_SIGN_SRKFUSE_PATH", True))
- file.write('CONFIG_HABV4_CSF_CRT_PEM="%s"\n' % d.getVar("BAREBOX_SIGN_CSF_PATH", True))
- file.write('CONFIG_HABV4_IMG_CRT_PEM="%s"\n' % d.getVar("BAREBOX_SIGN_IMG_PATH", True))
+ file.write('CONFIG_HABV4_TABLE_BIN="%s"\n' % d.getVar("BOOTLOADER_SIGN_SRKFUSE_PATH", True))
+ file.write('CONFIG_HABV4_CSF_CRT_PEM="%s"\n' % d.getVar("BOOTLOADER_SIGN_CSF_PATH", True))
+ file.write('CONFIG_HABV4_IMG_CRT_PEM="%s"\n' % d.getVar("BOOTLOADER_SIGN_IMG_PATH", True))
+ #add hab command for burning fuses
file.write("CONFIG_CMD_HAB=y\n")
+ #signing images
+ file.write("CONFIG_HABV4_IMAGE_SIGNED=y\n")
+ file.write("CONFIG_HABV4_IMAGE_SIGNED_USB=y\n")
+ #no loading of environment from the flash and use compile in environment
+ file.write("# CONFIG_ENV_HANDLING is not set\n")
+ file.write("CONFIG_DEFAULT_ENVIRONMENT=y\n")
+ file.write("# CONFIG_CMD_SAVEENV is not set\n")
+ file.write("# CONFIG_CMD_LOADENV is not set\n")
- #if (d.getVar("FITIMAGE_SIGN", True) == "1"):
if oe.data.typed_value("FITIMAGE_SIGN", d):
check_fitimage_keyring(d)
file.write("CONFIG_FITIMAGE=y\n")
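Review bot: The switch from `BAREBOX_SIGN` to `BOOTLOADER_SIGN` on line 74 has no fallback, so a machine or distro configuration that still sets `BAREBOX_SIGN = "1"` now builds a barebox without HAB, without the keyring check and without any message — a silent downgrade of a secure-boot build. A guard before the check, `if d.getVar("BAREBOX_SIGN", True): bb.fatal("BAREBOX_SIGN is no longer honoured; set BOOTLOADER_SIGN instead")`, turns that into a build error. The comment on the new environment lines (line 90) should also say why the environment is locked down, e.g. `# the on-flash environment is not covered by the HAB signature, so a signed image must not load or save it`. `do_patch_append_secureboot` starts and ends outside this hunk.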
@@ -141,9 +150,11 @@ do_patch_append() {
file.close()
}
-#addtask do_create_dynamic_cfg before do_configure
-python do_create_dynamic_dtree (){
+python do_create_dynamic_dtree(){
+}
+
+python do_create_dynamic_dtree_append_secureboot (){
import os
pathDD = d.getVar("WORKDIR", True)
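Review bot: The now-empty `do_create_dynamic_dtree` on lines 104-105 carries no comment, so a reader cannot tell whether its body was lost or whether it is intentionally a hook that `do_create_dynamic_dtree_append_secureboot` fills in; a line inside the braces, `# intentionally empty: the secureboot override appends the signature-node generation`, settles that. If BitBake does not accept an empty python body for builds without the secureboot override, a `pass` is needed there as well. The appended function continues past the end of the hunk.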
@@ -151,7 +162,6 @@ python do_create_dynamic_dtree (){
os.makedirs(pathDD)
#Create Pubkey Signature for Barebox
- #if (d.getVar("FITIMAGE_SIGN", True) == "1"):
if oe.data.typed_value("FITIMAGE_SIGN", d):
write_signature_node(d)
write_signature_creation(d)
@@ -159,8 +169,27 @@ python do_create_dynamic_dtree (){
path, file = os.path.split(d.getVar("FITIMAGE_SIGN_KEY_PATH", True))
write_command("mkimage -f " + pathDD + "/signature_creation.its -k " + path + " -K " + pathDD + "/signature_node.dtb -r " + pathDD + "/dummy.img", '')
write_command("dtc -I dtb " + pathDD + "/signature_node.dtb", d.getVar("FITIMAGE_PUBKEY_SIGNATURE_PATH", True))
-
}
addtask do_create_dynamic_dtree before do_configure after do_patch
+do_install_append_secureboot () {
+ if [ "${PN}" = "barebox" ] ; then
+ bbnote "Installing signed barebox image on target rootfs"
+ install ${B}/${BAREBOX_BIN_SIGNED} ${D}${base_bootdir}/${BAREBOX_IMAGE_NAME}-s.bin
+ ln -sf ${BAREBOX_IMAGE_NAME}-s.bin ${D}${base_bootdir}/${BAREBOX_LINK_NAME}-s.bin
+ install ${B}/${BAREBOX_BIN_SIGNEDUSB} ${D}${base_bootdir}/${BAREBOX_IMAGE_NAME}-us.bin
+ ln -sf ${BAREBOX_IMAGE_NAME}-us.bin ${D}${base_bootdir}/${BAREBOX_LINK_NAME}-us.bin
+ fi
+}
+
+do_deploy_append_secureboot () {
+ if [ "${PN}" = "barebox" ] ; then
+ bbnote "Deploying signed barebox"
+ install -m 644 ${B}/${BAREBOX_BIN_SIGNED} ${DEPLOYDIR}/${BAREBOX_IMAGE_NAME}-s.bin
+ ln -sf ${BAREBOX_IMAGE_NAME}-s.bin ${DEPLOYDIR}/${BAREBOX_LINK_NAME}-s.bin
+ bbnote "Deploying signed USB barebox"
+ install -m 644 ${B}/${BAREBOX_BIN_SIGNEDUSB} ${DEPLOYDIR}/${BAREBOX_IMAGE_NAME}-us.bin
+ ln -sf ${BAREBOX_IMAGE_NAME}-us.bin ${DEPLOYDIR}/${BAREBOX_LINK_NAME}-us.bin
+ fi
+}
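Review bot: `install` on lines 127 and 129 runs without `-m`, so the signed images land in `${D}${base_bootdir}` with install's default mode 0755, whereas `do_deploy_append_secureboot` on lines 137 and 140 installs the very same files with `-m 644`; a bootloader image has no reason to be executable and the two tasks should agree, e.g. `install -m 644 ${B}/${BAREBOX_BIN_SIGNED} ${D}${base_bootdir}/${BAREBOX_IMAGE_NAME}-s.bin` and the matching line for `${BAREBOX_BIN_SIGNEDUSB}`. Neither function documents what distinguishes the `-s` and `-us` images; a one-line comment above each, `# -s: HAB-signed image, -us: HAB-signed image for USB boot`, would help whoever maintains the deploy layout.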