From: Marta Rybczynska <[email protected]> The SPL FIT signing path was signing individual images, but not the configuration.
Introduce signing of configuration with images under a separate option SPL_SIGN_CONF, enabled by default. It implies changes in the DTB content. The old behaviour is possible with SPL_SIGN_INDIVIDUAL, but should be removed in a subsequent patch.
Signed-off-by: Marta Rybczynska <[email protected]>
---
 meta/classes-recipe/uboot-sign.bbclass | 86 ++++++++++++++++++++++++--
 1 file changed, 82 insertions(+), 4 deletions(-)
diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 9cb5c6ccf3..3729dcd9c8 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -34,6 +34,16 @@ UBOOT_FITIMAGE_ENABLE ?= "0"
 # Signature activation - this requires UBOOT_FITIMAGE_ENABLE = "1"
 SPL_SIGN_ENABLE ?= "0"
+# Sign the FIT configuration in the SPL signing flow. Configuration
+# signatures bind the selected images and boot metadata together.
+SPL_SIGN_CONF ?= "1"
+
+# Legacy compatibility knob for per-image signatures in the SPL FIT path.
+# Individual image signatures do not protect the configuration metadata
+# which selects and parameterizes the boot images.
+# INSECURE, use at your own risk
+SPL_SIGN_INDIVIDUAL ?= "0"
+
 # Default value for deployment filenames.
 UBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb"
 UBOOT_DTB_BINARY ?= "u-boot.dtb"
@@ -325,7 +335,15 @@ uboot_fitimage_atf() {
 entry = <${UBOOT_FIT_ARM_TRUSTED_FIRMWARE_ENTRYPOINT}>;
 compression = "none";
 EOF
- if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ hash-1 {
+ algo = "${UBOOT_FIT_HASH_ALG}";
+ };
+EOF
+ fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 cat << EOF >> ${UBOOT_ITS}
 signature {
 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
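Review bot: The comment on SPL_SIGN_CONF does not say that the knob only takes effect together with SPL_SIGN_ENABLE = "1", although every use site in this patch gates on both variables and the new consistency check in uboot_fitimage_assemble() rejects SPL_SIGN_ENABLE=1 with both knobs off. Stating the dependency next to the default, the way the line above already does for SPL_SIGN_ENABLE, keeps the three settings readable as one: `# Sign the FIT configuration in the SPL signing flow - this requires SPL_SIGN_ENABLE = "1". Configuration`. The SPL_SIGN_INDIVIDUAL comment could likewise say that it is accepted only alongside or, with a warning, instead of SPL_SIGN_CONF, which is what the bbwarn/bbfatal checks added later in this patch enforce, and that the commit message plans its removal.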
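Review bot: The `hash-1` block and its SPL_SIGN_ENABLE/SPL_SIGN_CONF guard added here in uboot_fitimage_atf() are repeated verbatim in the uboot_fitimage_tee() hunk (-352) and in both uboot_fitimage_assemble() hunks (-393 and -412), and the same holds for the retargeted SPL_SIGN_INDIVIDUAL guard around the existing signature node. If the class's shell functions can call one another, as uboot_fitimage_assemble() presumably already does for the per-image helpers, a small helper that appends the hash node under that same condition, invoked from each image node as `uboot_fitimage_hash_node`, would keep the four image nodes from drifting apart when the hash algorithm or the node name changes. The helper body is the eight added lines of this hunk wrapped in a function, so it is not repeated here. uboot_fitimage_atf() starts before the hunk and its signature node continues past the last line shown.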
@@ -352,7 +370,15 @@ uboot_fitimage_tee() {
 entry = <${UBOOT_FIT_TEE_ENTRYPOINT}>;
 compression = "none";
 EOF
- if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ hash-1 {
+ algo = "${UBOOT_FIT_HASH_ALG}";
+ };
+EOF
+ fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 cat << EOF >> ${UBOOT_ITS}
 signature {
 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
@@ -393,7 +419,15 @@ uboot_fitimage_assemble() {
 entry = <${UBOOT_FIT_UBOOT_ENTRYPOINT}>;
 EOF
- if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ hash-1 {
+ algo = "${UBOOT_FIT_HASH_ALG}";
+ };
+EOF
+ fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 cat << EOF >> ${UBOOT_ITS}
 signature {
 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
@@ -412,7 +446,15 @@ EOF
 compression = "none";
 EOF
- if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ hash-1 {
+ algo = "${UBOOT_FIT_HASH_ALG}";
+ };
+EOF
+ fi
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
 cat << EOF >> ${UBOOT_ITS}
 signature {
 algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
@@ -442,9 +484,20 @@ EOF
 conf_loadables="${conf_loadables}${UBOOT_FIT_CONF_USER_LOADABLES}"
 fi
+ conf_sign_images=""
+ conf_sign_images_sep=""
+
 if [ -n "${UBOOT_FIT_CONF_FIRMWARE}" ] ; then
 conf_firmware="firmware = \"${UBOOT_FIT_CONF_FIRMWARE}\";"
+ conf_sign_images="${conf_sign_images}${conf_sign_images_sep}\"firmware\""
+ conf_sign_images_sep=", "
+ fi
+
+ if [ -n "${conf_loadables}" ] ; then
+ conf_sign_images="${conf_sign_images}${conf_sign_images_sep}\"loadables\""
+ conf_sign_images_sep=", "
 fi
+ conf_sign_images="${conf_sign_images}${conf_sign_images_sep}\"fdt\""
 cat << EOF >> ${UBOOT_ITS}
 };
@@ -456,6 +509,19 @@ EOF
 ${conf_firmware}
 loadables = ${conf_loadables};
 fdt = "fdt";
+EOF
+
+ if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${SPL_SIGN_CONF}" = "1" ] ; then
+ cat << EOF >> ${UBOOT_ITS}
+ signature {
+ algo = "${UBOOT_FIT_HASH_ALG},${UBOOT_FIT_SIGN_ALG}";
+ key-name-hint = "${SPL_SIGN_KEYNAME}";
+ sign-images = ${conf_sign_images};
+ };
+EOF
+ fi
+
+ cat << EOF >> ${UBOOT_ITS}
 };
 };
 };
@@ -470,6 +536,18 @@ EOF
 ${UBOOT_FITIMAGE_BINARY}
 if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then
+ if [ "${SPL_SIGN_CONF}" != "1" ] && [ "${SPL_SIGN_INDIVIDUAL}" != "1" ] ; then
+ bbfatal "SPL_SIGN_ENABLE=1 requires SPL_SIGN_CONF=1 or SPL_SIGN_INDIVIDUAL=1"
+ fi
+
+ if [ "${SPL_SIGN_CONF}" != "1" ] ; then
+ bbwarn "SPL_SIGN_CONF is disabled. FIT configuration signing is recommended for SPL verified boot."
+ fi
+
+ if [ "${SPL_SIGN_INDIVIDUAL}" = "1" ] ; then
+ bbwarn "SPL_SIGN_INDIVIDUAL=1 is enabled for compatibility only. It is INSECURE. Individual image signatures do not replace configuration signing."
+ fi
+
 if [ -n "${SPL_DTB_BINARY}" ] ; then
 #
 # Sign the U-boot FIT image and add public key to SPL dtb
--
2.43.0
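Review bot: The SPL_SIGN_CONF/SPL_SIGN_INDIVIDUAL consistency check in the -470 hunk runs after the ITS has been written and, judging by the `${UBOOT_FITIMAGE_BINARY}` context line just above it, after the FIT has already been assembled, so a misconfigured build does that work before bbfatal stops it and leaves an ITS with neither hash nor signature nodes behind. Moving the three checks to the top of uboot_fitimage_assemble(), before the first heredoc, or into an anonymous python block that validates the variables at parse time, fails the build before anything is generated and surfaces the two warnings once rather than at the end of the task log. The wording can stay as it is; `bbfatal "SPL_SIGN_ENABLE=1 requires SPL_SIGN_CONF=1 or SPL_SIGN_INDIVIDUAL=1"` is precise enough. uboot_fitimage_assemble() begins before this hunk and continues past its last line.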
