[v2,04/22] kernel-signing-keys-native: refactor key generation into a new recipe

Message ID	20250513213834.87830-5-adrian.freihofer@siemens.com
State	New
Headers	show Return-Path: <adrian.freihofer@siemens.com> ip: 185.136.64.225, mailfrom: fm-1329275-2025051321403387c0d86629aab090f4-7kwi1a@rts-flowmailer.siemens.com) From: AdrianF <adrian.freihofer@siemens.com> To: openembedded-core@lists.openembedded.org Cc: marex@denx.de, Adrian Freihofer <adrian.freihofer@siemens.com> Subject: [PATCH v2 04/22] kernel-signing-keys-native: refactor key generation into a new recipe Date: Tue, 13 May 2025 23:36:46 +0200 Message-ID: <20250513213834.87830-5-adrian.freihofer@siemens.com> In-Reply-To: <20250513213834.87830-1-adrian.freihofer@siemens.com> References: <20250513213834.87830-1-adrian.freihofer@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-1329275:519-21489:flowmailer
Series	FIT image improvements \| expand [v2,00/22] FIT image improvements [v2,01/22] u-boot: ensure keys are generated before assembling U-Boot FIT image [v2,02/22] oe-selftest: add new ext dtb recipe [v2,03/22] oe-selftest: fitimage: test coverage for ext dtb [v2,04/22] kernel-signing-keys-native: refactor key generation into a new recipe [v2,05/22] kernel-uboot: do not require the kernel build folder [v2,06/22] kernel-devicetree: export dtbs to sysroot [v2,07/22] kernel.bbclass: stage the sysroot-only folder [v2,08/22] kernel-uboot.bbclass: stage the kernel binary [v2,09/22] kernel-fitimage: refactor order in its [v2,10/22] kernel-fit-image.bbclass: add a new FIT image implementation [v2,11/22] maintainers: add myself for linux-yocto-fitimage [v2,12/22] oe-selftest: fitimage add tests for fitimage.py [v2,13/22] oe-selftest: fitimage refactor kernel-fitimage.bbclass [v2,14/22] oe-selftest: fitimage: run all tests for the FIT image recipe [v2,15/22] oe-selftest: fitimage refactor classes [v2,16/22] kernel-fitimage: re-write its code in Python [v2,17/22] kernel.bbclass: remove support for type fitImage [v2,18/22] oe-selftest: fitimage: remove kernel-fitimage tests [v2,19/22] kernel-fitimage.bbclass: remove it [v2,20/22] kernel-uboot.bbclass: merge it into kernel-uimage.bbclass [v2,21/22] oe-selftest: fitimage: drop initramfs bundle test [v2,22/22] kernel-fit-image.bbclass: ignore INITRAMFS_IMAGE_BUNDLE

diff --git a/meta/classes-recipe/kernel-fitimage.bbclass b/meta/classes-recipe/kernel-fitimage.bbclass index 07786647e19..f5f02f30f0a 100644 --- a/meta/classes-recipe/kernel-fitimage.bbclass +++ b/meta/classes-recipe/kernel-fitimage.bbclass @@ -27,7 +27,10 @@ def get_fit_replacement_type(d): return replacementtype KERNEL_IMAGETYPE_REPLACEMENT ?= "${@get_fit_replacement_type(d)}" -DEPENDS:append = " ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''}" +DEPENDS:append = " \ + ${@'u-boot-tools-native dtc-native' if 'fitImage' in (d.getVar('KERNEL_IMAGETYPES') or '').split() else ''} \ + ${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''} \ +" python __anonymous () { # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal @@ -754,53 +757,6 @@ do_assemble_fitimage_initramfs() { addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs -do_kernel_generate_rsa_keys() { - if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then - bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." - fi - - if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then - - # Generate keys to sign configuration nodes, only if they don't already exist - if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ - [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then - - # make directory if it does not already exist - mkdir -p "${UBOOT_SIGN_KEYDIR}" - - bbnote "Generating RSA private key for signing fitImage" - openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ - "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ - "${FIT_SIGN_NUMBITS}" - - bbnote "Generating certificate for signing fitImage" - openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ - -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ - -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt - fi - - # Generate keys to sign image nodes, only if they don't already exist - if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \ - [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then - - # make directory if it does not already exist - mkdir -p "${UBOOT_SIGN_KEYDIR}" - - bbnote "Generating RSA private key for signing fitImage" - openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ - "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ - "${FIT_SIGN_NUMBITS}" - - bbnote "Generating certificate for signing fitImage" - openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ - -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ - -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt - fi - fi -} - -addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile - kernel_do_deploy[vardepsexclude] = "DATETIME" kernel_do_deploy:append() { # Update deploy directory diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass index e0771b54291..ae700515d25 100644 --- a/meta/classes-recipe/uboot-sign.bbclass +++ b/meta/classes-recipe/uboot-sign.bbclass @@ -108,13 +108,14 @@ UBOOT_FIT_CONF_USER_LOADABLES ?= '' UBOOT_FIT_UBOOT_LOADADDRESS ?= "${UBOOT_LOADADDRESS}" UBOOT_FIT_UBOOT_ENTRYPOINT ?= "${UBOOT_ENTRYPOINT}" + +DEPENDS:append = " ${@'kernel-signing-keys-native' if d.getVar('FIT_GENERATE_KEYS') == '1' else ''}" + python() { # We need u-boot-tools-native if we're creating a U-Boot fitImage sign = d.getVar('UBOOT_SIGN_ENABLE') == '1' if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign: d.appendVar('DEPENDS', " u-boot-tools-native dtc-native") - if d.getVar('FIT_GENERATE_KEYS') == '1' and sign: - d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' virtual/kernel:do_kernel_generate_rsa_keys') } concat_dtb() { diff --git a/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb b/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb new file mode 100644 index 00000000000..bc01984d756 --- /dev/null +++ b/meta/recipes-kernel/kernel-signing-keys/kernel-signing-keys-native.bb @@ -0,0 +1,61 @@ +SUMMARY = "Signing keys for the kernel FIT image" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +require conf/image-fitimage.conf + +DEPENDS += "openssl-native" + +inherit native + +do_fetch[noexec] = "1" +do_unpack[noexec] = "1" +do_patch[noexec] = "1" +do_configure[noexec] = "1" +do_install[noexec] = "1" + + +do_compile() { + if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then + bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." + fi + + if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then + + # Generate keys to sign configuration nodes, only if they don't already exist + if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \ + [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then + + # make directory if it does not already exist + mkdir -p "${UBOOT_SIGN_KEYDIR}" + + bbnote "Generating RSA private key for signing fitImage" + openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ + "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ + "${FIT_SIGN_NUMBITS}" + + bbnote "Generating certificate for signing fitImage" + openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ + -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \ + -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt + fi + + # Generate keys to sign image nodes, only if they don't already exist + if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \ + [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then + + # make directory if it does not already exist + mkdir -p "${UBOOT_SIGN_KEYDIR}" + + bbnote "Generating RSA private key for signing fitImage" + openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \ + "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ + "${FIT_SIGN_NUMBITS}" + + bbnote "Generating certificate for signing fitImage" + openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \ + -key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \ + -out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt + fi + fi +}

[v2,04/22] kernel-signing-keys-native: refactor key generation into a new recipe

Commit Message

Patch