1*4882a593Smuzhiyun# This file is part of U-Boot verified boot support and is intended to be 2*4882a593Smuzhiyun# inherited from u-boot recipe and from kernel-fitimage.bbclass. 3*4882a593Smuzhiyun# 4*4882a593Smuzhiyun# The signature procedure requires the user to generate an RSA key and 5*4882a593Smuzhiyun# certificate in a directory and to define the following variable: 6*4882a593Smuzhiyun# 7*4882a593Smuzhiyun# UBOOT_SIGN_KEYDIR = "/keys/directory" 8*4882a593Smuzhiyun# UBOOT_SIGN_KEYNAME = "dev" # keys name in keydir (eg. "dev.crt", "dev.key") 9*4882a593Smuzhiyun# UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" 10*4882a593Smuzhiyun# UBOOT_SIGN_ENABLE = "1" 11*4882a593Smuzhiyun# 12*4882a593Smuzhiyun# As verified boot depends on fitImage generation, following is also required: 13*4882a593Smuzhiyun# 14*4882a593Smuzhiyun# KERNEL_CLASSES ?= " kernel-fitimage " 15*4882a593Smuzhiyun# KERNEL_IMAGETYPE ?= "fitImage" 16*4882a593Smuzhiyun# 17*4882a593Smuzhiyun# The signature support is limited to the use of CONFIG_OF_SEPARATE in U-Boot. 18*4882a593Smuzhiyun# 19*4882a593Smuzhiyun# The tasks sequence is set as below, using DEPLOY_IMAGE_DIR as common place to 20*4882a593Smuzhiyun# treat the device tree blob: 21*4882a593Smuzhiyun# 22*4882a593Smuzhiyun# * u-boot:do_install:append 23*4882a593Smuzhiyun# Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for 24*4882a593Smuzhiyun# signing, and kernel will deploy UBOOT_DTB_BINARY after signs it. 25*4882a593Smuzhiyun# 26*4882a593Smuzhiyun# * virtual/kernel:do_assemble_fitimage 27*4882a593Smuzhiyun# Sign the image 28*4882a593Smuzhiyun# 29*4882a593Smuzhiyun# * u-boot:do_deploy[postfuncs] 30*4882a593Smuzhiyun# Deploy files like UBOOT_DTB_IMAGE, UBOOT_DTB_SYMLINK and others. 31*4882a593Smuzhiyun# 32*4882a593Smuzhiyun# For more details on signature process, please refer to U-Boot documentation. 33*4882a593Smuzhiyun 34*4882a593Smuzhiyun# We need some variables from u-boot-config 35*4882a593Smuzhiyuninherit uboot-config 36*4882a593Smuzhiyun 37*4882a593Smuzhiyun# Enable use of a U-Boot fitImage 38*4882a593SmuzhiyunUBOOT_FITIMAGE_ENABLE ?= "0" 39*4882a593Smuzhiyun 40*4882a593Smuzhiyun# Signature activation - these require their respective fitImages 41*4882a593SmuzhiyunUBOOT_SIGN_ENABLE ?= "0" 42*4882a593SmuzhiyunSPL_SIGN_ENABLE ?= "0" 43*4882a593Smuzhiyun 44*4882a593Smuzhiyun# Default value for deployment filenames. 45*4882a593SmuzhiyunUBOOT_DTB_IMAGE ?= "u-boot-${MACHINE}-${PV}-${PR}.dtb" 46*4882a593SmuzhiyunUBOOT_DTB_BINARY ?= "u-boot.dtb" 47*4882a593SmuzhiyunUBOOT_DTB_SYMLINK ?= "u-boot-${MACHINE}.dtb" 48*4882a593SmuzhiyunUBOOT_NODTB_IMAGE ?= "u-boot-nodtb-${MACHINE}-${PV}-${PR}.bin" 49*4882a593SmuzhiyunUBOOT_NODTB_BINARY ?= "u-boot-nodtb.bin" 50*4882a593SmuzhiyunUBOOT_NODTB_SYMLINK ?= "u-boot-nodtb-${MACHINE}.bin" 51*4882a593SmuzhiyunUBOOT_ITS_IMAGE ?= "u-boot-its-${MACHINE}-${PV}-${PR}" 52*4882a593SmuzhiyunUBOOT_ITS ?= "u-boot.its" 53*4882a593SmuzhiyunUBOOT_ITS_SYMLINK ?= "u-boot-its-${MACHINE}" 54*4882a593SmuzhiyunUBOOT_FITIMAGE_IMAGE ?= "u-boot-fitImage-${MACHINE}-${PV}-${PR}" 55*4882a593SmuzhiyunUBOOT_FITIMAGE_BINARY ?= "u-boot-fitImage" 56*4882a593SmuzhiyunUBOOT_FITIMAGE_SYMLINK ?= "u-boot-fitImage-${MACHINE}" 57*4882a593SmuzhiyunSPL_DIR ?= "spl" 58*4882a593SmuzhiyunSPL_DTB_IMAGE ?= "u-boot-spl-${MACHINE}-${PV}-${PR}.dtb" 59*4882a593SmuzhiyunSPL_DTB_BINARY ?= "u-boot-spl.dtb" 60*4882a593SmuzhiyunSPL_DTB_SYMLINK ?= "u-boot-spl-${MACHINE}.dtb" 61*4882a593SmuzhiyunSPL_NODTB_IMAGE ?= "u-boot-spl-nodtb-${MACHINE}-${PV}-${PR}.bin" 62*4882a593SmuzhiyunSPL_NODTB_BINARY ?= "u-boot-spl-nodtb.bin" 63*4882a593SmuzhiyunSPL_NODTB_SYMLINK ?= "u-boot-spl-nodtb-${MACHINE}.bin" 64*4882a593Smuzhiyun 65*4882a593Smuzhiyun# U-Boot fitImage description 66*4882a593SmuzhiyunUBOOT_FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" 67*4882a593Smuzhiyun 68*4882a593Smuzhiyun# Kernel / U-Boot fitImage Hash Algo 69*4882a593SmuzhiyunFIT_HASH_ALG ?= "sha256" 70*4882a593SmuzhiyunUBOOT_FIT_HASH_ALG ?= "sha256" 71*4882a593Smuzhiyun 72*4882a593Smuzhiyun# Kernel / U-Boot fitImage Signature Algo 73*4882a593SmuzhiyunFIT_SIGN_ALG ?= "rsa2048" 74*4882a593SmuzhiyunUBOOT_FIT_SIGN_ALG ?= "rsa2048" 75*4882a593Smuzhiyun 76*4882a593Smuzhiyun# Kernel / U-Boot fitImage Padding Algo 77*4882a593SmuzhiyunFIT_PAD_ALG ?= "pkcs-1.5" 78*4882a593Smuzhiyun 79*4882a593Smuzhiyun# Generate keys for signing Kernel / U-Boot fitImage 80*4882a593SmuzhiyunFIT_GENERATE_KEYS ?= "0" 81*4882a593SmuzhiyunUBOOT_FIT_GENERATE_KEYS ?= "0" 82*4882a593Smuzhiyun 83*4882a593Smuzhiyun# Size of private keys in number of bits 84*4882a593SmuzhiyunFIT_SIGN_NUMBITS ?= "2048" 85*4882a593SmuzhiyunUBOOT_FIT_SIGN_NUMBITS ?= "2048" 86*4882a593Smuzhiyun 87*4882a593Smuzhiyun# args to openssl genrsa (Default is just the public exponent) 88*4882a593SmuzhiyunFIT_KEY_GENRSA_ARGS ?= "-F4" 89*4882a593SmuzhiyunUBOOT_FIT_KEY_GENRSA_ARGS ?= "-F4" 90*4882a593Smuzhiyun 91*4882a593Smuzhiyun# args to openssl req (Default is -batch for non interactive mode and 92*4882a593Smuzhiyun# -new for new certificate) 93*4882a593SmuzhiyunFIT_KEY_REQ_ARGS ?= "-batch -new" 94*4882a593SmuzhiyunUBOOT_FIT_KEY_REQ_ARGS ?= "-batch -new" 95*4882a593Smuzhiyun 96*4882a593Smuzhiyun# Standard format for public key certificate 97*4882a593SmuzhiyunFIT_KEY_SIGN_PKCS ?= "-x509" 98*4882a593SmuzhiyunUBOOT_FIT_KEY_SIGN_PKCS ?= "-x509" 99*4882a593Smuzhiyun 100*4882a593Smuzhiyun# Functions on this bbclass can apply to either U-boot or Kernel, 101*4882a593Smuzhiyun# depending on the scenario 102*4882a593SmuzhiyunUBOOT_PN = "${@d.getVar('PREFERRED_PROVIDER_u-boot') or 'u-boot'}" 103*4882a593SmuzhiyunKERNEL_PN = "${@d.getVar('PREFERRED_PROVIDER_virtual/kernel')}" 104*4882a593Smuzhiyun 105*4882a593Smuzhiyun# We need u-boot-tools-native if we're creating a U-Boot fitImage 106*4882a593Smuzhiyunpython() { 107*4882a593Smuzhiyun if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1': 108*4882a593Smuzhiyun depends = d.getVar("DEPENDS") 109*4882a593Smuzhiyun depends = "%s u-boot-tools-native dtc-native" % depends 110*4882a593Smuzhiyun d.setVar("DEPENDS", depends) 111*4882a593Smuzhiyun} 112*4882a593Smuzhiyun 113*4882a593Smuzhiyunconcat_dtb_helper() { 114*4882a593Smuzhiyun if [ -e "${UBOOT_DTB_BINARY}" ]; then 115*4882a593Smuzhiyun ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_BINARY} 116*4882a593Smuzhiyun ln -sf ${UBOOT_DTB_IMAGE} ${DEPLOYDIR}/${UBOOT_DTB_SYMLINK} 117*4882a593Smuzhiyun fi 118*4882a593Smuzhiyun 119*4882a593Smuzhiyun if [ -f "${UBOOT_NODTB_BINARY}" ]; then 120*4882a593Smuzhiyun install ${UBOOT_NODTB_BINARY} ${DEPLOYDIR}/${UBOOT_NODTB_IMAGE} 121*4882a593Smuzhiyun ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_SYMLINK} 122*4882a593Smuzhiyun ln -sf ${UBOOT_NODTB_IMAGE} ${DEPLOYDIR}/${UBOOT_NODTB_BINARY} 123*4882a593Smuzhiyun fi 124*4882a593Smuzhiyun 125*4882a593Smuzhiyun # If we're not using a signed u-boot fit, concatenate SPL w/o DTB & U-Boot DTB 126*4882a593Smuzhiyun # with public key (otherwise it will be deployed by the equivalent 127*4882a593Smuzhiyun # concat_spl_dtb_helper function - cf. kernel-fitimage.bbclass for more details) 128*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" != "1" ] ; then 129*4882a593Smuzhiyun deployed_uboot_dtb_binary='${DEPLOY_DIR_IMAGE}/${UBOOT_DTB_IMAGE}' 130*4882a593Smuzhiyun if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \ 131*4882a593Smuzhiyun [ -e "$deployed_uboot_dtb_binary" ]; then 132*4882a593Smuzhiyun oe_runmake EXT_DTB=$deployed_uboot_dtb_binary 133*4882a593Smuzhiyun install ${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} 134*4882a593Smuzhiyun elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then 135*4882a593Smuzhiyun cd ${DEPLOYDIR} 136*4882a593Smuzhiyun cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE} 137*4882a593Smuzhiyun 138*4882a593Smuzhiyun if [ -n "${UBOOT_CONFIG}" ] 139*4882a593Smuzhiyun then 140*4882a593Smuzhiyun i=0 141*4882a593Smuzhiyun j=0 142*4882a593Smuzhiyun for config in ${UBOOT_MACHINE}; do 143*4882a593Smuzhiyun i=$(expr $i + 1); 144*4882a593Smuzhiyun for type in ${UBOOT_CONFIG}; do 145*4882a593Smuzhiyun j=$(expr $j + 1); 146*4882a593Smuzhiyun if [ $j -eq $i ] 147*4882a593Smuzhiyun then 148*4882a593Smuzhiyun cp ${UBOOT_IMAGE} ${B}/${CONFIG_B_PATH}/u-boot-$type.${UBOOT_SUFFIX} 149*4882a593Smuzhiyun fi 150*4882a593Smuzhiyun done 151*4882a593Smuzhiyun done 152*4882a593Smuzhiyun fi 153*4882a593Smuzhiyun else 154*4882a593Smuzhiyun bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." 155*4882a593Smuzhiyun fi 156*4882a593Smuzhiyun fi 157*4882a593Smuzhiyun} 158*4882a593Smuzhiyun 159*4882a593Smuzhiyunconcat_spl_dtb_helper() { 160*4882a593Smuzhiyun 161*4882a593Smuzhiyun # We only deploy symlinks to the u-boot-spl.dtb,as the KERNEL_PN will 162*4882a593Smuzhiyun # be responsible for deploying the real file 163*4882a593Smuzhiyun if [ -e "${SPL_DIR}/${SPL_DTB_BINARY}" ] ; then 164*4882a593Smuzhiyun ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_SYMLINK} 165*4882a593Smuzhiyun ln -sf ${SPL_DTB_IMAGE} ${DEPLOYDIR}/${SPL_DTB_BINARY} 166*4882a593Smuzhiyun fi 167*4882a593Smuzhiyun 168*4882a593Smuzhiyun # Concatenate the SPL nodtb binary and u-boot.dtb 169*4882a593Smuzhiyun deployed_spl_dtb_binary='${DEPLOY_DIR_IMAGE}/${SPL_DTB_IMAGE}' 170*4882a593Smuzhiyun if [ -e "${DEPLOYDIR}/${SPL_NODTB_IMAGE}" -a -e "$deployed_spl_dtb_binary" ] ; then 171*4882a593Smuzhiyun cd ${DEPLOYDIR} 172*4882a593Smuzhiyun cat ${SPL_NODTB_IMAGE} $deployed_spl_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${SPL_BINARY} > ${SPL_IMAGE} 173*4882a593Smuzhiyun else 174*4882a593Smuzhiyun bbwarn "Failure while adding public key to spl binary. Verified U-Boot boot won't be available." 175*4882a593Smuzhiyun fi 176*4882a593Smuzhiyun} 177*4882a593Smuzhiyun 178*4882a593Smuzhiyun 179*4882a593Smuzhiyunconcat_dtb() { 180*4882a593Smuzhiyun if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${UBOOT_DTB_BINARY}" ]; then 181*4882a593Smuzhiyun mkdir -p ${DEPLOYDIR} 182*4882a593Smuzhiyun if [ -n "${UBOOT_CONFIG}" ]; then 183*4882a593Smuzhiyun for config in ${UBOOT_MACHINE}; do 184*4882a593Smuzhiyun CONFIG_B_PATH="$config" 185*4882a593Smuzhiyun cd ${B}/$config 186*4882a593Smuzhiyun concat_dtb_helper 187*4882a593Smuzhiyun done 188*4882a593Smuzhiyun else 189*4882a593Smuzhiyun CONFIG_B_PATH="" 190*4882a593Smuzhiyun cd ${B} 191*4882a593Smuzhiyun concat_dtb_helper 192*4882a593Smuzhiyun fi 193*4882a593Smuzhiyun fi 194*4882a593Smuzhiyun} 195*4882a593Smuzhiyun 196*4882a593Smuzhiyunconcat_spl_dtb() { 197*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" = "1" -a "${PN}" = "${UBOOT_PN}" -a -n "${SPL_DTB_BINARY}" ]; then 198*4882a593Smuzhiyun mkdir -p ${DEPLOYDIR} 199*4882a593Smuzhiyun if [ -n "${UBOOT_CONFIG}" ]; then 200*4882a593Smuzhiyun for config in ${UBOOT_MACHINE}; do 201*4882a593Smuzhiyun CONFIG_B_PATH="$config" 202*4882a593Smuzhiyun cd ${B}/$config 203*4882a593Smuzhiyun concat_spl_dtb_helper 204*4882a593Smuzhiyun done 205*4882a593Smuzhiyun else 206*4882a593Smuzhiyun CONFIG_B_PATH="" 207*4882a593Smuzhiyun cd ${B} 208*4882a593Smuzhiyun concat_spl_dtb_helper 209*4882a593Smuzhiyun fi 210*4882a593Smuzhiyun fi 211*4882a593Smuzhiyun} 212*4882a593Smuzhiyun 213*4882a593Smuzhiyun 214*4882a593Smuzhiyun# Install UBOOT_DTB_BINARY to datadir, so that kernel can use it for 215*4882a593Smuzhiyun# signing, and kernel will deploy UBOOT_DTB_BINARY after signs it. 216*4882a593Smuzhiyuninstall_helper() { 217*4882a593Smuzhiyun if [ -f "${UBOOT_DTB_BINARY}" ]; then 218*4882a593Smuzhiyun # UBOOT_DTB_BINARY is a symlink to UBOOT_DTB_IMAGE, so we 219*4882a593Smuzhiyun # need both of them. 220*4882a593Smuzhiyun install -Dm 0644 ${UBOOT_DTB_BINARY} ${D}${datadir}/${UBOOT_DTB_IMAGE} 221*4882a593Smuzhiyun ln -sf ${UBOOT_DTB_IMAGE} ${D}${datadir}/${UBOOT_DTB_BINARY} 222*4882a593Smuzhiyun else 223*4882a593Smuzhiyun bbwarn "${UBOOT_DTB_BINARY} not found" 224*4882a593Smuzhiyun fi 225*4882a593Smuzhiyun} 226*4882a593Smuzhiyun 227*4882a593Smuzhiyun# Install SPL dtb and u-boot nodtb to datadir, 228*4882a593Smuzhiyuninstall_spl_helper() { 229*4882a593Smuzhiyun if [ -f "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then 230*4882a593Smuzhiyun install -Dm 0644 ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE} 231*4882a593Smuzhiyun ln -sf ${SPL_DTB_IMAGE} ${D}${datadir}/${SPL_DTB_BINARY} 232*4882a593Smuzhiyun else 233*4882a593Smuzhiyun bbwarn "${SPL_DTB_BINARY} not found" 234*4882a593Smuzhiyun fi 235*4882a593Smuzhiyun if [ -f "${UBOOT_NODTB_BINARY}" ] ; then 236*4882a593Smuzhiyun install -Dm 0644 ${UBOOT_NODTB_BINARY} ${D}${datadir}/${UBOOT_NODTB_IMAGE} 237*4882a593Smuzhiyun ln -sf ${UBOOT_NODTB_IMAGE} ${D}${datadir}/${UBOOT_NODTB_BINARY} 238*4882a593Smuzhiyun else 239*4882a593Smuzhiyun bbwarn "${UBOOT_NODTB_BINARY} not found" 240*4882a593Smuzhiyun fi 241*4882a593Smuzhiyun 242*4882a593Smuzhiyun # We need to install a 'stub' u-boot-fitimage + its to datadir, 243*4882a593Smuzhiyun # so that the KERNEL_PN can use the correct filename when 244*4882a593Smuzhiyun # assembling and deploying them 245*4882a593Smuzhiyun touch ${D}/${datadir}/${UBOOT_FITIMAGE_IMAGE} 246*4882a593Smuzhiyun touch ${D}/${datadir}/${UBOOT_ITS_IMAGE} 247*4882a593Smuzhiyun} 248*4882a593Smuzhiyun 249*4882a593Smuzhiyundo_install:append() { 250*4882a593Smuzhiyun if [ "${PN}" = "${UBOOT_PN}" ]; then 251*4882a593Smuzhiyun if [ -n "${UBOOT_CONFIG}" ]; then 252*4882a593Smuzhiyun for config in ${UBOOT_MACHINE}; do 253*4882a593Smuzhiyun cd ${B}/$config 254*4882a593Smuzhiyun if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ 255*4882a593Smuzhiyun [ -n "${UBOOT_DTB_BINARY}" ]; then 256*4882a593Smuzhiyun install_helper 257*4882a593Smuzhiyun fi 258*4882a593Smuzhiyun if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then 259*4882a593Smuzhiyun install_spl_helper 260*4882a593Smuzhiyun fi 261*4882a593Smuzhiyun done 262*4882a593Smuzhiyun else 263*4882a593Smuzhiyun cd ${B} 264*4882a593Smuzhiyun if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ 265*4882a593Smuzhiyun [ -n "${UBOOT_DTB_BINARY}" ]; then 266*4882a593Smuzhiyun install_helper 267*4882a593Smuzhiyun fi 268*4882a593Smuzhiyun if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ]; then 269*4882a593Smuzhiyun install_spl_helper 270*4882a593Smuzhiyun fi 271*4882a593Smuzhiyun fi 272*4882a593Smuzhiyun fi 273*4882a593Smuzhiyun} 274*4882a593Smuzhiyun 275*4882a593Smuzhiyundo_uboot_generate_rsa_keys() { 276*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then 277*4882a593Smuzhiyun bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used." 278*4882a593Smuzhiyun fi 279*4882a593Smuzhiyun 280*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" = "1" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then 281*4882a593Smuzhiyun 282*4882a593Smuzhiyun # Generate keys only if they don't already exist 283*4882a593Smuzhiyun if [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key ] || \ 284*4882a593Smuzhiyun [ ! -f "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt ]; then 285*4882a593Smuzhiyun 286*4882a593Smuzhiyun # make directory if it does not already exist 287*4882a593Smuzhiyun mkdir -p "${SPL_SIGN_KEYDIR}" 288*4882a593Smuzhiyun 289*4882a593Smuzhiyun echo "Generating RSA private key for signing U-Boot fitImage" 290*4882a593Smuzhiyun openssl genrsa ${UBOOT_FIT_KEY_GENRSA_ARGS} -out \ 291*4882a593Smuzhiyun "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \ 292*4882a593Smuzhiyun "${UBOOT_FIT_SIGN_NUMBITS}" 293*4882a593Smuzhiyun 294*4882a593Smuzhiyun echo "Generating certificate for signing U-Boot fitImage" 295*4882a593Smuzhiyun openssl req ${UBOOT_FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \ 296*4882a593Smuzhiyun -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \ 297*4882a593Smuzhiyun -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt 298*4882a593Smuzhiyun fi 299*4882a593Smuzhiyun fi 300*4882a593Smuzhiyun 301*4882a593Smuzhiyun} 302*4882a593Smuzhiyun 303*4882a593Smuzhiyunaddtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile 304*4882a593Smuzhiyun 305*4882a593Smuzhiyun# Create a ITS file for the U-boot FIT, for use when 306*4882a593Smuzhiyun# we want to sign it so that the SPL can verify it 307*4882a593Smuzhiyunuboot_fitimage_assemble() { 308*4882a593Smuzhiyun uboot_its="$1" 309*4882a593Smuzhiyun uboot_nodtb_bin="$2" 310*4882a593Smuzhiyun uboot_dtb="$3" 311*4882a593Smuzhiyun uboot_bin="$4" 312*4882a593Smuzhiyun spl_dtb="$5" 313*4882a593Smuzhiyun uboot_csum="${UBOOT_FIT_HASH_ALG}" 314*4882a593Smuzhiyun uboot_sign_algo="${UBOOT_FIT_SIGN_ALG}" 315*4882a593Smuzhiyun uboot_sign_keyname="${SPL_SIGN_KEYNAME}" 316*4882a593Smuzhiyun 317*4882a593Smuzhiyun rm -f $uboot_its $uboot_bin 318*4882a593Smuzhiyun 319*4882a593Smuzhiyun # First we create the ITS script 320*4882a593Smuzhiyun cat << EOF >> $uboot_its 321*4882a593Smuzhiyun/dts-v1/; 322*4882a593Smuzhiyun 323*4882a593Smuzhiyun/ { 324*4882a593Smuzhiyun description = "${UBOOT_FIT_DESC}"; 325*4882a593Smuzhiyun #address-cells = <1>; 326*4882a593Smuzhiyun 327*4882a593Smuzhiyun images { 328*4882a593Smuzhiyun uboot { 329*4882a593Smuzhiyun description = "U-Boot image"; 330*4882a593Smuzhiyun data = /incbin/("$uboot_nodtb_bin"); 331*4882a593Smuzhiyun type = "standalone"; 332*4882a593Smuzhiyun os = "u-boot"; 333*4882a593Smuzhiyun arch = "${UBOOT_ARCH}"; 334*4882a593Smuzhiyun compression = "none"; 335*4882a593Smuzhiyun load = <${UBOOT_LOADADDRESS}>; 336*4882a593Smuzhiyun entry = <${UBOOT_ENTRYPOINT}>; 337*4882a593SmuzhiyunEOF 338*4882a593Smuzhiyun 339*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then 340*4882a593Smuzhiyun cat << EOF >> $uboot_its 341*4882a593Smuzhiyun signature { 342*4882a593Smuzhiyun algo = "$uboot_csum,$uboot_sign_algo"; 343*4882a593Smuzhiyun key-name-hint = "$uboot_sign_keyname"; 344*4882a593Smuzhiyun }; 345*4882a593SmuzhiyunEOF 346*4882a593Smuzhiyun fi 347*4882a593Smuzhiyun 348*4882a593Smuzhiyun cat << EOF >> $uboot_its 349*4882a593Smuzhiyun }; 350*4882a593Smuzhiyun fdt { 351*4882a593Smuzhiyun description = "U-Boot FDT"; 352*4882a593Smuzhiyun data = /incbin/("$uboot_dtb"); 353*4882a593Smuzhiyun type = "flat_dt"; 354*4882a593Smuzhiyun arch = "${UBOOT_ARCH}"; 355*4882a593Smuzhiyun compression = "none"; 356*4882a593SmuzhiyunEOF 357*4882a593Smuzhiyun 358*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then 359*4882a593Smuzhiyun cat << EOF >> $uboot_its 360*4882a593Smuzhiyun signature { 361*4882a593Smuzhiyun algo = "$uboot_csum,$uboot_sign_algo"; 362*4882a593Smuzhiyun key-name-hint = "$uboot_sign_keyname"; 363*4882a593Smuzhiyun }; 364*4882a593SmuzhiyunEOF 365*4882a593Smuzhiyun fi 366*4882a593Smuzhiyun 367*4882a593Smuzhiyun cat << EOF >> $uboot_its 368*4882a593Smuzhiyun }; 369*4882a593Smuzhiyun }; 370*4882a593Smuzhiyun 371*4882a593Smuzhiyun configurations { 372*4882a593Smuzhiyun default = "conf"; 373*4882a593Smuzhiyun conf { 374*4882a593Smuzhiyun description = "Boot with signed U-Boot FIT"; 375*4882a593Smuzhiyun loadables = "uboot"; 376*4882a593Smuzhiyun fdt = "fdt"; 377*4882a593Smuzhiyun }; 378*4882a593Smuzhiyun }; 379*4882a593Smuzhiyun}; 380*4882a593SmuzhiyunEOF 381*4882a593Smuzhiyun 382*4882a593Smuzhiyun # 383*4882a593Smuzhiyun # Assemble the U-boot FIT image 384*4882a593Smuzhiyun # 385*4882a593Smuzhiyun ${UBOOT_MKIMAGE} \ 386*4882a593Smuzhiyun ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ 387*4882a593Smuzhiyun -f $uboot_its \ 388*4882a593Smuzhiyun $uboot_bin 389*4882a593Smuzhiyun 390*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" = "1" ] ; then 391*4882a593Smuzhiyun # 392*4882a593Smuzhiyun # Sign the U-boot FIT image and add public key to SPL dtb 393*4882a593Smuzhiyun # 394*4882a593Smuzhiyun ${UBOOT_MKIMAGE_SIGN} \ 395*4882a593Smuzhiyun ${@'-D "${SPL_MKIMAGE_DTCOPTS}"' if len('${SPL_MKIMAGE_DTCOPTS}') else ''} \ 396*4882a593Smuzhiyun -F -k "${SPL_SIGN_KEYDIR}" \ 397*4882a593Smuzhiyun -K "$spl_dtb" \ 398*4882a593Smuzhiyun -r $uboot_bin \ 399*4882a593Smuzhiyun ${SPL_MKIMAGE_SIGN_ARGS} 400*4882a593Smuzhiyun fi 401*4882a593Smuzhiyun 402*4882a593Smuzhiyun} 403*4882a593Smuzhiyun 404*4882a593Smuzhiyundo_uboot_assemble_fitimage() { 405*4882a593Smuzhiyun # This function runs in KERNEL_PN context. The reason for that is that we need to 406*4882a593Smuzhiyun # support the scenario where UBOOT_SIGN_ENABLE is placing the Kernel fitImage's 407*4882a593Smuzhiyun # pubkey in the u-boot.dtb file, so that we can use it when building the U-Boot 408*4882a593Smuzhiyun # fitImage itself. 409*4882a593Smuzhiyun if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ 410*4882a593Smuzhiyun [ -n "${SPL_DTB_BINARY}" -a "${PN}" = "${KERNEL_PN}" ] ; then 411*4882a593Smuzhiyun if [ "${UBOOT_SIGN_ENABLE}" != "1" ]; then 412*4882a593Smuzhiyun # If we're not signing the Kernel fitImage, that means 413*4882a593Smuzhiyun # we need to copy the u-boot.dtb from staging ourselves 414*4882a593Smuzhiyun cp -P ${STAGING_DATADIR}/u-boot*.dtb ${B} 415*4882a593Smuzhiyun fi 416*4882a593Smuzhiyun # As we are in the kernel context, we need to copy u-boot-spl.dtb from staging first. 417*4882a593Smuzhiyun # Unfortunately, need to glob on top of ${SPL_DTB_BINARY} since _IMAGE and _SYMLINK 418*4882a593Smuzhiyun # will contain U-boot's PV 419*4882a593Smuzhiyun # Similarly, we need to get the filename for the 'stub' u-boot-fitimage + its in 420*4882a593Smuzhiyun # staging so that we can use it for creating the image with the correct filename 421*4882a593Smuzhiyun # in the KERNEL_PN context. 422*4882a593Smuzhiyun # As for the u-boot.dtb (with fitimage's pubkey), it should come from the dependent 423*4882a593Smuzhiyun # do_assemble_fitimage task 424*4882a593Smuzhiyun cp -P ${STAGING_DATADIR}/u-boot-spl*.dtb ${B} 425*4882a593Smuzhiyun cp -P ${STAGING_DATADIR}/u-boot-nodtb*.bin ${B} 426*4882a593Smuzhiyun rm -rf ${B}/u-boot-fitImage-* ${B}/u-boot-its-* 427*4882a593Smuzhiyun kernel_uboot_fitimage_name=`basename ${STAGING_DATADIR}/u-boot-fitImage-*` 428*4882a593Smuzhiyun kernel_uboot_its_name=`basename ${STAGING_DATADIR}/u-boot-its-*` 429*4882a593Smuzhiyun cd ${B} 430*4882a593Smuzhiyun uboot_fitimage_assemble $kernel_uboot_its_name ${UBOOT_NODTB_BINARY} \ 431*4882a593Smuzhiyun ${UBOOT_DTB_BINARY} $kernel_uboot_fitimage_name \ 432*4882a593Smuzhiyun ${SPL_DTB_BINARY} 433*4882a593Smuzhiyun fi 434*4882a593Smuzhiyun} 435*4882a593Smuzhiyun 436*4882a593Smuzhiyunaddtask uboot_assemble_fitimage before do_deploy after do_compile 437*4882a593Smuzhiyun 438*4882a593Smuzhiyundo_deploy:prepend:pn-${UBOOT_PN}() { 439*4882a593Smuzhiyun if [ "${UBOOT_SIGN_ENABLE}" = "1" -a -n "${UBOOT_DTB_BINARY}" ] ; then 440*4882a593Smuzhiyun concat_dtb 441*4882a593Smuzhiyun fi 442*4882a593Smuzhiyun 443*4882a593Smuzhiyun if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then 444*4882a593Smuzhiyun # Deploy the u-boot-nodtb binary and symlinks... 445*4882a593Smuzhiyun if [ -f "${SPL_DIR}/${SPL_NODTB_BINARY}" ] ; then 446*4882a593Smuzhiyun echo "Copying u-boot-nodtb binary..." 447*4882a593Smuzhiyun install -m 0644 ${SPL_DIR}/${SPL_NODTB_BINARY} ${DEPLOYDIR}/${SPL_NODTB_IMAGE} 448*4882a593Smuzhiyun ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_SYMLINK} 449*4882a593Smuzhiyun ln -sf ${SPL_NODTB_IMAGE} ${DEPLOYDIR}/${SPL_NODTB_BINARY} 450*4882a593Smuzhiyun fi 451*4882a593Smuzhiyun 452*4882a593Smuzhiyun 453*4882a593Smuzhiyun # We only deploy the symlinks to the uboot-fitImage and uboot-its 454*4882a593Smuzhiyun # images, as the KERNEL_PN will take care of deploying the real file 455*4882a593Smuzhiyun ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_BINARY} 456*4882a593Smuzhiyun ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_FITIMAGE_SYMLINK} 457*4882a593Smuzhiyun ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS} 458*4882a593Smuzhiyun ln -sf ${UBOOT_ITS_IMAGE} ${DEPLOYDIR}/${UBOOT_ITS_SYMLINK} 459*4882a593Smuzhiyun fi 460*4882a593Smuzhiyun 461*4882a593Smuzhiyun if [ "${SPL_SIGN_ENABLE}" = "1" -a -n "${SPL_DTB_BINARY}" ] ; then 462*4882a593Smuzhiyun concat_spl_dtb 463*4882a593Smuzhiyun fi 464*4882a593Smuzhiyun 465*4882a593Smuzhiyun 466*4882a593Smuzhiyun} 467*4882a593Smuzhiyun 468*4882a593Smuzhiyundo_deploy:append:pn-${UBOOT_PN}() { 469*4882a593Smuzhiyun # If we're creating a u-boot fitImage, point u-boot.bin 470*4882a593Smuzhiyun # symlink since it might get used by image recipes 471*4882a593Smuzhiyun if [ "${UBOOT_FITIMAGE_ENABLE}" = "1" ] ; then 472*4882a593Smuzhiyun ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_BINARY} 473*4882a593Smuzhiyun ln -sf ${UBOOT_FITIMAGE_IMAGE} ${DEPLOYDIR}/${UBOOT_SYMLINK} 474*4882a593Smuzhiyun fi 475*4882a593Smuzhiyun} 476*4882a593Smuzhiyun 477*4882a593Smuzhiyunpython () { 478*4882a593Smuzhiyun if ( (d.getVar('UBOOT_SIGN_ENABLE') == '1' 479*4882a593Smuzhiyun or d.getVar('UBOOT_FITIMAGE_ENABLE') == '1') 480*4882a593Smuzhiyun and d.getVar('PN') == d.getVar('UBOOT_PN') 481*4882a593Smuzhiyun and d.getVar('UBOOT_DTB_BINARY')): 482*4882a593Smuzhiyun 483*4882a593Smuzhiyun # Make "bitbake u-boot -cdeploy" deploys the signed u-boot.dtb 484*4882a593Smuzhiyun # and/or the U-Boot fitImage 485*4882a593Smuzhiyun d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % d.getVar('KERNEL_PN')) 486*4882a593Smuzhiyun 487*4882a593Smuzhiyun if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' and d.getVar('PN') == d.getVar('KERNEL_PN'): 488*4882a593Smuzhiyun # As the U-Boot fitImage is created by the KERNEL_PN, we need 489*4882a593Smuzhiyun # to make sure that the u-boot-spl.dtb and u-boot-spl-nodtb.bin 490*4882a593Smuzhiyun # files are in the staging dir for it's use 491*4882a593Smuzhiyun d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_populate_sysroot' % d.getVar('UBOOT_PN')) 492*4882a593Smuzhiyun 493*4882a593Smuzhiyun # If the Kernel fitImage is being signed, we need to 494*4882a593Smuzhiyun # create the U-Boot fitImage after it 495*4882a593Smuzhiyun if d.getVar('UBOOT_SIGN_ENABLE') == '1': 496*4882a593Smuzhiyun d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage' % d.getVar('KERNEL_PN')) 497*4882a593Smuzhiyun d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' %s:do_assemble_fitimage_initramfs' % d.getVar('KERNEL_PN')) 498*4882a593Smuzhiyun 499*4882a593Smuzhiyun} 500