mirror of
https://git.yoctoproject.org/poky
synced 2026-04-29 18:32:20 +02:00
uboot-sign/kernel-fitimage: split generate_rsa_keys task
Currently generate_rsa_keys tasks are being executed parallelly in kernel and uboot's task list, and both of them are calling openssl to generate rsa keys in same path, this can lead to race condition. Let's split it to kernel_generate_rsa_keys and uboot_generate_rsa_keys. (From OE-Core rev: 36814f5467c9abd84aeb05916b4fd49f766f4f9f) Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ming Liu
@@ -667,7 +667,34 @@ do_assemble_fitimage_initramfs() {
|
||||
|
||||
addtask assemble_fitimage_initramfs before do_deploy after do_bundle_initramfs
|
||||
|
||||
addtask generate_rsa_keys before do_assemble_fitimage after do_compile
|
||||
do_kernel_generate_rsa_keys() {
|
||||
if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
|
||||
bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
|
||||
fi
|
||||
|
||||
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
|
||||
|
||||
# Generate keys only if they don't already exist
|
||||
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
|
||||
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
|
||||
|
||||
# make directory if it does not already exist
|
||||
mkdir -p "${UBOOT_SIGN_KEYDIR}"
|
||||
|
||||
echo "Generating RSA private key for signing fitImage"
|
||||
openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
|
||||
"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
|
||||
"${FIT_SIGN_NUMBITS}"
|
||||
|
||||
echo "Generating certificate for signing fitImage"
|
||||
openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
|
||||
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
|
||||
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
addtask kernel_generate_rsa_keys before do_assemble_fitimage after do_compile
|
||||
|
||||
kernel_do_deploy[vardepsexclude] = "DATETIME"
|
||||
kernel_do_deploy_append() {
|
||||
@@ -718,13 +745,13 @@ kernel_do_deploy_append() {
|
||||
# - Removes do_assemble_fitimage. FIT generation is done through
|
||||
# do_assemble_fitimage_initramfs. do_assemble_fitimage is not needed
|
||||
# and should not be part of the tasks to be executed.
|
||||
# - Since do_generate_rsa_keys is inserted by default
|
||||
# - Since do_kernel_generate_rsa_keys is inserted by default
|
||||
# between do_compile and do_assemble_fitimage, this is
|
||||
# not suitable in case of initramfs bundles. do_generate_rsa_keys
|
||||
# not suitable in case of initramfs bundles. do_kernel_generate_rsa_keys
|
||||
# should be between do_bundle_initramfs and do_assemble_fitimage_initramfs.
|
||||
python () {
|
||||
if d.getVar('INITRAMFS_IMAGE_BUNDLE') == "1":
|
||||
bb.build.deltask('do_assemble_fitimage', d)
|
||||
bb.build.deltask('generate_rsa_keys', d)
|
||||
bb.build.addtask('generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d)
|
||||
bb.build.deltask('kernel_generate_rsa_keys', d)
|
||||
bb.build.addtask('kernel_generate_rsa_keys', 'do_assemble_fitimage_initramfs', 'do_bundle_initramfs', d)
|
||||
}
|
||||
|
||||
@@ -255,32 +255,7 @@ do_install_append() {
|
||||
fi
|
||||
}
|
||||
|
||||
do_generate_rsa_keys() {
|
||||
if [ "${UBOOT_SIGN_ENABLE}" = "0" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
|
||||
bbwarn "FIT_GENERATE_KEYS is set to 1 even though UBOOT_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
|
||||
fi
|
||||
|
||||
if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
|
||||
|
||||
# Generate keys only if they don't already exist
|
||||
if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
|
||||
[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
|
||||
|
||||
# make directory if it does not already exist
|
||||
mkdir -p "${UBOOT_SIGN_KEYDIR}"
|
||||
|
||||
echo "Generating RSA private key for signing fitImage"
|
||||
openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
|
||||
"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
|
||||
"${FIT_SIGN_NUMBITS}"
|
||||
|
||||
echo "Generating certificate for signing fitImage"
|
||||
openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
|
||||
-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
|
||||
-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
|
||||
fi
|
||||
fi
|
||||
|
||||
do_uboot_generate_rsa_keys() {
|
||||
if [ "${SPL_SIGN_ENABLE}" = "0" ] && [ "${UBOOT_FIT_GENERATE_KEYS}" = "1" ]; then
|
||||
bbwarn "UBOOT_FIT_GENERATE_KEYS is set to 1 eventhough SPL_SIGN_ENABLE is set to 0. The keys will not be generated as they won't be used."
|
||||
fi
|
||||
@@ -308,7 +283,7 @@ do_generate_rsa_keys() {
|
||||
|
||||
}
|
||||
|
||||
addtask generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
|
||||
addtask uboot_generate_rsa_keys before do_uboot_assemble_fitimage after do_compile
|
||||
|
||||
# Create a ITS file for the U-boot FIT, for use when
|
||||
# we want to sign it so that the SPL can verify it
|
||||
|
||||
Reference in New Issue
Block a user