mirror of
https://git.yoctoproject.org/poky
synced 2026-03-06 23:39:40 +01:00
29a931bfbf
The do_kernel_generate_rsa_keys function from kernel-fitimage.bbclass is moved to a new recipe, kernel-signing-keys-native.bb. This refactoring introduces no functional changes. Intention this change: - Remove the dependency of uboot-sign.bbclass on kernel-fitimage.bbclass. - Simplify the use of custom key generation implementations by isolating the functionality into a separate recipe. Known limitations of this (and also the previous) implementation: - When generating from an existing TMPDIR, the existing key is reused. However, when generating from an empty TMPDIR or an SDK using the sstate-cache, a new key is generated, which may lead to inconsistencies. - The use of random keys (via FIT_GENERATE_KEYS) is convenient for experiments but unsuitable for production environments requiring deterministic and secure key management. Future improvements to consider: - Ensure reproducibility, even when using the sstate-cache. However, simply storing the private key in a potentially shared sstate artifact may not always be ideal from a security perspective. - Support encrypted keys via `SRC_URI` for reliable key updates. - Enable signing with an HSM (Hardware Security Module) through mechanisms like PKCS#11 or post-processing scripts. (From OE-Core rev: 88736bb53fd2f0ffa1d249fc1a37897d10c8be18) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>