[PATCH] kbuild: make FIT public key overwritable
Stefano Manni
stefano.manni at gmail.com
Wed Jul 20 03:15:22 PDT 2022
The path to the public key used to verify FIT images can be
specified with a Kconfig variable. For better build system
integration we also want to be able to specify the path in
an environment variable.
Signed-off-by: Stefano Manni <stefano.manni at gmail.com>
---
common/Kconfig | 17 +++++++++++++++++
scripts/Makefile.lib | 8 +++++++-
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/common/Kconfig b/common/Kconfig
index 658437f..ceacf28 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -643,6 +643,21 @@ config BOOTM_FITIMAGE_SIGNATURE
Additionally the barebox device tree needs a /signature node with the
public key with which the image has been signed.
+config BOOTM_FITIMAGE_PUBKEY_ENV
+ bool "Specify path to public key in environment"
+ depends on BOOTM_FITIMAGE_SIGNATURE
+ help
+ If this option is enabled the path to the public key for verifying
+ FIT images signature is taken from environment which allows for
+ better integration with build systems.
+
+ The environment variable has the same name as the corresponding
+ Kconfig variable:
+
+ CONFIG_BOOTM_FITIMAGE_PUBKEY
+
+if BOOTM_FITIMAGE_SIGNATURE && !BOOTM_FITIMAGE_PUBKEY_ENV
+
config BOOTM_FITIMAGE_PUBKEY
string "Path to dtsi containing pubkey"
default "../fit/pubkey.dtsi"
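Review bot: The help text of BOOTM_FITIMAGE_PUBKEY_ENV does not say what happens when the option is enabled but the environment variable is missing. Enabling it hides BOOTM_FITIMAGE_PUBKEY and its default, so the verification key path is no longer recorded in .config and depends entirely on the build environment. I would add a sentence such as `The variable must be set when building; there is no fallback to a default path.`, and fix the wording to `for verifying FIT image signatures is taken from the environment`. The `if` block opened here is closed by the `endif` in the following hunk.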
@@ -652,6 +667,8 @@ config BOOTM_FITIMAGE_PUBKEY
snippet can then be included in a device tree with
"#include CONFIG_BOOTM_FITIMAGE_PUBKEY".
+endif
+
config BOOTM_FORCE_SIGNED_IMAGES
bool
prompt "Force booting of signed images"
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 3799e77..891b8dd 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -479,6 +479,11 @@ overwrite-hab-env = $(shell set -e; \
test -n "$$$(1)"; \
echo -D$(1)=\\\"$(shell echo $$$(1))\\\")
+overwrite-fit-env = $(shell set -e; \
+ test -n "$(CONFIG_BOOTM_FITIMAGE_PUBKEY_ENV)"; \
+ test -n "$$$(1)"; \
+ echo -D$(1)=\\\"$(shell echo $$$(1))\\\")
+
imxcfg_cpp_flags = -Wp,-MD,$(depfile) -nostdinc -x assembler-with-cpp \
-I $(srctree)/include -I $(srctree)/arch/arm/mach-imx/include \
-include include/generated/autoconf.h \
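Review bot: `overwrite-fit-env` fails silently, because `$(shell …)` discards the exit status of the `set -e; test -n …` sequence. When BOOTM_FITIMAGE_PUBKEY_ENV is enabled but the environment variable is empty, the macro expands to nothing and no `-D` is passed, with no diagnostic at this point. For the key that anchors FIT signature verification this should stop the build, for example `$(if $(CONFIG_BOOTM_FITIMAGE_PUBKEY_ENV),$(if $($(1)),,$(error $(1) is not set in the environment)))` ahead of the `$(shell …)`. The value is also pasted unquoted into the outer shell command via `$(shell echo $$$(1))`, so a path containing spaces or shell metacharacters is reinterpreted; the `overwrite-hab-env` context lines above have the same pattern. A comment stating that the expansion is empty unless both the option and the variable are set would help the next reader.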
@@ -487,7 +492,8 @@ imxcfg_cpp_flags = -Wp,-MD,$(depfile) -nostdinc -x assembler-with-cpp \
$(call overwrite-hab-env,CONFIG_HABV3_IMG_CRT_DER) \
$(call overwrite-hab-env,CONFIG_HABV4_TABLE_BIN) \
$(call overwrite-hab-env,CONFIG_HABV4_CSF_CRT_PEM) \
- $(call overwrite-hab-env,CONFIG_HABV4_IMG_CRT_PEM)
+ $(call overwrite-hab-env,CONFIG_HABV4_IMG_CRT_PEM) \
+ $(call overwrite-fit-env,CONFIG_BOOTM_FITIMAGE_PUBKEY) \
dcd-tmp = $(subst $(comma),_,$(dot-target).dcd.tmp)
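Review bot: The new `$(call overwrite-fit-env,CONFIG_BOOTM_FITIMAGE_PUBKEY)` is appended to `imxcfg_cpp_flags`, whereas the Kconfig help says the key snippet is consumed by `#include CONFIG_BOOTM_FITIMAGE_PUBKEY` in a device tree. Unless the device-tree preprocessor flags, which are not visible in this hunk, also receive the define, the macro would be undefined there once the Kconfig symbol is hidden. The added line also ends with a continuation backslash although it is the last item, so the assignment only ends correctly if an empty line follows; write it as `$(call overwrite-fit-env,CONFIG_BOOTM_FITIMAGE_PUBKEY)` without the trailing `\`.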
--
2.7.4