[PATCH 5/5] rsatoc: support generating standalone keys unreferenced by FIT keyring
Ahmad Fatoum
a.fatoum at pengutronix.de
Thu Sep 21 03:23:10 PDT 2023
By default, all keys generated by rsatoc and included into barebox,
whether as C code or device tree snippets are added to the single key
ring that's used for FIT image verification. Users may want to add other
keys by the same means, but not have them available to FIT image
verification.
Support this use case by adding a -s option that generates standalone
keys. These are unreferenced by the key ring and by the automatic DT parsing,
and expect the user to reference them manually, either via a global
variable whose symbol name is equal to __key_${hint}, or by looking into
/signature-standalone/key-${hint}.
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
scripts/Makefile.lib | 2 +-
scripts/rsatoc.c | 34 ++++++++++++++++++++++++++--------
2 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index fe77c83ba230..680dc486fd76 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -625,7 +625,7 @@ quiet_cmd_b64dec = B64DEC $@
# target file.
quiet_cmd_rsa_keys = RSAKEY $@
cmd_rsa_keys = \
- $(objtree)/scripts/rsatoc -o $@.tmp "$(2)" && \
+ $(objtree)/scripts/rsatoc -o $@.tmp "$(2)" $(3) && \
if cmp -s $@.tmp $@; then \
rm $@.tmp; \
else \
diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
index f5b0ba27f9bc..6d10dca4169c 100644
--- a/scripts/rsatoc.c
+++ b/scripts/rsatoc.c
@@ -18,7 +18,7 @@
#include <openssl/evp.h>
#include <openssl/engine.h>
-static int dts;
+static int dts, standalone;
static int rsa_err(const char *msg)
{
@@ -454,17 +454,24 @@ static int gen_key(const char *keyname, const char *path)
print_bignum(r_squared, bits);
fprintf(outfilep, "\n};\n\n");
- fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
+ if (standalone) {
+ fprintf(outfilep, "struct rsa_public_key __key_%s;\n", key_name_c);
+ fprintf(outfilep, "struct rsa_public_key __key_%s = {\n", key_name_c);
+ } else {
+ fprintf(outfilep, "static struct rsa_public_key %s = {\n", key_name_c);
+ }
+
fprintf(outfilep, "\t.len = %d,\n", bits / 32);
fprintf(outfilep, "\t.n0inv = 0x%0x,\n", n0_inv);
fprintf(outfilep, "\t.modulus = %s_modulus,\n", key_name_c);
fprintf(outfilep, "\t.rr = %s_rr,\n", key_name_c);
fprintf(outfilep, "\t.exponent = 0x%0lx,\n", exponent);
fprintf(outfilep, "\t.key_name_hint = \"%s\",\n", keyname);
- fprintf(outfilep, "};\n\n");
+ fprintf(outfilep, "};\n");
- fprintf(outfilep, "struct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
- key_name_c, key_name_c, key_name_c);
+ if (!standalone)
+ fprintf(outfilep, "\nstruct rsa_public_key *%sp __attribute__((section(\".rsa_keys.rodata.%s\"))) = &%s;\n",
+ key_name_c, key_name_c, key_name_c);
}
return 0;
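Review bot: The standalone branch emits `struct rsa_public_key __key_%s;` immediately followed by the full definition of the same object, and nothing in the hunk says why; a reader of the generated file will take the bare declaration for a leftover. If it is there to satisfy a missing-declaration warning for an externally visible symbol that has no header (the commit message says users reference it by name), say so in rsatoc.c above the first fprintf, e.g. `/* declare before defining: the key has no header, keep missing-declaration warnings quiet */`. Separately, `__key_` places the generated symbol in the identifier namespace reserved for the C implementation (leading double underscore); a prefix such as `rsa_key_` would avoid that, although the commit message already advertises the `__key_${hint}` name, so changing it would need the message updated too. gen_key starts and ends outside the hunk.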
@@ -478,7 +485,7 @@ int main(int argc, char *argv[])
outfilep = stdout;
- while ((opt = getopt(argc, argv, "o:d")) > 0) {
+ while ((opt = getopt(argc, argv, "o:ds")) > 0) {
switch (opt) {
case 'o':
outfile = optarg;
@@ -486,6 +493,9 @@ int main(int argc, char *argv[])
case 'd':
dts = 1;
break;
+ case 's':
+ standalone = 1;
+ break;
}
}
@@ -499,14 +509,22 @@ int main(int argc, char *argv[])
}
if (optind == argc) {
- fprintf(stderr, "Usage: %s <key_name_hint>:<crt> ...\n", argv[0]);
+ fprintf(stderr, "Usage: %s [-ods] OUTFIE<key_name_hint>:<crt> ...\n", argv[0]);
+ fprintf(stderr, "\t-o FILE\twrite output into FILE instead of stdout\n");
+ fprintf(stderr, "\t-d\tgenerate device tree snippet instead of C code\n");
+ fprintf(stderr, "\t-s\tgenerate standalone key outside FIT image keyring\n");
exit(1);
}
if (dts) {
fprintf(outfilep, "/dts-v1/;\n");
fprintf(outfilep, "/ {\n");
- fprintf(outfilep, "\tsignature {\n");
+ if (standalone)
+ fprintf(outfilep, "\tsignature-standalone {\n");
+ else
+ fprintf(outfilep, "\tsignature {\n");
+ } else if (standalone) {
+ fprintf(outfilep, "#include <rsa.h>\n");
}
for (i = optind; i < argc; i++) {
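Review bot: The new usage line `fprintf(stderr, "Usage: %s [-ods] OUTFIE<key_name_hint>:<crt> ...\n", argv[0]);` is wrong on two counts: `OUTFIE` is a typo, and it shows the output file as a positional argument while the option loop only accepts it via `-o FILE` (`[-ods]` also hides that `-o` takes an argument). Suggest `fprintf(stderr, "Usage: %s [-o FILE] [-d] [-s] <key_name_hint>:<crt> ...\n", argv[0]);`, which then agrees with the three per-option lines that follow. The `else if (standalone)` branch emits `#include <rsa.h>` only for standalone C output; if the non-standalone C output is expected to get that header from the file that includes it, a one-line comment on the branch saying so would spare the next reader the question. main continues outside the hunk.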
--
2.39.2