classes/kernel-fitimage: add ability to sign individual images
authorLuca Boccassi <luca.boccassi@microsoft.com>
Thu, 17 Dec 2020 02:51:39 +0000 (18:51 -0800)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Sun, 20 Dec 2020 00:03:01 +0000 (00:03 +0000)
Add the ability to have the kernel, dtb and ramdisk individually signed
by setting FIT_SIGN_INDIVIDUAL = "1". This could be useful if you are
intending to verify signatures before using kexec for example.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes/kernel-fitimage.bbclass

index 9661b4ff78713467903ea6928a85d89a22b9af3a..9fa302a5c816efd214e416bd7002772c155023ce 100644 (file)
@@ -75,6 +75,9 @@ FIT_KEY_SIGN_PKCS ?= "-x509"
 # Description string
 FIT_DESC ?= "U-Boot fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}"
 
+# Sign individual images as well
+FIT_SIGN_INDIVIDUAL ?= "0"
+
 # mkimage command
 UBOOT_MKIMAGE ?= "uboot-mkimage"
 UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
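Review bot: The comment above the new `FIT_SIGN_INDIVIDUAL` default does not say what else the switch depends on, while the later hunks only emit a signature node when `UBOOT_SIGN_ENABLE` is "1" and `UBOOT_SIGN_KEYNAME` is non-empty, so someone who sets only this variable gets no per-image signatures and no message. Suggest `# Sign individual images (kernel, dtb, ramdisk) as well as configurations. Only effective with UBOOT_SIGN_ENABLE = "1" and a non-empty UBOOT_SIGN_KEYNAME.` Whether U-Boot enforces those per-image signatures at boot depends on how the public-key node in the control DTB is marked, which is decided by the key-installation step of this class that is not visible here; once confirmed, that caveat belongs in the same comment so users do not assume the option alone hardens kexec.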
@@ -142,6 +145,8 @@ EOF
 fitimage_emit_section_kernel() {
 
        kernel_csum="${FIT_HASH_ALG}"
+       kernel_sign_algo="${FIT_SIGN_ALG}"
+       kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
 
        ENTRYPOINT="${UBOOT_ENTRYPOINT}"
        if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -164,6 +169,17 @@ fitimage_emit_section_kernel() {
                         };
                 };
 EOF
+
+       if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
+               sed -i '$ d' ${1}
+               cat << EOF >> ${1}
+                        signature@1 {
+                                algo = "${kernel_csum},${kernel_sign_algo}";
+                                key-name-hint = "${kernel_sign_keyname}";
+                        };
+                };
+EOF
+       fi
 }
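Review bot: The `-n "${kernel_sign_keyname}"` clause in the new condition turns a misconfiguration into a silently unsigned image: with both `UBOOT_SIGN_ENABLE` and `FIT_SIGN_INDIVIDUAL` set to "1" but `UBOOT_SIGN_KEYNAME` empty, the kernel node is emitted without its `signature@1` child and the build succeeds. For a security switch the failure should be loud; unless an earlier check in the class (not shown in this hunk) already rejects that combination, drop the `-n` test from the condition and guard explicitly with something like `[ -z "${kernel_sign_keyname}" ] && bbfatal "FIT_SIGN_INDIVIDUAL requires UBOOT_SIGN_KEYNAME to be set"` before the `sed`, assuming `bbfatal` is usable here as in other shell tasks. The `${1}` passed to `sed -i` and to the `>>` redirection is also unquoted on the added lines and should be `"${1}"`.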
 
 #
@@ -175,6 +191,8 @@ EOF
 fitimage_emit_section_dtb() {
 
        dtb_csum="${FIT_HASH_ALG}"
+       dtb_sign_algo="${FIT_SIGN_ALG}"
+       dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
 
        dtb_loadline=""
        dtb_ext=${DTB##*.}
@@ -198,6 +216,17 @@ fitimage_emit_section_dtb() {
                         };
                 };
 EOF
+
+       if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
+               sed -i '$ d' ${1}
+               cat << EOF >> ${1}
+                        signature@1 {
+                                algo = "${dtb_csum},${dtb_sign_algo}";
+                                key-name-hint = "${dtb_sign_keyname}";
+                        };
+                };
+EOF
+       fi
 }
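Review bot: `sed -i '$ d' ${1}` on the added line depends on the last line of the .its being exactly the closing `};` of the dtb node written by the heredoc directly above; if that heredoc ever gains a trailing line, or the file is touched between the two steps, the sed deletes the wrong line and produces a malformed or differently structured node that is then signed as-is. Rather than deleting text that was just written, keep the node open in the heredoc and emit the closing brace unconditionally after the optional signature block, which also removes the need for the `sed` call. The rewritten tail of `fitimage_emit_section_dtb` would look like the following, with the `};` that currently ends the first heredoc moved to the final `echo`.
```shell
        # … unchanged: heredoc emitting the dtb node up to and including its hash@1 child, minus the node's closing "};" …
EOF

        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
                cat << EOF >> "${1}"
                        signature@1 {
                                algo = "${dtb_csum},${dtb_sign_algo}";
                                key-name-hint = "${dtb_sign_keyname}";
                        };
EOF
        fi
        # Close the dtb node unconditionally, whether or not a signature was added
        echo "                };" >> "${1}"
```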
 
 #
@@ -236,6 +265,8 @@ EOF
 fitimage_emit_section_ramdisk() {
 
        ramdisk_csum="${FIT_HASH_ALG}"
+       ramdisk_sign_algo="${FIT_SIGN_ALG}"
+       ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
        ramdisk_loadline=""
        ramdisk_entryline=""
 
@@ -261,6 +292,17 @@ fitimage_emit_section_ramdisk() {
                         };
                 };
 EOF
+
+       if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
+               sed -i '$ d' ${1}
+               cat << EOF >> ${1}
+                        signature@1 {
+                                algo = "${ramdisk_csum},${ramdisk_sign_algo}";
+                                key-name-hint = "${ramdisk_sign_keyname}";
+                        };
+                };
+EOF
+       fi
 }
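Review bot: The signature block added here is the third byte-for-byte copy of the same eleven lines (kernel, dtb, ramdisk differ only in the three variable names), so any future fix to the `sed`/heredoc dance, the algo string or the quoting has to be made in three places and is easy to miss in one. Factor it into a single helper that takes the target file, hash algorithm, signature algorithm and key name, and call it from each section emitter as `fitimage_emit_image_signature "${1}" "${ramdisk_csum}" "${ramdisk_sign_algo}" "${ramdisk_sign_keyname}"` under the existing condition. The enclosing `fitimage_emit_section_ramdisk` starts before this hunk. A helper along these lines would sit next to the other `fitimage_emit_*` functions:
```shell
# Append a signature@1 node to the image node most recently written to $1.
# Assumes the last line of $1 is that node's closing "};", which is removed
# and re-emitted after the signature node.
#   $1  .its file being generated
#   $2  hash algorithm (FIT_HASH_ALG)
#   $3  signature algorithm (FIT_SIGN_ALG)
#   $4  key name hint (UBOOT_SIGN_KEYNAME)
fitimage_emit_image_signature() {
        sed -i '$ d' "${1}"
        cat << EOF >> "${1}"
                        signature@1 {
                                algo = "${2},${3}";
                                key-name-hint = "${4}";
                        };
                };
EOF
}
```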
 
 #