
secure boot: Fix bug where verification key was not embedded in app

Angus Gratton 6 vuotta sitten
vanhempi
sitoutus
90568fbf00

+ 50 - 20
components/bootloader_support/CMakeLists.txt

@@ -36,30 +36,60 @@ idf_component_register(SRCS "${srcs}"
                     REQUIRES "${requires}"
                     PRIV_REQUIRES "${priv_requires}")
 
-if(BOOTLOADER_BUILD AND CONFIG_SECURE_SIGNED_APPS)
-    # Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed
-    # in the library.
-    if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
-        # We generate the key from the signing key. The signing key is passed from the main project.
-        get_filename_component(secure_boot_signing_key
-            "${SECURE_BOOT_SIGNING_KEY}"
-            ABSOLUTE BASE_DIR "${project_dir}")
-        get_filename_component(secure_boot_verification_key
-            "signature_verification_key.bin"
-            ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
-        add_custom_command(OUTPUT "${secure_boot_verification_key}"
-            COMMAND ${ESPSECUREPY}
+if(CONFIG_SECURE_SIGNED_APPS)
+    if(BOOTLOADER_BUILD)
+        # Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed
+        # in the library.
+        if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
+            # We generate the key from the signing key. The signing key is passed from the main project.
+            get_filename_component(secure_boot_signing_key
+                "${SECURE_BOOT_SIGNING_KEY}"
+                ABSOLUTE BASE_DIR "${project_dir}")
+            get_filename_component(secure_boot_verification_key
+                "signature_verification_key.bin"
+                ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
+            add_custom_command(OUTPUT "${secure_boot_verification_key}"
+                COMMAND ${ESPSECUREPY}
                 extract_public_key --keyfile "${secure_boot_signing_key}"
                 "${secure_boot_verification_key}"
-            VERBATIM)
-    else()
-        # We expect to 'inherit' the verification key passed from main project.
-        get_filename_component(secure_boot_verification_key
-            ${SECURE_BOOT_VERIFICATION_KEY}
-            ABSOLUTE BASE_DIR "${project_dir}")
+                DEPENDS ${secure_boot_signing_key}
+                VERBATIM)
+        else()
+            # We expect to 'inherit' the verification key passed from main project.
+            get_filename_component(secure_boot_verification_key
+                ${SECURE_BOOT_VERIFICATION_KEY}
+                ABSOLUTE BASE_DIR "${project_dir}")
+        endif()
+    else()  # normal app build
+        idf_build_get_property(project_dir PROJECT_DIR)
+
+        if(CONFIG_SECURE_BOOT_VERIFICATION_KEY)
+            # verification-only build supplies verification key
+            set(secure_boot_verification_key ${CONFIG_SECURE_BOOT_VERIFICATION_KEY})
+            get_filename_component(secure_boot_verification_key
+                ${secure_boot_verification_key}
+                ABSOLUTE BASE_DIR "${project_dir}")
+        else()
+            # sign at build time, extracts key from signing key
+            set(secure_boot_verification_key "${CMAKE_BINARY_DIR}/signature_verification_key.bin")
+            get_filename_component(secure_boot_signing_key
+                ${CONFIG_SECURE_BOOT_SIGNING_KEY}
+                ABSOLUTE BASE_DIR "${project_dir}")
+
+            add_custom_command(OUTPUT "${secure_boot_verification_key}"
+                COMMAND ${ESPSECUREPY}
+                extract_public_key --keyfile "${secure_boot_signing_key}"
+                "${secure_boot_verification_key}"
+                WORKING_DIRECTORY ${project_dir}
+                DEPENDS ${secure_boot_signing_key}
+                VERBATIM)
+        endif()
     endif()
 
-    target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY")
+    # Embed the verification key in the binary (app & bootloader)
+    #
+    target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY"
+        RENAME_TO signature_verification_key_bin)
     set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
         APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
         "${secure_boot_verification_key}")
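Review bot: The new app-build branch chooses the key source by the truthiness of `CONFIG_SECURE_BOOT_VERIFICATION_KEY`, while the bootloader branch above tests `CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES`, so the two builds can in principle disagree about which public key is embedded as the app's trust anchor. I would test the same flag in both places, `if(NOT CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)`, and fail early when the selected path is empty, e.g. `message(FATAL_ERROR "secure boot: no signing or verification key configured")`. Without that, an empty unquoted `${CONFIG_SECURE_BOOT_SIGNING_KEY}` simply disappears from the `get_filename_component` call, and the resulting error does not point at the missing key. Separately, the trailing `ADDITIONAL_MAKE_CLEAN_FILES` append now also runs for app builds where `secure_boot_verification_key` is a user-supplied file under `project_dir`; it is worth confirming that a clean does not delete that file.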

+ 8 - 3
tools/cmake/scripts/data_file_embed_asm.cmake

@@ -38,9 +38,14 @@ string(REGEX REPLACE "[^\n]+$" ".byte \\0\n" data "${data}")
 string(REGEX REPLACE "[0-9a-f][0-9a-f]" "0x\\0, " data "${data}")                      # hex formatted C bytes
 string(REGEX REPLACE ", \n" "\n" data "${data}")                                       # trim the last comma
 
-## Come up with C-friendly symbol name based on source file
-get_filename_component(source_filename "${DATA_FILE}" NAME)
-string(MAKE_C_IDENTIFIER "${source_filename}" varname)
+## Come up with C-friendly variable name based on source file
+# unless VARIABLE_BASENAME is set
+if(NOT VARIABLE_BASENAME)
+    get_filename_component(source_filename "${DATA_FILE}" NAME)
+    string(MAKE_C_IDENTIFIER "${source_filename}" varname)
+else()
+    string(MAKE_C_IDENTIFIER "${VARIABLE_BASENAME}" varname)
+endif()
 
 function(append str)
     file(APPEND "${SOURCE_FILE}" "${str}")
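Review bot: `if(NOT VARIABLE_BASENAME)` tests CMake truthiness rather than presence, so an override whose value is one of CMake's false constants (`OFF`, `NO`, `0`, or a name ending in `-NOTFOUND`) is silently ignored and the symbol falls back to the file-name-derived one, which the caller will most likely only notice as a link error. `if(NOT DEFINED VARIABLE_BASENAME OR "${VARIABLE_BASENAME}" STREQUAL "")` expresses what is meant. If the script's header comment lists its `-D` inputs (it lies outside this hunk), `VARIABLE_BASENAME` should be added there with a line such as `# VARIABLE_BASENAME - optional base for the generated symbol names, overriding the file name`.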

+ 7 - 0
tools/cmake/utilities.cmake

@@ -77,6 +77,7 @@ endfunction()
 # by converting it to a generated source file which is then compiled
 # to a binary object as part of the build
 function(target_add_binary_data target embed_file embed_type)
+    cmake_parse_arguments(_ "" "RENAME_TO" "" ${ARGN})
     idf_build_get_property(build_dir BUILD_DIR)
     idf_build_get_property(idf_path IDF_PATH)
 
@@ -85,10 +86,16 @@ function(target_add_binary_data target embed_file embed_type)
     get_filename_component(name "${embed_file}" NAME)
     set(embed_srcfile "${build_dir}/${name}.S")
 
+    set(rename_to_arg)
+    if(__RENAME_TO)  # use a predefined variable name
+        set(rename_to_arg -D "VARIABLE_BASENAME=${__RENAME_TO}")
+    endif()
+
     add_custom_command(OUTPUT "${embed_srcfile}"
         COMMAND "${CMAKE_COMMAND}"
         -D "DATA_FILE=${embed_file}"
         -D "SOURCE_FILE=${embed_srcfile}"
+        ${rename_to_arg}
         -D "FILE_TYPE=${embed_type}"
         -P "${idf_path}/tools/cmake/scripts/data_file_embed_asm.cmake"
         MAIN_DEPENDENCY "${embed_file}"
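Review bot: The `cmake_parse_arguments(_ "" "RENAME_TO" "" ${ARGN})` call added at the top of `target_add_binary_data` never inspects `__UNPARSED_ARGUMENTS`, so a misspelled keyword is dropped silently and the symbol name reverts to the file-name-derived one. The secure boot caller in this commit presumably relies on the fixed name `signature_verification_key_bin` to find the embedded key, so I would fail at configure time: `if(__UNPARSED_ARGUMENTS)` followed by `message(FATAL_ERROR "target_add_binary_data: unexpected arguments: ${__UNPARSED_ARGUMENTS}")`. The comment block above the function should also gain a line such as `# RENAME_TO <name>: use <name> instead of the file name as the base of the embedded symbol`. The function body continues past the end of the second hunk.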