
Secure boot: Correctly re-sign if signing key changes, better error if missing

Angus Gratton 9 лет назад
Родитель
Сommit
a9d5e26748

+ 7 - 0
components/bootloader_support/Makefile.projbuild

@@ -0,0 +1,7 @@
+$(SECURE_BOOT_SIGNING_KEY):
+	@echo "Need to generate secure boot signing key."
+	@echo "One way is to run this command:"
+	@echo "$(ESPSECUREPY) generate_signing_key $@"
+	@echo "Keep key file safe after generating."
+	@echo "(See secure boot documentation for risks & alternatives.)"
+	@exit 1
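Review bot: The missing-key rule is now defined without any guard, whereas the copy this commit removes from component.mk sat inside `ifdef CONFIG_SECURE_BOOT_ENABLED`. If `SECURE_BOOT_SIGNING_KEY` is empty when secure boot is disabled (its definition is not visible here), the header expands to a rule with no target, which GNU make ignores without a diagnostic, so the file relies on that behaviour implicitly. Wrapping the rule in `ifdef CONFIG_SECURE_BOOT_ENABLED` … `endif` would state the intent. A short comment above the rule, such as `# the signing key is never generated by the build: fail with instructions instead`, would also record why the recipe ends in `exit 1`.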

+ 0 - 8
components/bootloader_support/component.mk

@@ -17,14 +17,6 @@ ifdef CONFIG_SECURE_BOOT_ENABLED
 # this path is created relative to the component build directory
 SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)
 
-$(SECURE_BOOT_SIGNING_KEY):
-	@echo "Need to generate secure boot signing key."
-	@echo "One way is to run this command:"
-	@echo "$(ESPSECUREPY) generate_signing_key $@"
-	@echo "Keep key file safe after generating."
-	@echo "(See secure boot documentation for risks & alternatives.)"
-	@exit 1
-
 $(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY)
 	$(ESPSECUREPY) extract_public_key --keyfile $< $@
 

+ 2 - 2
components/esptool_py/Makefile.projbuild

@@ -33,8 +33,8 @@ ifndef IS_BOOTLOADER_BUILD
 # for secure boot, add a signing step to get from unsiged app to signed app
 APP_BIN_UNSIGNED := $(APP_BIN:.bin=-unsigned.bin)
 
-$(APP_BIN): $(APP_BIN_UNSIGNED)
-	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $^  # signed in-place
+$(APP_BIN): $(APP_BIN_UNSIGNED) $(SECURE_BOOT_SIGNING_KEY)
+	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
 endif
 endif
 # non-secure boot (or bootloader), both these files are the same
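Review bot: The app signing rule gains the key file as a prerequisite but not `$(SDKCONFIG_MAKEFILE)`, which the partition-table rule in components/partition_table/Makefile.projbuild receives in this same commit. A key-file prerequisite only triggers on a newer mtime at that path, so if the configuration is switched to a different key file that is older than the existing `$(APP_BIN)`, make may treat the signed app as up to date and leave it signed with the previous key. Unless the unsigned app is already guaranteed to rebuild on every sdkconfig change (not visible in this hunk), the header should match the partition-table one: `$(APP_BIN): $(APP_BIN_UNSIGNED) $(SDKCONFIG_MAKEFILE) $(SECURE_BOOT_SIGNING_KEY)`. The enclosing `ifndef IS_BOOTLOADER_BUILD` block starts outside the hunk.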

+ 3 - 3
components/partition_table/Makefile.projbuild

@@ -21,11 +21,11 @@ PARTITION_TABLE_CSV_PATH := $(call dequote,$(abspath $(PARTITION_TABLE_ROOT)/$(s
 
 PARTITION_TABLE_BIN := $(BUILD_DIR_BASE)/$(notdir $(PARTITION_TABLE_CSV_PATH:.csv=.bin))
 
-ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
+ifdef CONFIG_SECURE_BOOT_ENABLED
 PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN:.bin=-unsigned.bin)
 # add an extra signing step for secure partition table
-$(PARTITION_TABLE_BIN): $(PARTITION_TABLE_BIN_UNSIGNED)
-	$(Q) $(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
+$(PARTITION_TABLE_BIN): $(PARTITION_TABLE_BIN_UNSIGNED) $(SDKCONFIG_MAKEFILE) $(SECURE_BOOT_SIGNING_KEY)
+	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
 else
 # secure bootloader disabled, both files are the same
 PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN)
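Review bot: The two prerequisites added to the `$(PARTITION_TABLE_BIN)` rule are undocumented, and the recipe depends on prerequisite order because it signs `$<`. The existing comment only says that a signing step is added. I would extend it to something like `# re-sign when the key file or sdkconfig changes; the unsigned table must stay the first prerequisite because the recipe signs $<`. That sdkconfig is listed because it selects the key path is my reading of the change, not something this hunk shows. The conditional opened by `ifdef CONFIG_SECURE_BOOT_ENABLED` continues past the end of the hunk.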