Crash_Override/OVMS3-idf
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

secure boot: Fix bug where verification key was not embedded in app

Browse source
This commit is contained in:
Angus Gratton 2019-10-29 12:46:09 +11:00 committed by Angus Gratton
parent 4c4b1da7e7
commit 90568fbf00
3 changed files with 65 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

70
components/bootloader_support/CMakeLists.txt
View file

@ -36,30 +36,60 @@ idf_component_register(SRCS "${srcs}"
REQUIRES "${requires}"
PRIV_REQUIRES "${priv_requires}")
if(BOOTLOADER_BUILD AND CONFIG_SECURE_SIGNED_APPS)
# Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed
# in the library.
if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
# We generate the key from the signing key. The signing key is passed from the main project.
get_filename_component(secure_boot_signing_key
"${SECURE_BOOT_SIGNING_KEY}"
ABSOLUTE BASE_DIR "${project_dir}")
get_filename_component(secure_boot_verification_key
"signature_verification_key.bin"
ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
add_custom_command(OUTPUT "${secure_boot_verification_key}"
COMMAND ${ESPSECUREPY}
if(CONFIG_SECURE_SIGNED_APPS)
if(BOOTLOADER_BUILD)
# Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed
# in the library.
if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
# We generate the key from the signing key. The signing key is passed from the main project.
get_filename_component(secure_boot_signing_key
"${SECURE_BOOT_SIGNING_KEY}"
ABSOLUTE BASE_DIR "${project_dir}")
get_filename_component(secure_boot_verification_key
"signature_verification_key.bin"
ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
add_custom_command(OUTPUT "${secure_boot_verification_key}"
COMMAND ${ESPSECUREPY}
extract_public_key --keyfile "${secure_boot_signing_key}"
"${secure_boot_verification_key}"
VERBATIM)
else()
# We expect to 'inherit' the verification key passed from main project.
get_filename_component(secure_boot_verification_key
${SECURE_BOOT_VERIFICATION_KEY}
ABSOLUTE BASE_DIR "${project_dir}")
DEPENDS ${secure_boot_signing_key}
VERBATIM)
else()
# We expect to 'inherit' the verification key passed from main project.
get_filename_component(secure_boot_verification_key
${SECURE_BOOT_VERIFICATION_KEY}
ABSOLUTE BASE_DIR "${project_dir}")
endif()
else() # normal app build
idf_build_get_property(project_dir PROJECT_DIR)
if(CONFIG_SECURE_BOOT_VERIFICATION_KEY)
# verification-only build supplies verification key
set(secure_boot_verification_key ${CONFIG_SECURE_BOOT_VERIFICATION_KEY})
get_filename_component(secure_boot_verification_key
${secure_boot_verification_key}
ABSOLUTE BASE_DIR "${project_dir}")
else()
# sign at build time, extracts key from signing key
set(secure_boot_verification_key "${CMAKE_BINARY_DIR}/signature_verification_key.bin")
get_filename_component(secure_boot_signing_key
${CONFIG_SECURE_BOOT_SIGNING_KEY}
ABSOLUTE BASE_DIR "${project_dir}")
add_custom_command(OUTPUT "${secure_boot_verification_key}"
COMMAND ${ESPSECUREPY}
extract_public_key --keyfile "${secure_boot_signing_key}"
"${secure_boot_verification_key}"
WORKING_DIRECTORY ${project_dir}
DEPENDS ${secure_boot_signing_key}
VERBATIM)
endif()
endif()
target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY")
# Embed the verification key in the binary (app & bootloader)
#
target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY"
RENAME_TO signature_verification_key_bin)
set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
"${secure_boot_verification_key}")

11
tools/cmake/scripts/data_file_embed_asm.cmake
View file

@ -38,9 +38,14 @@ string(REGEX REPLACE "[^\n]+$" ".byte \\0\n" data "${data}")
string(REGEX REPLACE "[0-9a-f][0-9a-f]" "0x\\0, " data "${data}") # hex formatted C bytes
string(REGEX REPLACE ", \n" "\n" data "${data}") # trim the last comma
## Come up with C-friendly symbol name based on source file
get_filename_component(source_filename "${DATA_FILE}" NAME)
string(MAKE_C_IDENTIFIER "${source_filename}" varname)
## Come up with C-friendly variable name based on source file
# unless VARIABLE_BASENAME is set
if(NOT VARIABLE_BASENAME)
get_filename_component(source_filename "${DATA_FILE}" NAME)
string(MAKE_C_IDENTIFIER "${source_filename}" varname)
else()
string(MAKE_C_IDENTIFIER "${VARIABLE_BASENAME}" varname)
endif()
function(append str)
file(APPEND "${SOURCE_FILE}" "${str}")

7
tools/cmake/utilities.cmake
View file

@ -77,6 +77,7 @@ endfunction()
# by converting it to a generated source file which is then compiled
# to a binary object as part of the build
function(target_add_binary_data target embed_file embed_type)
cmake_parse_arguments(_ "" "RENAME_TO" "" ${ARGN})
idf_build_get_property(build_dir BUILD_DIR)
idf_build_get_property(idf_path IDF_PATH)
@ -85,10 +86,16 @@ function(target_add_binary_data target embed_file embed_type)
get_filename_component(name "${embed_file}" NAME)
set(embed_srcfile "${build_dir}/${name}.S")
set(rename_to_arg)
if(__RENAME_TO) # use a predefined variable name
set(rename_to_arg -D "VARIABLE_BASENAME=${__RENAME_TO}")
endif()
add_custom_command(OUTPUT "${embed_srcfile}"
COMMAND "${CMAKE_COMMAND}"
-D "DATA_FILE=${embed_file}"
-D "SOURCE_FILE=${embed_srcfile}"
${rename_to_arg}
-D "FILE_TYPE=${embed_type}"
-P "${idf_path}/tools/cmake/scripts/data_file_embed_asm.cmake"
MAIN_DEPENDENCY "${embed_file}"