Secure boot: Correctly re-sign if signing key changes, better error if missing

2016-11-25 14:13:05 +11:00 · 2016-11-25 14:13:05 +11:00 · a9d5e26748
parent 506c8cd964
commit a9d5e26748
4 changed files with 12 additions and 13 deletions
--- a/components/bootloader_support/Makefile.projbuild
+++ b/components/bootloader_support/Makefile.projbuild
@ -0,0 +1,7 @@
+$(SECURE_BOOT_SIGNING_KEY):
+	@echo "Need to generate secure boot signing key."
+	@echo "One way is to run this command:"
+	@echo "$(ESPSECUREPY) generate_signing_key $@"
+	@echo "Keep key file safe after generating."
+	@echo "(See secure boot documentation for risks & alternatives.)"
+	@exit 1
--- a/components/bootloader_support/component.mk
+++ b/components/bootloader_support/component.mk
@ -17,14 +17,6 @@ ifdef CONFIG_SECURE_BOOT_ENABLED
 # this path is created relative to the component build directory
 SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)

-$(SECURE_BOOT_SIGNING_KEY):
-	@echo "Need to generate secure boot signing key."
-	@echo "One way is to run this command:"
-	@echo "$(ESPSECUREPY) generate_signing_key $@"
-	@echo "Keep key file safe after generating."
-	@echo "(See secure boot documentation for risks & alternatives.)"
-	@exit 1
-
 $(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY)
 	$(ESPSECUREPY) extract_public_key --keyfile $< $@

--- a/components/esptool_py/Makefile.projbuild
+++ b/components/esptool_py/Makefile.projbuild
@ -33,8 +33,8 @@ ifndef IS_BOOTLOADER_BUILD
 # for secure boot, add a signing step to get from unsiged app to signed app
 APP_BIN_UNSIGNED := $(APP_BIN:.bin=-unsigned.bin)

-$(APP_BIN): $(APP_BIN_UNSIGNED)
-	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $^  # signed in-place
+$(APP_BIN): $(APP_BIN_UNSIGNED) $(SECURE_BOOT_SIGNING_KEY)
+	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
 endif
 endif
 # non-secure boot (or bootloader), both these files are the same
--- a/components/partition_table/Makefile.projbuild
+++ b/components/partition_table/Makefile.projbuild
@ -21,11 +21,11 @@ PARTITION_TABLE_CSV_PATH := $(call dequote,$(abspath $(PARTITION_TABLE_ROOT)/$(s

 PARTITION_TABLE_BIN := $(BUILD_DIR_BASE)/$(notdir $(PARTITION_TABLE_CSV_PATH:.csv=.bin))

-ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
+ifdef CONFIG_SECURE_BOOT_ENABLED
 PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN:.bin=-unsigned.bin)
 # add an extra signing step for secure partition table
-$(PARTITION_TABLE_BIN): $(PARTITION_TABLE_BIN_UNSIGNED)
-	$(Q) $(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
+$(PARTITION_TABLE_BIN): $(PARTITION_TABLE_BIN_UNSIGNED) $(SDKCONFIG_MAKEFILE) $(SECURE_BOOT_SIGNING_KEY)
+	$(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
 else
 # secure bootloader disabled, both files are the same
 PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN)