kconfig: Add option for encryption of binaries
Introduce new Kconfig option MCUBOOT_ENCRYPTION_KEY_FILE. If the string is not empty, CMake will try to encrypt the final binaries using the given key file. Signed-off-by: Helge Juul <helge@fastmail.com>
parent
936f3523d3
commit
8749cd4d76
2 changed files with 63 additions and 24 deletions
|
@ -535,16 +535,43 @@ config MCUBOOT_SIGNATURE_KEY_FILE
|
|||
The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
|
||||
and CONFIG_BUILD_OUTPUT_HEX.
|
||||
|
||||
This option should contain an absolute path to the same file
|
||||
as the BOOT_SIGNATURE_KEY_FILE option in your MCUboot
|
||||
.config. (The MCUboot config option is used for the MCUboot
|
||||
bootloader image; this option is for your application which
|
||||
is to be loaded by MCUboot. The MCUboot config option can be
|
||||
a relative path from the MCUboot repository root; this option's
|
||||
behavior is undefined for relative paths.)
|
||||
This option should contain a path to the same file as the
|
||||
BOOT_SIGNATURE_KEY_FILE option in your MCUboot .config. The path
|
||||
may be absolute or relative to the west workspace topdir. (The MCUboot
|
||||
config option is used for the MCUboot bootloader image; this option is
|
||||
for your application which is to be loaded by MCUboot. The MCUboot
|
||||
config option can be a relative path from the MCUboot repository
|
||||
root.)
|
||||
|
||||
If left empty, you must sign the Zephyr binaries manually.
|
||||
|
||||
config MCUBOOT_ENCRYPTION_KEY_FILE
|
||||
string "Path to the mcuboot encryption key file"
|
||||
default ""
|
||||
depends on MCUBOOT_SIGNATURE_KEY_FILE != ""
|
||||
help
|
||||
The file contains the public key that is used to encrypt the
|
||||
ephemeral key that encrypts the image. The corresponding
|
||||
private key is hard coded in the MCUboot source code and is
|
||||
used to decrypt the ephemeral key that is embedded in the
|
||||
image. The file is in PEM format.
|
||||
|
||||
If set to a non-empty value, the build system tries to
|
||||
sign and encrypt the final binaries using a 'west sign -t imgtool'
|
||||
command. The binaries are placed in the build directory at
|
||||
zephyr/zephyr.signed.encrypted.bin and
|
||||
zephyr/zephyr.signed.encrypted.hex.
|
||||
|
||||
The file names can be customized with CONFIG_KERNEL_BIN_NAME.
|
||||
The existence of bin and hex files depends on CONFIG_BUILD_OUTPUT_BIN
|
||||
and CONFIG_BUILD_OUTPUT_HEX.
|
||||
|
||||
This option should either be an absolute path or a path relative to
|
||||
the west workspace topdir.
|
||||
Example: './bootloader/mcuboot/enc-rsa2048-pub.pem'
|
||||
|
||||
If left empty, you must encrypt the Zephyr binaries manually.
|
||||
|
||||
config MCUBOOT_EXTRA_IMGTOOL_ARGS
|
||||
string "Extra arguments to pass to imgtool"
|
||||
default ""
|
||||
|
|
|
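Review bot: The example path in the MCUBOOT_ENCRYPTION_KEY_FILE help, `./bootloader/mcuboot/enc-rsa2048-pub.pem`, appears to be the sample encryption key kept in the MCUboot tree. Its private half is published alongside it, so an image encrypted with that key gives no confidentiality, and the help text should say so. A suggested line after the example: `The key pairs shipped with MCUboot are public samples for development only; generate your own key pair for production.` The help could also state that the bootloader must be built with the matching private key, since this option only configures the application side. The MCUBOOT_EXTRA_IMGTOOL_ARGS entry at the end of the hunk continues outside it.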
@ -18,6 +18,7 @@ endfunction()
|
|||
|
||||
function(zephyr_mcuboot_tasks)
|
||||
set(keyfile "${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}")
|
||||
set(keyfile_enc "${CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE}")
|
||||
|
||||
# Check for misconfiguration.
|
||||
if("${keyfile}" STREQUAL "")
|
||||
|
@ -31,24 +32,20 @@ function(zephyr_mcuboot_tasks)
|
|||
message(FATAL_ERROR "Can't sign images for MCUboot: west not found. To fix, install west and ensure it's on PATH.")
|
||||
endif()
|
||||
|
||||
if(NOT IS_ABSOLUTE "${keyfile}")
|
||||
# Relative paths are relative to 'west topdir'.
|
||||
set(keyfile "${WEST_TOPDIR}/${keyfile}")
|
||||
set(keyfile_relative TRUE)
|
||||
else()
|
||||
set(keyfile_relative FALSE)
|
||||
endif()
|
||||
foreach(file keyfile keyfile_enc)
|
||||
if(NOT "${${file}}" STREQUAL "")
|
||||
if(NOT IS_ABSOLUTE "${${file}}")
|
||||
# Relative paths are relative to 'west topdir'.
|
||||
set(${file} "${WEST_TOPDIR}/${${file}}")
|
||||
endif()
|
||||
|
||||
if(NOT EXISTS "${keyfile}")
|
||||
if(keyfile_relative)
|
||||
set(relative_msg " Note: relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\".")
|
||||
else()
|
||||
set(relative_msg "")
|
||||
if(NOT EXISTS "${${file}}")
|
||||
message(FATAL_ERROR "west sign can't find file ${${file}} (Note: Relative paths are relative to the west workspace topdir \"${WEST_TOPDIR}\")")
|
||||
elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
|
||||
message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
|
||||
endif()
|
||||
endif()
|
||||
message(FATAL_ERROR "Can't sign images for MCUboot: CONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"${CONFIG_MCUBOOT_SIGNATURE_KEY_FILE}\" not found.${relative_msg}")
|
||||
elseif(NOT (CONFIG_BUILD_OUTPUT_BIN OR CONFIG_BUILD_OUTPUT_HEX))
|
||||
message(FATAL_ERROR "Can't sign images for MCUboot: Neither CONFIG_BUILD_OUTPUT_BIN nor CONFIG_BUILD_OUTPUT_HEX is enabled, so there's nothing to sign.")
|
||||
endif()
|
||||
endforeach()
|
||||
|
||||
# Find imgtool. Even though west is installed, imgtool might not be.
|
||||
# The user may also have a custom manifest which doesn't include
|
||||
|
@ -95,9 +92,10 @@ function(zephyr_mcuboot_tasks)
|
|||
# List of additional build byproducts.
|
||||
set(byproducts)
|
||||
|
||||
# 'west sign' arguments for confirmed and unconfirmed images.
|
||||
# 'west sign' arguments for confirmed, unconfirmed and encrypted images.
|
||||
set(unconfirmed_args)
|
||||
set(confirmed_args)
|
||||
set(encrypted_args)
|
||||
|
||||
# Set up .bin outputs.
|
||||
if(CONFIG_BUILD_OUTPUT_BIN)
|
||||
|
@ -109,6 +107,11 @@ function(zephyr_mcuboot_tasks)
|
|||
list(APPEND confirmed_args --bin --sbin ${output}.signed.confirmed.bin)
|
||||
list(APPEND byproducts ${output}.signed.confirmed.bin)
|
||||
endif()
|
||||
|
||||
if(NOT "${keyfile_enc}" STREQUAL "")
|
||||
list(APPEND encrypted_args --bin --sbin ${output}.signed.encrypted.bin)
|
||||
list(APPEND byproducts ${output}.signed.encrypted.bin)
|
||||
endif()
|
||||
endif()
|
||||
|
||||
# Set up .hex outputs.
|
||||
|
@ -121,6 +124,11 @@ function(zephyr_mcuboot_tasks)
|
|||
list(APPEND confirmed_args --hex --shex ${output}.signed.confirmed.hex)
|
||||
list(APPEND byproducts ${output}.signed.confirmed.hex)
|
||||
endif()
|
||||
|
||||
if(NOT "${keyfile_enc}" STREQUAL "")
|
||||
list(APPEND encrypted_args --hex --shex ${output}.signed.encrypted.hex)
|
||||
list(APPEND byproducts ${output}.signed.encrypted.hex)
|
||||
endif()
|
||||
endif()
|
||||
|
||||
# Add the west sign calls and their byproducts to the post-processing
|
||||
|
@ -136,6 +144,10 @@ function(zephyr_mcuboot_tasks)
|
|||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
|
||||
${west_sign} ${confirmed_args} ${imgtool_args} --pad --confirm)
|
||||
endif()
|
||||
if(encrypted_args)
|
||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_commands COMMAND
|
||||
${west_sign} ${encrypted_args} ${imgtool_args} --encrypt "${keyfile_enc}")
|
||||
endif()
|
||||
set_property(GLOBAL APPEND PROPERTY extra_post_build_byproducts ${byproducts})
|
||||
endfunction()
|
||||
|
||||
|
|
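Review bot: As far as the visible hunks show, setting `keyfile_enc` only adds a third `west sign` call; `confirmed_args` is still filled in the .bin and .hex blocks, so signed but unencrypted images are produced next to the `*.signed.encrypted.*` files. A comment above `if(encrypted_args)` would make that explicit, for example `# Plaintext signed images are still generated; distribute only the *.signed.encrypted.* outputs when confidentiality matters.` Separately, the new `foreach` error `west sign can't find file ${${file}}` no longer names the Kconfig option holding the bad path, which the removed message did. Adding `CONFIG_MCUBOOT_SIGNATURE_KEY_FILE` or `CONFIG_MCUBOOT_ENCRYPTION_KEY_FILE` to the text would restore that. The body of `zephyr_mcuboot_tasks` spans several hunks and parts of it, including how `imgtool_args` and `west_sign` are built, are not shown.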