mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
secure boot: Fix bug where verification key was not embedded in app
This commit is contained in:
parent
4c4b1da7e7
commit
90568fbf00
@ -36,30 +36,60 @@ idf_component_register(SRCS "${srcs}"
|
|||||||
REQUIRES "${requires}"
|
REQUIRES "${requires}"
|
||||||
PRIV_REQUIRES "${priv_requires}")
|
PRIV_REQUIRES "${priv_requires}")
|
||||||
|
|
||||||
if(BOOTLOADER_BUILD AND CONFIG_SECURE_SIGNED_APPS)
|
if(CONFIG_SECURE_SIGNED_APPS)
|
||||||
# Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed
|
if(BOOTLOADER_BUILD)
|
||||||
# in the library.
|
# Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed
|
||||||
if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
|
# in the library.
|
||||||
# We generate the key from the signing key. The signing key is passed from the main project.
|
if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
|
||||||
get_filename_component(secure_boot_signing_key
|
# We generate the key from the signing key. The signing key is passed from the main project.
|
||||||
"${SECURE_BOOT_SIGNING_KEY}"
|
get_filename_component(secure_boot_signing_key
|
||||||
ABSOLUTE BASE_DIR "${project_dir}")
|
"${SECURE_BOOT_SIGNING_KEY}"
|
||||||
get_filename_component(secure_boot_verification_key
|
ABSOLUTE BASE_DIR "${project_dir}")
|
||||||
"signature_verification_key.bin"
|
get_filename_component(secure_boot_verification_key
|
||||||
ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
|
"signature_verification_key.bin"
|
||||||
add_custom_command(OUTPUT "${secure_boot_verification_key}"
|
ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
|
||||||
COMMAND ${ESPSECUREPY}
|
add_custom_command(OUTPUT "${secure_boot_verification_key}"
|
||||||
|
COMMAND ${ESPSECUREPY}
|
||||||
extract_public_key --keyfile "${secure_boot_signing_key}"
|
extract_public_key --keyfile "${secure_boot_signing_key}"
|
||||||
"${secure_boot_verification_key}"
|
"${secure_boot_verification_key}"
|
||||||
VERBATIM)
|
DEPENDS ${secure_boot_signing_key}
|
||||||
else()
|
VERBATIM)
|
||||||
# We expect to 'inherit' the verification key passed from main project.
|
else()
|
||||||
get_filename_component(secure_boot_verification_key
|
# We expect to 'inherit' the verification key passed from main project.
|
||||||
${SECURE_BOOT_VERIFICATION_KEY}
|
get_filename_component(secure_boot_verification_key
|
||||||
ABSOLUTE BASE_DIR "${project_dir}")
|
${SECURE_BOOT_VERIFICATION_KEY}
|
||||||
|
ABSOLUTE BASE_DIR "${project_dir}")
|
||||||
|
endif()
|
||||||
|
else() # normal app build
|
||||||
|
idf_build_get_property(project_dir PROJECT_DIR)
|
||||||
|
|
||||||
|
if(CONFIG_SECURE_BOOT_VERIFICATION_KEY)
|
||||||
|
# verification-only build supplies verification key
|
||||||
|
set(secure_boot_verification_key ${CONFIG_SECURE_BOOT_VERIFICATION_KEY})
|
||||||
|
get_filename_component(secure_boot_verification_key
|
||||||
|
${secure_boot_verification_key}
|
||||||
|
ABSOLUTE BASE_DIR "${project_dir}")
|
||||||
|
else()
|
||||||
|
# sign at build time, extracts key from signing key
|
||||||
|
set(secure_boot_verification_key "${CMAKE_BINARY_DIR}/signature_verification_key.bin")
|
||||||
|
get_filename_component(secure_boot_signing_key
|
||||||
|
${CONFIG_SECURE_BOOT_SIGNING_KEY}
|
||||||
|
ABSOLUTE BASE_DIR "${project_dir}")
|
||||||
|
|
||||||
|
add_custom_command(OUTPUT "${secure_boot_verification_key}"
|
||||||
|
COMMAND ${ESPSECUREPY}
|
||||||
|
extract_public_key --keyfile "${secure_boot_signing_key}"
|
||||||
|
"${secure_boot_verification_key}"
|
||||||
|
WORKING_DIRECTORY ${project_dir}
|
||||||
|
DEPENDS ${secure_boot_signing_key}
|
||||||
|
VERBATIM)
|
||||||
|
endif()
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY")
|
# Embed the verification key in the binary (app & bootloader)
|
||||||
|
#
|
||||||
|
target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY"
|
||||||
|
RENAME_TO signature_verification_key_bin)
|
||||||
set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
|
set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
|
||||||
APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
|
APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
|
||||||
"${secure_boot_verification_key}")
|
"${secure_boot_verification_key}")
|
||||||
|
@ -38,9 +38,14 @@ string(REGEX REPLACE "[^\n]+$" ".byte \\0\n" data "${data}")
|
|||||||
string(REGEX REPLACE "[0-9a-f][0-9a-f]" "0x\\0, " data "${data}") # hex formatted C bytes
|
string(REGEX REPLACE "[0-9a-f][0-9a-f]" "0x\\0, " data "${data}") # hex formatted C bytes
|
||||||
string(REGEX REPLACE ", \n" "\n" data "${data}") # trim the last comma
|
string(REGEX REPLACE ", \n" "\n" data "${data}") # trim the last comma
|
||||||
|
|
||||||
## Come up with C-friendly symbol name based on source file
|
## Come up with C-friendly variable name based on source file
|
||||||
get_filename_component(source_filename "${DATA_FILE}" NAME)
|
# unless VARIABLE_BASENAME is set
|
||||||
string(MAKE_C_IDENTIFIER "${source_filename}" varname)
|
if(NOT VARIABLE_BASENAME)
|
||||||
|
get_filename_component(source_filename "${DATA_FILE}" NAME)
|
||||||
|
string(MAKE_C_IDENTIFIER "${source_filename}" varname)
|
||||||
|
else()
|
||||||
|
string(MAKE_C_IDENTIFIER "${VARIABLE_BASENAME}" varname)
|
||||||
|
endif()
|
||||||
|
|
||||||
function(append str)
|
function(append str)
|
||||||
file(APPEND "${SOURCE_FILE}" "${str}")
|
file(APPEND "${SOURCE_FILE}" "${str}")
|
||||||
|
@ -77,6 +77,7 @@ endfunction()
|
|||||||
# by converting it to a generated source file which is then compiled
|
# by converting it to a generated source file which is then compiled
|
||||||
# to a binary object as part of the build
|
# to a binary object as part of the build
|
||||||
function(target_add_binary_data target embed_file embed_type)
|
function(target_add_binary_data target embed_file embed_type)
|
||||||
|
cmake_parse_arguments(_ "" "RENAME_TO" "" ${ARGN})
|
||||||
idf_build_get_property(build_dir BUILD_DIR)
|
idf_build_get_property(build_dir BUILD_DIR)
|
||||||
idf_build_get_property(idf_path IDF_PATH)
|
idf_build_get_property(idf_path IDF_PATH)
|
||||||
|
|
||||||
@ -85,10 +86,16 @@ function(target_add_binary_data target embed_file embed_type)
|
|||||||
get_filename_component(name "${embed_file}" NAME)
|
get_filename_component(name "${embed_file}" NAME)
|
||||||
set(embed_srcfile "${build_dir}/${name}.S")
|
set(embed_srcfile "${build_dir}/${name}.S")
|
||||||
|
|
||||||
|
set(rename_to_arg)
|
||||||
|
if(__RENAME_TO) # use a predefined variable name
|
||||||
|
set(rename_to_arg -D "VARIABLE_BASENAME=${__RENAME_TO}")
|
||||||
|
endif()
|
||||||
|
|
||||||
add_custom_command(OUTPUT "${embed_srcfile}"
|
add_custom_command(OUTPUT "${embed_srcfile}"
|
||||||
COMMAND "${CMAKE_COMMAND}"
|
COMMAND "${CMAKE_COMMAND}"
|
||||||
-D "DATA_FILE=${embed_file}"
|
-D "DATA_FILE=${embed_file}"
|
||||||
-D "SOURCE_FILE=${embed_srcfile}"
|
-D "SOURCE_FILE=${embed_srcfile}"
|
||||||
|
${rename_to_arg}
|
||||||
-D "FILE_TYPE=${embed_type}"
|
-D "FILE_TYPE=${embed_type}"
|
||||||
-P "${idf_path}/tools/cmake/scripts/data_file_embed_asm.cmake"
|
-P "${idf_path}/tools/cmake/scripts/data_file_embed_asm.cmake"
|
||||||
MAIN_DEPENDENCY "${embed_file}"
|
MAIN_DEPENDENCY "${embed_file}"
|
||||||
|
Loading…
Reference in New Issue
Block a user