secure boot: Fix bug where verification key was not embedded in app

This commit is contained in:
Angus Gratton 2019-10-29 12:46:09 +11:00 committed by Angus Gratton
parent 4c4b1da7e7
commit 90568fbf00
3 changed files with 65 additions and 23 deletions

View File

@ -36,30 +36,60 @@ idf_component_register(SRCS "${srcs}"
REQUIRES "${requires}" REQUIRES "${requires}"
PRIV_REQUIRES "${priv_requires}") PRIV_REQUIRES "${priv_requires}")
if(BOOTLOADER_BUILD AND CONFIG_SECURE_SIGNED_APPS) if(CONFIG_SECURE_SIGNED_APPS)
# Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed if(BOOTLOADER_BUILD)
# in the library. # Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed
if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES) # in the library.
# We generate the key from the signing key. The signing key is passed from the main project. if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
get_filename_component(secure_boot_signing_key # We generate the key from the signing key. The signing key is passed from the main project.
"${SECURE_BOOT_SIGNING_KEY}" get_filename_component(secure_boot_signing_key
ABSOLUTE BASE_DIR "${project_dir}") "${SECURE_BOOT_SIGNING_KEY}"
get_filename_component(secure_boot_verification_key ABSOLUTE BASE_DIR "${project_dir}")
"signature_verification_key.bin" get_filename_component(secure_boot_verification_key
ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}") "signature_verification_key.bin"
add_custom_command(OUTPUT "${secure_boot_verification_key}" ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
COMMAND ${ESPSECUREPY} add_custom_command(OUTPUT "${secure_boot_verification_key}"
COMMAND ${ESPSECUREPY}
extract_public_key --keyfile "${secure_boot_signing_key}" extract_public_key --keyfile "${secure_boot_signing_key}"
"${secure_boot_verification_key}" "${secure_boot_verification_key}"
VERBATIM) DEPENDS ${secure_boot_signing_key}
else() VERBATIM)
# We expect to 'inherit' the verification key passed from main project. else()
get_filename_component(secure_boot_verification_key # We expect to 'inherit' the verification key passed from main project.
${SECURE_BOOT_VERIFICATION_KEY} get_filename_component(secure_boot_verification_key
ABSOLUTE BASE_DIR "${project_dir}") ${SECURE_BOOT_VERIFICATION_KEY}
ABSOLUTE BASE_DIR "${project_dir}")
endif()
else() # normal app build
idf_build_get_property(project_dir PROJECT_DIR)
if(CONFIG_SECURE_BOOT_VERIFICATION_KEY)
# verification-only build supplies verification key
set(secure_boot_verification_key ${CONFIG_SECURE_BOOT_VERIFICATION_KEY})
get_filename_component(secure_boot_verification_key
${secure_boot_verification_key}
ABSOLUTE BASE_DIR "${project_dir}")
else()
# sign at build time, extracts key from signing key
set(secure_boot_verification_key "${CMAKE_BINARY_DIR}/signature_verification_key.bin")
get_filename_component(secure_boot_signing_key
${CONFIG_SECURE_BOOT_SIGNING_KEY}
ABSOLUTE BASE_DIR "${project_dir}")
add_custom_command(OUTPUT "${secure_boot_verification_key}"
COMMAND ${ESPSECUREPY}
extract_public_key --keyfile "${secure_boot_signing_key}"
"${secure_boot_verification_key}"
WORKING_DIRECTORY ${project_dir}
DEPENDS ${secure_boot_signing_key}
VERBATIM)
endif()
endif() endif()
target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY") # Embed the verification key in the binary (app & bootloader)
#
target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY"
RENAME_TO signature_verification_key_bin)
set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}" set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES
"${secure_boot_verification_key}") "${secure_boot_verification_key}")

View File

@ -38,9 +38,14 @@ string(REGEX REPLACE "[^\n]+$" ".byte \\0\n" data "${data}")
string(REGEX REPLACE "[0-9a-f][0-9a-f]" "0x\\0, " data "${data}") # hex formatted C bytes string(REGEX REPLACE "[0-9a-f][0-9a-f]" "0x\\0, " data "${data}") # hex formatted C bytes
string(REGEX REPLACE ", \n" "\n" data "${data}") # trim the last comma string(REGEX REPLACE ", \n" "\n" data "${data}") # trim the last comma
## Come up with C-friendly symbol name based on source file ## Come up with C-friendly variable name based on source file
get_filename_component(source_filename "${DATA_FILE}" NAME) # unless VARIABLE_BASENAME is set
string(MAKE_C_IDENTIFIER "${source_filename}" varname) if(NOT VARIABLE_BASENAME)
get_filename_component(source_filename "${DATA_FILE}" NAME)
string(MAKE_C_IDENTIFIER "${source_filename}" varname)
else()
string(MAKE_C_IDENTIFIER "${VARIABLE_BASENAME}" varname)
endif()
function(append str) function(append str)
file(APPEND "${SOURCE_FILE}" "${str}") file(APPEND "${SOURCE_FILE}" "${str}")

View File

@ -77,6 +77,7 @@ endfunction()
# by converting it to a generated source file which is then compiled # by converting it to a generated source file which is then compiled
# to a binary object as part of the build # to a binary object as part of the build
function(target_add_binary_data target embed_file embed_type) function(target_add_binary_data target embed_file embed_type)
cmake_parse_arguments(_ "" "RENAME_TO" "" ${ARGN})
idf_build_get_property(build_dir BUILD_DIR) idf_build_get_property(build_dir BUILD_DIR)
idf_build_get_property(idf_path IDF_PATH) idf_build_get_property(idf_path IDF_PATH)
@ -85,10 +86,16 @@ function(target_add_binary_data target embed_file embed_type)
get_filename_component(name "${embed_file}" NAME) get_filename_component(name "${embed_file}" NAME)
set(embed_srcfile "${build_dir}/${name}.S") set(embed_srcfile "${build_dir}/${name}.S")
set(rename_to_arg)
if(__RENAME_TO) # use a predefined variable name
set(rename_to_arg -D "VARIABLE_BASENAME=${__RENAME_TO}")
endif()
add_custom_command(OUTPUT "${embed_srcfile}" add_custom_command(OUTPUT "${embed_srcfile}"
COMMAND "${CMAKE_COMMAND}" COMMAND "${CMAKE_COMMAND}"
-D "DATA_FILE=${embed_file}" -D "DATA_FILE=${embed_file}"
-D "SOURCE_FILE=${embed_srcfile}" -D "SOURCE_FILE=${embed_srcfile}"
${rename_to_arg}
-D "FILE_TYPE=${embed_type}" -D "FILE_TYPE=${embed_type}"
-P "${idf_path}/tools/cmake/scripts/data_file_embed_asm.cmake" -P "${idf_path}/tools/cmake/scripts/data_file_embed_asm.cmake"
MAIN_DEPENDENCY "${embed_file}" MAIN_DEPENDENCY "${embed_file}"