From a9d5e2674831e174ee160e8eabd369ccc06c8397 Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Fri, 25 Nov 2016 14:13:05 +1100
Subject: [PATCH] Secure boot: Correctly re-sign if signing key changes, better error if missing
---
 components/bootloader_support/Makefile.projbuild | 7 +++++++
 components/bootloader_support/component.mk | 8 --------
 components/esptool_py/Makefile.projbuild | 4 ++--
 components/partition_table/Makefile.projbuild | 6 +++---
 4 files changed, 12 insertions(+), 13 deletions(-)
 create mode 100644 components/bootloader_support/Makefile.projbuild
diff --git a/components/bootloader_support/Makefile.projbuild b/components/bootloader_support/Makefile.projbuild
new file mode 100644
index 0000000000..ee62930c60
--- /dev/null
+++ b/components/bootloader_support/Makefile.projbuild
@@ -0,0 +1,7 @@
+$(SECURE_BOOT_SIGNING_KEY):
+ @echo "Need to generate secure boot signing key."
+ @echo "One way is to run this command:"
+ @echo "$(ESPSECUREPY) generate_signing_key $@"
+ @echo "Keep key file safe after generating."
+ @echo "(See secure boot documentation for risks & alternatives.)"
+ @exit 1
diff --git a/components/bootloader_support/component.mk b/components/bootloader_support/component.mk
index c3ece6dca9..1435dbb76b 100755
--- a/components/bootloader_support/component.mk
+++ b/components/bootloader_support/component.mk
@@ -17,14 +17,6 @@ ifdef CONFIG_SECURE_BOOT_ENABLED
 # this path is created relative to the component build directory
 SECURE_BOOT_VERIFICATION_KEY := $(abspath signature_verification_key.bin)
-$(SECURE_BOOT_SIGNING_KEY):
- @echo "Need to generate secure boot signing key."
- @echo "One way is to run this command:"
- @echo "$(ESPSECUREPY) generate_signing_key $@"
- @echo "Keep key file safe after generating."
- @echo "(See secure boot documentation for risks & alternatives.)"
- @exit 1
-
 $(SECURE_BOOT_VERIFICATION_KEY): $(SECURE_BOOT_SIGNING_KEY)
 $(ESPSECUREPY) extract_public_key --keyfile $< $@
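Review bot: The `$(SECURE_BOOT_SIGNING_KEY):` rule in the new components/bootloader_support/Makefile.projbuild is no longer inside the `ifdef CONFIG_SECURE_BOOT_ENABLED` block that surrounded it in component.mk, so it is now defined for every build with whatever value the variable holds at that point. Where `SECURE_BOOT_SIGNING_KEY` is assigned is not visible in this patch; if it can be set while secure boot is disabled, wrapping the rule in `ifdef CONFIG_SECURE_BOOT_ENABLED` … `endif` would keep the previous scoping. A leading comment such as `# Fails on purpose instead of creating a key: the signing key has to be generated and stored by the developer.` would also record why the recipe ends in `exit 1`, which appears to be the intent given the "Keep key file safe" message.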
diff --git a/components/esptool_py/Makefile.projbuild b/components/esptool_py/Makefile.projbuild
index 4930ded38d..54221f1795 100644
--- a/components/esptool_py/Makefile.projbuild
+++ b/components/esptool_py/Makefile.projbuild
@@ -33,8 +33,8 @@ ifndef IS_BOOTLOADER_BUILD
 # for secure boot, add a signing step to get from unsiged app to signed app
 APP_BIN_UNSIGNED := $(APP_BIN:.bin=-unsigned.bin)
-$(APP_BIN): $(APP_BIN_UNSIGNED)
- $(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $^ # signed in-place
+$(APP_BIN): $(APP_BIN_UNSIGNED) $(SECURE_BOOT_SIGNING_KEY)
+ $(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
 endif
 endif
 # non-secure boot (or bootloader), both these files are the same
diff --git a/components/partition_table/Makefile.projbuild b/components/partition_table/Makefile.projbuild
index 8808a1bed9..dbc9d36053 100644
--- a/components/partition_table/Makefile.projbuild
+++ b/components/partition_table/Makefile.projbuild
@@ -21,11 +21,11 @@ PARTITION_TABLE_CSV_PATH := $(call dequote,$(abspath $(PARTITION_TABLE_ROOT)/$(s
 PARTITION_TABLE_BIN := $(BUILD_DIR_BASE)/$(notdir $(PARTITION_TABLE_CSV_PATH:.csv=.bin))
-ifdef CONFIG_SECURE_BOOTLOADER_ENABLED
+ifdef CONFIG_SECURE_BOOT_ENABLED
 PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN:.bin=-unsigned.bin)
 # add an extra signing step for secure partition table
-$(PARTITION_TABLE_BIN): $(PARTITION_TABLE_BIN_UNSIGNED)
- $(Q) $(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
+$(PARTITION_TABLE_BIN): $(PARTITION_TABLE_BIN_UNSIGNED) $(SDKCONFIG_MAKEFILE) $(SECURE_BOOT_SIGNING_KEY)
+ $(ESPSECUREPY) sign_data --keyfile $(SECURE_BOOT_SIGNING_KEY) -o $@ $<
 else
 # secure bootloader disabled, both files are the same
 PARTITION_TABLE_BIN_UNSIGNED := $(PARTITION_TABLE_BIN)
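Review bot: The new `$(APP_BIN)` rule lists `$(SECURE_BOOT_SIGNING_KEY)` but not `$(SDKCONFIG_MAKEFILE)`, while the matching `$(PARTITION_TABLE_BIN)` rule in components/partition_table/Makefile.projbuild lists both. If the key path comes from the project configuration (not shown in this patch), selecting a different key file whose timestamp is older than the existing signed image would leave `$(APP_BIN)` signed with the previous key, unless the unsigned binary happens to be rebuilt anyway. Assuming the variable is in scope here as well, the header could read `$(APP_BIN): $(APP_BIN_UNSIGNED) $(SDKCONFIG_MAKEFILE) $(SECURE_BOOT_SIGNING_KEY)` so both signing steps react to the same inputs. The enclosing `ifndef IS_BOOTLOADER_BUILD` block starts before this hunk.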
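Review bot: The partition-table signing recipe takes its input from `$<`, so it relies on `$(PARTITION_TABLE_BIN_UNSIGNED)` staying the first prerequisite now that two more follow it, and nothing in the hunk says why `$(SDKCONFIG_MAKEFILE)` is listed. I would add a comment above the rule, for example `# Unsigned table must stay first ($<); presumably re-signs when the config or the signing key changes`. The same ordering dependency applies to the `$(APP_BIN)` rule in components/esptool_py/Makefile.projbuild. The unchanged comment in the `else` branch still says "secure bootloader disabled" although the guard now tests `CONFIG_SECURE_BOOT_ENABLED`, so it may deserve a follow-up wording fix.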