From e8881352c543fcef7c39c828401611a3cca57b30 Mon Sep 17 00:00:00 2001 From: Angus Gratton Date: Tue, 29 Oct 2019 12:46:09 +1100 Subject: [PATCH] secure boot: Fix bug where verification key was not embedded in app --- components/bootloader_support/CMakeLists.txt | 70 +++++++++++++------ tools/cmake/scripts/data_file_embed_asm.cmake | 11 ++- tools/cmake/utilities.cmake | 7 ++ 3 files changed, 65 insertions(+), 23 deletions(-) diff --git a/components/bootloader_support/CMakeLists.txt b/components/bootloader_support/CMakeLists.txt index 038a2aec07..3dc065e664 100644 --- a/components/bootloader_support/CMakeLists.txt +++ b/components/bootloader_support/CMakeLists.txt @@ -36,30 +36,60 @@ idf_component_register(SRCS "${srcs}" REQUIRES "${requires}" PRIV_REQUIRES "${priv_requires}") -if(BOOTLOADER_BUILD AND CONFIG_SECURE_SIGNED_APPS) - # Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed - # in the library. - if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES) - # We generate the key from the signing key. The signing key is passed from the main project. - get_filename_component(secure_boot_signing_key - "${SECURE_BOOT_SIGNING_KEY}" - ABSOLUTE BASE_DIR "${project_dir}") - get_filename_component(secure_boot_verification_key - "signature_verification_key.bin" - ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}") - add_custom_command(OUTPUT "${secure_boot_verification_key}" - COMMAND ${ESPSECUREPY} +if(CONFIG_SECURE_SIGNED_APPS) + if(BOOTLOADER_BUILD) + # Whether CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES or not, we need verification key to embed + # in the library. + if(CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES) + # We generate the key from the signing key. The signing key is passed from the main project. + get_filename_component(secure_boot_signing_key + "${SECURE_BOOT_SIGNING_KEY}" + ABSOLUTE BASE_DIR "${project_dir}") + get_filename_component(secure_boot_verification_key + "signature_verification_key.bin" + ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}") + add_custom_command(OUTPUT "${secure_boot_verification_key}" + COMMAND ${ESPSECUREPY} extract_public_key --keyfile "${secure_boot_signing_key}" "${secure_boot_verification_key}" - VERBATIM) - else() - # We expect to 'inherit' the verification key passed from main project. - get_filename_component(secure_boot_verification_key - ${SECURE_BOOT_VERIFICATION_KEY} - ABSOLUTE BASE_DIR "${project_dir}") + DEPENDS ${secure_boot_signing_key} + VERBATIM) + else() + # We expect to 'inherit' the verification key passed from main project. + get_filename_component(secure_boot_verification_key + ${SECURE_BOOT_VERIFICATION_KEY} + ABSOLUTE BASE_DIR "${project_dir}") + endif() + else() # normal app build + idf_build_get_property(project_dir PROJECT_DIR) + + if(CONFIG_SECURE_BOOT_VERIFICATION_KEY) + # verification-only build supplies verification key + set(secure_boot_verification_key ${CONFIG_SECURE_BOOT_VERIFICATION_KEY}) + get_filename_component(secure_boot_verification_key + ${secure_boot_verification_key} + ABSOLUTE BASE_DIR "${project_dir}") + else() + # sign at build time, extracts key from signing key + set(secure_boot_verification_key "${CMAKE_BINARY_DIR}/signature_verification_key.bin") + get_filename_component(secure_boot_signing_key + ${CONFIG_SECURE_BOOT_SIGNING_KEY} + ABSOLUTE BASE_DIR "${project_dir}") + + add_custom_command(OUTPUT "${secure_boot_verification_key}" + COMMAND ${ESPSECUREPY} + extract_public_key --keyfile "${secure_boot_signing_key}" + "${secure_boot_verification_key}" + WORKING_DIRECTORY ${project_dir} + DEPENDS ${secure_boot_signing_key} + VERBATIM) + endif() endif() - target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY") + # Embed the verification key in the binary (app & bootloader) + # + target_add_binary_data(${COMPONENT_LIB} "${secure_boot_verification_key}" "BINARY" + RENAME_TO signature_verification_key_bin) set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}" APPEND PROPERTY ADDITIONAL_MAKE_CLEAN_FILES "${secure_boot_verification_key}") diff --git a/tools/cmake/scripts/data_file_embed_asm.cmake b/tools/cmake/scripts/data_file_embed_asm.cmake index 291f9fea26..cde5b27f76 100644 --- a/tools/cmake/scripts/data_file_embed_asm.cmake +++ b/tools/cmake/scripts/data_file_embed_asm.cmake @@ -38,9 +38,14 @@ string(REGEX REPLACE "[^\n]+$" ".byte \\0\n" data "${data}") string(REGEX REPLACE "[0-9a-f][0-9a-f]" "0x\\0, " data "${data}") # hex formatted C bytes string(REGEX REPLACE ", \n" "\n" data "${data}") # trim the last comma -## Come up with C-friendly symbol name based on source file -get_filename_component(source_filename "${DATA_FILE}" NAME) -string(MAKE_C_IDENTIFIER "${source_filename}" varname) +## Come up with C-friendly variable name based on source file +# unless VARIABLE_BASENAME is set +if(NOT VARIABLE_BASENAME) + get_filename_component(source_filename "${DATA_FILE}" NAME) + string(MAKE_C_IDENTIFIER "${source_filename}" varname) +else() + string(MAKE_C_IDENTIFIER "${VARIABLE_BASENAME}" varname) +endif() function(append str) file(APPEND "${SOURCE_FILE}" "${str}") diff --git a/tools/cmake/utilities.cmake b/tools/cmake/utilities.cmake index 758061307c..dcd4e9fbf5 100644 --- a/tools/cmake/utilities.cmake +++ b/tools/cmake/utilities.cmake @@ -77,6 +77,7 @@ endfunction() # by converting it to a generated source file which is then compiled # to a binary object as part of the build function(target_add_binary_data target embed_file embed_type) + cmake_parse_arguments(_ "" "RENAME_TO" "" ${ARGN}) idf_build_get_property(build_dir BUILD_DIR) idf_build_get_property(idf_path IDF_PATH) @@ -85,10 +86,16 @@ function(target_add_binary_data target embed_file embed_type) get_filename_component(name "${embed_file}" NAME) set(embed_srcfile "${build_dir}/${name}.S") + set(rename_to_arg) + if(__RENAME_TO) # use a predefined variable name + set(rename_to_arg -D "VARIABLE_BASENAME=${__RENAME_TO}") + endif() + add_custom_command(OUTPUT "${embed_srcfile}" COMMAND "${CMAKE_COMMAND}" -D "DATA_FILE=${embed_file}" -D "SOURCE_FILE=${embed_srcfile}" + ${rename_to_arg} -D "FILE_TYPE=${embed_type}" -P "${idf_path}/tools/cmake/scripts/data_file_embed_asm.cmake" MAIN_DEPENDENCY "${embed_file}"