author | Bastian Krause <bst@pengutronix.de> | 2020-05-15 16:26:39 +0200 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2020-05-15 17:22:07 +0200 |
commit | c420c0745b568fbf2ab2d0f7394c27935ed7faf2 (patch) | |
tree | 3bbddb3be682c7171f3a3d2346bdd69b538d11c8 /rules/image-rauc.make | |
parent | c691a61e4b244d30b046289655228981d27adc2c (diff) | |
rauc/image-rauc: use code signing infrastructure for key retrieval
Use the keys provided by the currently active key provider via PKCS#11
instead of key files placed in the platform config directory. In order
to make sure the new mechanics are used after a BSP update the rauc.key
file is no longer allowed to exist in the platformconfig directory.
Note: requires genimage v13 or later and ptx-code-signing-dev 0.4 or
later
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200515142641.812-14-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'rules/image-rauc.make')
-rw-r--r-- | rules/image-rauc.make | 36 |
1 files changed, 5 insertions, 31 deletions
diff --git a/rules/image-rauc.make b/rules/image-rauc.make
index 839cb400b..d85b88cc2 100644
--- a/rules/image-rauc.make
+++ b/rules/image-rauc.make
@@ -26,46 +26,20 @@ IMAGE_RAUC_CONFIG := rauc.config
 ifdef PTXCONF_IMAGE_RAUC
-IMAGE_RAUC_KEY := $(call ptx/in-platformconfigdir, config/rauc/rauc.key.pem)
-IMAGE_RAUC_CERT := $(call ptx/in-platformconfigdir, config/rauc/rauc.cert.pem)
-
-IMAGE_RAUC_ENV := \
+IMAGE_RAUC_ENV = \
+ $(CODE_SIGNING_ENV) \
 RAUC_BUNDLE_COMPATIBLE="$(call remove_quotes,$(PTXCONF_RAUC_COMPATIBLE))" \
 RAUC_BUNDLE_VERSION="$(call remove_quotes, $(PTXCONF_RAUC_BUNDLE_VERSION))" \
 RAUC_BUNDLE_BUILD=$(call ptx/sh, date +%FT%T%z) \
 RAUC_BUNDLE_DESCRIPTION=$(PTXCONF_IMAGE_RAUC_DESCRIPTION) \
- RAUC_KEY=$(IMAGE_RAUC_KEY) \
- RAUC_CERT=$(IMAGE_RAUC_CERT)
+ RAUC_KEY="$(shell cs_get_uri update)" \
+ RAUC_CERT="$(shell cs_get_uri update)"
-$(IMAGE_RAUC_IMAGE): $(IMAGE_RAUC_KEY) $(IMAGE_RAUC_CERT)
+$(IMAGE_RAUC_IMAGE):
 @$(call targetinfo)
 @$(call image/genimage, IMAGE_RAUC)
 @$(call finish)
-$(IMAGE_RAUC_KEY):
- @echo
- @echo "****************************************************************************"
- @echo "******** Please place your signing key in config/rauc/rauc.key.pem. ********"
- @echo "* *"
- @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
- @echo "* from the scripts/ folder of your PTXdist installation *"
- @echo "****************************************************************************"
- @echo
- @echo
- @exit 1
-
-$(IMAGE_RAUC_CERT):
- @echo
- @echo "****************************************************************************"
- @echo "**** Please place your signing certificate in config/rauc/rauc.cert.pem. ***"
- @echo "* *"
- @echo "* Note: For test-purpose you can create one by running rauc-gen-certs.sh *"
- @echo "* from the scripts/ folder of your PTXdist installation *"
- @echo "****************************************************************************"
- @echo
- @echo
- @exit 1
-
 endif
 # vim: syntax=make |
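Review bot: With the `$(IMAGE_RAUC_KEY)` and `$(IMAGE_RAUC_CERT)` prerequisites removed, nothing in the `$(IMAGE_RAUC_IMAGE)` rule checks that the active key provider actually returns a PKCS#11 URI for the `update` role. `$(shell cs_get_uri update)` discards the command's exit status, so a missing or misconfigured provider would presumably pass an empty `RAUC_KEY`/`RAUC_CERT` to genimage and only fail there, with a less direct message than the removed rules printed. A guard as the first recipe line would keep the failure early and explicit, for example `@test -n "$(shell cs_get_uri update)" || { echo "code signing: no URI for role 'update'" >&2; exit 1; }`. Separately, changing `IMAGE_RAUC_ENV` from `:=` to `=` means the `date` call behind `RAUC_BUNDLE_BUILD` and both `cs_get_uri` calls run on every expansion of the variable. A one-line comment such as `# recursive on purpose: the signing URIs are only available when the image recipe runs` would record why the deferred flavour is needed, if that is the reason.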