fix: make TF-A use provided OpenSSL binary
Currently TF-A uses whatever openssl binary is on the system to sign
images. However, if OPENSSL_DIR is specified in the build flags, this can
lead to linking issues, as the system binary can end up being linked
against shared libraries provided in OPENSSL_DIR/lib if both binaries
(the system's and the one in OPENSSL_DIR/bin) are the same version.
This patch ensures that the binary used is always the one given by
OPENSSL_DIR to avoid those link issues.
Signed-off-by: Salome Thirot <salome.thirot@arm.com>
Change-Id: Ib534e06ebc8482e4391e376d3791a87968de4a99
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index fab6bf6..a3ab6c2 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -415,6 +415,13 @@
# Build option to provide openssl directory path
OPENSSL_DIR := /usr
+# Select the openssl binary provided in OPENSSL_DIR variable
+ifeq ("$(wildcard ${OPENSSL_DIR}/bin)", "")
+ OPENSSL_BIN_PATH = ${OPENSSL_DIR}/apps
+else
+ OPENSSL_BIN_PATH = ${OPENSSL_DIR}/bin
+endif
+
# Build option to use the SP804 timer instead of the generic one
USE_SP804_TIMER := 0
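Review bot: Nothing in the added block checks that an `openssl` executable exists in the selected directory: when `${OPENSSL_DIR}/bin` is absent the path falls back to `${OPENSSL_DIR}/apps` without testing that either. Several recipes changed later in this commit discard stderr, so a wrong OPENSSL_DIR would likely surface only as a failed or empty key/hash step. A parse-time guard next to the first use, e.g. `$(if $(wildcard ${OPENSSL_BIN_PATH}/openssl),,$(error no openssl binary under ${OPENSSL_DIR}/bin or ${OPENSSL_DIR}/apps))`, would report it directly. Separately, the `ifeq` is evaluated when defaults.mk is read while `OPENSSL_BIN_PATH` uses deferred `=`, so if OPENSSL_DIR were assigned after this point the branch chosen from the earlier value would be combined with the later directory; a comment stating that OPENSSL_DIR must be set before this file is included would help.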
diff --git a/plat/arm/board/common/board_common.mk b/plat/arm/board/common/board_common.mk
index b11811c..1d0eb13 100644
--- a/plat/arm/board/common/board_common.mk
+++ b/plat/arm/board/common/board_common.mk
@@ -53,8 +53,8 @@
ifndef ROT_KEY
$(error Cannot generate hash: no ROT_KEY defined)
endif
- openssl ${CRYPTO_ALG} -in $< -pubout -outform DER | openssl dgst \
- -sha256 -binary > $@
+ ${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in $< -pubout -outform DER | \
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@
# Certificate NV-Counters. Use values corresponding to tied off values in
# ARM development platforms
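Review bot: The pipeline's exit status is that of the final `openssl dgst` only (assuming the recipe shell does not set pipefail), so if the first `${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG}` call fails, for example on an unreadable key or the library mismatch this commit is about, `dgst` hashes empty input and `$@` is written as if valid. For a root-of-trust public key hash that is a silent wrong result rather than a build error. Splitting it into two steps joined by `&&`, e.g. `${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in $< -pubout -outform DER -out $@.der && ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary -out $@ $@.der`, makes the first failure stop the recipe. The same pipeline appears in the `$(ROTPK_HASH)` rules of the hikey, hikey960, imx7, imx8mm, imx8mp, nxp tbbr, qemu, rpi3, synquacer and uniphier hunks, where `2>/dev/null` also hides the error message. The rule header for this recipe is outside the hunk.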
diff --git a/plat/hisilicon/hikey/platform.mk b/plat/hisilicon/hikey/platform.mk
index 3e1771c..2bfc582 100644
--- a/plat/hisilicon/hikey/platform.mk
+++ b/plat/hisilicon/hikey/platform.mk
@@ -154,12 +154,12 @@
certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
- $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif
# Enable workarounds for selected Cortex-A53 errata.
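Review bot: In the `$(ROT_KEY)` recipe, `> $@ 2>/dev/null` creates the key file before `openssl genrsa` runs and discards its diagnostics, so a failing `${OPENSSL_BIN_PATH}/openssl` can leave an empty `$@` that later runs treat as an existing key (unless `.DELETE_ON_ERROR` is set elsewhere, which is not visible here). Writing through the tool instead, `$(Q)${OPENSSL_BIN_PATH}/openssl genrsa -out $@ 2048`, keeps stderr and avoids creating the file on a launch failure. The same applies to the `$(ROT_KEY)` rules in the hikey960, qemu, rpi3, synquacer and uniphier hunks, and to the imx7, imx8mm, imx8mp and nxp tbbr hunks, where the `if [ ! -f $(ROT_KEY) ]` guard would additionally skip regeneration once an empty file exists.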
diff --git a/plat/hisilicon/hikey960/platform.mk b/plat/hisilicon/hikey960/platform.mk
index 608fe09..c8ad66c 100644
--- a/plat/hisilicon/hikey960/platform.mk
+++ b/plat/hisilicon/hikey960/platform.mk
@@ -146,12 +146,12 @@
certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
- $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif
# Enable workarounds for selected Cortex-A53 errata.
diff --git a/plat/imx/imx7/common/imx7.mk b/plat/imx/imx7/common/imx7.mk
index fdde9a9..f4f5bfc 100644
--- a/plat/imx/imx7/common/imx7.mk
+++ b/plat/imx/imx7/common/imx7.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2018-2020, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2018-2022, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -80,13 +80,13 @@
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \
- openssl genrsa 2048 > $@ 2>/dev/null; \
+ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif
# Add the build options to pack BLx images and kernel device tree
diff --git a/plat/imx/imx8m/imx8mm/platform.mk b/plat/imx/imx8m/imx8mm/platform.mk
index 1c6c9f8..e3e5c0c 100644
--- a/plat/imx/imx8m/imx8mm/platform.mk
+++ b/plat/imx/imx8m/imx8mm/platform.mk
@@ -132,13 +132,13 @@
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \
- openssl genrsa 2048 > $@ 2>/dev/null; \
+ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif
USE_COHERENT_MEM := 1
diff --git a/plat/imx/imx8m/imx8mp/platform.mk b/plat/imx/imx8m/imx8mp/platform.mk
index 45f2972..e8669e5 100644
--- a/plat/imx/imx8m/imx8mp/platform.mk
+++ b/plat/imx/imx8m/imx8mp/platform.mk
@@ -129,13 +129,13 @@
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \
- openssl genrsa 2048 > $@ 2>/dev/null; \
+ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif
USE_COHERENT_MEM := 1
diff --git a/plat/marvell/armada/a3k/common/a3700_common.mk b/plat/marvell/armada/a3k/common/a3700_common.mk
index d0e8688..5547201 100644
--- a/plat/marvell/armada/a3k/common/a3700_common.mk
+++ b/plat/marvell/armada/a3k/common/a3700_common.mk
@@ -205,12 +205,12 @@
@$(ECHO_BLANK_LINE)
$(Q)cp $(BUILD_PLAT)/wtmi.bin $(BUILD_PLAT)/wtmi-align.bin
$(Q)truncate -s %16 $(BUILD_PLAT)/wtmi-align.bin
- $(Q)openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/wtmi-align.bin \
+ $(Q)${OPENSSL_BIN_PATH}/openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/wtmi-align.bin \
-out $(BUILD_PLAT)/$(WTMI_ENC_IMG) \
-K `cat $(IMAGESPATH)/aes-256.txt` -nosalt \
-iv `cat $(IMAGESPATH)/iv.txt` -p
$(Q)truncate -s %16 $(BUILD_PLAT)/$(BOOT_IMAGE);
- $(Q)openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/$(BOOT_IMAGE) \
+ $(Q)${OPENSSL_BIN_PATH}/openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/$(BOOT_IMAGE) \
-out $(BUILD_PLAT)/$(BOOT_ENC_IMAGE) \
-K `cat $(IMAGESPATH)/aes-256.txt` -nosalt \
-iv `cat $(IMAGESPATH)/iv.txt` -p
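Review bot: Both `openssl enc` invocations end in `-p`, which prints the key and IV to standard output, so the AES key read from `$(IMAGESPATH)/aes-256.txt` ends up in the build log even though `$(Q)` hides the command line itself. If that key is meant to be secret (not visible from this hunk), drop `-p` or send stdout to `/dev/null`. Passing the key with `-K` on the command line also exposes it to other local users through the process list for the duration of the command; that may be acceptable on a dedicated build host but is worth a comment above the recipe. The recipe's rule header lies outside the hunk.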
diff --git a/plat/nxp/common/tbbr/tbbr.mk b/plat/nxp/common/tbbr/tbbr.mk
index 7edcfbc..4aac9d6 100644
--- a/plat/nxp/common/tbbr/tbbr.mk
+++ b/plat/nxp/common/tbbr/tbbr.mk
@@ -133,13 +133,13 @@
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \
- openssl genrsa 2048 > $@ 2>/dev/null; \
+ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif #MBEDTLS_DIR
diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk
index 8e7f7c8..e0b5271 100644
--- a/plat/qemu/qemu/platform.mk
+++ b/plat/qemu/qemu/platform.mk
@@ -88,12 +88,12 @@
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
- $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif
# Include Measured Boot makefile before any Crypto library makefile.
diff --git a/plat/rpi/rpi3/platform.mk b/plat/rpi/rpi3/platform.mk
index 6c23923..53c97e2 100644
--- a/plat/rpi/rpi3/platform.mk
+++ b/plat/rpi/rpi3/platform.mk
@@ -212,10 +212,10 @@
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
- $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif
diff --git a/plat/socionext/synquacer/platform.mk b/plat/socionext/synquacer/platform.mk
index 3eab3d6..b76ae88 100644
--- a/plat/socionext/synquacer/platform.mk
+++ b/plat/socionext/synquacer/platform.mk
@@ -73,12 +73,12 @@
certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
- $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif # TRUSTED_BOARD_BOOT
endif
diff --git a/plat/socionext/uniphier/platform.mk b/plat/socionext/uniphier/platform.mk
index 6edd181..378497a 100644
--- a/plat/socionext/uniphier/platform.mk
+++ b/plat/socionext/uniphier/platform.mk
@@ -107,12 +107,12 @@
certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@"
- $(Q)openssl genrsa 2048 > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@"
- $(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
- openssl dgst -sha256 -binary > $@ 2>/dev/null
+ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
+ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif