openwrt_patches-21.02/9989-sbc-secure-boot-and-anti-rollback-support.patch - openwrt/feeds/mtk-openwrt-feeds - Gitiles

 --- a/include/image.mk
 +++ b/include/image.mk
 @@ -227,8 +227,7 @@ $(eval $(foreach S,$(NAND_BLOCKSIZE),$(c
  define Image/mkfs/squashfs-common
  	$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
  		-nopad -noappend -root-owned \
 -		-comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
 -		-processors 1
 +		-comp $(SQUASHFSCOMP) $(SQUASHFSOPT)
  endef

  ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y)
 @@ -441,6 +440,9 @@ else
    DEVICE_CHECK_PROFILE = $(CONFIG_TARGET_$(if $(CONFIG_TARGET_MULTI_PROFILE),DEVICE_)$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_$(1))
  endif

 +DEVICE_CHECK_FIT_KEY = $(if $(wildcard $(FIT_KEY_DIR)/$(FIT_KEY_NAME).key),install-images,install-disabled)
 +DEVICE_CHECK_FIT_DIR = $(if $(FIT_KEY_DIR),$(DEVICE_CHECK_FIT_KEY),install-images)
 +
  DEVICE_EXTRA_PACKAGES = $(call qstrip,$(CONFIG_TARGET_DEVICE_PACKAGES_$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_DEVICE_$(1)))

  define merge_packages
 @@ -463,7 +465,7 @@ endef
  define Device/Check
    $(Device/Check/Common)
    KDIR_KERNEL_IMAGE := $(KDIR)/$(1)$$(KERNEL_SUFFIX)
 -  _TARGET := $$(if $$(_PROFILE_SET),install-images,install-disabled)
 +  _TARGET := $$(if $$(_PROFILE_SET),$$(DEVICE_CHECK_FIT_DIR),install-disabled)
    ifndef IB
      _COMPILE_TARGET := $$(if $(CONFIG_IB)$$(_PROFILE_SET),compile,compile-disabled)
    endif
 --- a/scripts/mkits.sh
 +++ b/scripts/mkits.sh
 @@ -17,6 +17,7 @@
  usage() {
  	printf "Usage: %s -A arch -C comp -a addr -e entry" "$(basename "$0")"
  	printf " -v version -k kernel [-D name -n address -d dtb] -o its_file"
 +	printf " [-s script] [-S key_name_hint] [-r ar_ver]"

  	printf "\n\t-A ==> set architecture to 'arch'"
  	printf "\n\t-C ==> set compression type 'comp'"
 @@ -28,13 +29,16 @@ usage() {
  	printf "\n\t-D ==> human friendly Device Tree Blob 'name'"
  	printf "\n\t-n ==> fdt unit-address 'address'"
  	printf "\n\t-d ==> include Device Tree Blob 'dtb'"
 -	printf "\n\t-o ==> create output file 'its_file'\n"
 +	printf "\n\t-o ==> create output file 'its_file'"
 +	printf "\n\t-s ==> include u-boot script 'script'"
 +	printf "\n\t-S ==> add signature at configurations and assign its key_name_hint by 'key_name_hint'"
 +	printf "\n\t-r ==> set anti-rollback version to 'fw_ar_ver' (dec)\n"
  	exit 1
  }

  FDTNUM=1

 -while getopts ":A:a:c:C:D:d:e:k:n:o:v:" OPTION
 +while getopts ":A:a:c:C:D:d:e:k:n:o:v:s:S:r:" OPTION
  do
  	case $OPTION in
  		A ) ARCH=$OPTARG;;
 @@ -48,6 +52,9 @@ do
  		n ) FDTNUM=$OPTARG;;
  		o ) OUTPUT=$OPTARG;;
  		v ) VERSION=$OPTARG;;
 +		s ) UBOOT_SCRIPT=$OPTARG;;
 +		S ) KEY_NAME_HINT=$OPTARG;;
 +		r ) AR_VER=$OPTARG;;
  		* ) echo "Invalid option passed to '$0' (options:$*)"
  		usage;;
  	esac
 @@ -132,6 +139,56 @@ if [ -n "${AR_VER}" ]; then
  "
  fi

 +# Conditionally create script information
 +if [ -n "${UBOOT_SCRIPT}" ]; then
 +	SCRIPT="\
 +		script@1 {
 +			description = \"U-Boot Script\";
 +			data = /incbin/(\"${UBOOT_SCRIPT}\");
 +			type = \"script\";
 +			arch = \"${ARCH}\";
 +			os = \"linux\";
 +			load = <0>;
 +			entry = <0>;
 +			compression = \"none\";
 +			hash@1 {
 +				algo = \"crc32\";
 +			};
 +			hash@2 {
 +				algo = \"sha1\";
 +			};
 +		};\
 +"
 +	LOADABLES="\
 +			loadables = \"script@1\";\
 +"
 +	SIGN_IMAGES="\
 +				sign-images = \"fdt\", \"kernel\", \"loadables\";\
 +"
 +else
 +	SIGN_IMAGES="\
 +				sign-images = \"fdt\", \"kernel\";\
 +"
 +fi
 +
 +# Conditionally create signature information
 +if [ -n "${KEY_NAME_HINT}" ]; then
 +	SIGNATURE="\
 +			signature {
 +				algo = \"sha1,rsa2048\";
 +				key-name-hint = \"${KEY_NAME_HINT}\";
 +${SIGN_IMAGES}
 +			};\
 +"
 +fi
 +
 +# Conditionally create anti-rollback version information
 +if [ -n "${AR_VER}" ]; then
 +	FW_AR_VER="\
 +			fw_ar_ver = <${AR_VER}>;\
 +"
 +fi
 +
  # Create a default, fully populated DTS file
  DATA="/dts-v1/;

 @@ -157,14 +214,18 @@ DATA="/dts-v1/;
  			};
  		};
  ${FDT_NODE}
 +${SCRIPT}
  	};

  	configurations {
  		default = \"${CONFIG}\";
  		${CONFIG} {
  			description = \"OpenWrt\";
 +${FW_AR_VER}
 +${LOADABLES}
  			kernel = \"kernel@1\";
  			${FDT_PROP}
 +${SIGNATURE}
  		};
  	};
  };"
 --- a/target/linux/mediatek/image/Makefile
 +++ b/target/linux/mediatek/image/Makefile
 @@ -16,6 +16,55 @@ define Build/sysupgrade-emmc
  		$(IMAGE_ROOTFS)
  endef

 +# build squashfs-hashed
 +define Build/squashfs-hashed
 +	$(CP) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME)) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed
 +	$(TOPDIR)/scripts/make-squashfs-hashed.sh \
 +		$(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed \
 +		$(STAGING_DIR_HOST) \
 +		$(TOPDIR) \
 +		$(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary
 +	cat $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary | \
 +		$(TOPDIR)/scripts/prepare-dm-verity-uboot-script.sh \
 +		"$(HASHED_BOOT_DEVICE)" \
 +		"$(BASIC_KERNEL_CMDLINE)" \
 +		> $(KDIR)/$(DEVICE_NAME)-u-boot-script
 +endef
 +
 +# build fw-ar-ver
 +get_fw_ar_ver = \
 +  $(if $(wildcard $(2)),$(shell rm -rf $(2))) \
 +  $(if $(wildcard $(1)),$(info $(shell $(STAGING_DIR_HOST)/bin/ar-tool fw_ar_table create_ar_conf $(1) $(2)))) \
 +  $(if $(wildcard $(2)),$(eval include $(2))) \
 +  $(if $(FW_AR_VER),$(info FW_AR_VER = $(FW_AR_VER)))
 +
 +define Build/fw-ar-ver
 +	$(call get_fw_ar_ver,$(ANTI_ROLLBACK_TABLE),$(AUTO_AR_CONF))
 +endef
 +
 +# build signed fit
 +define Build/fit-sign
 +	$(TOPDIR)/scripts/mkits.sh \
 +		-D $(DEVICE_NAME) \
 +		-o $@.its \
 +		-k $@ \
 +		$(if $(word 2,$(1)),-d $(word 2,$(1))) -C $(word 1,$(1)) \
 +		-a $(KERNEL_LOADADDR) \
 +		-e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
 +		-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config-1") \
 +		-A $(LINUX_KARCH) \
 +		-v $(LINUX_VERSION) \
 +		-s $(KDIR)/$(DEVICE_NAME)-u-boot-script \
 +		$(if $(FIT_KEY_NAME),-S $(FIT_KEY_NAME)) \
 +		$(if $(FW_AR_VER),-r $(FW_AR_VER))
 +	PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage \
 +		-f $@.its \
 +		$(if $(FIT_KEY_DIR),-k $(FIT_KEY_DIR)) \
 +		-r \
 +		$@.new
 +	@mv $@.new $@
 +endef
 +
  # default all platform image(fit) build
  define Device/Default
    PROFILES = Default $$(DEVICE_NAME)
 @@ -29,6 +78,8 @@ define Device/Default
    IMAGES := sysupgrade.bin
    IMAGE/sysupgrade.bin := append-kernel | pad-to 128k | append-rootfs | \
  	pad-rootfs | append-metadata
 +  FIT_KEY_DIR :=
 +  FIT_KEY_NAME :=
  endef

  include $(SUBTARGET).mk
	--- a/include/image.mk
	+++ b/include/image.mk
	@@ -227,8 +227,7 @@ $(eval $(foreach S,$(NAND_BLOCKSIZE),$(c
	define Image/mkfs/squashfs-common
	$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
	-nopad -noappend -root-owned \
	- -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
	- -processors 1
	+ -comp $(SQUASHFSCOMP) $(SQUASHFSOPT)
	endef

	ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y)
	@@ -441,6 +440,9 @@ else
	DEVICE_CHECK_PROFILE = $(CONFIG_TARGET_$(if $(CONFIG_TARGET_MULTI_PROFILE),DEVICE_)$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_$(1))
	endif

	+DEVICE_CHECK_FIT_KEY = $(if $(wildcard $(FIT_KEY_DIR)/$(FIT_KEY_NAME).key),install-images,install-disabled)
	+DEVICE_CHECK_FIT_DIR = $(if $(FIT_KEY_DIR),$(DEVICE_CHECK_FIT_KEY),install-images)
	+
	DEVICE_EXTRA_PACKAGES = $(call qstrip,$(CONFIG_TARGET_DEVICE_PACKAGES_$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_DEVICE_$(1)))

	define merge_packages
	@@ -463,7 +465,7 @@ endef
	define Device/Check
	$(Device/Check/Common)
	KDIR_KERNEL_IMAGE := $(KDIR)/$(1)$$(KERNEL_SUFFIX)
	- _TARGET := $$(if $$(_PROFILE_SET),install-images,install-disabled)
	+ _TARGET := $$(if $$(_PROFILE_SET),$$(DEVICE_CHECK_FIT_DIR),install-disabled)
	ifndef IB
	_COMPILE_TARGET := $$(if $(CONFIG_IB)$$(_PROFILE_SET),compile,compile-disabled)
	endif
	--- a/scripts/mkits.sh
	+++ b/scripts/mkits.sh
	@@ -17,6 +17,7 @@
	usage() {
	printf "Usage: %s -A arch -C comp -a addr -e entry" "$(basename "$0")"
	printf " -v version -k kernel [-D name -n address -d dtb] -o its_file"
	+ printf " [-s script] [-S key_name_hint] [-r ar_ver]"

	printf "\n\t-A ==> set architecture to 'arch'"
	printf "\n\t-C ==> set compression type 'comp'"
	@@ -28,13 +29,16 @@ usage() {
	printf "\n\t-D ==> human friendly Device Tree Blob 'name'"
	printf "\n\t-n ==> fdt unit-address 'address'"
	printf "\n\t-d ==> include Device Tree Blob 'dtb'"
	- printf "\n\t-o ==> create output file 'its_file'\n"
	+ printf "\n\t-o ==> create output file 'its_file'"
	+ printf "\n\t-s ==> include u-boot script 'script'"
	+ printf "\n\t-S ==> add signature at configurations and assign its key_name_hint by 'key_name_hint'"
	+ printf "\n\t-r ==> set anti-rollback version to 'fw_ar_ver' (dec)\n"
	exit 1
	}

	FDTNUM=1

	-while getopts ":A:a:c:C:D:d:e:k:n:o:v:" OPTION
	+while getopts ":A:a:c:C:D:d:e:k:n:o:v:s:S:r:" OPTION
	do
	case $OPTION in
	A ) ARCH=$OPTARG;;
	@@ -48,6 +52,9 @@ do
	n ) FDTNUM=$OPTARG;;
	o ) OUTPUT=$OPTARG;;
	v ) VERSION=$OPTARG;;
	+ s ) UBOOT_SCRIPT=$OPTARG;;
	+ S ) KEY_NAME_HINT=$OPTARG;;
	+ r ) AR_VER=$OPTARG;;
	* ) echo "Invalid option passed to '$0' (options:$*)"
	usage;;
	esac
	@@ -132,6 +139,56 @@ if [ -n "${AR_VER}" ]; then
	"
	fi

	+# Conditionally create script information
	+if [ -n "${UBOOT_SCRIPT}" ]; then
	+ SCRIPT="\
	+ script@1 {
	+ description = \"U-Boot Script\";
	+ data = /incbin/(\"${UBOOT_SCRIPT}\");
	+ type = \"script\";
	+ arch = \"${ARCH}\";
	+ os = \"linux\";
	+ load = <0>;
	+ entry = <0>;
	+ compression = \"none\";
	+ hash@1 {
	+ algo = \"crc32\";
	+ };
	+ hash@2 {
	+ algo = \"sha1\";
	+ };
	+ };\
	+"
	+ LOADABLES="\
	+ loadables = \"script@1\";\
	+"
	+ SIGN_IMAGES="\
	+ sign-images = \"fdt\", \"kernel\", \"loadables\";\
	+"
	+else
	+ SIGN_IMAGES="\
	+ sign-images = \"fdt\", \"kernel\";\
	+"
	+fi
	+
	+# Conditionally create signature information
	+if [ -n "${KEY_NAME_HINT}" ]; then
	+ SIGNATURE="\
	+ signature {
	+ algo = \"sha1,rsa2048\";
	+ key-name-hint = \"${KEY_NAME_HINT}\";
	+${SIGN_IMAGES}
	+ };\
	+"
	+fi
	+
	+# Conditionally create anti-rollback version information
	+if [ -n "${AR_VER}" ]; then
	+ FW_AR_VER="\
	+ fw_ar_ver = <${AR_VER}>;\
	+"
	+fi
	+
	# Create a default, fully populated DTS file
	DATA="/dts-v1/;

	@@ -157,14 +214,18 @@ DATA="/dts-v1/;
	};
	};
	${FDT_NODE}
	+${SCRIPT}
	};

	configurations {
	default = \"${CONFIG}\";
	${CONFIG} {
	description = \"OpenWrt\";
	+${FW_AR_VER}
	+${LOADABLES}
	kernel = \"kernel@1\";
	${FDT_PROP}
	+${SIGNATURE}
	};
	};
	};"
	--- a/target/linux/mediatek/image/Makefile
	+++ b/target/linux/mediatek/image/Makefile
	@@ -16,6 +16,55 @@ define Build/sysupgrade-emmc
	$(IMAGE_ROOTFS)
	endef

	+# build squashfs-hashed
	+define Build/squashfs-hashed
	+ $(CP) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME)) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed
	+ $(TOPDIR)/scripts/make-squashfs-hashed.sh \
	+ $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed \
	+ $(STAGING_DIR_HOST) \
	+ $(TOPDIR) \
	+ $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary
	+ cat $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary \| \
	+ $(TOPDIR)/scripts/prepare-dm-verity-uboot-script.sh \
	+ "$(HASHED_BOOT_DEVICE)" \
	+ "$(BASIC_KERNEL_CMDLINE)" \
	+ > $(KDIR)/$(DEVICE_NAME)-u-boot-script
	+endef
	+
	+# build fw-ar-ver
	+get_fw_ar_ver = \
	+ $(if $(wildcard $(2)),$(shell rm -rf $(2))) \
	+ $(if $(wildcard $(1)),$(info $(shell $(STAGING_DIR_HOST)/bin/ar-tool fw_ar_table create_ar_conf $(1) $(2)))) \
	+ $(if $(wildcard $(2)),$(eval include $(2))) \
	+ $(if $(FW_AR_VER),$(info FW_AR_VER = $(FW_AR_VER)))
	+
	+define Build/fw-ar-ver
	+ $(call get_fw_ar_ver,$(ANTI_ROLLBACK_TABLE),$(AUTO_AR_CONF))
	+endef
	+
	+# build signed fit
	+define Build/fit-sign
	+ $(TOPDIR)/scripts/mkits.sh \
	+ -D $(DEVICE_NAME) \
	+ -o $@.its \
	+ -k $@ \
	+ $(if $(word 2,$(1)),-d $(word 2,$(1))) -C $(word 1,$(1)) \
	+ -a $(KERNEL_LOADADDR) \
	+ -e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
	+ -c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config-1") \
	+ -A $(LINUX_KARCH) \
	+ -v $(LINUX_VERSION) \
	+ -s $(KDIR)/$(DEVICE_NAME)-u-boot-script \
	+ $(if $(FIT_KEY_NAME),-S $(FIT_KEY_NAME)) \
	+ $(if $(FW_AR_VER),-r $(FW_AR_VER))
	+ PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage \
	+ -f $@.its \
	+ $(if $(FIT_KEY_DIR),-k $(FIT_KEY_DIR)) \
	+ -r \
	+ $@.new
	+ @mv $@.new $@
	+endef
	+
	# default all platform image(fit) build
	define Device/Default
	PROFILES = Default $$(DEVICE_NAME)
	@@ -29,6 +78,8 @@ define Device/Default
	IMAGES := sysupgrade.bin
	IMAGE/sysupgrade.bin := append-kernel \| pad-to 128k \| append-rootfs \| \
	pad-rootfs \| append-metadata
	+ FIT_KEY_DIR :=
	+ FIT_KEY_NAME :=
	endef

	include $(SUBTARGET).mk