Blame - openwrt_patches-21.02/9989-sbc-secure-boot-and-anti-rollback-support.patch - openwrt/feeds/mtk-openwrt-feeds

blob: 6bce579f506c56e7cb74d8f27f57f526e9043c4d [file] [log] [blame]

developer	36a86e1	2022-03-03 18:28:11 +0800	[diff] [blame]	1	--- a/include/image.mk
				2	+++ b/include/image.mk
				3	@@ -227,8 +227,7 @@ $(eval $(foreach S,$(NAND_BLOCKSIZE),$(c
				4	define Image/mkfs/squashfs-common
				5	$(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \
				6	-nopad -noappend -root-owned \
				7	- -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \
				8	- -processors 1
				9	+ -comp $(SQUASHFSCOMP) $(SQUASHFSOPT)
				10	endef
				11
				12	ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y)
				13	@@ -441,6 +440,9 @@ else
				14	DEVICE_CHECK_PROFILE = $(CONFIG_TARGET_$(if $(CONFIG_TARGET_MULTI_PROFILE),DEVICE_)$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_$(1))
				15	endif
				16
				17	+DEVICE_CHECK_FIT_KEY = $(if $(wildcard $(FIT_KEY_DIR)/$(FIT_KEY_NAME).key),install-images,install-disabled)
				18	+DEVICE_CHECK_FIT_DIR = $(if $(FIT_KEY_DIR),$(DEVICE_CHECK_FIT_KEY),install-images)
				19	+
				20	DEVICE_EXTRA_PACKAGES = $(call qstrip,$(CONFIG_TARGET_DEVICE_PACKAGES_$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_DEVICE_$(1)))
				21
				22	define merge_packages
				23	@@ -463,7 +465,7 @@ endef
				24	define Device/Check
				25	$(Device/Check/Common)
				26	KDIR_KERNEL_IMAGE := $(KDIR)/$(1)$$(KERNEL_SUFFIX)
				27	- _TARGET := $$(if $$(_PROFILE_SET),install-images,install-disabled)
				28	+ _TARGET := $$(if $$(_PROFILE_SET),$$(DEVICE_CHECK_FIT_DIR),install-disabled)
				29	ifndef IB
				30	_COMPILE_TARGET := $$(if $(CONFIG_IB)$$(_PROFILE_SET),compile,compile-disabled)
				31	endif
				32	--- a/scripts/mkits.sh
				33	+++ b/scripts/mkits.sh
				34	@@ -17,6 +17,7 @@
				35	usage() {
				36	printf "Usage: %s -A arch -C comp -a addr -e entry" "$(basename "$0")"
				37	printf " -v version -k kernel [-D name -n address -d dtb] -o its_file"
				38	+ printf " [-s script] [-S key_name_hint] [-r ar_ver]"
				39
				40	printf "\n\t-A ==> set architecture to 'arch'"
				41	printf "\n\t-C ==> set compression type 'comp'"
				42	@@ -28,13 +29,16 @@ usage() {
				43	printf "\n\t-D ==> human friendly Device Tree Blob 'name'"
				44	printf "\n\t-n ==> fdt unit-address 'address'"
				45	printf "\n\t-d ==> include Device Tree Blob 'dtb'"
				46	- printf "\n\t-o ==> create output file 'its_file'\n"
				47	+ printf "\n\t-o ==> create output file 'its_file'"
				48	+ printf "\n\t-s ==> include u-boot script 'script'"
				49	+ printf "\n\t-S ==> add signature at configurations and assign its key_name_hint by 'key_name_hint'"
				50	+ printf "\n\t-r ==> set anti-rollback version to 'fw_ar_ver' (dec)\n"
				51	exit 1
				52	}
				53
				54	FDTNUM=1
				55
				56	-while getopts ":A:a:c:C:D:d:e:k:n:o:v:" OPTION
				57	+while getopts ":A:a:c:C:D:d:e:k:n:o:v:s:S:r:" OPTION
				58	do
				59	case $OPTION in
				60	A ) ARCH=$OPTARG;;
				61	@@ -48,6 +52,9 @@ do
				62	n ) FDTNUM=$OPTARG;;
				63	o ) OUTPUT=$OPTARG;;
				64	v ) VERSION=$OPTARG;;
				65	+ s ) UBOOT_SCRIPT=$OPTARG;;
				66	+ S ) KEY_NAME_HINT=$OPTARG;;
				67	+ r ) AR_VER=$OPTARG;;
				68	* ) echo "Invalid option passed to '$0' (options:$*)"
				69	usage;;
				70	esac
				71	@@ -132,6 +139,56 @@ if [ -n "${AR_VER}" ]; then
				72	"
				73	fi
				74
				75	+# Conditionally create script information
				76	+if [ -n "${UBOOT_SCRIPT}" ]; then
				77	+ SCRIPT="\
				78	+ script@1 {
				79	+ description = \"U-Boot Script\";
				80	+ data = /incbin/(\"${UBOOT_SCRIPT}\");
				81	+ type = \"script\";
				82	+ arch = \"${ARCH}\";
				83	+ os = \"linux\";
				84	+ load = <0>;
				85	+ entry = <0>;
				86	+ compression = \"none\";
				87	+ hash@1 {
				88	+ algo = \"crc32\";
				89	+ };
				90	+ hash@2 {
				91	+ algo = \"sha1\";
				92	+ };
				93	+ };\
				94	+"
				95	+ LOADABLES="\
				96	+ loadables = \"script@1\";\
				97	+"
				98	+ SIGN_IMAGES="\
				99	+ sign-images = \"fdt\", \"kernel\", \"loadables\";\
				100	+"
				101	+else
				102	+ SIGN_IMAGES="\
				103	+ sign-images = \"fdt\", \"kernel\";\
				104	+"
				105	+fi
				106	+
				107	+# Conditionally create signature information
				108	+if [ -n "${KEY_NAME_HINT}" ]; then
				109	+ SIGNATURE="\
				110	+ signature {
				111	+ algo = \"sha1,rsa2048\";
				112	+ key-name-hint = \"${KEY_NAME_HINT}\";
				113	+${SIGN_IMAGES}
				114	+ };\
				115	+"
				116	+fi
				117	+
				118	+# Conditionally create anti-rollback version information
				119	+if [ -n "${AR_VER}" ]; then
				120	+ FW_AR_VER="\
				121	+ fw_ar_ver = <${AR_VER}>;\
				122	+"
				123	+fi
				124	+
				125	# Create a default, fully populated DTS file
				126	DATA="/dts-v1/;
				127
				128	@@ -157,14 +214,18 @@ DATA="/dts-v1/;
				129	};
				130	};
				131	${FDT_NODE}
				132	+${SCRIPT}
				133	};
				134
				135	configurations {
				136	default = \"${CONFIG}\";
				137	${CONFIG} {
				138	description = \"OpenWrt\";
				139	+${FW_AR_VER}
				140	+${LOADABLES}
				141	kernel = \"kernel@1\";
				142	${FDT_PROP}
				143	+${SIGNATURE}
				144	};
				145	};
				146	};"
				147	--- a/target/linux/mediatek/image/Makefile
				148	+++ b/target/linux/mediatek/image/Makefile
				149	@@ -16,6 +16,55 @@ define Build/sysupgrade-emmc
				150	$(IMAGE_ROOTFS)
				151	endef
				152
				153	+# build squashfs-hashed
				154	+define Build/squashfs-hashed
				155	+ $(CP) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME)) $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed
				156	+ $(TOPDIR)/scripts/make-squashfs-hashed.sh \
				157	+ $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed \
				158	+ $(STAGING_DIR_HOST) \
				159	+ $(TOPDIR) \
				160	+ $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary
				161	+ cat $(ROOTFS/$(FILESYSTEMS)/$(DEVICE_NAME))-hashed-summary \| \
				162	+ $(TOPDIR)/scripts/prepare-dm-verity-uboot-script.sh \
				163	+ "$(HASHED_BOOT_DEVICE)" \
				164	+ "$(BASIC_KERNEL_CMDLINE)" \
				165	+ > $(KDIR)/$(DEVICE_NAME)-u-boot-script
				166	+endef
				167	+
				168	+# build fw-ar-ver
				169	+get_fw_ar_ver = \
				170	+ $(if $(wildcard $(2)),$(shell rm -rf $(2))) \
				171	+ $(if $(wildcard $(1)),$(info $(shell $(STAGING_DIR_HOST)/bin/ar-tool fw_ar_table create_ar_conf $(1) $(2)))) \
				172	+ $(if $(wildcard $(2)),$(eval include $(2))) \
				173	+ $(if $(FW_AR_VER),$(info FW_AR_VER = $(FW_AR_VER)))
				174	+
				175	+define Build/fw-ar-ver
				176	+ $(call get_fw_ar_ver,$(ANTI_ROLLBACK_TABLE),$(AUTO_AR_CONF))
				177	+endef
				178	+
				179	+# build signed fit
				180	+define Build/fit-sign
				181	+ $(TOPDIR)/scripts/mkits.sh \
				182	+ -D $(DEVICE_NAME) \
				183	+ -o $@.its \
				184	+ -k $@ \
				185	+ $(if $(word 2,$(1)),-d $(word 2,$(1))) -C $(word 1,$(1)) \
				186	+ -a $(KERNEL_LOADADDR) \
				187	+ -e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
				188	+ -c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config-1") \
				189	+ -A $(LINUX_KARCH) \
				190	+ -v $(LINUX_VERSION) \
				191	+ -s $(KDIR)/$(DEVICE_NAME)-u-boot-script \
				192	+ $(if $(FIT_KEY_NAME),-S $(FIT_KEY_NAME)) \
				193	+ $(if $(FW_AR_VER),-r $(FW_AR_VER))
				194	+ PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage \
				195	+ -f $@.its \
				196	+ $(if $(FIT_KEY_DIR),-k $(FIT_KEY_DIR)) \
				197	+ -r \
				198	+ $@.new
				199	+ @mv $@.new $@
				200	+endef
				201	+
				202	# default all platform image(fit) build
				203	define Device/Default
				204	PROFILES = Default $$(DEVICE_NAME)
				205	@@ -29,6 +78,8 @@ define Device/Default
				206	IMAGES := sysupgrade.bin
				207	IMAGE/sysupgrade.bin := append-kernel \| pad-to 128k \| append-rootfs \| \
				208	pad-rootfs \| append-metadata
				209	+ FIT_KEY_DIR :=
				210	+ FIT_KEY_NAME :=
				211	endef
				212
				213	include $(SUBTARGET).mk