author | Vincent Palatin <vpalatin@chromium.org> | 2014-09-26 15:20:42 -0700 |
---|---|---|
committer | chrome-internal-fetch <chrome-internal-fetch@google.com> | 2014-10-02 23:18:25 +0000 |
commit | beaddbf1a365463cdef3ed9dd1d093ff6ff80d70 (patch) | |
tree | 2f6f7aeda02e320b0962da0a901bb67b3bbf753e /Makefile.rules | |
parent | 0330d9adf2602c44201d5e1b842747caf7dd83b1 (diff) | |
zinger: check RW firmware signature
The Zinger RW is now signed with a 2048-bit RSA key (using SHA-256 as
the digest).
This CL implements the verification mechanism.
Note: the RSA key used for signing must be provided as a .pem file.
The path to the .pem file must be provided in the PEM environment variable.
By default, the dev key stored in zinger_dev_key.pem is used.
Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
BRANCH=samus
BUG=chrome-os-partner:28336
TEST=on Zinger, run with properly signed RW firmware and corrupted
firmware and check the serial traces.
Change-Id: Ia58482458904a3ed72d6b0e95996cae86a0ead83
Reviewed-on: https://chromium-review.googlesource.com/220178
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Alec Berg <alecaberg@chromium.org>
Diffstat (limited to 'Makefile.rules')
-rw-r--r-- | Makefile.rules | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/Makefile.rules b/Makefile.rules
index e5279d8097..4a19e0a3b3 100644
--- a/Makefile.rules
+++ b/Makefile.rules
@@ -30,6 +30,7 @@ section_is = $(subst .,,SECTION_IS_$(suffix $(1)))
 # Decrease verbosity unless you pass V=1
 quiet = $(if $(V),,@echo ' $(2)' $(subst $(out)/,,$@) ; )$(cmd_$(1))
 silent = $(if $(V),,1>/dev/null)
+silent_err = $(if $(V),,2>/dev/null)
 # commands to build all targets
 cmd_lds = $(CPP) -P -C -MMD -MF $@.d -MT $@ $(CPPFLAGS) \
@@ -52,11 +53,14 @@ cmd_c_to_host = $(HOSTCC) $(HOST_CFLAGS) -MMD -MF $@.d -o $@ \
 cmd_host_test = ./util/run_host_test $* $(silent)
 cmd_version = ./util/getversion.sh > $@
 cmd_mv_from_tmp = mv $(out)/$*.bin.tmp $(out)/$*.bin
-cmd_extractrw-y = cd $(out) && \
- dump_fmap -x $(PROJECT).bin.tmp RW_SECTION_A $(silent) && \
- mv RW_SECTION_A $(PROJECT).RW.bin
+cmd_extractrw-y = dd if=$(out)/$(PROJECT).bin.tmp of=$(out)/$(PROJECT).RW.bin \
+ bs=1 count=$(_rw_size) skip=$(_rw_off) $(silent_err)
 cmd_copyrw-y = cd $(out) && cp $(PROJECT).RW.flat $(PROJECT).RW.bin
+# commands for RSA signature
+cmd_pubkey = ./util/pem_extract_pubkey.py $(PEM) > $@
+cmd_rsasign = ./util/ec_sign_rsa.py $(PEM) $(out)/$*.bin.tmp
+
 # commands to build optional xref files
 cmd_deps_to_list = cat $(deps) | tr -d ':\\' | tr ' ' '\012' \
 | egrep '\.[chS]$$' | sort | uniq > $@
@@ -65,7 +69,6 @@ cmd_ctags = ctags -o $@ $(shell cat $<)
 targ_if_prog = $(if $(shell which $(1) 2>/dev/null),$(2),)
 .PHONY: all tests utils hosttests
-all: $(out)/$(PROJECT).bin utils
 buildall: $(foreach b, $(boards), proj-$(b)) runtests
 @touch .tests-passed
@@ -138,8 +141,8 @@ $(out)/%.lds: core/$(CORE)/ec.lds.S
 $(out)/%.bin: $(out)/%.obj
 $(call quiet,obj_to_bin,OBJCOPY)
- $(if $(sign-y),$(call quiet,sign,SIGN ),)
- $(if $(sign-y),$(call quiet,extractrw-y,EXTR_RW), \
+ $(if $(wildcard $(PEM)),$(call quiet,rsasign,SIGN ),)
+ $(if $(wildcard $(PEM)),$(call quiet,extractrw-y,EXTR_RW), \
 $(call quiet,copyrw-y,COPY_RW))
 $(call quiet,mv_from_tmp,MV )
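Review bot: `$(silent_err)` on the new `cmd_extractrw-y` sends all of dd's stderr to /dev/null, so its error text is discarded together with the transfer statistics. `_rw_size` and `_rw_off` are not defined in the hunks shown here; if either expands empty, the non-verbose build stops with no message, and a wrong but numeric offset extracts the wrong bytes as the RW image with no failure at all. With GNU dd, `status=none` hides only the statistics and keeps real errors visible. A guard such as `$(if $(strip $(_rw_size)),,$(error _rw_size is not set))` ahead of the dd call would make the empty case explicit.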
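Review bot: Signing in the `$(out)/%.bin` recipe is now gated on `$(wildcard $(PEM))`, so a mistyped or missing key path silently falls through to `copyrw-y` and the build succeeds with an unsigned image. If PEM is only set for boards that are meant to be signed (not visible in this hunk), the recipe could fail closed with `$(if $(PEM),$(if $(wildcard $(PEM)),,$(error PEM file '$(PEM)' not found)),)` as its first line. The commit message says PEM defaults to a dev key, so release builds presumably need it overridden; a comment next to the recipe saying so, for example `# PEM defaults to the dev key; production builds must override it`, would help the next maintainer. The rule's recipe continues past the end of the hunk.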
@@ -173,6 +176,9 @@ $(out)/common/version.o: $(out)/ec_version.h
 $(out)/ec_version.h: $(filter-out $(out)/common/version.o,$(objs))
 $(call quiet,version,VERSION)
+$(out)/gen_pub_key.h: $(PEM)
+ $(call quiet,pubkey,PUBKEY )
+
 $(build-utils): $(out)/%:$(build-srcs)
 $(call quiet,c_to_build,BUILDCC) |
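Review bot: The new `$(out)/gen_pub_key.h` rule runs `cmd_pubkey`, which writes through `> $@`, so the header is created before `pem_extract_pubkey.py` runs and a failed extraction leaves an empty or partial file with a fresh timestamp. Unless `.DELETE_ON_ERROR:` is set elsewhere (not visible here), the next make run treats that header as up to date. Writing to a temporary and renaming avoids this: `cmd_pubkey = ./util/pem_extract_pubkey.py $(PEM) > $@.tmp && mv $@.tmp $@`. When PEM is empty the rule also has no prerequisite and the script is invoked without a key path, so an explicit check on `$(PEM)` is worth adding.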