From 5d264e369565b38ca3ac4be8dac7a40912ebff8e Mon Sep 17 00:00:00 2001 From: Jianhui Zhao Date: Wed, 17 May 2023 15:10:40 +0800 Subject: [PATCH 8/9] image: secure boot and anti rollback support Signed-off-by: Jianhui Zhao --- include/image-commands.mk | 7 +++--- include/image.mk | 48 ++++++++++++++++++++++++++++----------- 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/include/image-commands.mk b/include/image-commands.mk index 4d54a14ba4..8d77d5dc80 100644 --- a/include/image-commands.mk +++ b/include/image-commands.mk @@ -87,7 +87,7 @@ define Build/append-ubi $(if $(UBOOTENV_IN_UBI),--uboot-env) \ $(if $(KERNEL_IN_UBI),--kernel $(IMAGE_KERNEL)) \ $(foreach part,$(UBINIZE_PARTS),--part $(part)) \ - $(IMAGE_ROOTFS) \ + $(call param_get_default,rootfs,$(1),$(IMAGE_ROOTFS)) \ $@.tmp \ -p $(BLOCKSIZE:%k=%KiB) -m $(PAGESIZE) \ $(if $(SUBPAGESIZE),-s $(SUBPAGESIZE)) \ @@ -202,8 +202,9 @@ define Build/fit $(if $(word 2,$(1)),-d $(word 2,$(1))) -C $(word 1,$(1)) \ -a $(KERNEL_LOADADDR) -e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \ $(if $(DEVICE_FDT_NUM),-n $(DEVICE_FDT_NUM)) \ - -c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config@1") \ - -A $(LINUX_KARCH) -v $(LINUX_VERSION) + -c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config-1") \ + -A $(LINUX_KARCH) -v $(LINUX_VERSION) \ + $(if $(CONFIG_TARGET_ROOTFS_SQUASHFS),-R $(ROOTFS/squashfs/$(DEVICE_NAME))) PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage -f $@.its $@.new @mv $@.new $@ endef diff --git a/include/image.mk b/include/image.mk index b6e8ab3c84..92d343c6b7 100644 --- a/include/image.mk +++ b/include/image.mk 
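Review bot: The new `-R` argument in Build/fit is guarded by `CONFIG_TARGET_ROOTFS_SQUASHFS`, but `ROOTFS/squashfs/<device>` is only assigned for devices whose `FILESYSTEMS` includes squashfs (see the per-device-fs and Device/Build/kernel hunks in include/image.mk), so any other device in a squashfs-enabled config gets a bare `-R` with no operand. Guard on the value instead: `$(if $(ROOTFS/squashfs/$(DEVICE_NAME)),-R $(ROOTFS/squashfs/$(DEVICE_NAME)))`. Only `$(KDIR_KERNEL_IMAGE)` gains the squashfs prerequisite in this patch, so if Build/fit is also used from other recipes, the file may not exist yet when it is read; that is worth checking. Separately, the default configuration name changes from `config@1` to `config-1` for every Build/fit user without `DEVICE_DTS_CONFIG`; a comment giving the reason would help, as would a check of boards whose boot command selects the configuration by name. The define itself starts outside this hunk.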
@@ -227,8 +227,7 @@ $(eval $(foreach S,$(NAND_BLOCKSIZE),$(call Image/mkfs/jffs2-nand/template,$(S)) define Image/mkfs/squashfs-common $(STAGING_DIR_HOST)/bin/mksquashfs4 $(call mkfs_target_dir,$(1)) $@ \ -nopad -noappend -root-owned \ - -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) \ - -processors 1 + -comp $(SQUASHFSCOMP) $(SQUASHFSOPT) endef ifeq ($(CONFIG_TARGET_ROOTFS_SECURITY_LABELS),y) @@ -441,6 +440,9 @@ else DEVICE_CHECK_PROFILE = $(CONFIG_TARGET_$(if $(CONFIG_TARGET_MULTI_PROFILE),DEVICE_)$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_$(1)) endif +DEVICE_CHECK_FIT_KEY = $(if $(wildcard $(FIT_KEY_DIR)/$(FIT_KEY_NAME).key),install-images,install-disabled) +DEVICE_CHECK_FIT_DIR = $(if $(FIT_KEY_DIR),$(DEVICE_CHECK_FIT_KEY),install-images) + DEVICE_EXTRA_PACKAGES = $(call qstrip,$(CONFIG_TARGET_DEVICE_PACKAGES_$(call target_conf,$(BOARD)$(if $(SUBTARGET),_$(SUBTARGET)))_DEVICE_$(1))) define merge_packages @@ -463,7 +465,7 @@ endef define Device/Check $(Device/Check/Common) KDIR_KERNEL_IMAGE := $(KDIR)/$(1)$$(KERNEL_SUFFIX) - _TARGET := $$(if $$(_PROFILE_SET),install-images,install-disabled) + _TARGET := $$(if $$(_PROFILE_SET),$$(DEVICE_CHECK_FIT_DIR),install-disabled) ifndef IB _COMPILE_TARGET := $$(if $(CONFIG_IB)$$(_PROFILE_SET),compile,compile-disabled) endif @@ -525,6 +527,21 @@ define Device/Build/compile endef +define Device/Build/per-device-fs + ROOTFS/$(1)/$(3) := \ + $(KDIR)/root.$(1)$$(strip \ + $$(if $$(FS_OPTIONS/$(1)),+fs=$$(call param_mangle,$$(FS_OPTIONS/$(1)))) \ + )$$(strip \ + $(if $(TARGET_PER_DEVICE_ROOTFS),+pkg=$$(ROOTFS_ID/$(3))) \ + ) + ifndef IB + $$(ROOTFS/$(1)/$(3)): $(if $(TARGET_PER_DEVICE_ROOTFS),target-dir-$$(ROOTFS_ID/$(3))) + endif + + $$(KDIR_KERNEL_IMAGE): $$(ROOTFS/$(1)/$(3)) + +endef + ifndef IB define Device/Build/dtb ifndef BUILD_DTS_$(1) 
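Review bot: Dropping `-processors 1` from Image/mkfs/squashfs-common is not mentioned in the commit message and does not look like part of secure boot or anti-rollback. If the flag was there to keep mksquashfs output deterministic, removing it affects the reproducibility of the rootfs that Build/fit now references with `-R`. Either keep the line or move the removal to its own commit with the reason stated.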
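Review bot: `DEVICE_CHECK_FIT_DIR` fails open and `DEVICE_CHECK_FIT_KEY` fails silently: with `FIT_KEY_DIR` unset every device still resolves to `install-images`, and with it set but `$(FIT_KEY_DIR)/$(FIT_KEY_NAME).key` missing the device is quietly switched to `install-disabled` (consumed by `_TARGET` in the Device/Check hunk below). Neither case shows up in the build log, so a mistyped key path gives a build that succeeds with no image, and an unset variable presumably gives unsigned images. A diagnostic in the missing-key branch would make this visible, e.g. `DEVICE_CHECK_FIT_KEY = $(if $(wildcard $(FIT_KEY_DIR)/$(FIT_KEY_NAME).key),install-images,$(warning FIT key not found in $(FIT_KEY_DIR); image disabled)install-disabled)`. A comment above the two variables should also say where `FIT_KEY_DIR` and `FIT_KEY_NAME` are defined, since this patch does not show it.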
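Review bot: `Device/Build/per-device-fs` makes `$(KDIR_KERNEL_IMAGE)` depend on every enabled root filesystem, not only the squashfs one that Build/fit passes with `-R`, so a change to any rootfs forces the kernel image to be regenerated. The Device/Build/kernel hunk (@@ -555) then repeats the same `ROOTFS/squashfs/$(1)` assignment and prerequisite. Keep one of the two: drop the `$$(KDIR_KERNEL_IMAGE): $$(ROOTFS/$(1)/$(3))` line here, or drop the block in Device/Build/kernel. The template is also expanded once per entry in `IMAGES` although `$(2)` is never used, so iterating over filesystems alone would be enough. A header comment naming the three parameters (filesystem, image, device) would make the call in Device/Build easier to follow.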
@@ -555,6 +572,16 @@ define Device/Build/kernel ifdef CONFIG_IB install: $$(KDIR_KERNEL_IMAGE) endif + ifneq ($$(filter squashfs,$(2)),) + # Force squashfs to be built before generating kernel image + ROOTFS/squashfs/$(1) := \ + $(KDIR)/root.squashfs$$(strip \ + $$(if $$(FS_OPTIONS/squashfs),+fs=$$(call param_mangle,$$(FS_OPTIONS/squashfs))) \ + )$$(strip \ + $(if $(TARGET_PER_DEVICE_ROOTFS),+pkg=$$(ROOTFS_ID/$(1))) \ + ) + $$(KDIR_KERNEL_IMAGE): $$(ROOTFS/squashfs/$(1)) + endif $$(KDIR_KERNEL_IMAGE): $(KDIR)/$$(KERNEL_NAME) $(CURDIR)/Makefile $$(KERNEL_DEPENDS) image_prepare @rm -f $$@ $$(call concat_cmd,$$(KERNEL)) @@ -569,15 +596,6 @@ define Device/Build/image $(BIN_DIR)/$(call IMAGE_NAME,$(1),$(2))$$(GZ_SUFFIX)) $(eval $(call Device/Export,$(KDIR)/tmp/$(call IMAGE_NAME,$(1),$(2)),$(1))) - ROOTFS/$(1)/$(3) := \ - $(KDIR)/root.$(1)$$(strip \ - $$(if $$(FS_OPTIONS/$(1)),+fs=$$(call param_mangle,$$(FS_OPTIONS/$(1)))) \ - )$$(strip \ - $(if $(TARGET_PER_DEVICE_ROOTFS),+pkg=$$(ROOTFS_ID/$(3))) \ - ) - ifndef IB - $$(ROOTFS/$(1)/$(3)): $(if $(TARGET_PER_DEVICE_ROOTFS),target-dir-$$(ROOTFS_ID/$(3))) - endif $(KDIR)/tmp/$(call IMAGE_NAME,$(1),$(2)): $$(KDIR_KERNEL_IMAGE) $$(ROOTFS/$(1)/$(3)) @rm -f $$@ [ -f $$(word 1,$$^) -a -f $$(word 2,$$^) ] @@ -638,8 +656,12 @@ define Device/Build/artifact endef define Device/Build + $$(eval $$(foreach image,$$(IMAGES), \ + $$(foreach fs,$$(filter $(TARGET_FILESYSTEMS),$$(FILESYSTEMS)), \ + $$(call Device/Build/per-device-fs,$$(fs),$$(image),$(1))))) + $(if $(CONFIG_TARGET_ROOTFS_INITRAMFS),$(call Device/Build/initramfs,$(1))) - $(call Device/Build/kernel,$(1)) + $(call Device/Build/kernel,$(1),$$(filter $(TARGET_FILESYSTEMS),$$(FILESYSTEMS))) $$(eval $$(foreach compile,$$(COMPILE), \ $$(call Device/Build/compile,$$(compile),$(1)))) -- 2.34.1