scottk/wlan-ap
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-ap.git synced 2025-11-03 20:07:59 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
fbf236413b80cd46645c9fded0c46d10f1c15ec7
wlan-ap/patches/0078-secure-boot-sha256.patch
steven.lin e6f20ce347 mediatek: Add SENAO JEAP6500 
Specifications:
SoC: MediaTek MT7981BA
RF Chipset: MT7976DA @2.4GHz 2T2R
MT7976DA @5ghz 2T2R
RAM: 512MB DDR4 RAM
Flash: SPI-NAND 256 MiB
Ethernet: 2 x 1GbE PHY
Reset Button
Power Source: DC IN 12v, Standard PoE 802.3af/at
LED Indicator: 1 x single color LED (GPIO Control)

Fixes: WIFI-14312
Signed-off-by: steven.lin <steven.lin@senao.com>
2024-12-10 09:48:13 +01:00

116 lines
3.2 KiB
Diff
Raw Blame History

From 95dfd6ea3a2c06a81a4513fe943d640d4d990194 Mon Sep 17 00:00:00 2001
From: "steven.lin" <steven.lin@senao.com>
Date: Mon, 11 Nov 2024 09:28:18 +0800
Subject: [PATCH] secure boot support sha256
---
scripts/mkits-secure_boot.sh | 37 ++++++++++++++++++++++++++++++++----
1 file changed, 33 insertions(+), 4 deletions(-)
diff --git a/scripts/mkits-secure_boot.sh b/scripts/mkits-secure_boot.sh
index 1c7f292618..0a09792971 100755
--- a/scripts/mkits-secure_boot.sh
+++ b/scripts/mkits-secure_boot.sh
@@ -17,7 +17,7 @@
usage() {
printf "Usage: %s -A arch -C comp -a addr -e entry" "$(basename "$0")"
printf " -v version -k kernel [-D name -n address -d dtb] -o its_file"
- printf " [-s script] [-S key_name_hint] [-r ar_ver] [-R rootfs]"
+ printf " [-s script] [-S key_name_hint] [-b key_alg] [-r ar_ver] [-R rootfs] [-m rfsk]"
printf "\n\t-A ==> set architecture to 'arch'"
printf "\n\t-C ==> set compression type 'comp'"
@@ -32,18 +32,21 @@ usage() {
printf "\n\t-o ==> create output file 'its_file'"
printf "\n\t-s ==> include u-boot script 'script'"
printf "\n\t-S ==> add signature at configurations and assign its key_name_hint by 'key_name_hint'"
+ printf "\n\t-b ==> set key algorithm"
printf "\n\t-r ==> set anti-rollback version to 'fw_ar_ver' (dec)"
- printf "\n\t-R ==> specify rootfs file for embedding hash\n"
+ printf "\n\t-R ==> specify rootfs file for embedding hash"
+ printf "\n\t-m ==> include encrypted rootfs key'\n"
exit 1
}
FDTNUM=1
-while getopts ":A:a:c:C:D:d:e:k:n:o:v:s:S:r:R:" OPTION
+while getopts ":A:a:b:c:C:D:d:e:k:n:o:v:s:S:r:R:m:" OPTION
do
case $OPTION in
A ) ARCH=$OPTARG;;
a ) LOAD_ADDR=$OPTARG;;
+ b ) KEY_ALG=$OPTARG;;
c ) CONFIG=$OPTARG;;
C ) COMPRESS=$OPTARG;;
D ) DEVICE=$OPTARG;;
@@ -57,6 +60,7 @@ do
S ) KEY_NAME_HINT=$OPTARG;;
r ) AR_VER=$OPTARG;;
R ) ROOTFS_FILE=$OPTARG;;
+ m ) ROOTFS_KEY=$OPTARG;;
* ) echo "Invalid option passed to '$0' (options:$*)"
usage;;
esac
@@ -91,6 +95,19 @@ if [ -n "${DTB}" ]; then
FDT_PROP="fdt = \"fdt-$FDTNUM\";"
fi
+# Conditionally create encrypted rootfs-key information
+if [ -n "${ROOTFS_KEY}" ]; then
+ RFSK_NODE="
+ rfsk = <$(cat ${ROOTFS_KEY} | od -An -t x1 -w256 | sed 's/ //g; s/.\{8\}/0x& /g; s/.$//g')>;";
+
+ FIT_SECRET_NODE="
+ fit-secrets {
+ ${CONFIG} {
+ };
+ };
+"
+fi
+
# Conditionally create rootfs hash information
if [ -f "${ROOTFS_FILE}" ]; then
ROOTFS_SIZE=$(stat -c %s ${ROOTFS_FILE})
@@ -149,11 +166,20 @@ fi
# Conditionally create signature information
if [ -n "${KEY_NAME_HINT}" ]; then
+ if [[ "${KEY_NAME_HINT}" == "offline,"* ]]; then
+ KEY_NAME_HINT=$(echo -n "${KEY_NAME_HINT}" | sed "s/^.*[,]//g")
+ SIGN_OFFLINE="
+ sign-offline = <1>;"
+ fi
+ if [ -z "${KEY_ALG}" ]; then
+ KEY_ALG="sha256,rsa2048"
+ fi
SIGNATURE="\
signature {
- algo = \"sha1,rsa2048\";
+ algo = \"${KEY_ALG}\";
key-name-hint = \"${KEY_NAME_HINT}\";
${SIGN_IMAGES}
+${SIGN_OFFLINE}
};\
"
fi
@@ -200,12 +226,15 @@ ${ROOTFS}
${CONFIG} {
description = \"OpenWrt\";
${FW_AR_VER}
+${RFSK_NODE}
${LOADABLES}
kernel = \"kernel-1\";
${FDT_PROP}
${SIGNATURE}
};
};
+
+${FIT_SECRET_NODE}
};"
# Write .its file to disk
--
2.43.2
Reference in New Issue View Git Blame Copy Permalink