phosphor-image-signing: Add SIGNING_PUBLIC_KEY
Add SIGNING_PUBLIC_KEY so that it installs the public key to the BMC
image.
If it's defined, the user shall not define SIGNING_KEY.
Tested:
* Do not define SIGNING_KEY or SIGNING_PUBLIC_KEY, the build is the same
as before;
* Define SIGNING_PUBLIC_KEY and do not define SIGNING_KEY, the build
installs the SIGNING_PUBLIC_KEY into the BMC image;
* Define SIGNING_KEY and do not define SIGNING_PUBLIC_KEY, the build
installs the public key from SIGNING_KEY;
* Define both SIGNING_PUBLIC_KEY and SIGNING_KEY, the build fails with
the error message below:
```
Both SIGNING_KEY and SIGNING_PUBLIC_KEY are defined, expecting only one
```
Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: I3f345cc90b82f8964c2b498e8d9616cb20cd65cd
diff --git a/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb b/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb
index cfacfbe..09080bc 100644
--- a/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb
+++ b/meta-phosphor/recipes-phosphor/flash/phosphor-image-signing.bb
@@ -6,6 +6,8 @@
DEPENDS += "${@oe.utils.conditional('INSECURE_KEY', 'True', 'phosphor-insecure-signing-key-native', '', d)}"
PR = "r1"
+SIGNING_PUBLIC_KEY ?= ""
+SIGNING_PUBLIC_KEY_TYPE = "${@os.path.splitext(os.path.basename('${SIGNING_PUBLIC_KEY}'))[0]}"
SIGNING_KEY ?= "${STAGING_DIR_NATIVE}${datadir}/OpenBMC.priv"
SIGNING_KEY_TYPE = "${@os.path.splitext(os.path.basename('${SIGNING_KEY}'))[0]}"
SYSROOT_DIRS:append = " ${sysconfdir}"
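Review bot: `SIGNING_PUBLIC_KEY_TYPE` takes the file name stem of `SIGNING_PUBLIC_KEY` as the key type, and nothing in the recipe documents that coupling. The second hunk uses it as the `activationdata/<type>` directory name, so it presumably has to agree with the key type recorded when the image is signed, which happens outside the lines visible here. A comment above the assignment would help, for example `# Path to the public key file; its file name without extension becomes the activationdata/<type> directory.`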
@@ -13,9 +15,26 @@
inherit allarch
do_install() {
- openssl pkey -in "${SIGNING_KEY}" -pubout -out ${WORKDIR}/publickey
+ signing_key="${SIGNING_KEY}"
+ if [ "${INSECURE_KEY}" == "True" ] && [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+ echo "Using SIGNING_PUBLIC_KEY"
+ signing_key=""
+ fi
+ if [ -n "${signing_key}" ] && [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+ echo "Both SIGNING_KEY and SIGNING_PUBLIC_KEY are defined, expecting only one"
+ exit 1
+ fi
+ if [ -n "${signing_key}" ]; then
+ openssl pkey -in "${signing_key}" -pubout -out ${WORKDIR}/publickey
+ idir="${D}${sysconfdir}/activationdata/${SIGNING_KEY_TYPE}"
+ elif [ -n "${SIGNING_PUBLIC_KEY}" ]; then
+ cp "${SIGNING_PUBLIC_KEY}" ${WORKDIR}/publickey
+ idir="${D}${sysconfdir}/activationdata/${SIGNING_PUBLIC_KEY_TYPE}"
+ else
+ echo "No SIGNING_KEY or SIGNING_PUBLIC_KEY defined, expecting one"
+ exit 1
+ fi
echo HashType=RSA-SHA256 > "${WORKDIR}/hashfunc"
- idir="${D}${sysconfdir}/activationdata/${SIGNING_KEY_TYPE}"
install -d ${idir}
install -m 644 ${WORKDIR}/publickey ${idir}
install -m 644 ${WORKDIR}/hashfunc ${idir}
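Review bot: The `cp "${SIGNING_PUBLIC_KEY}" ${WORKDIR}/publickey` branch installs whatever file the variable names without checking that it is a public key, so a path that mistakenly points at a private key would be shipped in the image under `activationdata` with mode 644. Passing it through OpenSSL instead, `openssl pkey -pubin -in "${SIGNING_PUBLIC_KEY}" -pubout -out ${WORKDIR}/publickey`, ensures that only public-key material is written and that a file which is not a key at all fails the task, matching the SIGNING_KEY branch. Separately, the first test uses `==` inside `[ ]`, which is not POSIX; if the task runs under a shell such as dash the comparison errors out, the override is skipped, and the build likely ends in the "Both SIGNING_KEY and SIGNING_PUBLIC_KEY are defined" failure, so `[ "${INSECURE_KEY}" = "True" ]` is safer. The closing brace of do_install is outside the hunk.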