Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-26 23:04:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: make TF-A use provided OpenSSL binary

Browse source 
Currently Tf-A uses whatever openssl binary is on the system to sign
images. However if OPENSSL_DIR is specified in the build flags this can
lead to linking issues as the system binary can end up being linked
against shared libraries provided in OPENSSL_DIR/lib if both binaries
(the system's and the on in OPENSSL_DIR/bin) are the same version.
This patch ensures that the binary used is always the one given by
OPENSSL_DIR to avoid those link issues.

Signed-off-by: Salome Thirot <salome.thirot@arm.com>
Change-Id: Ib534e06ebc8482e4391e376d3791a87968de4a99
This commit is contained in:
Salome Thirot 2022-07-14 16:14:15 +01:00
parent 17e76b5eb7
commit e95abc4c01
13 changed files with 42 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
make_helpers/defaults.mk
View file

@ -415,6 +415,13 @@ COT_DESC_IN_DTB := 0
# Build option to provide openssl directory path # Build option to provide openssl directory path
OPENSSL_DIR := /usr OPENSSL_DIR := /usr
# Select the openssl binary provided in OPENSSL_DIR variable
ifeq ("$(wildcard ${OPENSSL_DIR}/bin)", "")
OPENSSL_BIN_PATH = ${OPENSSL_DIR}/apps
else
OPENSSL_BIN_PATH = ${OPENSSL_DIR}/bin
endif
# Build option to use the SP804 timer instead of the generic one # Build option to use the SP804 timer instead of the generic one
USE_SP804_TIMER := 0 USE_SP804_TIMER := 0

4
plat/arm/board/common/board_common.mk
View file

@ -53,8 +53,8 @@ $(ARM_ROTPK_HASH) : $(HASH_PREREQUISITES)
ifndef ROT_KEY ifndef ROT_KEY
$(error Cannot generate hash: no ROT_KEY defined) $(error Cannot generate hash: no ROT_KEY defined)
endif endif
openssl ${CRYPTO_ALG} -in $< -pubout -outform DER | openssl dgst \ ${OPENSSL_BIN_PATH}/openssl ${CRYPTO_ALG} -in $< -pubout -outform DER | \
-sha256 -binary > $@ ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@
# Certificate NV-Counters. Use values corresponding to tied off values in # Certificate NV-Counters. Use values corresponding to tied off values in
# ARM development platforms # ARM development platforms

6
plat/hisilicon/hikey/platform.mk
View file

@ -154,12 +154,12 @@ $(BUILD_PLAT)/bl2/hikey_rotpk.o: $(ROTPK_HASH)
certificates: $(ROT_KEY) certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl genrsa 2048 > $@ 2>/dev/null $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif
# Enable workarounds for selected Cortex-A53 errata. # Enable workarounds for selected Cortex-A53 errata.

6
plat/hisilicon/hikey960/platform.mk
View file

@ -146,12 +146,12 @@ $(BUILD_PLAT)/bl2/hikey960_rotpk.o: $(ROTPK_HASH)
certificates: $(ROT_KEY) certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl genrsa 2048 > $@ 2>/dev/null $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif
# Enable workarounds for selected Cortex-A53 errata. # Enable workarounds for selected Cortex-A53 errata.

8
plat/imx/imx7/common/imx7.mk
View file

@ -1,5 +1,5 @@
# #
# Copyright (c) 2018-2020, ARM Limited and Contributors. All rights reserved. # Copyright (c) 2018-2022, ARM Limited and Contributors. All rights reserved.
# #
# SPDX-License-Identifier: BSD-3-Clause # SPDX-License-Identifier: BSD-3-Clause
# #
@ -80,13 +80,13 @@ certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \ @if [ ! -f $(ROT_KEY) ]; then \
openssl genrsa 2048 > $@ 2>/dev/null; \ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi fi
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif
# Add the build options to pack BLx images and kernel device tree # Add the build options to pack BLx images and kernel device tree

6
plat/imx/imx8m/imx8mm/platform.mk
View file

@ -132,13 +132,13 @@ certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \ @if [ ! -f $(ROT_KEY) ]; then \
openssl genrsa 2048 > $@ 2>/dev/null; \ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi fi
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif
USE_COHERENT_MEM := 1 USE_COHERENT_MEM := 1

6
plat/imx/imx8m/imx8mp/platform.mk
View file

@ -129,13 +129,13 @@ certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \ @if [ ! -f $(ROT_KEY) ]; then \
openssl genrsa 2048 > $@ 2>/dev/null; \ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi fi
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif
USE_COHERENT_MEM := 1 USE_COHERENT_MEM := 1

4
plat/marvell/armada/a3k/common/a3700_common.mk
View file

@ -205,12 +205,12 @@ ifeq ($(MARVELL_SECURE_BOOT),1)
@$(ECHO_BLANK_LINE) @$(ECHO_BLANK_LINE)
$(Q)cp $(BUILD_PLAT)/wtmi.bin $(BUILD_PLAT)/wtmi-align.bin $(Q)cp $(BUILD_PLAT)/wtmi.bin $(BUILD_PLAT)/wtmi-align.bin
$(Q)truncate -s %16 $(BUILD_PLAT)/wtmi-align.bin $(Q)truncate -s %16 $(BUILD_PLAT)/wtmi-align.bin
$(Q)openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/wtmi-align.bin \ $(Q)${OPENSSL_BIN_PATH}/openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/wtmi-align.bin \
-out $(BUILD_PLAT)/$(WTMI_ENC_IMG) \ -out $(BUILD_PLAT)/$(WTMI_ENC_IMG) \
-K `cat $(IMAGESPATH)/aes-256.txt` -nosalt \ -K `cat $(IMAGESPATH)/aes-256.txt` -nosalt \
-iv `cat $(IMAGESPATH)/iv.txt` -p -iv `cat $(IMAGESPATH)/iv.txt` -p
$(Q)truncate -s %16 $(BUILD_PLAT)/$(BOOT_IMAGE); $(Q)truncate -s %16 $(BUILD_PLAT)/$(BOOT_IMAGE);
$(Q)openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/$(BOOT_IMAGE) \ $(Q)${OPENSSL_BIN_PATH}/openssl enc -aes-256-cbc -e -in $(BUILD_PLAT)/$(BOOT_IMAGE) \
-out $(BUILD_PLAT)/$(BOOT_ENC_IMAGE) \ -out $(BUILD_PLAT)/$(BOOT_ENC_IMAGE) \
-K `cat $(IMAGESPATH)/aes-256.txt` -nosalt \ -K `cat $(IMAGESPATH)/aes-256.txt` -nosalt \
-iv `cat $(IMAGESPATH)/iv.txt` -p -iv `cat $(IMAGESPATH)/iv.txt` -p

6
plat/nxp/common/tbbr/tbbr.mk
View file

@ -133,13 +133,13 @@ else
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
@if [ ! -f $(ROT_KEY) ]; then \ @if [ ! -f $(ROT_KEY) ]; then \
openssl genrsa 2048 > $@ 2>/dev/null; \ ${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null; \
fi fi
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif #MBEDTLS_DIR endif #MBEDTLS_DIR

6
plat/qemu/qemu/platform.mk
View file

@ -88,12 +88,12 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl genrsa 2048 > $@ 2>/dev/null $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif
# Include Measured Boot makefile before any Crypto library makefile. # Include Measured Boot makefile before any Crypto library makefile.

6
plat/rpi/rpi3/platform.mk
View file

@ -212,10 +212,10 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl genrsa 2048 > $@ 2>/dev/null $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif

6
plat/socionext/synquacer/platform.mk
View file

@ -73,12 +73,12 @@ $(BUILD_PLAT)/bl2/sq_rotpk.o: $(ROTPK_HASH)
certificates: $(ROT_KEY) certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl genrsa 2048 > $@ 2>/dev/null $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif # TRUSTED_BOARD_BOOT endif # TRUSTED_BOARD_BOOT
endif endif

6
plat/socionext/uniphier/platform.mk
View file

@ -107,12 +107,12 @@ $(BUILD_PLAT)/bl2/uniphier_rotpk.o: $(ROTPK_HASH)
certificates: $(ROT_KEY) certificates: $(ROT_KEY)
$(ROT_KEY): | $(BUILD_PLAT) $(ROT_KEY): | $(BUILD_PLAT)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl genrsa 2048 > $@ 2>/dev/null $(Q)${OPENSSL_BIN_PATH}/openssl genrsa 2048 > $@ 2>/dev/null
$(ROTPK_HASH): $(ROT_KEY) $(ROTPK_HASH): $(ROT_KEY)
@echo " OPENSSL $@" @echo " OPENSSL $@"
$(Q)openssl rsa -in $< -pubout -outform DER 2>/dev/null |\ $(Q)${OPENSSL_BIN_PATH}/openssl rsa -in $< -pubout -outform DER 2>/dev/null |\
openssl dgst -sha256 -binary > $@ 2>/dev/null ${OPENSSL_BIN_PATH}/openssl dgst -sha256 -binary > $@ 2>/dev/null
endif endif