RIOT/makefiles/suit.base.inc.mk

#
# path to suit-tool
SUIT_TOOL ?= $(RIOTBASE)/dist/tools/suit/suit-manifest-generator/bin/suit-tool

#
# SUIT encryption keys
#

# Specify key to use.
# Will use $(SUIT_KEY_DIR)/$(SUIT_KEY).pem as combined private/public key
# files.
SUIT_KEY ?= default
XDG_DATA_HOME ?= $(HOME)/.local/share

ifeq (1, $(RIOT_CI_BUILD))
  SUIT_KEY_DIR ?= $(BINDIR)
else
  SUIT_KEY_DIR ?= $(XDG_DATA_HOME)/RIOT/keys
endif

# Enable user to encrypt private key with a password
ifneq (,$(SUIT_SEC_PASSWORD))
  SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD)
endif

SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem

SUIT_PUB_HDR = $(BINDIR)/riotbuild/public_key.h
SUIT_PUB_HDR_DIR = $(dir $(SUIT_PUB_HDR))
CFLAGS += -I$(SUIT_PUB_HDR_DIR)
BUILDDEPS += $(SUIT_PUB_HDR)

$(SUIT_SEC): $(CLEAN)
	$(Q)echo suit: generating key in $(SUIT_KEY_DIR)
	$(Q)mkdir -p $(SUIT_KEY_DIR)
	$(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC) $(SUIT_SEC_PASSWORD)

# set FORCE so switching between keys using "SUIT_KEY=foo make ..."
# triggers a rebuild even if the new key would otherwise not (because the other
# key's mtime is too far back).
$(SUIT_PUB_HDR): $(SUIT_SEC) FORCE | $(CLEAN)
	$(Q)mkdir -p $(SUIT_PUB_HDR_DIR)
	$(Q)$(SUIT_TOOL) pubkey $(SUIT_TOOL_ARGS) -f header -k $(SUIT_SEC) \
	  | '$(LAZYSPONGE)' $(LAZYSPONGE_FLAGS) '$@'

suit/genkey: $(SUIT_SEC)
sys/suit: Add SUIT draft ietf-v3 firmware upgrade module Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:48:24 +01:00			`#`
			`# path to suit-tool`
dist/tools/suit: Update suit tooling to IETF-v7 compliance 2020-06-29 15:42:47 +02:00			`SUIT_TOOL ?= $(RIOTBASE)/dist/tools/suit/suit-manifest-generator/bin/suit-tool`
sys/suit: Add SUIT draft ietf-v3 firmware upgrade module Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:48:24 +01:00
			`#`
			`# SUIT encryption keys`
			`#`

			`# Specify key to use.`
			`# Will use $(SUIT_KEY_DIR)/$(SUIT_KEY).pem as combined private/public key`
			`# files.`
			`SUIT_KEY ?= default`
makefiles/suit: place keys in $XDG_DATA_HOME Placing the SUIT key in the RIOT repository folder is dangerous as a repo checkout is by most people considered a volatile location. Since all important files are stored in git, deleting the entire folder or it's contents is not an uncommon cleanup operation. If the user is at that point unaware that SUIT key material is stored in that folder, that key will then be lost. Another workflow may involve multiple checkouts of the RIOT repository to multiple folders to work on several features at the same time, or for easy cross-referencing or splitting of off features from an integration into a feature branch. In that case each checkout would use it's own incompatible SUIT key. To avoid all these pitfalls, place the SUIT keys outside the RIOT repository in the $XDG_DATA_HOME directory. 2022-06-02 00:02:26 +02:00			`XDG_DATA_HOME ?= $(HOME)/.local/share`
sys/suit: Add SUIT draft ietf-v3 firmware upgrade module Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:48:24 +01:00
			`ifeq (1, $(RIOT_CI_BUILD))`
			`SUIT_KEY_DIR ?= $(BINDIR)`
			`else`
makefiles/suit: place keys in $XDG_DATA_HOME Placing the SUIT key in the RIOT repository folder is dangerous as a repo checkout is by most people considered a volatile location. Since all important files are stored in git, deleting the entire folder or it's contents is not an uncommon cleanup operation. If the user is at that point unaware that SUIT key material is stored in that folder, that key will then be lost. Another workflow may involve multiple checkouts of the RIOT repository to multiple folders to work on several features at the same time, or for easy cross-referencing or splitting of off features from an integration into a feature branch. In that case each checkout would use it's own incompatible SUIT key. To avoid all these pitfalls, place the SUIT keys outside the RIOT repository in the $XDG_DATA_HOME directory. 2022-06-02 00:02:26 +02:00			`SUIT_KEY_DIR ?= $(XDG_DATA_HOME)/RIOT/keys`
sys/suit: Add SUIT draft ietf-v3 firmware upgrade module Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:48:24 +01:00			`endif`

makefiles/suit: generate password-protected key file 2022-05-24 01:13:02 +02:00			`# Enable user to encrypt private key with a password`
			`ifneq (,$(SUIT_SEC_PASSWORD))`
			`SUIT_TOOL_ARGS += -p $(SUIT_SEC_PASSWORD)`
			`endif`

sys/suit: Add SUIT draft ietf-v3 firmware upgrade module Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:48:24 +01:00			`SUIT_SEC ?= $(SUIT_KEY_DIR)/$(SUIT_KEY).pem`

			`SUIT_PUB_HDR = $(BINDIR)/riotbuild/public_key.h`
			`SUIT_PUB_HDR_DIR = $(dir $(SUIT_PUB_HDR))`
			`CFLAGS += -I$(SUIT_PUB_HDR_DIR)`
			`BUILDDEPS += $(SUIT_PUB_HDR)`

			`$(SUIT_SEC): $(CLEAN)`
makefiles/suit*: use $(Q) to silence output 2021-08-16 11:23:50 +02:00			`$(Q)echo suit: generating key in $(SUIT_KEY_DIR)`
			`$(Q)mkdir -p $(SUIT_KEY_DIR)`
makefiles/suit: generate password-protected key file 2022-05-24 01:13:02 +02:00			`$(Q)$(RIOTBASE)/dist/tools/suit/gen_key.py $(SUIT_SEC) $(SUIT_SEC_PASSWORD)`
sys/suit: Add SUIT draft ietf-v3 firmware upgrade module Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:48:24 +01:00
			`# set FORCE so switching between keys using "SUIT_KEY=foo make ..."`
			`# triggers a rebuild even if the new key would otherwise not (because the other`
			`# key's mtime is too far back).`
			`$(SUIT_PUB_HDR): $(SUIT_SEC) FORCE \| $(CLEAN)`
makefiles/suit*: use $(Q) to silence output 2021-08-16 11:23:50 +02:00			`$(Q)mkdir -p $(SUIT_PUB_HDR_DIR)`
makefiles/suit: generate password-protected key file 2022-05-24 01:13:02 +02:00			`$(Q)$(SUIT_TOOL) pubkey $(SUIT_TOOL_ARGS) -f header -k $(SUIT_SEC) \`
sys/suit: Add SUIT draft ietf-v3 firmware upgrade module Co-authored-by: Kaspar Schleiser <kaspar@schleiser.de> 2020-02-26 14:48:24 +01:00			`\| '$(LAZYSPONGE)' $(LAZYSPONGE_FLAGS) '$@'`

			`suit/genkey: $(SUIT_SEC)`