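#
# path to suit-tool
SUIT_TOOL ?= $(RIOTBASE)/dist/tools/suit/suit-manifest-generator/bin/suit-tool

#
# SUIT encryption keys
#
# Specify key(s) to use.
# Will use $(SUIT_KEY_DIR)/$(SUIT_KEY).pem as combined private/public key
# files.
# Multiple keys can be specified, that means that the firmware will accept
# updates signed with either one of those keys.
# If the firmware accepts multiple keys, let the first key be the signing key.
SUIT_KEY ?= default
# $(firstword) is the idiomatic spelling of $(word 1,...); it also ignores
# leading whitespace in a user-supplied SUIT_KEY list.
SUIT_KEY_SIGN ?= $(firstword $(SUIT_KEY))

# Per-user data directory (XDG Base Directory default) used for persistent keys.
XDG_DATA_HOME ?= $(HOME)/.local/share

# In CI builds the key lives next to the build products (BINDIR); otherwise it
# persists in the user's data directory so the same key is reused across
# builds. $(strip) makes the comparison tolerant of stray whitespace.
ifeq (1,$(strip $(RIOT_CI_BUILD)))
  SUIT_KEY_DIR ?= $(BINDIR)
else
  SUIT_KEY_DIR ?= $(XDG_DATA_HOME)/RIOT/keys
endif

# we may accept multiple keys for the firmware
SUIT_SEC ?= $(foreach item,$(SUIT_KEY),$(SUIT_KEY_DIR)/$(item).pem)
# but there can only be one signing key
SUIT_SEC_SIGN ?= $(SUIT_KEY_DIR)/$(SUIT_KEY_SIGN).pem

# generate a list of the public keys: one <key>.pem.pub next to each <key>.pem
SUIT_PUBS ?= $(SUIT_SEC:.pem=.pem.pub)

# Generated C header holding the raw public key(s) the firmware trusts.
# Kept recursive (=) in case BINDIR is assigned after this file is parsed.
SUIT_PUB_HDR = $(BINDIR)/riotbuild/public_key.h
SUIT_PUB_HDR_DIR = $(dir $(SUIT_PUB_HDR))
CFLAGS += -I$(SUIT_PUB_HDR_DIR)
# NOTE(review): presumably BUILDDEPS is built before the objects that include
# the header - confirm against the core build system.
BUILDDEPS += $(SUIT_PUB_HDR)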
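# OpenSSL leaves an empty file if key generation fails - remove it manually
# see https://github.com/openssl/openssl/issues/25440
#
# The key file is written under umask 077 so the private key is never readable
# by other users of the machine. The interactive encryption prompt is skipped
# in CI (RIOT_CI_BUILD set), where an unencrypted key is always generated.
# Both openssl branches ignore openssl's own exit status ("|| :") so the
# cleanup line always runs; that line then fails the recipe explicitly when no
# usable key was written, so make reports the error instead of leaving a
# missing .pem for the %.pem.pub rule to trip over.
$(SUIT_SEC): | $(CLEAN)
	$(Q)echo suit: generating key in $(SUIT_KEY_DIR)
	$(Q)mkdir -p "$(SUIT_KEY_DIR)"
	$(Q)( \
	  umask 077; \
	  printf "0) none\n"; \
	  printf "1) aes-256-cbc\n"; \
	  printf "Choose encryption for key file $@: "; \
	  if [ -z "$(RIOT_CI_BUILD)" ]; then read encryption; else encryption=0; fi; \
	  case $$encryption in \
	    0) \
	      openssl genpkey -algorithm ed25519 -out "$@" || :; \
	      ;; \
	    1) \
	      openssl genpkey -algorithm ed25519 -aes-256-cbc -out "$@" || :; \
	      ;; \
	    *) \
	      echo "Invalid choice" >&2; \
	      exit 1; \
	      ;; \
	  esac; \
	)
	$(Q)if [ ! -s "$@" ]; then \
	  rm -f "$@"; \
	  echo "suit: key generation failed, no key written to $@" >&2; \
	  exit 1; \
	fi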
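# Derive the public half of each key.
# The output is written to a temp file and renamed into place so that a failed
# conversion can never leave a truncated .pem.pub that later looks up to date.
%.pem.pub: %.pem
	$(Q)openssl ec -inform pem -in "$<" -outform pem -pubout -out "$@.tmp" \
	  && mv -f "$@.tmp" "$@" \
	  || { rm -f "$@.tmp"; exit 1; }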
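# Convert public keys to C headers - only last 32 bytes are key material
# (for the Ed25519 keys generated above, the raw key is the trailing 32 bytes
# of the DER-encoded SubjectPublicKeyInfo).
#
# set FORCE so switching between keys using "SUIT_KEY=foo make ..."
# triggers a rebuild even if the new key would otherwise not (because the other
# key's mtime is too far back).
#
# The header is assembled into a temp file first: inside "( ... ) | sponge"
# only the sponge's exit status reaches make, so a failing openssl would have
# silently produced an empty - i.e. all-zero - key entry. Each DER is written
# to a file rather than piped so openssl's exit status is checked, and it must
# hold at least 32 bytes, otherwise C would zero-pad a short initializer.
$(SUIT_PUB_HDR): $(SUIT_PUBS) FORCE | $(CLEAN)
	$(Q)mkdir -p "$(SUIT_PUB_HDR_DIR)"
	$(Q)( \
	  echo "const uint8_t public_key[][32] = {"; \
	  for i in $(SUIT_PUBS); do \
	    openssl ec -inform pem -pubin -in "$$i" -outform der -out "$@.der.tmp" || exit 1; \
	    [ $$(wc -c < "$@.der.tmp") -ge 32 ] \
	      || { echo "suit: unexpected public key size in $$i" >&2; exit 1; }; \
	    echo " {"; \
	    tail -c 32 "$@.der.tmp" | xxd -i; \
	    echo " },"; \
	  done; \
	  echo "};" \
	) > "$@.tmp" || { rm -f "$@.tmp" "$@.der.tmp"; exit 1; }
	$(Q)rm -f "$@.der.tmp"
	$(Q)'$(LAZYSPONGE)' $(LAZYSPONGE_FLAGS) '$@' < "$@.tmp"; rc=$$?; rm -f "$@.tmp"; exit $$rc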
|
2020-02-26 14:48:24 +01:00
|
|
|
|
|
|
|
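# Convenience target: generate the private key(s) without building anything
# else. Declared phony so a stray file named "suit/genkey" cannot mask it.
.PHONY: suit/genkey
suit/genkey: $(SUIT_SEC)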