From d37d5515f5b2d31b2875365dd724dd504e136a83 Mon Sep 17 00:00:00 2001 From: Patrick Vogelaar Date: Tue, 9 Jan 2024 15:56:28 +0100 Subject: [PATCH 1/7] feat: set default time for initial startup * all creation dates of the files are set to the 01.01. of the current year * the file /usr/lib/clock-epoch is created. It is used by timedatectl to get the initial time and date (creation time of file). * a sanity check was added to check if the hardcoded timestamp is outdated --- .../classes/coreos-sanity.bbclass | 17 ++++++++++++++--- .../conf/distro/belden-coreos.conf | 5 +++++ .../recipes-core/systemd/systemd_%.bbappend | 10 ++++++++++ 3 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend diff --git a/layers/meta-belden-coreos/classes/coreos-sanity.bbclass b/layers/meta-belden-coreos/classes/coreos-sanity.bbclass index 5c56e3c..44dcf15 100644 --- a/layers/meta-belden-coreos/classes/coreos-sanity.bbclass +++ b/layers/meta-belden-coreos/classes/coreos-sanity.bbclass @@ -13,6 +13,8 @@ addhandler check_coreos_sanity_eventhandler check_coreos_sanity_eventhandler[eventmask] = "bb.event.SanityCheck" python check_coreos_sanity_eventhandler() { + import datetime + # Checks related to the distribution configuration files # ========================================================================== 
@@ -29,13 +31,22 @@ python check_coreos_sanity_eventhandler() { "systemd is not set as `INIT_MANAGER`. " "Using SystemD is mandatory on CoreOS based distribution" ) - + if e.data.getVar("TCLIBC") != "glibc": bb.fatal( "glibc is not set as `TCLIBC`. " "Using glibc is mandatory on CoreOS based distribution" ) - + + # Check if the timestamp for REPRODUCIBLE_TIMESTAMP_ROOTFS is still up to date + first_of_year = datetime.datetime(datetime.date.today().year, 1, 1, tzinfo=datetime.timezone.utc) + foy_ts = str(int(first_of_year.timestamp())) + if e.data.getVar("REPRODUCIBLE_TIMESTAMP_ROOTFS") != foy_ts: + bb.warn( + "`REPRODUCIBLE_TIMESTAMP_ROOTFS` outdated!" + "Set to current 01. january of the year." + ) + # Checks related to the machine configuration files # ========================================================================== @@ -47,7 +58,7 @@ python check_coreos_sanity_eventhandler() { "CoreOS recommands to use compressed wic image, please add " "`wic.xz` to your machine `IMAGE_FSTYPES` variables" ) - + if not "wic.bmap": bb.warn( "wic image should be flashed with bmaptools, but this require " diff --git a/layers/meta-belden-coreos/conf/distro/belden-coreos.conf b/layers/meta-belden-coreos/conf/distro/belden-coreos.conf index 4eec78e..015caa3 100644 --- a/layers/meta-belden-coreos/conf/distro/belden-coreos.conf +++ b/layers/meta-belden-coreos/conf/distro/belden-coreos.conf @@ -7,3 +7,8 @@ MAINTAINER = "Belden CoreOS Team" DISTRO_VERSION = "0.0.1" DISTRO_CODENAME = "kirkstone" + +# This TS represents 01.01.2024 generating it dynamically would cause a lot of +# things to get re-build, we need a good solution for this or change it every +# year +REPRODUCIBLE_TIMESTAMP_ROOTFS = "1704067200" \ No newline at end of file diff --git a/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend b/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 0000000..18d1afc --- /dev/null 
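Review bot: The two string literals handed to `bb.warn` in the new `REPRODUCIBLE_TIMESTAMP_ROOTFS` check are adjacent with no separator, so the message renders as `outdated!Set to current 01. january of the year.`; end the first literal with a space, `"\`REPRODUCIBLE_TIMESTAMP_ROOTFS\` outdated! "`. The reference year is taken from `datetime.date.today()` (local date) while `first_of_year` is built in UTC, so for up to a day around New Year in a non-UTC zone the check compares against the wrong year; `datetime.datetime.now(datetime.timezone.utc).year` keeps both sides in the same zone. The enclosing `check_coreos_sanity_eventhandler` starts before and ends after this hunk.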
+++ b/layers/meta-belden-coreos/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1,10 @@ + +do_install:append(){ + # the creation date/time of this file will be used as initial boot time. + # Creation time will be set to REPRODUCIBLE_TIMESTAMP_ROOTFS + # More info about the date/time handling here: + # https://www.freedesktop.org/software/systemd/man/latest/systemd-timesyncd.service.html + touch ${D}/${base_libdir}/clock-epoch +} + +FILES:${PN} += "${base_libdir}/clock-epoch" From 94c8692f439e585ba4115791bd3fb50ebd9f9389 Mon Sep 17 00:00:00 2001 From: Patrick Vogelaar Date: Mon, 15 Jan 2024 11:16:23 +0100 Subject: [PATCH 2/7] feat(userdata): add userdata partition The userdata partition is mounted under /usr/local/data. It is and will stay read-write and its purpose is to store userdata like config, secure-storage. --- .../machine/include/coreos-generic-features/partitions.inc | 4 +++- layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in | 1 + .../meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in | 1 + layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in | 1 + 4 files changed, 6 insertions(+), 1 deletion(-) diff --git a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc index 8edba76..88ddf6e 100644 --- a/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc +++ b/layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-features/partitions.inc 
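Review bot: The epoch file is created under `${base_libdir}`, which is `/lib` unless the distro enables usrmerge, while the commit message and the systemd-timesyncd page linked in the comment refer to `/usr/lib/clock-epoch`; `${nonarch_libdir}` (or the literal `/usr/lib`) matches the documented location regardless of usrmerge, in both the `touch` and the `FILES:${PN}` line. The comment above `touch` speaks of the file's creation time, but the systemd documentation describes the modification time, and that mtime is presumably only set to `REPRODUCIBLE_TIMESTAMP_ROOTFS` by the rootfs timestamp normalisation step rather than by `touch` itself — worth confirming and stating, e.g. `# timesyncd reads the mtime of this file; the reproducible-rootfs step rewrites it to REPRODUCIBLE_TIMESTAMP_ROOTFS`.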
@@ -6,7 +6,9 @@ WKS_PART_EFIBOOTGUARD_A ??= 'part --source efibootguard-boot --label ebg0 --part WKS_PART_EFIBOOTGUARD_B ??= 'part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI"' WKS_PART_ROOT_A ??= 'part / --source rootfs --fstype=ext4 --label rootfs0' WKS_PART_ROOT_B ??= 'part --fstype=ext4 --label rootfs1' -WKS_PART_ROOT_SIZE ??= '2G' +WKS_PART_ROOT_SIZE ??= '1G' +WKS_PART_USERDATA_SIZE ??= '1G' +WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata' SFDISK_PART_EFI ??= 'type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name="efi"' SFDISK_PART_EFIBOOTGUARD_A ??= 'type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="ebg0"' diff --git a/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in b/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in index 153284a..1716221 100644 --- a/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in +++ b/layers/meta-belden-coreos-bsp/wic/generic-uefi.wks.in @@ -5,6 +5,7 @@ ${WKS_PART_ROOT_A} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --o ${WKS_PART_ROOT_B} --ondisk sda --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1 ${WKS_PART_EFIBOOTGUARD_A} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1 ${WKS_PART_EFIBOOTGUARD_B} --ondisk sda --align 1024 --size 128M --extra-space 0 --overhead-factor 1 +${WKS_PART_USERDATA} --ondisk sda --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1 part swap --ondisk sda --size 44 --label swap1 --fstype=swap bootloader --ptable gpt diff --git a/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in b/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in index 86b43e8..dfcd3d7 100644 --- a/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in +++ b/layers/meta-belden-coreos-bsp/wic/qemu-efi-coreos-generic.wks.in 
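Review bot: `WKS_PART_USERDATA` defines a persistently writable partition without mount options, so it ends up in fstab with `defaults` and permits setuid binaries and device nodes on a filesystem that holds user-controlled data; wic's `--fsoptions` sets them in the generated fstab: `WKS_PART_USERDATA ??= 'part /usr/local/data --fstype=btrfs --label userdata --fsoptions="defaults,nosuid,nodev"'`. The same hunk halves `WKS_PART_ROOT_SIZE` from 2G to 1G without a word in the commit message; as far as I read wic's `--size` (a minimum for sourced partitions), rootfs0 can then grow past 1G while the empty rootfs1 slot stays at 1G, which would break A/B switching, so the change deserves either a comment or its own commit. The one-line additions to the three `.wks.in` files in this commit are fine as written.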
@@ -7,5 +7,6 @@ part / --source rootfs --fstype=ext4 --label rootfs0 --ondisk mmcblk1 --size ${W part --fstype=ext4 --label rootfs1 --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1 part --source efibootguard-boot --label ebg0 --part-type=0700 --sourceparams "args=coreos.root=rootfs0,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=2,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1 part --source efibootguard-boot --label ebg1 --part-type=0700 --sourceparams "args=coreos.root=rootfs1,watchdog=${EFIBOOTGUARD_TIMEOUT},revision=1,kernel=${COREOS_KERNEL_FILENAME};KERNEL.EFI" --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1 +${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1 bootloader --ptable gpt \ No newline at end of file diff --git a/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in b/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in index 3ad837f..cb6acf9 100644 --- a/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in +++ b/layers/meta-belden-marvell-bsp/wic/cn913x-sdcard.wks.in @@ -16,5 +16,6 @@ ${WKS_PART_ROOT_A} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 ${WKS_PART_ROOT_B} --ondisk mmcblk1 --size ${WKS_PART_ROOT_SIZE} --extra-space 0 --overhead-factor 1 ${WKS_PART_EFIBOOTGUARD_A} --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1 ${WKS_PART_EFIBOOTGUARD_B} --ondisk mmcblk1 --align 1024 --size 128M --extra-space 0 --overhead-factor 1 +${WKS_PART_USERDATA} --ondisk mmcblk1 --size ${WKS_PART_USERDATA_SIZE} --extra-space 0 --overhead-factor 1 bootloader --ptable gpt From fd2a0835ac2feb25564b71f82ae2511f3710a1b4 Mon Sep 17 00:00:00 2001 
From: Patrick Vogelaar Date: Mon, 15 Jan 2024 11:19:50 +0100 Subject: [PATCH 3/7] feat(secure-storage): add secure-storage base functionality The secure-storage feature provides a encrypted filesystem to securely store data in rest. It will be auto-mounted under /usr/local/data/secure-storage. The loopbackfile will be stored under /usr/local/data/loopdevices. The keyfile is located under /usr/local/data/.crypto. --- .../files/sec-storage-loopback.sh | 93 +++++++++++++++++++ .../files/secure-storage.service | 12 +++ .../secure-storage/secure-storage_1.0.bb | 34 +++++++ 3 files changed, 139 insertions(+) create mode 100644 layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh create mode 100644 layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service create mode 100644 layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb diff --git a/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh new file mode 100644 index 0000000..82ba898 --- /dev/null +++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/sec-storage-loopback.sh 
@@ -0,0 +1,93 @@
+#!/usr/bin/env sh
+
+loopdir=/usr/local/data/loopdevices
+loopfile=$loopdir/crypt.loop
+
+keyfiledir=/usr/local/data/.crypto
+keyfile=$keyfiledir/ss_crypto.keyfile
+
+#megabytes
+loopsize=16
+
+#/dev/mapper/xxxxx when open
+cryptmapper=secStorage
+
+makefilesystem=ext4
+
+#mountpoint of uncrypted device
+mountpoint=/usr/local/data/secure-storage
+
+create_keyfile() {
+ # echo "Create key file"
+ systemd-notify --status="Create key file"
+ mkdir -p $keyfiledir
+ dd if=/dev/urandom of=$keyfile bs=1 count=256
+ chown root:root $keyfiledir/*
+ chmod 000 $keyfiledir/*
+}
+
+error() {
+ echo "Error: $1"
+ exit $?
+}
+
+#creates a new file
+create_loopback_and_open() {
+ # echo "Creating a file with random bits.. this could take a while..."
+ systemd-notify --status="Creating a file with random bits.. this could take a while..."
+ mkdir -p $loopdir || error "Creating loopdir"
+ mkdir -p $mountpoint || error "Creating mountpoint"
+ dd if=/dev/urandom of=$loopfile bs=1M count=$loopsize || error "Creating loopfile"
+ loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+ echo "Selected loop device: $loopdevice"
+ cryptsetup luksFormat -q --key-file $keyfile $loopdevice || error "Setting up encrypted loop device"
+ cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+ mkfs.$makefilesystem /dev/mapper/$cryptmapper || error "Creating encrypted FS"
+ mount /dev/mapper/$cryptmapper $mountpoint || error "Mounting encrypted FS"
+ systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#mounts crypted loopback file
+open() {
+ #echo "Open secure-storage"
+ systemd-notify --status="Open secure storage"
+ loopdevice=$(losetup -f --show $loopfile) || error "Setting up loop device"
+ echo "Selected loop device: $ld"
+ cryptsetup open --key-file $keyfile $loopdevice $cryptmapper || error "Opening encrypted loop device"
+ mount /dev/mapper/$cryptmapper $mountpoint || error 
"Mounting encrypted FS"
+ systemd-notify --ready --status="Sucessfully mounted secure storage"
+}
+
+#unmounts previously mounted loopback file
+close() {
+ echo "Close secure-storage"
+ # get loopdevice
+ loopdevice=$(losetup --list --noheadings --output NAME,BACK-FILE | grep crypt.loop | awk '{print $1}')
+ umount $mountpoint
+ cryptsetup close $cryptmapper
+ losetup -d $loopdevice
+}
+
+if [ $# -eq 1 ]
+then
+ #echo "Parameter detected"
+ $1
+ exit 0
+fi
+
+if [ -e $keyfile ]
+then
+ #echo "Key file available"
+ if [ -e $loopfile ]
+ then
+ #echo "Loop file available"
+ open
+ else
+ #echo "Loop file not available"
+ create_loopback_and_open
+ fi
+else
+ #echo "Key file not available"
+ create_keyfile
+ create_loopback_and_open
+fi
diff --git a/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
new file mode 100644
index 0000000..5e0f549
--- /dev/null
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/files/secure-storage.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Secure Storage Service
+RequiresMountsFor=/usr/local/data
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/sec-storage-loopback.sh
+TimeoutSec=300
+
+[Install]
+WantedBy=local-fs.target
+
diff --git a/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
new file mode 100644
index 0000000..e1df434
--- /dev/null
+++ b/layers/meta-belden-coreos/recipes-security/secure-storage/secure-storage_1.0.bb
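Review bot: The key that unlocks the LUKS container is written in clear to `$keyfiledir/ss_crypto.keyfile` on the same `/usr/local/data` partition that holds `crypt.loop`, so whoever has offline access to the disk holds both ciphertext and key, and the "data at rest" protection claimed in the commit message does not hold; the key should come from a separate or hardware-backed secret (TPM-sealed or device-derived), and until then the limitation belongs in a comment at the top of the script. `error()` runs `echo` and then `exit $?`, so it always exits 0 and none of the `|| error ...` guards can fail the unit, and `open()` prints `$ld`, which is never assigned (the variable is `$loopdevice`). `create_keyfile` creates the key under the default umask before `chmod 000` runs, and the `[ $# -eq 1 ]` branch executes `$1` verbatim instead of limiting it to the two intended actions. The rewrite below covers those points; everything else in the script is unchanged, and `$ld` simply becomes `$loopdevice`.
```sh
error() {
    echo "Error: $1" >&2
    exit 1
}

create_keyfile() {
    systemd-notify --status="Create key file"
    mkdir -p "$keyfiledir"
    # create the key with a restrictive umask so it is never readable by others, even briefly
    (umask 077 && dd if=/dev/urandom of="$keyfile" bs=1 count=256)
    chown root:root "$keyfiledir"/*
    chmod 000 "$keyfiledir"/*
}

# … unchanged: create_loopback_and_open, open, close …

if [ $# -eq 1 ]
then
    case "$1" in
        open|close) "$1" ;;
        *) error "Unknown action: $1" ;;
    esac
    exit 0
fi

# … unchanged: key file / loop file detection …
```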
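Review bot: The unit has no `ExecStop`, so `systemctl stop secure-storage` leaves the mapper device open and the filesystem mounted, and without `RemainAfterExit=yes` the unit reports inactive as soon as the script exits even though the storage is still mounted; `RemainAfterExit=yes` together with `ExecStop=/usr/bin/sec-storage-loopback.sh close` ties the mapping's lifetime to the unit. With `Type=notify` the READY message is sent by a `systemd-notify` child of the main process and, depending on the systemd version, may be ignored under the default `NotifyAccess=main`, which would surface as the 300 s start timeout; `NotifyAccess=all` is the documented remedy if that happens.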
@@ -0,0 +1,34 @@
+SUMMARY = "Provides a Secure Storage"
+DESCRIPTION = "The secure storage is a loopback mount that is encrypted. It protects data in rest"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "\
+ file://sec-storage-loopback.sh \
+ file://secure-storage.service \
+ "
+
+S = "${WORKDIR}"
+
+inherit systemd
+
+FILES:${PN} += "\
+ /usr/local/data/ \
+ ${systemd_unitdir}/system \
+ ${bindir}/sec-storage-loopback.sh \
+ ${systemd_unitdir}/system/secure-storage.service \
+ "
+
+do_install() {
+ install -d ${D}$/usr/local/data/
+ install -d ${D}${bindir}
+ install -m 0731 ${S}/sec-storage-loopback.sh ${D}${bindir}/sec-storage-loopback.sh
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${S}/secure-storage.service ${D}${systemd_unitdir}/system
+}
+
+SYSTEMD_SERVICE:${PN} = "secure-storage.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+RDEPENDS:${PN} += "cryptsetup"
From ac8f81d4a1e68373198346af3730aa33ba175450 Mon Sep 17 00:00:00 2001 From: Patrick Vogelaar Date: Mon, 15 Jan 2024 11:37:58 +0100 Subject: [PATCH 4/7] feat(secure-storage): add secure-storage as Coreos base feature Now secure-storage is present on all CoreOS based images.
---
 layers/meta-belden-coreos/classes/coreos-image.bbclass | 1 + 1 file changed, 1 insertion(+)
diff --git a/layers/meta-belden-coreos/classes/coreos-image.bbclass b/layers/meta-belden-coreos/classes/coreos-image.bbclass
index 85f7f36..42cc7d7 100644
--- a/layers/meta-belden-coreos/classes/coreos-image.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image.bbclass
@@ -68,6 +68,7 @@ PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTAL COREOS_IMAGE_BASE_INSTALL = "\ packagegroup-coreos-boot \ packagegroup-coreos-base \ + secure-storage \ " COREOS_IMAGE_EXTRA_INSTALL ?= "" From e4fd830aa81a042f51b1cf98cbd83cdeb60c1177 Mon Sep 17 00:00:00 2001 
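Review bot: `install -d ${D}$/usr/local/data/` carries a stray `$` after `${D}`, which the shell keeps as a literal character, so the directory is created at a `$/usr/local/data` path inside `${D}` and the packaged `/usr/local/data/` mount point is never populated; it should read `install -d ${D}/usr/local/data/`. `install -m 0731` makes the helper group-writable (rwx-wx--x) although it runs as root from the service unit; a root-owned script belongs at `0755` (or `0750`). `${systemd_unitdir}/system` is listed in `FILES:${PN}` both as a directory and via the unit file; one of the two entries is enough.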
From: Patrick Vogelaar Date: Mon, 15 Jan 2024 18:18:55 +0100 Subject: [PATCH 5/7] feat(secure-storage): add kernel config fragment for dm_crypt --- .../recipes-kernel/linux/linux-netmodule/secure-storage.cfg | 4 ++++ .../recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb | 1 + 2 files changed, 5 insertions(+) create mode 100644 layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg diff --git a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg new file mode 100644 index 0000000..628e8cf --- /dev/null +++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule/secure-storage.cfg @@ -0,0 +1,4 @@ +CONFIG_BLK_DEV_DM=y +CONFIG_KEYS=y +CONFIG_ENCRYPTED_KEYS=y +CONFIG_DM_CRYPT=y diff --git a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb index 246922a..fe9eba1 100644 --- a/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb +++ b/layers/meta-belden-marvell-bsp/recipes-kernel/linux/linux-netmodule_git-5.15-solidrun.bb @@ -12,6 +12,7 @@ SRC_URI = "git://gitlab.com/netmodule/kernel/linux-netmodule.git;protocol=ssh;us file://0001-fix-phy-support-for-falcon-board.patch \ file://0001-refactor-cn913x-defconfig-cleanup.patch \ file://cn913x_additions.cfg \ + file://secure-storage.cfg \ " SRCREV ?= "be2f2f0c96e85ecec9d807397194e46bb8bea4a5" From 5b23df1199c012bd24470b131e6991acc69bc143 Mon Sep 17 00:00:00 2001 
From: Patrick Vogelaar Date: Wed, 17 Jan 2024 16:40:52 +0100 Subject: [PATCH 6/7] feat(certificates-and-keys-native): add developer keys and certificates The certificates and keys are stored in a repository and taken from there. It is a neative repository that puts the keys into the sysroot where other recipes can take them All the key related scripts where deleted or put in the development-keys repository. Basic simplifications where done, there is yet still room for improvement. --- coreos-init-build-env | 15 --- .../classes/coreos-efi-secureboot.bbclass | 28 +---- .../recipes-bsp/u-boot/u-boot-coreos-efi.inc | 2 +- .../recipes-bsp/efi/efi-secureboot-keys.bb | 33 ----- .../efibootguard/efibootguard_%.bbappend | 2 + .../certificates-and-keys-native_1.0.bb | 65 ++++++++++ .../swupdate/swupdate_%.bbappend | 2 + scripts/coreos-get-dev-keys | 88 ------------- scripts/coreos-keygen | 117 ------------------ 9 files changed, 73 insertions(+), 279 deletions(-) delete mode 100644 layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb create mode 100644 layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb delete mode 100755 scripts/coreos-get-dev-keys delete mode 100755 scripts/coreos-keygen diff --git a/coreos-init-build-env b/coreos-init-build-env index 6841e38..63f6f38 100755 --- a/coreos-init-build-env +++ b/coreos-init-build-env 
@@ -92,18 +92,3 @@ coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers" # stdout is redirected to reduce the amount of output but not stderr # #Note: if a final build is detected all the dev keys are deleted - -if [ "$CreateFinal" = "true" ]; then - echo "\nFinal build detected delete dev keys and dont use or generate them" >&2 - rm -rf "${BUILDDIR}/keys" -else - echo "\nNo final build detected use development keys" >&2 - coreos-get-dev-keys > /dev/null || { - echo "The coreos-get-dev-keys script has failed" >&2 - } - - coreos-keygen > /dev/null || { - echo "The coreos-keygen script has failed" >&2 - return 1 - } -fi diff --git a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass index cd54553..23718e5 100644 --- a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass +++ b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass @@ -3,7 +3,7 @@ # UEFI Secure boot configuration # ============================================================================== -COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys" +COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys" COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0" # UEFI Secure boot helpers @@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign" # Ensure that the public keys are always deployed to the deploy directory # before running wic -do_image_wic[depends] += "efi-secureboot-keys:do_deploy" +do_image_wic[depends] += "certificates-and-keys-native:do_deploy" COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0" def get_coreos_secureboot_efi_boot_files(d): """ - Return the list of pubkey file inside deploy if + Return the list of pubkey file inside deploy if COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string otherwise """ 
@@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d): IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}" -def get_coreos_secureboot_keydir_hash(d): - """ - Generate a space separate list, with a value for each file inside of - keydir. Fromat: :md5: - """ - import hashlib - keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR') - value = "" - - for keyname in os.listdir(keydir): - filepath = os.path.join(keydir, keyname) - if os.path.isfile(filepath): - md5 = bb.utils.md5_file(filepath) - value += f"{keyname}:md5:{md5} " - - return value - -# The build system should detect if someone change one of the key inside -# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that -# depends on this directory -COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}" -COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH" diff --git a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc index 8b66e47..dd25c8e 100644 --- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc +++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc @@ -5,7 +5,7 @@ SRC_URI += " \ file://uefi-secureboot.cfg \ " -DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native" +DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native certificates-and-keys-native" # Generate a ubootefi.var file inside the build directory # diff --git a/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb b/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb deleted file mode 100644 index 7cde776..0000000 --- a/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb +++ /dev/null 
@@ -1,33 +0,0 @@ -SUMMARY = "A recipe to deploy UEFI public keys update files" -LICENSE = "CLOSED" - - -INHIBIT_DEFAULT_DEPS = "1" -inherit nopackages - -inherit deploy -inherit coreos-efi-secureboot - -# Public key needed by firmware very depending on the implementation -# So we copy all type of public key (*.auth, *.esl, *.crt, *der) -addtask deploy after do_compile -do_deploy() { - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth - - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl - - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt - - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der - - # !SECURITY WARNING! - # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys -} \ No newline at end of file diff --git a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend index 2a5b34b..d79a4d6 100644 --- a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend +++ b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend 
@@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat # Add signature support # ============================================================================== +DEPENDS:append = " certificates-and-keys-native" + inherit coreos-efi-sbsign require conf/image-uefi.conf diff --git a/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb b/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb new file mode 100644 index 0000000..bded77d --- /dev/null +++ b/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb 
@@ -0,0 +1,65 @@
+SUMMARY = "Installs certificates and keys"
+DESCRIPTION = "Installs certificates and keys that are used during the build"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
+SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
+
+S = "${WORKDIR}/git"
+
+inherit deploy native
+
+CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
+
+#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
+
+
+do_install() {
+ install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
+ install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
+ install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
+ install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
+ install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
+ install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
+ install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
+ install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
+ install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
+ install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
+ install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
+ install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
+ install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
+ install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
+ install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
+ install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
+ install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
+ install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
+
+ bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!" 
+}
+
+
+# Public key needed by firmware very depending on the implementation
+# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
+
+addtask deploy after do_compile
+do_deploy() {
+ install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
+ install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
+ install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
+
+ install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
+ install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
+ install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
+
+ install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
+ install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
+ install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
+
+ install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
+ install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
+ install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
+
+ # !SECURITY WARNING!
+ # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
+}
\ No newline at end of file
diff --git a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
index 3e76bd8..8cdd848 100644
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
@@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate" # same file in meta-swupdate FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:" + +DEPENDS += "certificates-and-keys-native" + SRC_URI += "\ file://50-webserver-config.sh \ file://25-sw-collections-config.sh \
diff --git a/scripts/coreos-get-dev-keys b/scripts/coreos-get-dev-keys
deleted file mode 100755
index 8673797..0000000
--- a/scripts/coreos-get-dev-keys
+++ /dev/null
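Review bot: Every file in `do_install`, the five private `.key` files included, is installed with `-m 755`, so the signing keys land world-readable (and executable) in the native sysroot of every recipe that depends on this one; certificates and signature lists should be `0644` and the `.key` files `0600`, as in the rewrite below. This same commit deletes the `CreateFinal` gate from `coreos-init-build-env` and changes the default `COREOS_EFI_SECUREBOOT_KEYDIR` to this recipe's sysroot path, while the recipe only emits a `bbwarn`, so nothing any longer prevents a release build from being signed with the developer keys; a `bb.fatal` (or `bberror`) when a final-build variable is set, exported into BitBake's environment the way `CreateFinal` was read by the deleted shell logic, would restore that guard. The commented-out `#FILES:${PN}` line should be removed rather than kept, and `CERTIFICATES_AND_KEYS_DIR` already ends in `/`, so the `${D}/${CERTIFICATES_AND_KEYS_DIR}/name` paths carry a doubled slash.
```bitbake
do_install() {
    install -d ${D}/${CERTIFICATES_AND_KEYS_DIR}
    for name in db KEK PK; do
        for ext in auth crt der esl; do
            install -m 0644 ${S}/${name}.${ext} ${D}/${CERTIFICATES_AND_KEYS_DIR}/${name}.${ext}
        done
        # private keys: owner-only, they must never be readable by other users of the build host
        install -m 0600 ${S}/${name}.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/${name}.key
    done
    install -m 0644 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
    install -m 0600 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key

    # … unchanged: bbwarn …
}
```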
@@ -1,88 +0,0 @@ -#!/usr/bin/env bash - -# This script will get development keys needed by the UEFI secure boot -# implementation from the k-stufen web share and put the under $BUILDDIR/keys -# -# The reason for every developer to have the same keys is that image/update -# filest are interchangable. -# Those developer keys are used for all builds except the ones that are marked -# as final. Here the official keys will be used. -# -# Following keys will be downloaded -# db.auth db.der db.key KEK.crt KEK.esl PK.auth PK.der PK.key -# db.crt db.esl KEK.auth KEK.der KEK.key PK.crt PK.esl - -# This script is used every time the build environment of CoreOS is sourced -# Note: in the build environment stdout is redirected to /dev/null but not -# stderr. - -set -e - -# Logging helper -RED='\033[0;31m' -GREEN='\033[0;32m' -BOLD='\033[1m' -RESET='\033[0m' - -# Ensure that BUILDDIR is defined -# ============================================================================== -# This is usually done inside the coreos-init-build-env script - - -if [ -z "$BUILDDIR" ]; then - echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1 - echo -e "Have you run the coreos-init-buildenv script?" 
2>&1 - exit 1 -fi - -# We need the KEYDIR directory to exist -# ============================================================================== - -KEYDIR="${BUILDDIR}/keys" -mkdir -p "${KEYDIR}" -cd "${KEYDIR}" - -# we need wget and tar -# ============================================================================== - -assert_command_in_path() { - if command -v "$1" >/dev/null 2>&1; then - echo -e "✓ Command ${GREEN}${1}${RESET} was found" - else - echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 - echo -e "Please check the coreos-documentation for the list of required packages" >&2 - exit 1 - fi -} - -assert_command_in_path wget -assert_command_in_path tar - - -# Generate all they keys, as needed -# ============================================================================== -# Only generate the file if it's missing and don't fail if the file already -# exist - -check_files_exist() { - RET=0 - for file in "$@"; do - if [ ! -e "$file" ]; then - echo -e "𐄂 File ${RED}${file}${RESET} missing" - RET=1 - else - echo -e "✓ File ${GREEN}${file}${RESET} already exist" - fi - done - return $RET -} - -check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \ - KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \ -{ - echo -e "${RED}Incosistent or no keys.${RESET}" - echo "Downloading Keys" - wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \ - tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \ - rm coreos_developer_signing.keys.tar.gz -} diff --git a/scripts/coreos-keygen b/scripts/coreos-keygen deleted file mode 100755 index c3dc725..0000000 --- a/scripts/coreos-keygen +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/usr/bin/env bash - -# This script will generate key needed by the UEFI secure boot implementation -# under $BUILDDIR/keys -# db.auth db.der db.key KEK.crt KEK.esl PK.auth PK.der PK.key -# db.crt db.esl KEK.auth KEK.der KEK.key PK.crt PK.esl - -# This script is used every time the build environment of CoreOS is sourced -# Note: in the build environment stdout is redirected to /dev/null but not -# stderr. - -set -e - -# Logging helper -RED='\033[0;31m' -GREEN='\033[0;32m' -BOLD='\033[1m' -RESET='\033[0m' - -# Ensure that BUILDDIR is defined -# ============================================================================== -# This is usually done inside the coreos-init-build-env script - - -if [ -z "$BUILDDIR" ]; then - echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1 - echo -e "Have you run the coreos-init-buildenv script?" 2>&1 - exit 1 -fi - -# We need the KEYDIR directory to exist -# ============================================================================== - -KEYDIR="${BUILDDIR}/keys" -mkdir -p "${KEYDIR}" -cd "${KEYDIR}" - -# we need openssl, cert-to-efi-sig-list and sign-efi-sig-list -# ============================================================================== - -assert_command_in_path() { - if command -v "$1" >/dev/null 2>&1; then - echo -e "✓ Command ${GREEN}${1}${RESET} was found" - else - echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 - echo -e "Please check the coreos-documentation for the list of required packages" >&2 - exit 1 - fi -} - -assert_command_in_path openssl -assert_command_in_path cert-to-efi-sig-list -assert_command_in_path sign-efi-sig-list - -# Generate all they keys, as needed -# ============================================================================== -# Only generate the file if it's missing and don't fail if the file already -# exist - -check_files_exist() { - RET=0 - for file in "$@"; do - if [ ! 
-e "$file" ]; then - echo -e "𐄂 File ${RED}${file}${RESET} missing" - RET=1 - else - echo -e "✓ File ${GREEN}${file}${RESET} already exist" - fi - done - return $RET -} - -echo "Generating private/public keys in .key/.crt format for PK, KEK et db" - -check_files_exist PK.key PK.crt || \ -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \ - -keyout PK.key -out PK.crt -nodes -days 365 - -check_files_exist KEK.key KEK.crt || \ -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \ - -keyout KEK.key -out KEK.crt -nodes -days 365 - -check_files_exist db.key db.crt || \ -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \ - -keyout db.key -out db.crt -nodes -days 365 - - -echo "Generatic EFI signature list file with PK, KEK et db public key" - -check_files_exist PK.esl || \ -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ - PK.crt PK.esl; - -check_files_exist KEK.esl || \ -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ - KEK.crt KEK.esl - -check_files_exist db.esl || \ -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ - db.crt db.esl - -echo "Generatic EFI AUTH file with PK, KEK et db public key" - -check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth -check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth -check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth - -echo "Generatic DER files with PK, KEK et db public key" - -# der certificate are need for OVMF based firmware (virtual machine) -check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der -check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der -check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der - -# keys needed to sign and verify SWUpdate -check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \ - -out 
swupdate.crt -subj "/O=SWUpdate /CN=target" From c7c3793c9e732c568202262c189014b5b8468320 Mon Sep 17 00:00:00 2001 From: Patrick Vogelaar Date: Wed, 24 Jan 2024 11:58:21 +0100 Subject: [PATCH 7/7] refactor(trusted-firmware-a): update patches and cleanup * update patches so now warning shows during build * remove ssl.patch since it is already applied in the original recipe --- ...-spd-read-failover-to-defualt-config.patch | 11 ++-- ...-sdp-failover-using-crc-verification.patch | 8 ++- .../trusted-firmware-a/files/ssl.patch | 52 ------------------- 3 files changed, 7 insertions(+), 64 deletions(-) delete mode 100644 layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch diff --git a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch index 99ba981..e224054 100644 --- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch +++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0001-ddr-spd-read-failover-to-defualt-config.patch @@ -1,14 +1,14 @@ -From 5aeea052b30604b2f8640960b775cee0f5c877cb Mon Sep 17 00:00:00 2001 +From 3f8f24cf82848ef1778f3e1d0a0607d4860dd4f3 Mon Sep 17 00:00:00 2001 From: Alon Rotman Date: Mon, 22 Nov 2021 13:33:25 +0200 -Subject: [PATCH 2/2] ddr spd read failover to defualt config +Subject: [PATCH] ddr spd read failover to defualt config --- .../octeontx/otx2/t91/t9130/board/dram_port.c | 100 ++++++++++++++++-- 1 file changed, 93 insertions(+), 7 deletions(-) diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c -index 0befadfc6..5de71f095 100644 +index 82ce07b09..bb7814e9b 100644 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c 
+++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c @@ -33,7 +33,7 @@ struct mv_ddr_iface dram_iface_ap0 = { @@ -148,7 +148,7 @@ index 0befadfc6..5de71f095 100644 { struct mv_ddr_topology_map *tm = mv_ddr_topology_map_get(); @@ -152,7 +236,9 @@ void plat_marvell_dram_update_topology(void) - i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 1); + i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, 0); /* read data from spd */ - i2c_read(I2C_SPD_ADDR, 0x0, 1, tm->spd_data.all_bytes, @@ -159,6 +159,3 @@ index 0befadfc6..5de71f095 100644 + set_param_based_on_som_strap(); } } --- -2.25.1 - diff --git a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch index c3e6b7a..4a7e406 100644 --- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch +++ b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/0002-som-sdp-failover-using-crc-verification.patch @@ -1,15 +1,16 @@ -From da25bbba607de35267f4dbe74cd772588260de57 Mon Sep 17 00:00:00 2001 +From 6cbb01ba5a5a5ad2b2247c8401d5fac488bf05c3 Mon Sep 17 00:00:00 2001 From: Alon Rotman Date: Mon, 6 Dec 2021 18:34:37 +0200 Subject: [PATCH] som sdp failover using crc verification Signed-off-by: Alon Rotman + --- .../octeontx/otx2/t91/t9130/board/dram_port.c | 63 ++++++++++++------- 1 file changed, 41 insertions(+), 22 deletions(-) diff --git a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c -index 5de71f095..d59b8100d 100644 +index bb7814e9b..772774215 100644 --- a/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c +++ b/plat/marvell/octeontx/otx2/t91/t9130/board/dram_port.c @@ -50,7 +50,7 @@ struct mv_ddr_iface dram_iface_ap0 = { 
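Review bot: The `@@ -148,7 +148,7 @@` hunk appears to change the last argument of the `i2c_write(I2C_SPD_P0_ADDR, 0x0, 1, tm->spd_data.all_bytes, …)` line carried by the vendored patch from `1` to `0`, which is a functional change to the SPD read sequence rather than the hash/trailer refresh described in the commit message; the collapsed rendering drops the outer `+`/`-` markers, so this is inferred from the old/new line pair rather than certain. If the flip is intended, state it in the commit message and in the patch header (for example a line such as `Pass 0 as the last i2c_write() argument because <reason>` with the real reason filled in), since an unexplained argument change in a DRAM bring-up path is hard to audit later. If it is not intended, the line should be restored to match the original patch. The enclosing function plat_marvell_dram_update_topology() starts and ends outside the hunk.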
@@ -122,6 +123,3 @@ index 5de71f095..d59b8100d 100644 + } } --- -2.25.1 - diff --git a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch b/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch deleted file mode 100644 index cdabd1b..0000000 --- a/layers/meta-belden-marvell-bsp/recipes-bsp/trusted-firmware-a/files/ssl.patch +++ /dev/null @@ -1,52 +0,0 @@ -fiptool: respect OPENSSL_DIR - -fiptool links to libcrypto, so as with the other tools it should respect -OPENSSL_DIR for include/library paths. - -Upstream-Status: Submitted -Signed-off-by: Ross Burton - -diff --git a/Makefile b/Makefile -index ec6f88585..2d3b9fc26 100644 ---- a/Makefile -+++ b/Makefile -@@ -1388,7 +1388,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME} - - ${FIPTOOL}: FORCE - ifdef UNIX_MK -- ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} --no-print-directory -C ${FIPTOOLPATH} -+ ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH} - else - # Clear the MAKEFLAGS as we do not want - # to pass the gnumake flags to nmake. -diff --git a/tools/fiptool/Makefile b/tools/fiptool/Makefile -index 11d2e7b0b..7c2a08379 100644 ---- a/tools/fiptool/Makefile -+++ b/tools/fiptool/Makefile -@@ -12,6 +12,8 @@ FIPTOOL ?= fiptool${BIN_EXT} - PROJECT := $(notdir ${FIPTOOL}) - OBJECTS := fiptool.o tbbr_config.o - V ?= 0 -+OPENSSL_DIR := /usr -+ - - override CPPFLAGS += -D_GNU_SOURCE -D_XOPEN_SOURCE=700 - HOSTCCFLAGS := -Wall -Werror -pedantic -std=c99 -@@ -20,7 +22,7 @@ ifeq (${DEBUG},1) - else - HOSTCCFLAGS += -O2 - endif --LDLIBS := -lcrypto -+LDLIBS := -L${OPENSSL_DIR}/lib -lcrypto - - ifeq (${V},0) - Q := @ -@@ -28,7 +30,7 @@ else - Q := - endif - --INCLUDE_PATHS := -I../../include/tools_share -+INCLUDE_PATHS := -I../../include/tools_share -I${OPENSSL_DIR}/include - - HOSTCC ?= gcc -