RepoMirrors/openwrt
1
0
Fork 0
mirror of git://git.openwrt.org/openwrt/openwrt.git synced 2024-12-15 03:14:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
4a45e69d19
openwrt/include/image-commands.mk
Paul Spooren 4a45e69d19 build: separate signing logic 
This separates the options for signature creation and verification

* SIGNED_PACKAGES create Packages.sig
* SIGNED_IMAGES add ucert signature to created images
* CHECK_SIGNATURE add verification capabilities to images
* INSTALL_LOCAL_KEY add local key-build to /etc/opkg/keys

Right now the buildbot.git contains some hacks to create images that
have signature verification capabilities while not storing private keys
on buildbot slaves. This commit allows to disable these steps for the
buildbots and only perform signing on the master.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2019-10-21 14:06:42 +02:00

391 lines
10 KiB
Makefile
Raw Blame History

# Build commands that can be called from Device/* templates
IMAGE_KERNEL = $(word 1,$^)
IMAGE_ROOTFS = $(word 2,$^)
define Build/uImage
mkimage -A $(LINUX_KARCH) \
-O linux -T kernel \
-C $(1) -a $(KERNEL_LOADADDR) -e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
-n '$(if $(UIMAGE_NAME),$(UIMAGE_NAME),$(call toupper,$(LINUX_KARCH)) $(VERSION_DIST) Linux-$(LINUX_VERSION))' -d $@ $@.new
mv $@.new $@
endef
define Build/buffalo-enc
$(eval product=$(word 1,$(1)))
$(eval version=$(word 2,$(1)))
$(eval args=$(wordlist 3,$(words $(1)),$(1)))
$(STAGING_DIR_HOST)/bin/buffalo-enc \
-p $(product) -v $(version) $(args) \
-i $@ -o $@.new
mv $@.new $@
endef
define Build/buffalo-enc-tag
$(call Build/buffalo-enc,'' '' -S 152 $(1))
endef
define Build/buffalo-tag-dhp
$(eval product=$(word 1,$(1)))
$(eval region=$(word 2,$(1)))
$(eval language=$(word 3,$(1)))
$(STAGING_DIR_HOST)/bin/buffalo-tag \
-d 0x01000000 -w 1 \
-a $(BUFFALO_TAG_PLATFORM) \
-v $(BUFFALO_TAG_VERSION) -m $(BUFFALO_TAG_MINOR) \
-b $(product) -p $(product) \
-r $(region) -r $(region) -l $(language) \
-I $@ -o $@.new
mv $@.new $@
endef
define Build/buffalo-dhp-image
$(STAGING_DIR_HOST)/bin/mkdhpimg $@ $@.new
mv $@.new $@
endef
define Build/eva-image
$(STAGING_DIR_HOST)/bin/lzma2eva $(KERNEL_LOADADDR) $(KERNEL_LOADADDR) $@ $@.new
mv $@.new $@
endef
define Build/seama
$(STAGING_DIR_HOST)/bin/seama -i $@ \
-m "dev=/dev/mtdblock/$(SEAMA_MTDBLOCK)" -m "type=firmware"
mv $@.seama $@
endef
define Build/seama-seal
$(STAGING_DIR_HOST)/bin/seama -i $@ -s $@.seama \
-m "signature=$(SEAMA_SIGNATURE)"
mv $@.seama $@
endef
define Build/zyxel-ras-image
let \
newsize="$(subst k,* 1024,$(RAS_ROOTFS_SIZE))"; \
$(STAGING_DIR_HOST)/bin/mkrasimage \
-b $(RAS_BOARD) \
-v $(RAS_VERSION) \
-r $@ \
-s $$newsize \
-o $@.new \
$(if $(findstring separate-kernel,$(word 1,$(1))),-k $(IMAGE_KERNEL)) \
&& mv $@.new $@
endef
define Build/netgear-chk
$(STAGING_DIR_HOST)/bin/mkchkimg \
-o $@.new \
-k $@ \
-b $(NETGEAR_BOARD_ID) \
$(if $(NETGEAR_REGION),-r $(NETGEAR_REGION),)
mv $@.new $@
endef
define Build/netgear-dni
$(STAGING_DIR_HOST)/bin/mkdniimg \
-B $(NETGEAR_BOARD_ID) -v $(VERSION_DIST).$(firstword $(subst -, ,$(REVISION))) \
$(if $(NETGEAR_HW_ID),-H $(NETGEAR_HW_ID)) \
-r "$(1)" \
-i $@ -o $@.new
mv $@.new $@
endef
define Build/append-squashfs-fakeroot-be
rm -rf $@.fakefs $@.fakesquashfs
mkdir $@.fakefs
$(STAGING_DIR_HOST)/bin/mksquashfs-lzma \
$@.fakefs $@.fakesquashfs \
-noappend -root-owned -be -nopad -b 65536 \
$(if $(SOURCE_DATE_EPOCH),-fixed-time $(SOURCE_DATE_EPOCH))
cat $@.fakesquashfs >> $@
endef
define Build/append-string
echo -n $(1) >> $@
endef
# append a fake/empty uImage header, to fool bootloaders rootfs integrity check
# for example
define Build/append-uImage-fakehdr
$(eval type=$(word 1,$(1)))
$(eval magic=$(word 2,$(1)))
touch $@.fakehdr
$(STAGING_DIR_HOST)/bin/mkimage \
-A $(LINUX_KARCH) -O linux -T $(type) -C none \
-n '$(VERSION_DIST) fake $(type)' \
$(if $(magic),-M $(magic)) \
-d $@.fakehdr \
-s \
$@.fakehdr
cat $@.fakehdr >> $@
endef
define Build/tplink-safeloader
-$(STAGING_DIR_HOST)/bin/tplink-safeloader \
-B $(TPLINK_BOARD_ID) \
-V $(REVISION) \
-k $(IMAGE_KERNEL) \
-r $@ \
-o $@.new \
-j \
$(wordlist 2,$(words $(1)),$(1)) \
$(if $(findstring sysupgrade,$(word 1,$(1))),-S) && mv $@.new $@ || rm -f $@
endef
define Build/append-dtb
cat $(KDIR)/image-$(firstword $(DEVICE_DTS)).dtb >> $@
endef
define Build/install-dtb
$(call locked, \
$(foreach dts,$(DEVICE_DTS), \
$(CP) \
$(DTS_DIR)/$(dts).dtb \
$(BIN_DIR)/$(IMG_PREFIX)-$(dts).dtb; \
), \
install-dtb-$(IMG_PREFIX) \
)
endef
define Build/fit
$(TOPDIR)/scripts/mkits.sh \
-D $(DEVICE_NAME) -o $@.its -k $@ \
$(if $(word 2,$(1)),-d $(word 2,$(1))) -C $(word 1,$(1)) \
-a $(KERNEL_LOADADDR) -e $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
-c $(if $(DEVICE_DTS_CONFIG),$(DEVICE_DTS_CONFIG),"config@1") \
-A $(LINUX_KARCH) -v $(LINUX_VERSION)
PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage -f $@.its $@.new
@mv $@.new $@
endef
define Build/lzma
$(call Build/lzma-no-dict,-lc1 -lp2 -pb2 $(1))
endef
define Build/lzma-no-dict
$(STAGING_DIR_HOST)/bin/lzma e $@ $(1) $@.new
@mv $@.new $@
endef
define Build/gzip
gzip -f -9n -c $@ $(1) > $@.new
@mv $@.new $@
endef
define Build/zip
mkdir $@.tmp
mv $@ $@.tmp/$(1)
zip -j -X \
$(if $(SOURCE_DATE_EPOCH),--mtime="$(SOURCE_DATE_EPOCH)") \
$@ $@.tmp/$(if $(1),$(1),$@)
rm -rf $@.tmp
endef
define Build/jffs2
rm -rf $(KDIR_TMP)/$(DEVICE_NAME)/jffs2 && \
mkdir -p $(KDIR_TMP)/$(DEVICE_NAME)/jffs2/$$(dirname $(1)) && \
cp $@ $(KDIR_TMP)/$(DEVICE_NAME)/jffs2/$(1) && \
$(STAGING_DIR_HOST)/bin/mkfs.jffs2 --pad \
$(if $(CONFIG_BIG_ENDIAN),--big-endian,--little-endian) \
--squash-uids -v -e $(patsubst %k,%KiB,$(BLOCKSIZE)) \
-o $@.new \
-d $(KDIR_TMP)/$(DEVICE_NAME)/jffs2 \
2>&1 1>/dev/null | awk '/^.+$$$$/' && \
$(STAGING_DIR_HOST)/bin/padjffs2 $@.new -J $(patsubst %k,,$(BLOCKSIZE))
-rm -rf $(KDIR_TMP)/$(DEVICE_NAME)/jffs2/
@mv $@.new $@
endef
define Build/kernel-bin
rm -f $@
cp $< $@
endef
define Build/patch-cmdline
$(STAGING_DIR_HOST)/bin/patch-cmdline $@ '$(CMDLINE)'
endef
define Build/append-kernel
dd if=$(IMAGE_KERNEL) >> $@
endef
define Build/append-rootfs
dd if=$(IMAGE_ROOTFS) >> $@
endef
define Build/append-ubi
sh $(TOPDIR)/scripts/ubinize-image.sh \
$(if $(UBOOTENV_IN_UBI),--uboot-env) \
$(if $(KERNEL_IN_UBI),--kernel $(IMAGE_KERNEL)) \
$(foreach part,$(UBINIZE_PARTS),--part $(part)) \
$(IMAGE_ROOTFS) \
$@.tmp \
-p $(BLOCKSIZE:%k=%KiB) -m $(PAGESIZE) \
$(if $(SUBPAGESIZE),-s $(SUBPAGESIZE)) \
$(if $(VID_HDR_OFFSET),-O $(VID_HDR_OFFSET)) \
$(UBINIZE_OPTS)
cat $@.tmp >> $@
rm $@.tmp
endef
define Build/append-uboot
dd if=$(UBOOT_PATH) >> $@
endef
define Build/pad-to
$(call Image/pad-to,$@,$(1))
endef
define Build/pad-extra
dd if=/dev/zero bs=$(1) count=1 >> $@
endef
define Build/pad-rootfs
$(STAGING_DIR_HOST)/bin/padjffs2 $@ $(1) \
$(if $(BLOCKSIZE),$(BLOCKSIZE:%k=%),4 8 16 64 128 256)
endef
define Build/pad-offset
let \
size="$$(stat -c%s $@)" \
pad="$(subst k,* 1024,$(word 1, $(1)))" \
offset="$(subst k,* 1024,$(word 2, $(1)))" \
pad="(pad - ((size + offset) % pad)) % pad" \
newsize='size + pad'; \
dd if=$@ of=$@.new bs=$$newsize count=1 conv=sync
mv $@.new $@
endef
define Build/xor-image
$(STAGING_DIR_HOST)/bin/xorimage -i $@ -o $@.xor $(1)
mv $@.xor $@
endef
define Build/check-size
@[ $$(($(subst k,* 1024,$(subst m, * 1024k,$(1))))) -ge "$$(stat -c%s $@)" ] || { \
echo "WARNING: Image file $@ is too big" >&2; \
rm -f $@; \
}
endef
define Build/combined-image
-sh $(TOPDIR)/scripts/combined-image.sh \
"$(IMAGE_KERNEL)" \
"$@" \
"$@.new"
@mv $@.new $@
endef
define Build/linksys-image
$(TOPDIR)/scripts/linksys-image.sh \
"$(call param_get_default,type,$(1),$(DEVICE_NAME))" \
$@ $@.new
mv $@.new $@
endef
define Build/openmesh-image
$(TOPDIR)/scripts/om-fwupgradecfg-gen.sh \
"$(call param_get_default,ce_type,$(1),$(DEVICE_NAME))" \
"$@-fwupgrade.cfg" \
"$(call param_get_default,kernel,$(1),$(IMAGE_KERNEL))" \
"$(call param_get_default,rootfs,$(1),$@)"
$(TOPDIR)/scripts/combined-ext-image.sh \
"$(call param_get_default,ce_type,$(1),$(DEVICE_NAME))" "$@" \
"$@-fwupgrade.cfg" "fwupgrade.cfg" \
"$(call param_get_default,kernel,$(1),$(IMAGE_KERNEL))" "kernel" \
"$(call param_get_default,rootfs,$(1),$@)" "rootfs"
endef
define Build/qsdk-ipq-factory-nand
$(TOPDIR)/scripts/mkits-qsdk-ipq-image.sh \
$@.its ubi $@
PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage -f $@.its $@.new
@mv $@.new $@
endef
define Build/qsdk-ipq-factory-nor
$(TOPDIR)/scripts/mkits-qsdk-ipq-image.sh \
$@.its hlos $(IMAGE_KERNEL) rootfs $(IMAGE_ROOTFS)
PATH=$(LINUX_DIR)/scripts/dtc:$(PATH) mkimage -f $@.its $@.new
@mv $@.new $@
endef
define Build/senao-header
$(STAGING_DIR_HOST)/bin/mksenaofw $(1) -e $@ -o $@.new
mv $@.new $@
endef
define Build/sysupgrade-tar
sh $(TOPDIR)/scripts/sysupgrade-tar.sh \
--board $(if $(BOARD_NAME),$(BOARD_NAME),$(DEVICE_NAME)) \
--kernel $(call param_get_default,kernel,$(1),$(IMAGE_KERNEL)) \
--rootfs $(call param_get_default,rootfs,$(1),$(IMAGE_ROOTFS)) \
$@
endef
define Build/tplink-v1-header
$(STAGING_DIR_HOST)/bin/mktplinkfw \
-c -H $(TPLINK_HWID) -W $(TPLINK_HWREV) -L $(KERNEL_LOADADDR) \
-E $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
-m $(TPLINK_HEADER_VERSION) -N "$(VERSION_DIST)" -V $(REVISION) \
-k $@ -o $@.new $(1)
@mv $@.new $@
endef
define Build/tplink-v2-header
$(STAGING_DIR_HOST)/bin/mktplinkfw2 \
-c -H $(TPLINK_HWID) -W $(TPLINK_HWREV) -L $(KERNEL_LOADADDR) \
-E $(if $(KERNEL_ENTRY),$(KERNEL_ENTRY),$(KERNEL_LOADADDR)) \
-w $(TPLINK_HWREVADD) -F "$(TPLINK_FLASHLAYOUT)" \
-T $(TPLINK_HVERSION) -V "ver. 2.0" \
-k $@ -o $@.new $(1)
@mv $@.new $@
endef
define Build/tplink-v2-image
$(STAGING_DIR_HOST)/bin/mktplinkfw2 \
-H $(TPLINK_HWID) -W $(TPLINK_HWREV) \
-w $(TPLINK_HWREVADD) -F "$(TPLINK_FLASHLAYOUT)" \
-T $(TPLINK_HVERSION) -V "ver. 2.0" -a 0x4 -j \
-k $(IMAGE_KERNEL) -r $(IMAGE_ROOTFS) -o $@.new $(1)
cat $@.new >> $@
rm -rf $@.new
endef
json_quote=$(subst ','\'',$(subst ",\",$(1)))
#")')
metadata_devices=$(if $(1),$(subst "$(space)","$(comma)",$(strip $(foreach v,$(1),"$(call json_quote,$(v))"))))
metadata_json = \
'{ $(if $(IMAGE_METADATA),$(IMAGE_METADATA)$(comma)) \
"metadata_version": "1.0", \
"supported_devices":[$(call metadata_devices,$(1))], \
"version": { \
"dist": "$(call json_quote,$(VERSION_DIST))", \
"version": "$(call json_quote,$(VERSION_NUMBER))", \
"revision": "$(call json_quote,$(REVISION))", \
"target": "$(call json_quote,$(TARGETID))", \
"board": "$(call json_quote,$(if $(BOARD_NAME),$(BOARD_NAME),$(DEVICE_NAME)))" \
} \
}'
define Build/append-metadata
$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
[ -z "$(SIGNED_IMAGES)" \
-o ! -s "$(BUILD_KEY)" \
-o ! -s "$(BUILD_KEY).ucert" \
-o ! -s "$@" ] || { \
cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
ucert -A -c "$@.ucert" -x "$@.sig" ;\
fwtool -S "$@.ucert" "$@" ;\
}
endef
define Build/kernel2minor
kernel2minor -k $@ -r $@.new $(1)
mv $@.new $@
endef
Reference in New Issue View Git Blame Copy Permalink