Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cmake script to update otp.json from privateaes.bin #536

Merged
merged 1 commit into from
Oct 1, 2024
Merged

Add cmake script to update otp.json from privateaes.bin #536

merged 1 commit into from
Oct 1, 2024

Conversation

will-v-pi
Copy link
Contributor

Currently, any changes to the key in privateaes.bin will not be reflected in the otp.json file, which could lead to issues if that is written to OTP.

This adds a cmake script using the JSON string handling to update the otp.json file if privateaes.bin is modified, before copying it to the binary directory. This fixes #528

This will not work on cmake versions prior to 3.19, as those don't support JSON string handling, so instead it throws a warning if the file has been changed. This should only throw the warning if privateaes.json has been changed from the default.

@will-v-pi will-v-pi added this to the 2.0.1 milestone Aug 27, 2024
@will-v-pi will-v-pi requested a review from kilograham August 27, 2024 11:37
kilograham
kilograham reviewed Aug 27, 2024
View reviewed changes
bootloaders/encrypted/update-key.cmake
file(READ ${CMAKE_CURRENT_LIST_DIR}/privateaes.bin key_file HEX)
if (NOT ${key_file} STREQUAL "000102030405060708090a0b0c0d0e0f00102030405060708090a0b0c0d0e0f0")
message(WARNING
"Encrypted bootloader AES key not updated in otp.json file, as CMake version is < 3.19"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe this should be a fatal error?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this is a fatal error then I don't think it will work if the key file has been changed with older CMake versions, as this script gets run whenever the file is changed (and on first build), and on older CMake versions it has no way to parse the JSON file to check if the key in the JSON file matches the privateaes.bin file

@Octopus1633 Octopus1633 mentioned this pull request Sep 29, 2024
Open
@kilograham kilograham merged commit da4e50d into raspberrypi:develop Oct 1, 2024
1 check passed
@will-v-pi will-v-pi deleted the aes-otp-update branch October 30, 2024 11:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kilograham kilograham kilograham approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@will-v-pi @kilograham