With CONFIG_HAB_CERTS_ENV=y, paths and PKCS#11 URIs to the HAB certificates are taken from environment variables (allowing for better integration with build systems). In this case these values are passed internally via compiler macros (-D) to the imx-image host tool.

PKCS#11 URIs usually contain semicolons. Semicolons, however, cannot be passed via compiler macros and cannot be escaped. To compensate for that, replace ';' with the substitute character '\x1a' (with sed) before adding it as a macro and do the reverse in imx-image while creating the CSF to be passed to NXP's cst.

Ultimately, this allows using CONFIG_HAB_CERTS_ENV=y with PKCS#11 URIs, so build systems do not need to set CONFIG_HABV4_* in barebox configs via tools like sed.

Note that this breaks use cases where literal substitute characters are passed or are part of the CSF. But that shouldn't happen anyway.

An alternative approach would be base64 encoding the value before passing it as a macro and decoding it in imx-image. But there seems to be no easy way to encode before the kconfig variables are expanded in the CSF template.

Signed-off-by: Bastian Krause <bst@xxxxxxxxxxxxxx>
--- scripts/Makefile.lib | 2 +- scripts/imx/imx.c | 35 +++++++++++++++++++++++++++-------- 2 files changed, 28 insertions(+), 9 deletions(-) diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib index c32adf07cc5..dd720228408 100644 --- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -556,7 +556,7 @@ cmd_imximage_S_dcd= \ overwrite-hab-env = $(shell set -e; \ test -n "$(CONFIG_HAB_CERTS_ENV)"; \ test -n "$$$(1)"; \ - echo -D$(1)=\\\"$(shell echo $$$(1))\\\") + echo -D$(1)=\\\"$(shell echo $$$(1) | sed 's/;/\x1a/g')\\\") overwrite-fit-env = $(shell set -e; \ test -n "$(CONFIG_BOOTM_FITIMAGE_PUBKEY_ENV)"; \ diff --git a/scripts/imx/imx.c b/scripts/imx/imx.c index 5ccc116cfe3..f16bb8a26af 100644 --- a/scripts/imx/imx.c +++ b/scripts/imx/imx.c 
@@ -318,18 +318,37 @@ static int do_hab_qspi(struct config_data *data, int argc, char *argv[]) static int hab_add_str(struct config_data *data, const char *str) { - data->csf = strcata(data->csf, str); - if (!data->csf) - return -ENOMEM; + int ret = 0; + char *str_replaced = strdup(str); + + /* + * Since semicolons cannot be passed via compiler macro (-D), these + * were replaced with substitute chars (\x1a) before. Now reverse the + * replacement. + */ + for (char *p = str_replaced; *p != '\0'; ++p) { + if (*p == '\x1a') + *p = ';'; + } + + data->csf = strcata(data->csf, str_replaced); + if (!data->csf) { + ret = -ENOMEM; + goto cleanup; + } if (!data->hab_qspi_support) - return 0; + goto cleanup; - data->flexspi_csf = strcata(data->flexspi_csf, str); - if (!data->flexspi_csf) - return -ENOMEM; + data->flexspi_csf = strcata(data->flexspi_csf, str_replaced); + if (!data->flexspi_csf) { + ret = -ENOMEM; + goto cleanup; + } - return 0; +cleanup: + free(str_replaced); + return ret; } static int hab_add_barebox_blocks(struct config_data *data, -- 2.39.5
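
Review bot: In the scripts/Makefile.lib hunk, the `sed 's/;/\x1a/g'` replacement depends on sed interpreting `\x1a` as a hex escape, which GNU sed does but POSIX does not specify, so on a build host with a different sed the macro can end up containing the literal text x1a, which imx-image will never map back to ';'. `tr ';' '\032'` performs the same substitution portably. The value is also expanded unquoted in `echo $$$(1)`, so whitespace runs or glob characters in a path or URI go through shell word splitting and pathname expansion; the removed line had the same form, but quoting the expansion while touching this line would be cheap.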
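
Review bot: In hab_add_str() in scripts/imx/imx.c, the result of `strdup(str)` is not checked before the for loop dereferences `str_replaced`, so an allocation failure turns into a NULL pointer dereference instead of the -ENOMEM the function returns for its other allocation failures. Add `if (!str_replaced) return -ENOMEM;` directly after the strdup() call. Because the reverse mapping runs on every string appended to the CSF and not only on the certificate values, it would also help to extend the comment to state that '\x1a' is reserved in CSF input, which documents the limitation the commit message mentions.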