From 36208c355b1bd04b29948fd43673a2bc87cbe0dc Mon Sep 17 00:00:00 2001 From: Baikal Electronics Date: Thu, 2 Feb 2023 17:11:58 +0300 Subject: [PATCH] linux-fit.inc: set Signed Configurations. Unset FIT_SIGN_INDIVIDUAL to avoid signing images. Repalce hash crc32 to sha1, due to "At present only one class of algorithms is supported: SHA1 hashing with RSA." Delete hash for configuration. Add "ramdisk" to 'sign-images', due to "The default is "kernel,fdt" which means that these two images will be looked up in the config and signed if present." --- meta-baikal/recipes-kernel/linux/linux-fit.inc | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/meta-baikal/recipes-kernel/linux/linux-fit.inc b/meta-baikal/recipes-kernel/linux/linux-fit.inc index 9e053c1..0de8d4f 100644 --- a/meta-baikal/recipes-kernel/linux/linux-fit.inc +++ b/meta-baikal/recipes-kernel/linux/linux-fit.inc @@ -4,6 +4,7 @@ DEPENDS:append = " u-boot-tools-native dtc-native" FIT_GENERATE_KEYS = "1" UBOOT_SIGN_ENABLE = "1" +FIT_SIGN_INDIVIDUAL = "0" FIT_DESC ?= "Kernel fitImage for ${DISTRO_NAME}/${PV}/${MACHINE}" FIT_CONF_PREFIX ?= "conf-" @@ -54,7 +55,7 @@ EOF fitimage_emit_section_kernel() { - kernel_csum="crc32" + kernel_csum="${FIT_HASH_ALG}" kernel_sign_algo="${FIT_SIGN_ALG}" kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" @@ -85,7 +86,7 @@ EOF sed -i '$ d' $1 cat << EOF >> $1 signature-1 { - algo = "$kernel_csum,$kernel_sign_algo"; + algo = "$kernel_csum,$kernel_sign_algo"; key-name-hint = "$kernel_sign_keyname"; }; }; @@ -95,7 +96,7 @@ EOF fitimage_emit_section_dtb() { - dtb_csum="crc32" + dtb_csum="${FIT_HASH_ALG}" dtb_sign_algo="${FIT_SIGN_ALG}" dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" @@ -125,7 +126,7 @@ EOF sed -i '$ d' $1 cat << EOF >> $1 signature-1 { - algo = "$dtb_csum,$dtb_sign_algo"; + algo = "$dtb_csum,$dtb_sign_algo"; key-name-hint = "$dtb_sign_keyname"; }; }; 
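Review bot: The new `FIT_SIGN_INDIVIDUAL = "0"` line has no comment saying what protects the images once per-image signing is off. Assuming the `signature-1` blocks in the kernel and dtb sections are gated on this variable (the hunks do not show the condition), the image nodes keep only their hashes. Their integrity then rests on the configuration signature, and presumably on U-Boot being set up to require it. I would add above the assignment `# Images carry hashes only; integrity comes from the signed configuration (sign-images), which the bootloader must be configured to require.`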
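Review bot: `kernel_csum="${FIT_HASH_ALG}"` takes the digest from a variable that no visible line of this patch sets, while the commit message says the hash becomes sha1. The same applies to `dtb_csum` in the hunk at -95 and `ramdisk_csum` in the hunk at -135. The value also feeds `algo = "$kernel_csum,$kernel_sign_algo"`, so an unset variable would produce an empty algorithm name in that node. If this include does not define it elsewhere, `FIT_HASH_ALG ?= "sha256"` next to the other FIT_ settings would make the choice explicit and avoid SHA-1, which current U-Boot does not require despite the documentation quoted in the message. The three function bodies continue outside their hunks.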
@@ -135,7 +136,7 @@ EOF fitimage_emit_section_ramdisk() { - ramdisk_csum="crc32" + ramdisk_csum="${FIT_HASH_ALG}" ramdisk_sign_algo="${FIT_SIGN_ALG}" ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}" @@ -228,9 +229,6 @@ fitimage_emit_section_config() { $kernel_line $fdt_line $ramdisk_line - hash-1 { - algo = "$conf_csum"; - }; EOF if [ -n "$conf_sign_keyname" ] ; then @@ -238,6 +236,7 @@ EOF signature-1 { algo = "$conf_csum,$conf_sign_algo"; key-name-hint = "$conf_sign_keyname"; + sign-images = "fdt", "kernel", "ramdisk"; }; EOF fi -- 2.39.5
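Review bot: The added `sign-images = "fdt", "kernel", "ramdisk";` hard-codes all three image names, although the configuration node in this function is assembled from `$kernel_line`, `$fdt_line` and `$ramdisk_line`, which look like they can be empty. As far as I know mkimage fails when an explicitly listed image is missing from the configuration, so a build without a ramdisk would probably stop at signing; conversely, anything else the configuration references stays outside the signature. I would build the value from the same conditions that set those lines and emit `sign-images = $sign_images;`, where `sign_images` is a new local that gets `"ramdisk"` appended only when `$ramdisk_line` is non-empty. Because the previous hunk drops `hash-1`, a configuration emitted with an empty `$conf_sign_keyname` now has neither hash nor signature, which deserves a build-time error or at least a comment. fitimage_emit_section_config starts outside this hunk.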