add flags to allow the override of the keys used to sign and encrypt a binary for the boards that support the secure boot

Author: umbynos

cli/arguments/arguments.go

@@ -37,3 +37,15 @@ func CheckFlagsConflicts(command *cobra.Command, flagNames ...string) {
 	feedback.Errorf(tr("Can't use %s flags at the same time.", "--"+strings.Join(flagNames, " "+tr("and")+" --")))
 	os.Exit(errorcodes.ErrBadArgument)
 }
+
+// CheckFlagsMandatory is a helper function useful to report errors when at least one flag is not used in a group of "required" flags
+func CheckFlagsMandatory(command *cobra.Command, flagNames ...string) {
+	for _, flagName := range flagNames {
+		if command.Flag(flagName).Changed {
+			continue
+		} else {
+			feedback.Errorf(tr("Please use also %s flag when using %s flags at the same time.", "--"+flagName, "--"+strings.Join(flagNames, " "+tr("and")+" --")))
+			os.Exit(errorcodes.ErrBadArgument)
+		}
+	}
+}

cli/compile/compile.go

@@ -53,6 +53,9 @@ var (
 	buildCachePath          string               // Builds of 'core.a' are saved into this path to be cached and reused.
 	buildPath               string               // Path where to save compiled files.
 	buildProperties         []string             // List of custom build properties separated by commas. Or can be used multiple times for multiple properties.
+	keysDir                 string               // The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it
+	signKeyName             string               // The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it
+	encryptKeyName          string               // The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it
 	warnings                string               // Used to tell gcc which warning level to use.
 	verbose                 bool                 // Turns on verbose mode.
 	quiet                   bool                 // Suppresses almost every output.
@@ -84,7 +87,8 @@ func NewCommand() *cobra.Command {
 			"  " + os.Args[0] + " compile -b arduino:avr:uno /home/user/Arduino/MySketch\n" +
 			"  " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=\"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" +
 			"  " + os.Args[0] + ` compile -b arduino:avr:uno --build-property "build.extra_flags=-DPIN=2 \"-DMY_DEFINE=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" +
-			"  " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n",
+			"  " + os.Args[0] + ` compile -b arduino:avr:uno --build-property build.extra_flags=-DPIN=2 --build-property "compiler.cpp.extra_flags=\"-DSSID=\"hello world\"\"" /home/user/Arduino/MySketch` + "\n" +
+			"  " + os.Args[0] + ` compile -b arduino:mbed_portenta:envie_m7:security=sien --keys-input-dir /home/user/Arduino/keys --sign-key-name ecsdsa-p256-signing-key.pem --encrypt-key-name ecsdsa-p256-encrypt-key.pem /home/user/Arduino/MySketch` + "\n",
 		Args: cobra.MaximumNArgs(1),
 		Run:  runCompileCommand,
 	}
@@ -100,6 +104,12 @@ func NewCommand() *cobra.Command {
 		tr("List of custom build properties separated by commas. Or can be used multiple times for multiple properties."))
 	compileCommand.Flags().StringArrayVar(&buildProperties, "build-property", []string{},
 		tr("Override a build property with a custom value. Can be used multiple times for multiple properties."))
+	compileCommand.Flags().StringVar(&keysDir, "keys-input-dir", "",
+		tr("The path of the dir where to search for the custom keys to sign and encrypt a binary. Used only by the platforms that supports it"))
+	compileCommand.Flags().StringVar(&signKeyName, "sign-key-name", "",
+		tr("The name of the custom signing key to use to sign a binary during the compile process. Used only by the platforms that supports it"))
+	compileCommand.Flags().StringVar(&encryptKeyName, "encrypt-key-name", "",
+		tr("The name of the custom encryption key to use to encrypt a binary during the compile process. Used only by the platforms that supports it"))
 	compileCommand.Flags().StringVar(&warnings, "warnings", "none",
 		tr(`Optional, can be: %s. Used to tell gcc which warning level to use (-W flag).`, "none, default, more, all"))
 	compileCommand.Flags().BoolVarP(&verbose, "verbose", "v", false, tr("Optional, turns on verbose mode."))
@@ -142,6 +152,10 @@ func runCompileCommand(cmd *cobra.Command, args []string) {
 
 	sketchPath := arguments.InitSketchPath(path)
 
+	if keysDir != "" || signKeyName != "" || encryptKeyName != "" {
+		arguments.CheckFlagsMandatory(cmd, "keys-input-dir", "sign-key-name", "encrypt-key-name")
+	}
+
 	var overrides map[string]string
 	if sourceOverrides != "" {
 		data, err := paths.New(sourceOverrides).ReadFile()
@@ -198,6 +212,9 @@ func runCompileCommand(cmd *cobra.Command, args []string) {
 		CreateCompilationDatabaseOnly: compilationDatabaseOnly,
 		SourceOverride:                overrides,
 		Library:                       library,
+		Keysdir:                       keysDir,
+		Signkeyname:                   signKeyName,
+		Encryptkeyname:                encryptKeyName,
 	}
 	compileStdOut := new(bytes.Buffer)
 	compileStdErr := new(bytes.Buffer)

commands/compile/compile.go

@@ -118,13 +118,34 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 		Package:              fqbn.Package,
 		PlatformArchitecture: fqbn.PlatformArch,
 	})
-	if targetPlatform == nil || pm.GetInstalledPlatformRelease(targetPlatform) == nil {
+	InstalledPlatformRelease := pm.GetInstalledPlatformRelease(targetPlatform)
+	if targetPlatform == nil || InstalledPlatformRelease == nil {
 		return nil, &arduino.PlatformNotFoundError{
 			Platform: fmt.Sprintf("%s:%s", fqbn.Package, fqbn.PlatformArch),
 			Cause:    fmt.Errorf(tr("platform not installed")),
 		}
 	}
 
+	// At the current time we do not have a way of knowing if a board supports the secure boot or not,
+	// so, if the flags to override the default keys are used, we try override the corresponding property in the properties.txt nonetheless.
+	// It's not possible to use the default name for the keys since there could be more tools to sign and encrypt.
+	// So it's mandatory to use all the tree flags to sign and encrypt the binary
+	if req.Keysdir != "" && req.Signkeyname != "" && req.Encryptkeyname != "" {
+		keysDirPath := paths.New(req.Keysdir)
+		if !keysDirPath.IsDir() {
+			return nil, &arduino.NotFoundError{Message: tr("The path specified is not a directory: %s", keysDirPath), Cause: err}
+		}
+		signKeyPath := keysDirPath.Join(req.GetSignkeyname())
+		if !signKeyPath.Exist() {
+			return nil, &arduino.NotFoundError{Message: tr("The path of the specified signing key do not exist: %s", signKeyPath), Cause: err}
+		}
+		encryptKeyPath := keysDirPath.Join(req.GetEncryptkeyname())
+		if !encryptKeyPath.Exist() {
+			return nil, &arduino.NotFoundError{Message: tr("The path of the specified encription key do not exist: %s", encryptKeyPath), Cause: err}
+		}
+		ReplaceSecurityKeys(InstalledPlatformRelease.Properties, req.Keysdir, req.Signkeyname, req.Encryptkeyname)
+	}
+
 	builderCtx := &types.Context{}
 	builderCtx.PackageManager = pm
 	builderCtx.FQBN = fqbn
@@ -296,3 +317,29 @@ func Compile(ctx context.Context, req *rpc.CompileRequest, outStream, errStream
 
 	return r, nil
 }
+
+// ReplaceSecurityKeys function will override the properties representing the security keys specified in the platform.txt file of a platform with the ones provided by the user.
+// The keys are stored in the keyDir
+// signKeyName is the key used to sign a binary
+// encryptKeyName is the key used to encrypt it
+func ReplaceSecurityKeys(properties *properties.Map, keysDir, signKeyName, encryptKeyName string) {
+	toolsProps := properties.SubTree("tools").FirstLevelOf()
+	for toolName, toolProps := range toolsProps {
+		// switch o else o select
+		if toolProps.ContainsKey("keys.path") {
+			key := "tools." + toolName + ".keys.path"
+			properties.Set(key, keysDir)
+			logrus.Tracef("Overriding Property: %s: %s", key, keysDir)
+		}
+		if toolProps.ContainsKey("sign.name") {
+			key := "tools." + toolName + ".sign.name"
+			properties.Set(key, signKeyName)
+			logrus.Tracef("Overriding Property: %s: %s", key, signKeyName)
+		}
+		if toolProps.ContainsKey("encrypt.name") {
+			key := "tools." + toolName + ".encrypt.name"
+			properties.Set(key, encryptKeyName)
+			logrus.Tracef("Overriding Property: %s: %s", key, encryptKeyName)
+		}
+	}
+}