From e2d52681a7adc77bd0d9103b7209923cd0977ac5 Mon Sep 17 00:00:00 2001
From: William Vinnicombe
Date: Fri, 14 Mar 2025 11:57:27 +0000
Subject: [PATCH 1/3] Throw a warning when using the example signing/encryption keys

This is automatically disabled for pico-examples, and can be manually disabled by setting PICO_ALLOW_EXAMPLE_KEYS
---
 tools/CMakeLists.txt | 33 ++++++++++++++++++++++++++++++
 tools/example_keys/private.pem | 8 ++++++++
 tools/example_keys/privateaes.bin | Bin 0 -> 128 bytes
 3 files changed, 41 insertions(+)
 create mode 100644 tools/example_keys/private.pem
 create mode 100644 tools/example_keys/privateaes.bin
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index c2fbe3281..d864a6444 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -153,6 +153,28 @@ function(picotool_check_configurable TARGET)
 endif()
 endfunction()
+# Compare 2 key files, used by picotool_check_default_keys
+function(picotool_compare_keys TARGET KEY DEFAULT TYPE)
+ if (KEY)
+ execute_process(COMMAND ${CMAKE_COMMAND} -E compare_files "${KEY}" "${PICO_SDK_PATH}/tools/example_keys/${DEFAULT}"
+ RESULT_VARIABLE compare_result
+ )
+ if(compare_result EQUAL 0)
+ message(WARNING "${TARGET} is using a default ${TYPE} key - this must be changed before production")
+ endif()
+ endif()
+endfunction()
+
+# Check if default signing/encryption keys are being used
+function(picotool_check_default_keys TARGET)
+ get_target_property(picotool_sigfile ${TARGET} PICOTOOL_SIGFILE)
+ picotool_compare_keys(${TARGET} ${picotool_sigfile} private.pem "signing")
+ get_target_property(picotool_aesfile ${TARGET} PICOTOOL_AESFILE)
+ picotool_compare_keys(${TARGET} ${picotool_aesfile} privateaes.bin "encryption")
+ get_target_property(picotool_enc_sigfile ${TARGET} PICOTOOL_ENC_SIGFILE)
+ picotool_compare_keys(${TARGET} ${picotool_enc_sigfile} private.pem "encrypted signing")
+endfunction()
+
 # Generate pio header and include it in the build
 # PICO_CMAKE_CONFIG: PICO_DEFAULT_PIOASM_OUTPUT_FORMAT, Default output format used by pioasm when using pico_generate_pio_header, type=string, default=c-sdk, group=build
 function(pico_generate_pio_header TARGET)
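Review bot: In `picotool_check_default_keys` the key path is passed unquoted (`picotool_compare_keys(${TARGET} ${picotool_sigfile} private.pem "signing")`), so a property set to an empty string or to a value containing `;` shifts the positional arguments, and the call then either fails on argument count or compares the wrong file; quote it as `"${picotool_sigfile}"`, and likewise for the AES and encrypted-signing calls. In `picotool_compare_keys`, `compare_files` returns non-zero both for "different" and for "could not read a file", so a key path that does not resolve at configure time skips the warning silently; a comment such as `# non-zero also covers unreadable files; only byte-identical copies of the example key are detected` would make that limit explicit. Because the comparison is byte-for-byte, a re-encoded copy of the example key (changed line endings, re-exported PEM) would presumably pass unnoticed. Adding `OUTPUT_QUIET ERROR_QUIET` to the `execute_process` call should keep the expected "files are different" message out of the configure log for projects using their own keys.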
@@ -449,6 +471,17 @@ function(picotool_postprocess_binary TARGET)
 set_target_properties(${TARGET} PROPERTIES
 PICOTOOL_PROCESSING_CONFIGURED true
 )
+
+ # Allow using the example keys for pico-examples
+ if ((NOT DEFINED PICO_ALLOW_EXAMPLE_KEYS) AND (DEFINED PICO_EXAMPLES_PATH))
+ set(PICO_ALLOW_EXAMPLE_KEYS 1)
+ endif()
+
+ # PICO_CMAKE_CONFIG: PICO_ALLOW_EXAMPLE_KEYS, Don't throw warning when using default signing/encryption keys, type=bool, default=0, group=build
+ if (NOT PICO_ALLOW_EXAMPLE_KEYS)
+ picotool_check_default_keys(${TARGET})
+ endif()
+
 # Read target properties
 get_target_property(picotool_sign_output ${TARGET} PICOTOOL_SIGN_OUTPUT)
 if (picotool_sign_output)
diff --git a/tools/example_keys/private.pem b/tools/example_keys/private.pem
new file mode 100644
index 000000000..bf777d897
--- /dev/null
+++ b/tools/example_keys/private.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQACg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEIAXAdiilH8wT07TESUzWPt+BY9+NcchvYU3xbnpK+CBNoAcGBSuBBAAK
+oUQDQgAEYYJtMQFGW4AB94tU3u/Qir5sRcYjBYMqCa+8gxsYd9OwMS3dqWKsnVBz
+dyy7bFWdJzXDMb9o20xRRd57Q9xSYw==
+-----END EC PRIVATE KEY-----
diff --git a/tools/example_keys/privateaes.bin b/tools/example_keys/privateaes.bin
new file mode 100644
index 0000000000000000000000000000000000000000..21a47756d7b947b1e8a7c3a74b0ef5edc3984f87
GIT binary patch literal 128 zcmV-`0Du26w%8aWE_-~VvA2+WFG12#wF6?-Aq=&R7v|M#4Tp^@bfmhu6m^K31uZgB z!8HkZyKTa|re2kzDKa!$EYtX1;$I`{C#21=j`VJnh8dGO*q3D~C0Auh1OCS8i=%!k iQ-EmQ1rQg?!>9y}60g}wscn#avtv&-#Q?Q&bmp4XE<5l5 literal 0 HcmV?d00001
From febb892db1a6c5f0658ee9258c92f212544fb372 Mon Sep 17 00:00:00 2001
From: William Vinnicombe
Date: Tue, 18 Mar 2025 12:51:52 +0000
Subject: [PATCH 2/3] Handle allowing example keys in pico-examples instead

---
 tools/CMakeLists.txt | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index d864a6444..17b20250e 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -472,11 +472,6 @@ function(picotool_postprocess_binary TARGET)
 PICOTOOL_PROCESSING_CONFIGURED true
 )
- # Allow using the example keys for pico-examples
- if ((NOT DEFINED PICO_ALLOW_EXAMPLE_KEYS) AND (DEFINED PICO_EXAMPLES_PATH))
- set(PICO_ALLOW_EXAMPLE_KEYS 1)
- endif()
-
 # PICO_CMAKE_CONFIG: PICO_ALLOW_EXAMPLE_KEYS, Don't throw warning when using default signing/encryption keys, type=bool, default=0, group=build
 if (NOT PICO_ALLOW_EXAMPLE_KEYS)
 picotool_check_default_keys(${TARGET})
From 6eb753e15cd53aeea59e10e49b57854d5dcfdfd5 Mon Sep 17 00:00:00 2001
From: Graham Sanderson
Date: Sat, 22 Mar 2025 13:04:05 -0500
Subject: [PATCH 3/3] change variable description

---
 tools/CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt
index 17b20250e..7d68c9107 100644
--- a/tools/CMakeLists.txt
+++ b/tools/CMakeLists.txt
@@ -472,7 +472,7 @@ function(picotool_postprocess_binary TARGET)
 PICOTOOL_PROCESSING_CONFIGURED true
 )
- # PICO_CMAKE_CONFIG: PICO_ALLOW_EXAMPLE_KEYS, Don't throw warning when using default signing/encryption keys, type=bool, default=0, group=build
+ # PICO_CMAKE_CONFIG: PICO_ALLOW_EXAMPLE_KEYS, Don't raise a warning when using default signing/encryption keys, type=bool, default=0, group=build
 if (NOT PICO_ALLOW_EXAMPLE_KEYS)
 picotool_check_default_keys(${TARGET})
 endif()