From 0cd1c33a7b0c9bc698aecbd464d151a585d2ecce Mon Sep 17 00:00:00 2001
From: Mike Engel
Date: Wed, 13 Dec 2023 09:36:11 +0100
Subject: [PATCH] trustfence: use signed images suffixes for ccmp1 boot artifacts
When TrustFence is enabled, the boot artifacts (TFA and FIP) have a 'signed' suffix. Handle this case so that the correct symlinks are created and the correct artifacts are put into the SWU file.
Signed-off-by: Mike Engel
Signed-off-by: Hector Palacios
---
 .../trusted-firmware-a/tf-a-stm32mp_%.bbappend | 8 +++++---
 meta-digi-dey/classes/dey-swupdate-common.bbclass | 5 +++--
 meta-digi-dey/classes/trustfence.bbclass | 3 +++
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
index 4aad85436..0241faded 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend
@@ -74,7 +74,7 @@ do_deploy:append() {
 i="$(expr ${i} + 1)"
 dt_config="$(echo ${FIP_DEVICETREE} | cut -d',' -f${i})"
 for dt in ${dt_config}; do
- FIP_FILENAME="${FIP_BASENAME}-${dt}-${config}.${FIP_SUFFIX}"
+ FIP_FILENAME="${FIP_BASENAME}-${dt}-${config}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}"
 echo "${FIP_FILENAME}"
 if [ -f "${DEPLOYDIR}/fip/${FIP_FILENAME}" ]; then
 cd "${DEPLOYDIR}"
@@ -104,9 +104,11 @@ tfa_sign() {
 bl2)
 TF_A_FILENAME="${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}"
 if [ -f "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}" ]; then
- trustfence-sign-artifact.sh -p "${DIGI_SOM}" -t "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}" "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}_signed"
+ trustfence-sign-artifact.sh -p "${DIGI_SOM}" -t "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}" "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}${TFA_SIGN_SUFFIX}"
 # the generated artifact lacks 'w' permission which prevents deletion by the build system
- chmod u+w "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}_signed"
+ chmod u+w "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_FILENAME}${TFA_SIGN_SUFFIX}"
+ # symlink TF-A
+ ln -s "arm-trusted-firmware/${TF_A_FILENAME}${TFA_SIGN_SUFFIX}" "${DEPLOYDIR}/"
 fi
 esac
 done # for file_type in ${tfa_file_type}
diff --git a/meta-digi-dey/classes/dey-swupdate-common.bbclass b/meta-digi-dey/classes/dey-swupdate-common.bbclass
index b06ddf026..856948dd3 100644
--- a/meta-digi-dey/classes/dey-swupdate-common.bbclass
+++ b/meta-digi-dey/classes/dey-swupdate-common.bbclass
@@ -98,8 +98,9 @@ SWUPDATE_UBOOT_EXT ?= ".${UBOOT_SUFFIX}"
 SWUPDATE_UBOOT_EXT_TFA ?= ".stm32"
 SWUPDATE_UBOOT_NAME ?= "${SWUPDATE_UBOOT_PREFIX}-${MACHINE}${SWUPDATE_UBOOT_EXT}"
-SWUPDATE_UBOOT_NAME:ccmp1 ?= "${SWUPDATE_UBOOT_PREFIX}-${MACHINE}-optee${SWUPDATE_UBOOT_EXT}"
-SWUPDATE_UBOOT_NAME_TFA ?= "${@oe.utils.conditional('DEY_SOC_VENDOR', 'STM', '${SWUPDATE_UBOOT_PREFIX_TFA}-${MACHINE}-nand${SWUPDATE_UBOOT_EXT_TFA}', '', d)}"
+SWUPDATE_UBOOT_NAME:ccmp1 ?= "${SWUPDATE_UBOOT_PREFIX}-${MACHINE}-optee${FIP_SIGN_SUFFIX}${SWUPDATE_UBOOT_EXT}"
+SWUPDATE_UBOOT_NAME_TFA ?= ""
+SWUPDATE_UBOOT_NAME_TFA:ccmp1 ?= "${SWUPDATE_UBOOT_PREFIX_TFA}-${MACHINE}-nand${SWUPDATE_UBOOT_EXT_TFA}${TFA_SIGN_SUFFIX}"
 SWUPDATE_UBOOT_OFFSET ?= "0"
 SWUPDATE_UBOOT_OFFSET:ccimx6 ?= "1"
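Review bot: The signing output path in the `bl2)` branch is now built from `${TFA_SIGN_SUFFIX}`, which trustfence.bbclass defaults to an empty string unless TRUSTFENCE_SIGN is 1, so with an empty suffix the `-t` input and the output of trustfence-sign-artifact.sh are the same file, where the old hard-coded `_signed` always kept them apart. Whether tfa_sign can run with signing disabled is not visible here, since the function starts and ends outside the hunk; if it can, a guard before the call such as `[ -n "${TFA_SIGN_SUFFIX}" ] || bbfatal "TFA_SIGN_SUFFIX is empty, refusing to sign in place"` keeps the unsigned artifact from being overwritten or mistaken for a signed one. The new `ln -s` also fails when the link already exists in `${DEPLOYDIR}`; `ln -sf` is the usual form unless that directory is guaranteed to be clean when the function runs.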
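Review bot: `SWUPDATE_UBOOT_NAME:ccmp1` and `SWUPDATE_UBOOT_NAME_TFA:ccmp1` now expand `${FIP_SIGN_SUFFIX}` and `${TFA_SIGN_SUFFIX}`, which this patch defines only in trustfence.bbclass. BitBake leaves a reference to an undefined variable unexpanded, so if this class is ever parsed without trustfence.bbclass the SWU artifact names would carry the literal `${FIP_SIGN_SUFFIX}` text and the packaging step would look for files that do not exist; whether the two classes are always inherited together is not visible here. Weak defaults in this class, `FIP_SIGN_SUFFIX ??= ""` and `TFA_SIGN_SUFFIX ??= ""`, would make it self-contained. Separately, the TF-A name used to be set for every `DEY_SOC_VENDOR` equal to `STM` and is now set only under the `ccmp1` override, so it is worth confirming that no other STM machine relied on the old default.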
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index eb459726c..c98059851 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -37,6 +37,9 @@ TRUSTFENCE_ENCRYPT_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-
 # Read-only rootfs
 TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
+FIP_SIGN_SUFFIX ?= "${@bb.utils.contains('TRUSTFENCE_SIGN', '1', '_Signed', '', d)}"
+TFA_SIGN_SUFFIX ?= "${@bb.utils.contains('TRUSTFENCE_SIGN', '1', '_signed', '', d)}"
+
 #
 # NOTHING TO CUSTOMIZE BELOW THIS LINE
 #
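Review bot: The two new suffix variables have no comment of their own and sit directly under the `# Read-only rootfs` heading, and they differ only in the case of one letter (`_Signed` for the FIP, `_signed` for TF-A), which reads like a typo to the next maintainer. A comment above them would help, for example `# Suffix of signed boot artifacts; must match the file names the signing steps produce (FIP: _Signed, TF-A: _signed)`. Because both use `?=`, a local override that does not match the produced file names would presumably make the `[ -f ... ]` checks in the tf-a bbappend skip the artifact without any message, so the comment should also say that the values are not meant to be customized.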