From 13c136dbc5eeb957ba6f3a6282481fe9e59185a4 Mon Sep 17 00:00:00 2001
From: Hector Palacios
Date: Wed, 3 May 2023 11:26:12 +0200
Subject: [PATCH] trustfence: add recipe to generate the PKI tree

Several recipes depend on the PKI creation. Create a small recipe to just run this function which is moved from the trustfence.bbclass.

Signed-off-by: Hector Palacios
---
 .../trustfence/trustfence-genpki-native.bb | 62 +++++++++++++++++++
 meta-digi-dey/classes/trustfence.bbclass | 22 -------
 .../recovery/recovery-initramfs.bb | 2 -
 .../recipes-digi/dualboot/dualboot.bb | 2 -
 4 files changed, 62 insertions(+), 26 deletions(-)
 create mode 100644 meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb

diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb
new file mode 100644
index 000000000..b1167f55c
--- /dev/null
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb
@@ -0,0 +1,62 @@
+# Copyright (C) 2023, Digi International Inc.
+
+SUMMARY = "TrustFence generation of Public Key Infrastructure (PKI)"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
+
+inherit native
+
+RDEPENDS:${PN} = " \
+ trustfence-sign-tools-native \
+ openssl-native \
+"
+
+S = "${WORKDIR}"
+
+do_fetch[noexec] = "1"
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+# Function to generate a PKI tree (with lock dir protection)
+GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
+gen_pki_tree() {
+ if mkdir -p ${GENPKI_LOCK_DIR}; then
+ if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+ trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
+ elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+ # Call sign script with no artifact arguments to just
+ # generate the keys
+ export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+ export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+ trustfence-sign-artifact.sh -p ${DIGI_SOM}
+ fi
+ rm -rf ${GENPKI_LOCK_DIR}
+ else
+ bbfatal "Could not get lock to generate PKI tree"
+ fi
+}
+
+# Function that generates a PKI tree if there isn't one
+check_gen_pki_tree() {
+ if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+ SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
+ n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
+ if [ "${n_commas}" -eq 0 ]; then
+ gen_pki_tree
+ elif [ "${n_commas}" -ne 3 ]; then
+ bbfatal "Inconsistent PKI tree"
+ fi
+ elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+ # The script that generates the PKI tree already checks if
+ # there isn't one, so there's nothing to do here but calling it.
+ gen_pki_tree
+ fi
+}
+
+do_install[depends] = "trustfence-sign-tools-native:do_populate_sysroot \
+ openssl-native:do_populate_sysroot"
+do_install() {
+ check_gen_pki_tree
+}
+
+FILES:${PN} = "${bindir}"
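Review bot: The lock in `gen_pki_tree` does not exclude anything, because `mkdir -p` succeeds when `${GENPKI_LOCK_DIR}` already exists, so a second bitbake run sharing the same `TRUSTFENCE_SIGN_KEYS_PATH` walks straight into generation while the first is still writing the tree — for an SRK table whose hash presumably ends up in fuses, a half-written or mismatched tree is worse than a failed build. Create the parent first and then take the lock atomically, `mkdir -p "${TRUSTFENCE_SIGN_KEYS_PATH}"` followed by `if mkdir "${GENPKI_LOCK_DIR}" 2>/dev/null; then`, and quote the path in the `rm -rf` as well so an empty variable cannot expand to a bare `/.genpki.lock`. Once `-p` is gone, a generation script that fails will leave `.genpki.lock` behind (the task aborts before the `rm -rf`), so the lock also needs releasing on the failure path, e.g. an `EXIT` trap, or every later run hits the bbfatal. Separately, nothing in this patch makes recovery-initramfs.bb or dualboot.bb depend on `trustfence-genpki-native`, and since `do_install` installs nothing into `${D}`, a `do_populate_sysroot` satisfied from sstate would skip it entirely; presumably that wiring (and something like `do_install[nostamp] = "1"`) is meant to follow, but it is not visible here.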
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 7d3f14c92..b7b7c6a9d 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -127,25 +127,3 @@ python () {
 else:
 d.setVar("TRUSTFENCE_INITRAMFS_IMAGE", "");
 }
-
-# Function to generate a PKI tree (with lock dir protection)
-GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
-gen_pki_tree() {
- if mkdir -p ${GENPKI_LOCK_DIR}; then
- trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
- rm -rf ${GENPKI_LOCK_DIR}
- else
- bbfatal "Could not get lock to generate PKI tree"
- fi
-}
-
-# Function that generates a PKI tree if there isn't one
-check_gen_pki_tree() {
- SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
- n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
- if [ "${n_commas}" -eq 0 ]; then
- gen_pki_tree
- elif [ "${n_commas}" -ne 3 ]; then
- bbfatal "Inconsistent PKI tree"
- fi
-}
diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
index e716bf6a7..04c007a71 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@@ -40,8 +40,6 @@ do_install() {
 # If Trustfence is enabled, copy the public key that is going to be used into the
 # initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
 if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
- # Check and generate a PKI tree if there isn't one
- check_gen_pki_tree
 # Retrieve the key index to use.
 KEY_INDEX="0"
 if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
diff --git a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
index f8e7b901c..9036a3c81 100644
--- a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
+++ b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
@@ -40,8 +40,6 @@ do_install() {
 # If Trustfence is enabled, copy the public key that is going to be used into the
 # initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
 if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
- # Check and generate a PKI tree if there isn't one
- check_gen_pki_tree
 # Retrieve the key index to use.
 KEY_INDEX="0"
 if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then