trustfence.bbclass: copy public key to fs only if TRUSTFENCE_SIGN is enabled
Commit 998598415a moved this logic to the
trustfence.bbclass file, but in doing so, it removed the TRUSTFENCE_SIGN check
it used to have. The check is needed for two reasons:
* The signing of SWU packages only occurs when TRUSTFENCE_SIGN is enabled, so
there's no need to copy the key if it's disabled
* When building a project from scratch that has Trustfence enabled but
TRUSTFENCE_SIGN disabled, a PKI is never generated and the key doesn't exist.
Because of this, the key won't be found and an error will occur. Note that
if your project is already pointing to a populated PKI, the error won't
happen, only if there's no PKI to begin with.
Although the PKI is guaranteed to exist by the time the rootfs is populated,
make sure to check that it has been properly generated and create it if it
doesn't exist. This logic depends on the trustfence-gen-pki.sh from
trustfence-sign-tools-native, so add it as a dependency for
dey-image-recovery-initramfs. The dependency is already there for another
feature in the dey-image recipes, so simply reflect this new dependency in a
comment.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
(cherry picked from commit 8e52c27d5a8e8071c3a17754e91c1819bcceee15)
This commit is contained in:
Gabriel Valcazar
parent
1f38abf896
commit
171e5a5db1
|
|
@ -62,7 +62,7 @@ create_sw_versions_file() {
|
|||
ROOTFS_POSTPROCESS_COMMAND:append = " create_sw_versions_file;"
|
||||
|
||||
#
|
||||
# Add dependency for read-only signed rootfs
|
||||
# Add dependency for read-only signed rootfs and SWU public key copying
|
||||
#
|
||||
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
|
||||
|
||||
|
|
|
|||
|
|
@ -102,42 +102,47 @@ check_gen_pki_tree() {
|
|||
}
|
||||
|
||||
copy_public_key() {
|
||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||
KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
|
||||
# The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
|
||||
# generation and leaves them in the crts/ folder. However, the PKI tree may
|
||||
# already exist, the PKI generation script not called, and then the public
|
||||
# keys may not be available. This is a fall-back to generate at least the
|
||||
# selected public key.
|
||||
if [ ! -f "${PUBLIC_KEY}" ]; then
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
|
||||
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
|
||||
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
||||
# Make sure a valid PKI exists before attempting to copy the key
|
||||
check_gen_pki_tree
|
||||
|
||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||
KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
|
||||
# The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
|
||||
# generation and leaves them in the crts/ folder. However, the PKI tree may
|
||||
# already exist, the PKI generation script not called, and then the public
|
||||
# keys may not be available. This is a fall-back to generate at least the
|
||||
# selected public key.
|
||||
if [ ! -f "${PUBLIC_KEY}" ]; then
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
|
||||
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
|
||||
else
|
||||
bberror "Unknown TRUSTFENCE_SIGN_MODE value"
|
||||
exit 1
|
||||
fi
|
||||
# Extract the public key from the certificate.
|
||||
openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
|
||||
fi
|
||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
||||
if [ "${DIGI_SOM}" = "ccmp15" ]; then
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem"
|
||||
elif [ "${DIGI_SOM}" = "ccmp13" ]; then
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
|
||||
else
|
||||
bberror "Unknown TRUSTFENCE_SIGN_MODE value"
|
||||
bberror "Unknown DIGI_SOM"
|
||||
exit 1
|
||||
fi
|
||||
# Extract the public key from the certificate.
|
||||
openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
|
||||
fi
|
||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
||||
if [ "${DIGI_SOM}" = "ccmp15" ]; then
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem"
|
||||
elif [ "${DIGI_SOM}" = "ccmp13" ]; then
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
|
||||
else
|
||||
bberror "Unknown DIGI_SOM"
|
||||
echo "ERROR: Cannot determine the public key"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "ERROR: Cannot determine the public key"
|
||||
exit 1
|
||||
# Copy the public key to the rootfs
|
||||
install -d ${IMAGE_ROOTFS}${sysconfdir}/ssl/certs
|
||||
cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
|
||||
fi
|
||||
# Copy the public key to the rootfs
|
||||
install -d ${IMAGE_ROOTFS}${sysconfdir}/ssl/certs
|
||||
cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
|
||||
}
|
||||
ROOTFS_POSTPROCESS_COMMAND:append = " copy_public_key;"
|
||||
|
||||
|
|
|
|||
|
|
@ -31,6 +31,11 @@ inherit core-image image_types
|
|||
|
||||
IMAGE_ROOTFS_SIZE = "8192"
|
||||
|
||||
#
|
||||
# Add dependency for SWU public key copying
|
||||
#
|
||||
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
|
||||
|
||||
# Remove some packages added via recommendations
|
||||
BAD_RECOMMENDATIONS += " \
|
||||
openssl-bin \
|
||||
|
|
|
|||
Loading…
Reference in New Issue