From 171e5a5db11449f54dd93b56bb8c1027ee5fa124 Mon Sep 17 00:00:00 2001 From: Gabriel Valcazar Date: Wed, 13 Nov 2024 12:28:04 +0100 Subject: [PATCH] trustfence.bbclass: copy public key to fs only if TRUSTFENCE_SIGN is enabled Commit 998598415aaa4fcc9d14a558a72592d0496c6bf5 moved this logic to the trustfence.bbclass file, but in doing so, it removed the TRUSTFENCE_SIGN check it used to have. The check is needed for two reasons: * The signing of SWU packages only occurs when TRUSTFENCE_SIGN is enabled, so there's no need to copy the key if it's disabled * When building a project from scratch that has Trustfence enabled but TRUSTFENCE_SIGN disabled, a PKI is never generated and the key doesn't exist. Because of this, the key won't be found and an error will occur. Note that if your project is already pointing to a populated PKI, the error won't happen, only if there's no PKI to begin with. Although the PKI is guaranteed to exist by the time the rootfs is populated, make sure to check that it has been properly generated and create it if it doesn't exist. This logic depends on the trustfence-gen-pki.sh from trustfence-sign-tools-native, so add it as a dependency for dey-image-recovery-initramfs. The dependency is already there for another feature in the dey-image recipes, so simply reflect this new dependency in a comment. Signed-off-by: Gabriel Valcazar (cherry picked from commit 8e52c27d5a8e8071c3a17754e91c1819bcceee15) --- meta-digi-dey/classes/dey-image.bbclass | 2 +- meta-digi-dey/classes/trustfence.bbclass | 63 ++++++++++--------- .../images/dey-image-recovery-initramfs.bb | 5 ++ 3 files changed, 40 insertions(+), 30 deletions(-)
diff --git a/meta-digi-dey/classes/dey-image.bbclass b/meta-digi-dey/classes/dey-image.bbclass
index bd537b35e..623bd7edc 100644
--- a/meta-digi-dey/classes/dey-image.bbclass
+++ b/meta-digi-dey/classes/dey-image.bbclass
@@ -62,7 +62,7 @@ create_sw_versions_file() {
 ROOTFS_POSTPROCESS_COMMAND:append = " create_sw_versions_file;"
 #
-# Add dependency for read-only signed rootfs
+# Add dependency for read-only signed rootfs and SWU public key copying
 #
 DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 5ba8f39ad..81a882ec2 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -102,42 +102,47 @@ check_gen_pki_tree() {
 }
 copy_public_key() {
- if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
- KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
- PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
- # The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
- # generation and leaves them in the crts/ folder. However, the PKI tree may
- # already exist, the PKI generation script not called, and then the public
- # keys may not be available. This is a fall-back to generate at least the
- # selected public key.
- if [ ! -f "${PUBLIC_KEY}" ]; then
- if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
- elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
+ if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+ # Make sure a valid PKI exists before attempting to copy the key
+ check_gen_pki_tree
+
+ if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+ KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
+ # The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
+ # generation and leaves them in the crts/ folder. However, the PKI tree may
+ # already exist, the PKI generation script not called, and then the public
+ # keys may not be available. This is a fall-back to generate at least the
+ # selected public key.
+ if [ ! -f "${PUBLIC_KEY}" ]; then
+ if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
+ elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
+ else
+ bberror "Unknown TRUSTFENCE_SIGN_MODE value"
+ exit 1
+ fi
+ # Extract the public key from the certificate.
+ openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
+ fi
+ elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+ if [ "${DIGI_SOM}" = "ccmp15" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem"
+ elif [ "${DIGI_SOM}" = "ccmp13" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
 else
- bberror "Unknown TRUSTFENCE_SIGN_MODE value"
+ bberror "Unknown DIGI_SOM"
 exit 1
 fi
- # Extract the public key from the certificate.
- openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
- fi
- elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
- if [ "${DIGI_SOM}" = "ccmp15" ]; then
- PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem"
- elif [ "${DIGI_SOM}" = "ccmp13" ]; then
- PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
 else
- bberror "Unknown DIGI_SOM"
+ echo "ERROR: Cannot determine the public key"
 exit 1
 fi
- else
- echo "ERROR: Cannot determine the public key"
- exit 1
+ # Copy the public key to the rootfs
+ install -d ${IMAGE_ROOTFS}${sysconfdir}/ssl/certs
+ cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
 fi
- # Copy the public key to the rootfs
- install -d ${IMAGE_ROOTFS}${sysconfdir}/ssl/certs
- cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
 }
 ROOTFS_POSTPROCESS_COMMAND:append = " copy_public_key;"
diff --git a/meta-digi-dey/recipes-core/images/dey-image-recovery-initramfs.bb b/meta-digi-dey/recipes-core/images/dey-image-recovery-initramfs.bb
index ff8ec23be..e1de5bb34 100644
--- a/meta-digi-dey/recipes-core/images/dey-image-recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/images/dey-image-recovery-initramfs.bb
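Review bot: In the NXP fall-back branch of copy_public_key, `openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"` creates the output file before openssl runs, so a failed extraction (for example when the `IMG${KEY_INDEX}*crt.pem` or `SRK${KEY_INDEX}*crt.pem` glob matches no file or several) leaves an empty `key${KEY_INDEX}.pub` in the PKI tree. The guard above it only tests `-f`, so a later build would skip the extraction and copy that empty file to `${sysconfdir}/ssl/certs/key.pub`, which is presumably what SWU verification reads on the target. Writing to a temporary name and renaming on success, `openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}.tmp"` followed by `mv "${PUBLIC_KEY}.tmp" "${PUBLIC_KEY}"`, and testing `[ ! -s "${PUBLIC_KEY}" ]` instead of `-f`, would close that. Separately, calling `check_gen_pki_tree` here (its body is outside this hunk) means a wrong or empty `TRUSTFENCE_SIGN_KEYS_PATH` may put a freshly generated key in the image instead of failing the build; a `bbnote` naming the key file that was installed would make that visible in the build log.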
@@ -31,6 +31,11 @@ inherit core-image image_types
 IMAGE_ROOTFS_SIZE = "8192"
+#
+# Add dependency for SWU public key copying
+#
+DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
+
 # Remove some packages added via recommendations
 BAD_RECOMMENDATIONS += " \
 openssl-bin \
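Review bot: The comment above the new `DEPENDS` line does not say what in the key-copy step needs the native tools; going by the commit message it is `trustfence-gen-pki.sh`, reached through `check_gen_pki_tree` in `copy_public_key`. I would spell that out, e.g. `# copy_public_key (trustfence.bbclass) calls check_gen_pki_tree, which needs trustfence-gen-pki.sh`, so the line is not removed later as apparently unused. The same conditional is repeated verbatim in dey-image.bbclass, so any further image recipe that runs `copy_public_key` with `TRUSTFENCE_SIGN = "1"` would need its own copy; a shared image-only include may be a better home if more such recipes appear.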