trustfence.bbclass: copy public key to fs only if TRUSTFENCE_SIGN is enabled

Commit 998598415a moved this logic to the trustfence.bbclass file, but in doing so, it removed the TRUSTFENCE_SIGN check it used to have. The check is needed for two reasons: * The signing of SWU packages only occurs when TRUSTFENCE_SIGN is enabled, so there's no need to copy the key if it's disabled * When building a project from scratch that has Trustfence enabled but TRUSTFENCE_SIGN disabled, a PKI is never generated and the key doesn't exist. Because of this, the key won't be found and an error will occur. Note that if your project is already pointing to a populated PKI, the error won't happen, only if there's no PKI to begin with. Although the PKI is guaranteed to exist by the time the rootfs is populated, make sure to check that it has been properly generated and create it if it doesn't exist. This logic depends on the trustfence-gen-pki.sh from trustfence-sign-tools-native, so add it as a dependency for dey-image-recovery-initramfs. The dependency is already there for another feature in the dey-image recipes, so simply reflect this new dependency in a comment. Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com> (cherry picked from commit 8e52c27d5a8e8071c3a17754e91c1819bcceee15)
2024-11-13 12:28:04 +01:00 · 2024-11-13 12:28:04 +01:00 · 171e5a5db1
parent 1f38abf896
commit 171e5a5db1
3 changed files with 40 additions and 30 deletions
--- a/meta-digi-dey/classes/dey-image.bbclass
+++ b/meta-digi-dey/classes/dey-image.bbclass
@ -62,7 +62,7 @@ create_sw_versions_file() {
 ROOTFS_POSTPROCESS_COMMAND:append = " create_sw_versions_file;"

 #
-# Add dependency for read-only signed rootfs
+# Add dependency for read-only signed rootfs and SWU public key copying
 #
 DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"

--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -102,6 +102,10 @@ check_gen_pki_tree() {
 }

 copy_public_key() {
+	if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+		# Make sure a valid PKI exists before attempting to copy the key
+		check_gen_pki_tree
+
 		if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
 			KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
 			PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
@ -138,6 +142,7 @@ copy_public_key() {
 		# Copy the public key to the rootfs
 		install -d ${IMAGE_ROOTFS}${sysconfdir}/ssl/certs
 		cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
+	fi
 }
 ROOTFS_POSTPROCESS_COMMAND:append = " copy_public_key;"

--- a/meta-digi-dey/recipes-core/images/dey-image-recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/images/dey-image-recovery-initramfs.bb
@ -31,6 +31,11 @@ inherit core-image image_types

 IMAGE_ROOTFS_SIZE = "8192"

+#
+# Add dependency for SWU public key copying
+#
+DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
+
 # Remove some packages added via recommendations
 BAD_RECOMMENDATIONS += " \
    openssl-bin \