images: add function to sign read only rootfs when Trustfence is enabled

Signed-off-by: Mike Engel <Mike.Engel@digi.com>
2021-10-29 11:48:06 +02:00 · 2021-10-29 11:48:06 +02:00 · 2145614724
parent eb730358e5
commit 2145614724
2 changed files with 27 additions and 0 deletions
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@ -219,6 +219,28 @@ CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
 CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
 IMAGE_TYPES += "cpio.gz.u-boot.tf"

+#
+# Sign read-only rootfs
+#
+do_image_squashfs[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'rootfs_sign', '', d)}"
+
+rootfs_sign() {
+        # Set environment variables for trustfence configuration
+        export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+        [ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+        [ -n "${CONFIG_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
+
+        ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.rootfs.squashfs"
+        TMP_ROOTFS_IMAGE_SIGNED="$(mktemp ${ROOTFS_IMAGE}-signed.XXXXXX)"
+        # Sign rootfs read-only image
+        trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -r "${ROOTFS_IMAGE}" "${TMP_ROOTFS_IMAGE_SIGNED}"
+        mv "${TMP_ROOTFS_IMAGE_SIGNED}" "${ROOTFS_IMAGE}"
+}
+
+rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}"
+
+do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX"
+
 ################################################################################
 #                                SDCARD IMAGES                                 #
 ################################################################################
@ -305,3 +327,4 @@ IMAGE_CMD_sdcard() {

 # The sdcard image requires the boot and rootfs images to be built before
 IMAGE_TYPEDEP_sdcard = "${SDIMG_BOOTFS_TYPE} ${SDIMG_ROOTFS_TYPE}.gz"
+
--- a/meta-digi-dey/classes/dey-image.bbclass
+++ b/meta-digi-dey/classes/dey-image.bbclass
@ -56,3 +56,7 @@ fakeroot toolchain_create_sdk_dey_version() {
 }
 toolchain_create_sdk_dey_version[vardepsexclude] = "DATETIME"

+#
+# Add dependency for read-only signed rootfs
+#
+DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"