trustfence: add support to generate Cortex-M4 signing keys

Add RSA key generation support for the Cortex-M4 co-processor on
ConnectCore MP15 platforms as part of DEY TrustFence framework.

https://onedigi.atlassian.net/browse/DEL-9920

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit is contained in:
Arturo Buzarra 2025-11-05 11:36:54 +01:00
parent 53d6606e69
commit 263d9a2baa
1 changed files with 46 additions and 21 deletions


@ -112,34 +112,59 @@ fi
RPROC_KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/rproc-keys/key_pass.txt" RPROC_KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/rproc-keys/key_pass.txt"
# Generate random keys for Cortex-M coprocessor if they don't exist # Generate random keys for Cortex-M coprocessor if they don't exist
if [ "${PLATFORM}" = "ccmp25" ]; then if [ "${PLATFORM}" = "ccmp15" ] || [ "${PLATFORM}" = "ccmp25" ]; then
N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey*.pem 2>/dev/null | wc -l)" N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey*.pem 2>/dev/null | wc -l)"
N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey*.pem 2>/dev/null | wc -l)" N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey*.pem 2>/dev/null | wc -l)"
N_DERK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey*.der 2>/dev/null | wc -l)" N_DERK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey*.der 2>/dev/null | wc -l)"
install -d "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/" install -d "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/"
if [ "${N_PUBK}" = "1" ] && [ "${N_PRVK}" = "1" ] && [ "${N_DERK}" = "1" ] && [ -f "${RPROC_KEY_PASS_FILE}" ]; then
# PKI tree already exists. if [ "${PLATFORM}" = "ccmp15" ]; then
echo "Using existing PKI tree for Cortex-M coprocessor" if [ "${N_PUBK}" = "1" ] && [ "${N_PRVK}" = "1" ]; then
elif [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ "${N_DERK}" != "1" ] && [ ! -f "${RPROC_KEY_PASS_FILE}" ]; then # PKI tree already exists.
# Random password echo "Using existing PKI tree for Cortex-M coprocessor"
password="$(openssl rand -base64 32)" elif [ "${N_PUBK}" = "0" ] && [ "${N_PRVK}" = "0" ]; then
echo "Generating random key" echo "Generating random key"
if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/" -pwd ${password}; then if ! openssl genrsa -out "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem" 2048; then
echo "[ERROR] Could not generate PKI tree for Cortex-M coprocessor" echo "[ERROR] Could not generate private key for Cortex-M coprocessor"
exit 1 exit 1
fi fi
echo "${password}" > "${RPROC_KEY_PASS_FILE}" chmod 444 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem"
chmod 400 "${RPROC_KEY_PASS_FILE}" # Generate public key
# Generate DER version of public key if ! openssl rsa -pubout -in ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem \
if ! openssl ec -pubin -in ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem \ -out ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem; then
-outform DER -pubout \ echo "[ERROR] Could not generate public key for Cortex-M coprocessor"
-out ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.der; then exit 1
echo "[ERROR] Could not generate DER public key for Cortex-M coprocessor" fi
chmod 400 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem"
else
echo "[ERROR] Could not generate PKI tree for Cortex-M coprocessor. An incomplete PKI tree may already exist."
exit 1 exit 1
fi fi
else else
echo "[ERROR] Could not generate PKI tree for Cortex-M coprocessor. An incomplete PKI tree may already exist." if [ "${N_PUBK}" = "1" ] && [ "${N_PRVK}" = "1" ] && [ "${N_DERK}" = "1" ] && [ -f "${RPROC_KEY_PASS_FILE}" ]; then
exit 1 # PKI tree already exists.
echo "Using existing PKI tree for Cortex-M coprocessor"
elif [ "${N_PUBK}" = "0" ] && [ "${N_PRVK}" = "0" ] && [ "${N_DERK}" = "0" ] && [ ! -f "${RPROC_KEY_PASS_FILE}" ]; then
# Random password
password="$(openssl rand -base64 32)"
echo "Generating random key"
if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/" -pwd ${password}; then
echo "[ERROR] Could not generate PKI tree for Cortex-M coprocessor"
exit 1
fi
echo "${password}" > "${RPROC_KEY_PASS_FILE}"
chmod 400 "${RPROC_KEY_PASS_FILE}"
# Generate DER version of public key
if ! openssl ec -pubin -in ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem \
-outform DER -pubout \
-out ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.der; then
echo "[ERROR] Could not generate DER public key for Cortex-M coprocessor"
exit 1
fi
else
echo "[ERROR] Could not generate PKI tree for Cortex-M coprocessor. An incomplete PKI tree may already exist."
exit 1
fi
fi fi
fi fi
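Review bot: The new ccmp15 branch leaves the RSA private key world-readable with `chmod 444 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem"` while restricting the public key with `chmod 400 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem"`; the two modes appear swapped, since the private key is the secret and the ccmp25 branch already applies `chmod 400` to its own secret (`key_pass.txt`). Change those two lines to `chmod 400 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem"` and `chmod 444 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem"`. Unlike the ccmp25 path, which wraps the key material with a random password, `openssl genrsa` here writes the private key unencrypted, so the file mode is the only protection it gets on disk; if that is intentional, a short comment at the `genrsa` line saying so would help the next reader. The `-in`/`-out` paths in the `openssl rsa -pubout` call are unquoted, unlike the `genrsa -out` line just above them; quote both so a `CONFIG_SIGN_KEYS_PATH` containing whitespace cannot split the arguments.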