trustfence: add support to generate Cortex-M4 signing keys

Add RSA key generation support for the Cortex-M4 co-processor on
ConnectCore MP15 platforms as part of the DEY TrustFence framework.

https://onedigi.atlassian.net/browse/DEL-9920

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit is contained in:
Arturo Buzarra 2025-11-05 11:36:54 +01:00
parent 53d6606e69
commit 263d9a2baa
1 changed files with 46 additions and 21 deletions


@ -112,15 +112,39 @@ fi
RPROC_KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/rproc-keys/key_pass.txt"
# Generate random keys for Cortex-M coprocessor if they don't exist
if [ "${PLATFORM}" = "ccmp25" ]; then
if [ "${PLATFORM}" = "ccmp15" ] || [ "${PLATFORM}" = "ccmp25" ]; then
N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey*.pem 2>/dev/null | wc -l)"
N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey*.pem 2>/dev/null | wc -l)"
N_DERK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey*.der 2>/dev/null | wc -l)"
install -d "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/"
if [ "${PLATFORM}" = "ccmp15" ]; then
if [ "${N_PUBK}" = "1" ] && [ "${N_PRVK}" = "1" ]; then
# PKI tree already exists.
echo "Using existing PKI tree for Cortex-M coprocessor"
elif [ "${N_PUBK}" = "0" ] && [ "${N_PRVK}" = "0" ]; then
echo "Generating random key"
if ! openssl genrsa -out "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem" 2048; then
echo "[ERROR] Could not generate private key for Cortex-M coprocessor"
exit 1
fi
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem"
# Generate public key
if ! openssl rsa -pubout -in ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem \
-out ${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem; then
echo "[ERROR] Could not generate public key for Cortex-M coprocessor"
exit 1
fi
chmod 400 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem"
else
echo "[ERROR] Could not generate PKI tree for Cortex-M coprocessor. An incomplete PKI tree may already exist."
exit 1
fi
else
if [ "${N_PUBK}" = "1" ] && [ "${N_PRVK}" = "1" ] && [ "${N_DERK}" = "1" ] && [ -f "${RPROC_KEY_PASS_FILE}" ]; then
# PKI tree already exists.
echo "Using existing PKI tree for Cortex-M coprocessor"
elif [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ "${N_DERK}" != "1" ] && [ ! -f "${RPROC_KEY_PASS_FILE}" ]; then
elif [ "${N_PUBK}" = "0" ] && [ "${N_PRVK}" = "0" ] && [ "${N_DERK}" = "0" ] && [ ! -f "${RPROC_KEY_PASS_FILE}" ]; then
# Random password
password="$(openssl rand -base64 32)"
echo "Generating random key"
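Review bot: The file modes in the new ccmp15 branch appear swapped: `privateKey.pem` is given `chmod 444` (world-readable) while `publicKey.pem` is given `chmod 400`, so the signing key becomes readable by every local user and the public key is needlessly restricted; the lines should read `chmod 400 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/privateKey.pem"` and `chmod 444 "${CONFIG_SIGN_KEYS_PATH}/rproc-keys/publicKey.pem"`. Keep in mind that `openssl genrsa` has already written the file under the process umask before the chmod runs, so a restrictive umask (or a 0700 `rproc-keys/` directory from the `install -d`) is what actually protects the key at creation time. The `${CONFIG_SIGN_KEYS_PATH}` expansions in the `openssl rsa -pubout` call are unquoted while every other use in the block is quoted; quoting them avoids word-splitting on paths with spaces. Unlike the ccmp25 branch below, which protects its key with a randomly generated password, this private key is stored unencrypted; if the MP15 signing tooling accepts a passphrase-protected key, the same approach would be worth applying here. The enclosing `if [ "${PLATFORM}" = "ccmp15" ] || ...` block closes in the second hunk.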
@ -142,6 +166,7 @@ if [ "${PLATFORM}" = "ccmp25" ]; then
exit 1
fi
fi
fi
if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then