dey-installer: add signed/encrypted bootloader to installer zip

On NXP platforms, the signed/encrypted bootloader images are not
included on the installer ZIP. This prevents from using the installer
when TrustFence is enabled.

This commit adds to the installer:
 - If encryption is enabled
   - encrypted bootloader
   - signed bootloader (for USB recovery boot)
 - If encryption is disabled
   - signed bootloader
 - If TrustFence is disabled
   - non-signed bootloader

It also treats the ccimx6ul special, as this has a dedicated file for
USB recovery boot.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>

https://onedigi.atlassian.net/browse/DEL-9698

meta-digi-arm/conf/machine/ccimx6qpsbc.conf

@@ -49,8 +49,8 @@ XBEE_TTY ?= "ttymxc4"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    u-boot-ccimx6qpsbc1GB.imx \
-    u-boot-ccimx6qpsbc2GB.imx \
+    u-boot##SIGNED##-ccimx6qpsbc1GB.imx \
+    u-boot##SIGNED##-ccimx6qpsbc2GB.imx \
 "
 
 # Default overlayfs_etc mount point and type

meta-digi-arm/conf/machine/ccimx6sbc.conf

@@ -51,11 +51,11 @@ XBEE_TTY ?= "ttymxc4"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    u-boot-ccimx6dlsbc512MB.imx \
-    u-boot-ccimx6dlsbc.imx \
-    u-boot-ccimx6qsbc2GB.imx \
-    u-boot-ccimx6qsbc512MB.imx \
-    u-boot-ccimx6qsbc.imx \
+    u-boot##SIGNED##-ccimx6dlsbc512MB.imx \
+    u-boot##SIGNED##-ccimx6dlsbc.imx \
+    u-boot##SIGNED##-ccimx6qsbc2GB.imx \
+    u-boot##SIGNED##-ccimx6qsbc512MB.imx \
+    u-boot##SIGNED##-ccimx6qsbc.imx \
 "
 
 # Default overlayfs_etc mount point and type

meta-digi-arm/conf/machine/ccimx6ulsbc.conf

@@ -36,7 +36,7 @@ XBEE_TTY ?= "ttymxc1"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    u-boot-ccimx6ulsbc1GB.imx \
-    u-boot-ccimx6ulsbc512MB.imx \
-    u-boot-ccimx6ulsbc.imx \
+    u-boot##SIGNED##-ccimx6ulsbc1GB.imx \
+    u-boot##SIGNED##-ccimx6ulsbc512MB.imx \
+    u-boot##SIGNED##-ccimx6ulsbc.imx \
 "

meta-digi-arm/conf/machine/ccimx6ulstarter.conf

@@ -35,7 +35,7 @@ DEFAULT_IMAGE_NAME ?= "core-image-base"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    u-boot-ccimx6ulstarter1GB.imx \
-    u-boot-ccimx6ulstarter512MB.imx \
-    u-boot-ccimx6ulstarter.imx \
+    u-boot##SIGNED##-ccimx6ulstarter1GB.imx \
+    u-boot##SIGNED##-ccimx6ulstarter512MB.imx \
+    u-boot##SIGNED##-ccimx6ulstarter.imx \
 "

meta-digi-arm/conf/machine/ccimx8mm-dvk.conf

@@ -55,7 +55,7 @@ XBEE_SLEEP_RQ_GPIO ?= "mca-gpio@11,gpio1@7"
 XBEE_TTY ?= "ttymxc3"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
-BOOTABLE_ARTIFACTS = "imx-boot-ccimx8mm-dvk.bin"
+BOOTABLE_ARTIFACTS = "imx-boot##SIGNED##-ccimx8mm-dvk.bin"
 
 # Default overlayfs_etc mount point and type
 OVERLAYFS_ETC_MOUNT_POINT ?= "/mnt/data"

meta-digi-arm/conf/machine/ccimx8mn-dvk.conf

@@ -56,7 +56,7 @@ XBEE_SLEEP_RQ_GPIO ?= "mca-gpio@11,gpio1@7"
 XBEE_TTY ?= "ttymxc3"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
-BOOTABLE_ARTIFACTS = "imx-boot-ccimx8mn-dvk.bin"
+BOOTABLE_ARTIFACTS = "imx-boot##SIGNED##-ccimx8mn-dvk.bin"
 
 # Default overlayfs_etc mount point and type
 OVERLAYFS_ETC_MOUNT_POINT ?= "/mnt/data"

meta-digi-arm/conf/machine/ccimx8x-sbc-express.conf

@@ -34,6 +34,6 @@ XBEE_TTY ?= "ttyLP0"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    imx-boot-ccimx8x-sbc-express-B0.bin \
-    imx-boot-ccimx8x-sbc-express-C0.bin \
+    imx-boot##SIGNED##-ccimx8x-sbc-express-B0.bin \
+    imx-boot##SIGNED##-ccimx8x-sbc-express-C0.bin \
 "

meta-digi-arm/conf/machine/ccimx8x-sbc-pro.conf

@@ -49,8 +49,8 @@ XBEE_TTY ?= "ttyMCA0"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    imx-boot-ccimx8x-sbc-pro-B0.bin \
-    imx-boot-ccimx8x-sbc-pro-C0.bin \
+    imx-boot##SIGNED##-ccimx8x-sbc-pro-B0.bin \
+    imx-boot##SIGNED##-ccimx8x-sbc-pro-C0.bin \
 "
 
 # Default overlayfs_etc mount point and type

meta-digi-arm/conf/machine/ccimx91-dvk.conf

@@ -47,7 +47,7 @@ IS_HEADLESS = "true"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    imx-boot-ccimx91-dvk.bin \
+    imx-boot##SIGNED##-ccimx91-dvk.bin \
 "
 
 # Add secure enclave

meta-digi-arm/conf/machine/ccimx93-dvk.conf

@@ -53,6 +53,6 @@ WKS_FILE_DEPENDS:append = " imx-m33-demos"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    imx-boot-ccimx93-dvk.bin \
-    imx-boot-ccimx93-dvk-A0.bin \
+    imx-boot##SIGNED##-ccimx93-dvk.bin \
+    imx-boot##SIGNED##-ccimx93-dvk-A0.bin \
 "

meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend

@@ -118,7 +118,9 @@ do_compile:ccimx8x() {
 
 do_install:ccimx8x () {
 	install -d ${D}/boot
-	for bin in ${BOOTABLE_ARTIFACTS}; do
+	# Remove ##SIGNED## placeholder from variable (signing takes place later)
+	BOOT_ARTIFACTS=$(echo "${BOOTABLE_ARTIFACTS}" | sed -e 's,##SIGNED##,,g')
+	for bin in ${BOOT_ARTIFACTS}; do
 		for target in ${IMXBOOT_TARGETS}; do
 			install -m 0644 ${S}/${bin}-${target} ${D}/boot/
 		done

meta-digi-dey/classes/dey-image-installer.bbclass

@@ -31,6 +31,50 @@ HAS_USB_DRIVER:ccimx9 = "true"
 HAS_USB_DRIVER:ccmp1 = "true"
 HAS_USB_DRIVER:ccmp2 = "true"
 
+BOOTLOADER_SIGNED_STRING ?= "-signed"
+BOOTLOADER_ENCRYPTED_STRING ?= "-encrypted"
+BOOTLOADER_SIGNED_USB_STRING ?= "-usb-signed"
+
+curate_bootloader_artifacts() {
+	for artifact in ${BOOTABLE_ARTIFACTS}; do
+		# NXP platforms may have a ##SIGNED## placeholder to replace
+		if [ "${DEY_SOC_VENDOR}" = "NXP" ] && echo "${artifact}" | grep -q -e "##SIGNED##"; then
+			if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+				if [ "${DIGI_SOM}" = "ccimx6ul" ]; then
+					if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+						# Encrypted bootloader
+						curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
+						CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
+					else
+						# Signed, non-encrypted bootloader
+						curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_STRING},")
+						CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
+					fi
+					# Signed, non-encrypted bootloader for USB recovery
+					curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_USB_STRING},")
+					CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
+				else
+					if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+						# Encrypted bootloader
+						curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
+						CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
+					fi
+					# Signed, non-encrypted bootloader for USB recovery
+					curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_STRING},")
+					CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
+				fi
+			else
+				# Non-signed bootloader
+				curated_artifact=$(echo "${artifact}" | sed 's,##SIGNED##,,')
+				CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
+			fi
+		else
+			CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${artifact}"
+		fi
+	done
+	export CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS}"
+}
+
 generate_installer_zip () {
 	# Get list of files to pack
 	INSTALLER_FILELIST="${DEPLOY_DIR_IMAGE}/install_linux_fw_sd.scr \
@@ -53,7 +97,10 @@ generate_installer_zip () {
 			INSTALLER_FILELIST="${INSTALLER_FILELIST} ${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.${ext}"
 		fi
 	done
-	for artifact in ${BOOTABLE_ARTIFACTS}; do
+
+	# Add bootable artifacts to installer
+	curate_bootloader_artifacts
+	for artifact in ${CURATED_BOOTABLE_ARTIFACTS}; do
 		if readlink -e "${DEPLOY_DIR_IMAGE}/${artifact}" >/dev/null; then
 			INSTALLER_FILELIST="${INSTALLER_FILELIST} ${DEPLOY_DIR_IMAGE}/${artifact}"
 		fi