Merge branch 'dey-2.0/master' into dey-2.0/maint

Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
2016-08-04 19:13:00 +02:00 · 2016-08-04 19:13:00 +02:00 · 35271a8dc9
parent fb2f7bd345 454fff56ba
commit 35271a8dc9
7 changed files with 48 additions and 19 deletions
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
@ -0,0 +1,29 @@
+From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
+Date: Fri, 29 Jul 2016 17:20:28 +0200
+Subject: [PATCH] hab4_pki_tree.sh: usa a random password for the default PKI
+ generation
+
+Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
+---
+ keys/hab4_pki_tree.sh | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
+index b2c6b71b604e..93347521cea1 100644
+--- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh
+@@ -95,9 +95,10 @@ fi
+ # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
+ if [ ! -f key_pass.txt ]
+ then
+-    echo "test" > key_pass.txt
+-    echo "test" >> key_pass.txt
+-    echo "A default file 'key_pass.txt' was created with password = test!"
+    password="$(openssl rand -base64 32)"
+    echo "${password}" > key_pass.txt
+    echo "${password}" >> key_pass.txt
+    echo "A file 'key_pass.txt' was created with a random password!"
+ fi
+ 
+ # The following is required otherwise OpenSSL complains
+
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/Makefile
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-2.3.2/Makefile
@ -1,7 +1,6 @@
 TARGET = linux64/cst
 LIBS = -lfrontend -lcrypto
-CC = gcc
-CFLAGS = -g -Wall
+CFLAGS += -g -Wall

 .PHONY: default all clean

@ -18,7 +17,7 @@ LIBS_PATH = linux64/lib
 .PRECIOUS: $(TARGET) $(OBJECTS)

 $(TARGET): $(OBJECTS)
-	$(CC) $(OBJECTS) $(CFLAGS) -L $(LIBS_PATH) $(LIBS) -I $(HEADERS) -o $@
+	$(CC) $(OBJECTS) $(CFLAGS) $(LDFLAGS) -L $(LIBS_PATH) $(LIBS) -I $(HEADERS) -o $@

 clean:
 	-rm -f *.o $(TARGET)
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_2.3.2.bb
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_2.3.2.bb
@ -3,15 +3,18 @@ DESCRIPTION = "Provides software code signing support designed for use with i.MX
 HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL"
 LICENSE = "CLOSED"

-DEPENDS = "openssl"
+DEPENDS = "openssl-native"

-S= "${WORKDIR}/cst-${PV}"
+S = "${WORKDIR}/cst-${PV}"
+
+inherit native

 SRC_URI = " \
 	${@base_conditional('TRUSTFENCE_SIGN', '1', 'file://cst-${PV}.tar.gz', '', d)} \
 	file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
 	file://0002-hab4_pki_tree.sh-automate-script.patch \
 	file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
+	file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
 	file://Makefile \
 "

@ -32,5 +35,3 @@ do_install () {
 	install -m 0755 ca/v3_ca.cnf ${D}${bindir}/v3_ca.cnf
 	install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf
 }
-
-BBCLASSEXTEND = "native"
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@ -36,11 +36,6 @@ UBOOT_EXTRA_CONF ?= ""
 python __anonymous() {
    if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"):
         bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN=1) or remove encryption (TRUSTFENCE_DEK_PATH = 0)")
-    if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
-        if (d.getVar("TRUSTFENCE_DEK_PATH", True) in [None, "0"]):
-            bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encryption. Consider removing TRUSTFENCE_DEK_PATH = 0")
-        if (len(d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True)) != 32):
-            bb.fatal("Invalid TRUSTFENCE_UBOOT_ENV_DEK length. Define a string formed by 32 hexadecimal characters")
 }

 do_compile () {
@ -78,6 +73,7 @@ do_compile () {
                    if [ "${TRUSTFENCE_SIGN}" = "1" ]
                    then
                        cp ${S}/build_${config}/u-boot-signed.imx ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX}
+                        cp ${S}/build_${config}/u-boot-usb-signed.imx ${S}/build_${config}/u-boot-usb-signed-${type}.${UBOOT_SUFFIX}
 			if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
 			then
 				cp ${S}/build_${config}/u-boot-encrypted.imx ${S}/build_${config}/u-boot-encrypted-${type}.${UBOOT_SUFFIX}
@ -129,6 +125,9 @@ do_deploy_append() {
 						install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
 						ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX}

+						install ${S}/build_${config}/u-boot-usb-signed-${type}.${UBOOT_SUFFIX} u-boot-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
+						ln -sf u-boot-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-usb-signed-${type}.${UBOOT_SUFFIX}
+
 						if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
 						then
 							install ${S}/build_${config}/u-boot-encrypted-${type}.${UBOOT_SUFFIX} u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
@ -44,6 +44,8 @@ do_deploy_append() {
 	(cd ${DEPLOYDIR} && ln -sf ${KERNEL_IMAGE_BASE_NAME}.bin ${KERNEL_IMAGE_SYMLINK_NAME})
 }

+do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
+
 FILES_kernel-image += "/boot/config-${KERNEL_VERSION}"

 # Don't include kernels in standard images
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -10,7 +10,7 @@
 #

 # Default secure console configuration
-TRUSTFENCE_CONSOLE_DISABLE ?= "1"
+TRUSTFENCE_CONSOLE_DISABLE ?= "0"

 # Uncomment to enable the console with the specified passphrase
 #TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE = "my_secure_passphrase"
@ -22,7 +22,8 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "1"
 TRUSTFENCE_SIGN ?= "1"
 TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
 TRUSTFENCE_DEK_PATH ?= "default"
-TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"
+TRUSTFENCE_DEK_PATH_ccimx6ul = "0"
+TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"

 # Trustfence initramfs image recipe
 TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
@ -46,9 +47,6 @@ python () {
            d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE"))

    # Secure boot configuration
-    if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK") == "gen_random"):
-        d.setVar("TRUSTFENCE_UBOOT_ENV_DEK", str(binascii.hexlify(os.urandom(16)).decode()))
-
    if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
        d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");

@ -63,6 +61,6 @@ python () {
            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
        if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
-    if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
-        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
+    if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
+        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
 }
--- a/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
+++ b/meta-digi-dey/recipes-digi/packagegroups/packagegroup-dey-trustfence.bb
@ -10,3 +10,4 @@ inherit packagegroup
 RDEPENDS_${PN} = "\
 	${@base_conditional('TRUSTFENCE_CONSOLE_DISABLE', '1', 'auto-serial-console', '', d)} \
 "
+do_package[vardeps] += "TRUSTFENCE_CONSOLE_DISABLE"