From 39baff1e60b59d86c17ee31b62a30b74c9026956 Mon Sep 17 00:00:00 2001
From: Gonzalo Ruiz
Date: Wed, 13 Jan 2021 10:00:15 +0100
Subject: [PATCH] trustfence: add new TRUSTFENCE_SRK_REVOKE_MASK variable

In order to revoke SRKs in platforms with AHAB we need to set a mask during the signing/encryption process. Create new TRUSTFENCE_SRK_REVOKE_MASK variable to export the SRK_REVOKE_MASK variable required by the imx-boot signing script. The revoke mask is not necessary for signing/encryption of other artifacts, so set it by default to 0x0.
Signed-off-by: Gonzalo Ruiz
---
 meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend | 1 +
 .../recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab | 2 +-
 .../recipes-digi/trustfence/trustfence-sign-tools/sign_ahab | 2 +-
 meta-digi-dey/classes/trustfence.bbclass | 1 +
 4 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
index db851ca82..575485ec2 100644
--- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
+++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend
@@ -213,6 +213,7 @@ do_deploy_append () {
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
+ [ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
 # Sign U-boot image
 if [ "${UBOOT_RAM_COMBINATIONS}" = "" ]; then
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
index 9e40c7e3a..f7df7b86c 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
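Review bot: The added `export SRK_REVOKE_MASK=...` line in do_deploy_append (imx-boot_1.0.bbappend) hands TRUSTFENCE_SRK_REVOKE_MASK to the signing script without any check on its value. SRK revocation is, as far as I know, not reversible once a device commits it, so a typo in the configuration or a mask that includes the key selected by TRUSTFENCE_KEY_INDEX could yield an image that asks the device to revoke the key it was signed with. I would reject malformed values before the export, for example `case "${TRUSTFENCE_SRK_REVOKE_MASK}" in 0x[0-9a-fA-F]) ;; *) bbfatal "invalid TRUSTFENCE_SRK_REVOKE_MASK" ;; esac` (a single hex digit assumes a four-entry SRK table; confirm against the signing script). The task should also fail when the bit for the signing key index is set in the mask. The body of do_deploy_append starts and ends outside this hunk.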
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
@@ -14,7 +14,7 @@
 # Type of SRK set (NXP or OEM)
 Source set = OEM
 # bitmask of the revoked SRKs
- Revocations = 0x%key_index%
+ Revocations = 0x0
 [Authenticate Data]
 # Binary to be signed generated by mkimage
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
index 1b59802f2..0d43a64b3 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
@@ -14,7 +14,7 @@
 # Type of SRK set (NXP or OEM)
 Source set = OEM
 # bitmask of the revoked SRKs
- Revocations = 0x%key_index%
+ Revocations = 0x0
 [Authenticate Data]
 # Binary to be signed generated by mkimage
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 664c14060..6ec8d054e 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -23,6 +23,7 @@ TRUSTFENCE_SIGN ?= "1"
 TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
 TRUSTFENCE_DEK_PATH ?= "default"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
+TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 # Trustfence initramfs image recipe
 TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
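Review bot: The comment above the changed line in encrypt_ahab still reads `# bitmask of the revoked SRKs`, which no longer explains why the value is a constant. With `Revocations = 0x0` hard-coded, the template as shown gives TRUSTFENCE_SRK_REVOKE_MASK no way to reach artifacts signed through it. That matches the commit message but is not visible in the file itself. I would extend the comment to `# bitmask of the revoked SRKs (fixed to 0x0: revocation is only requested when signing imx-boot)`. The same applies to the identical hunk in sign_ahab.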
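Review bot: TRUSTFENCE_SRK_REVOKE_MASK is added to trustfence.bbclass without a comment, so someone overriding it has nothing here describing the expected format or scope. The `?=` default of "0x0" is a safe choice, but the variable controls key revocation and deserves a line of its own. I would add above it `# Bitmask of SRKs to revoke when signing imx-boot (AHAB platforms only). Keep 0x0 unless a key must be revoked.`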