From 3fc0a301150febecff39806993e8c75674818d97 Mon Sep 17 00:00:00 2001
From: Gabriel Valcazar
Date: Tue, 19 Mar 2024 13:20:30 +0100
Subject: [PATCH] trustfence: rename variables related to FIT image signing
Different mechanisms are used to sign FIT images on the ccmp1 platforms and the ccimx93, and we manage each mechanism via a different variable. The variable names don't really reflect which platform they affect, which makes maintenance harder. Rename the variables so that it's easier to identify the platforms/vendors they affect:
* Replace TRUSTFENCE_FIT_IMG with TRUSTFENCE_SIGN_FIT_STM
* Replace TRUSTFENCE_SIGN_FIT_ARTIFACT with TRUSTFENCE_SIGN_FIT_NXP
Don't rename TRUSTFENCE_FIT_IMG_SIGN_KEYNAME
Signed-off-by: Gabriel Valcazar
---
 meta-digi-arm/classes/image_types_digi.bbclass | 2 +-
 meta-digi-arm/conf/machine/ccmp13-dvk.conf | 2 +-
 meta-digi-arm/conf/machine/ccmp15-dvk.conf | 2 +-
 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc | 2 +-
 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb | 2 +-
 .../recipes-kernel/linux/linux-trustfence.inc | 2 +-
 meta-digi-dey/classes/trustfence.bbclass | 10 +++++-----
 7 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass
index d5fded013..236164dc1 100644
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@@ -221,7 +221,7 @@ trustence_sign_cpio() {
 # Image generation code for image type 'cpio.gz.u-boot.tf'
 # (signed/encrypted ramdisk)
 #
- if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "0" ]; then
+ if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
 # Set environment variables for trustfence configuration
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
diff --git a/meta-digi-arm/conf/machine/ccmp13-dvk.conf b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
index b70b081d7..7564a34d4 100644
--- a/meta-digi-arm/conf/machine/ccmp13-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
@@ -111,7 +111,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
 # =========================================================================
 # Kernel
 # =========================================================================
-KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
+KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_SIGN_FIT_STM', '1', 'fitImage', 'zImage', d)}"
 KERNEL_CLASSES = "kernel-fitimage"
 KERNEL_ALT_IMAGETYPE = "Image vmlinux"
 KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"
diff --git a/meta-digi-arm/conf/machine/ccmp15-dvk.conf b/meta-digi-arm/conf/machine/ccmp15-dvk.conf
index 2784a040e..9d4e5fd72 100644
--- a/meta-digi-arm/conf/machine/ccmp15-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp15-dvk.conf
@@ -122,7 +122,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
 # =========================================================================
 # Kernel
 # =========================================================================
-KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
+KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_SIGN_FIT_STM', '1', 'fitImage', 'zImage', d)}"
 KERNEL_CLASSES = "kernel-fitimage"
 KERNEL_ALT_IMAGETYPE = "Image vmlinux"
 KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
index 30b6c55b3..637b0033d 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
@@ -118,7 +118,7 @@ build_uboot_scripts() {
 rm -f ${TMP_BOOTSCR}
 # Sign the boot script if not contained in a FIT image
- if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "0" ]; then
+ if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 [ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
index 5e921be4c..8550e699c 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
@@ -10,7 +10,7 @@ SRCBRANCH = "v2021.10/master"
 SRCREV = "${AUTOREV}"
 SRC_URI += " \
- ${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'file://fit_signature.cfg', '', d)} \
+ ${@oe.utils.conditional('TRUSTFENCE_SIGN_FIT_STM', '1', 'file://fit_signature.cfg', '', d)} \
 "
 install_helper_files() {
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
index 4fca51f2c..1a65fc204 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
@@ -32,7 +32,7 @@ trustfence_sign() {
 done
 # For FIT images there is no need to sign the rest of artifacts
- [ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "1" ] && return 0
+ [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "1" ] && return 0
 # Sign/encrypt the device tree blobs
 for DTB in ${KERNEL_DEVICETREE}; do
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index d1f356a90..af122e8b5 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
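Review bot: The comments above the two renamed shell checks still speak of FIT images in general, while each check now reads only the NXP flag: `# Sign the boot script if not contained in a FIT image` in `build_uboot_scripts()` (u-boot-dey.inc) and `# For FIT images there is no need to sign the rest of artifacts` in `trustfence_sign()` (linux-trustfence.inc). With a separate `TRUSTFENCE_SIGN_FIT_STM` now in play, a reader cannot tell from these hunks whether STM FIT builds are meant to take or skip these signing paths. Naming the flag in the comment would settle it, e.g. `# NXP FIT signing (TRUSTFENCE_SIGN_FIT_NXP): no need to sign the rest of artifacts`, with the matching wording in u-boot-dey.inc. Both function bodies continue outside their hunks.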
@@ -32,7 +32,7 @@ TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 TRUSTFENCE_KEY_INDEX ?= "0"
 TRUSTFENCE_SIGN_ARTIFACTS = "1"
 TRUSTFENCE_SIGN_ARTIFACTS:ccmp1 = "0"
-TRUSTFENCE_FIT_IMG:ccmp1 ?= "1"
+TRUSTFENCE_SIGN_FIT_STM:ccmp1 ?= "1"
 # Partition encryption configuration
 TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
@@ -48,8 +48,8 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 #
 # NXP-based sign a FIT-format boot artifact
-TRUSTFENCE_SIGN_FIT_ARTIFACT = "0"
-TRUSTFENCE_SIGN_FIT_ARTIFACT:ccimx93 = "${TRUSTFENCE_SIGN_ARTIFACTS}"
+TRUSTFENCE_SIGN_FIT_NXP = "0"
+TRUSTFENCE_SIGN_FIT_NXP:ccimx93 = "${TRUSTFENCE_SIGN_ARTIFACTS}"
 IMAGE_FEATURES += "dey-trustfence"
@@ -183,7 +183,7 @@ python () {
 d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
 if (d.getVar("TRUSTFENCE_SIGN_ARTIFACTS") == "1"):
 d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
- if (d.getVar("TRUSTFENCE_SIGN_FIT_ARTIFACT") == "1"):
+ if (d.getVar("TRUSTFENCE_SIGN_FIT_NXP") == "1"):
 d.appendVar("UBOOT_TF_CONF", '"# CONFIG_CMD_BOOTI is not set" ')
 d.appendVar("UBOOT_TF_CONF", '"# CONFIG_LEGACY_IMAGE_FORMAT is not set" ')
 if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
@@ -201,7 +201,7 @@ python () {
 d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
- if (d.getVar("TRUSTFENCE_FIT_IMG") == "1"):
+ if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"):
 # FIT-related variables
 # Create keys if not defined
 d.setVar("FIT_GENERATE_KEYS", "1")
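Review bot: Nothing in the two `python ()` hunks (-183 and -201) rejects the retired names, so a `local.conf` or distro file that still sets `TRUSTFENCE_FIT_IMG` or `TRUSTFENCE_SIGN_FIT_ARTIFACT` is now ignored without any message. For variables that select how boot artifacts are signed, the build should stop rather than continue on defaults, for example in this anonymous function: `for old in ("TRUSTFENCE_FIT_IMG", "TRUSTFENCE_SIGN_FIT_ARTIFACT"):` followed by `if d.getVar(old) is not None: bb.fatal("%s has been renamed, see trustfence.bbclass" % old)`. On ccmp1 the `?= "1"` default means a stale `TRUSTFENCE_FIT_IMG = "0"` would presumably leave FIT signing and key generation switched on, which is the safe direction but still not what the configuration asked for. BitBake's `BB_RENAMED_VARIABLES` flags are an alternative if the release in use supports them. The function body starts and ends outside both hunks, so placement has to be checked against the full file.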