diff --git a/meta-digi-arm/conf/machine/ccmp13-dvk.conf b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
index 8bd31d79e..79b1aaf71 100644
--- a/meta-digi-arm/conf/machine/ccmp13-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
@@ -153,11 +153,15 @@ ST_USERFS = "0"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32', \
-    'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.stm32')} \
+    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+    oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32 ', \
+    'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32 '), \
+    'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.stm32 ')} \
     metadata-ccmp13-dvk.bin \
-    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin', \
-    'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.bin')} \
+    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+    oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin ', \
+    'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin '), \
+    'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.bin ')} \
 "
 
 # Default overlayfs_etc mount point and type
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
index 7568b9341..4cc60eb74 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
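Review bot: The new inner ifelse tests `d.getVar('TRUSTFENCE_ENCRYPT') == '0'` while the outer one tests `TRUSTFENCE_SIGN == '1'`, so an unset TRUSTFENCE_ENCRYPT (getVar returns None) falls into the encrypted branch and the installer ZIP then expects a `${ENCRYPT_SUFFIX}${SIGN_SUFFIX}` artifact that may never have been built. Inverting the test keeps both checks consistent and makes the sign-only name the fallback: `oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '1', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32 ', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32 ')`, and the same swap on the fip line. Whether trustfence.bbclass always pins TRUSTFENCE_ENCRYPT to '0' or '1' is not visible here; if it does, this is only a consistency point.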
@@ -168,10 +168,33 @@ if [ "${PLATFORM}" = "ccmp15" ] || [ "${PLATFORM}" = "ccmp25" ]; then
 	fi
 fi
 
-if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
-
-	# Generate random keys if they don't exist
-	if [ "${PLATFORM}" = "ccmp25" ]; then
+# Generate random keys if they don't exist
+if [ "${PLATFORM}" = "ccmp13" ]; then
+	if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
+		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
+			echo "Generating random encryption key for FSBL"
+			if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
+				exit 1
+			fi
+			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"
+		fi
+		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
+			echo "Generating encryption key for FIP"
+			if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" > "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+				exit 1
+			fi
+			if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+				exit 1
+			fi
+			printf "\n" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
+			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
+		fi
+	fi
+elif [ "${PLATFORM}" = "ccmp25" ]; then
+	if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
 		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
 			echo "Generating random encryption key for FSBL"
 			if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
@@ -196,8 +219,8 @@ if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME
 			fi
 			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"
 		fi
-	else
-		echo "[ERROR] Could not generate encryption keys. Platform not supported."
-		exit 1
 	fi
+else
+	echo "[ERROR] Could not generate encryption keys. Platform not supported."
+	exit 1
 fi
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index fe18354d1..be263313a 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -21,7 +21,7 @@ TRUSTFENCE_KEYS_PATH ?= "${TOPDIR}/trustfence"
 # NXP keys
 TRUSTFENCE_DEK_ENCRYPT_KEYNAME ?= "dek.bin"
 # STM keys
-TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "encryption_key_fip.bin"
+TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "${TF_FIP_ENCRYPT_KEYNAME}"
 TRUSTFENCE_FSBL_ENCRYPT_KEYNAME ?= "encryption_key_fsbl.bin"
 TRUSTFENCE_RPROC_ENCRYPT_KEYNAME ?= "encryption_key_rproc.bin"
 
@@ -59,7 +59,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 # Platform specific defaults
 TF_ENCRYPT = "1"
 TF_ENCRYPT:ccimx9 = "0"
-TF_ENCRYPT:ccmp1 = "0"
+TF_ENCRYPT:ccmp15 = "0"
+TF_FIP_ENCRYPT_KEYNAME = "encryption_key_fip.bin"
+TF_FIP_ENCRYPT_KEYNAME:ccmp13 = "encryption_key_fip.txt"
 TF_FILE_BASED_ENCRYPT = "0"
 TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
 TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
@@ -91,7 +93,9 @@ gen_pki_tree() {
 		if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
 			export CONFIG_FIP_ENCRYPT_KEYNAME="${TRUSTFENCE_FIP_ENCRYPT_KEYNAME}"
 			export CONFIG_FSBL_ENCRYPT_KEYNAME="${TRUSTFENCE_FSBL_ENCRYPT_KEYNAME}"
-			export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
+			if [ "${DIGI_SOM}" = "ccmp25" ]; then
+				export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
+			fi
 		fi
 		trustfence-gen-pki.sh -p ${DIGI_SOM}
 	fi
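Review bot: In the new ccmp13 branch, a failure of the first `hexdump` exits after the `>` redirection has already created an empty `${CONFIG_FIP_ENCRYPT_KEYNAME}`, and a failure of the second leaves a half-written one; on the next run the `[ ! -f ... ]` guard sees the file and silently keeps the truncated key. Delete the partial file before each `exit 1` (`rm -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"`), or write to a temp file and `mv` it into place once both hexdump calls and the `printf` have succeeded. Note also that the FIP key is the 16-byte FSBL key hex-encoded twice, so the 32-byte FIP key carries only 128 bits of entropy and is fully recoverable from the FSBL key; if the platform requires both to be the same material, say so in a comment (`# ccmp13: FIP key must be the FSBL key, stored as a hex string — TODO confirm which tool consumes it`), otherwise generate it independently. `chmod 444` leaves the key material world-readable; `chmod 400` is sufficient for the signing tools. The ccmp25 branch that opens at the end of this hunk continues outside it.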
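Review bot: Moving the `else` to the outer `if` makes the script exit with "Platform not supported" for every platform other than ccmp13 and ccmp25 even when no encryption key names are configured, whereas before the error was only reachable when all three CONFIG_*_ENCRYPT_KEYNAME variables were set. The earlier `if [ "${PLATFORM}" = "ccmp15" ] || ...` visible in the first hunk header indicates ccmp15 is an accepted platform, and trustfence.bbclass defaults TF_ENCRYPT:ccmp15 to "0" while still calling the generator unconditionally, so a sign-only ccmp15 PKI run would now fail unless PLATFORM is validated somewhere outside this hunk. Gate the error on keys actually being requested: `elif [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] || [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] || [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then` in place of `else`.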
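Review bot: Narrowing `TF_ENCRYPT:ccmp1 = "0"` to `:ccmp15` silently flips the ccmp13 default to encrypted boot, and the new `.txt` override is only explained by the generator script in another file; a comment on these lines would save the next reader a detour: `# ccmp13 supports encrypted FSBL/FIP; ccmp15 does not` and `# ccmp13 stores the FIP key as a hex string written by trustfence-gen-pki-stm.sh, hence .txt`. `TF_FILE_BASED_ENCRYPT:ccmp1 = "1"` still covers both ccmp13 and ccmp15, which looks intentional but is worth confirming against the ccmp13 image recipes.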
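Review bot: The new `DIGI_SOM = "ccmp25"` check leaves CONFIG_RPROC_ENCRYPT_KEYNAME unset for every other SoM but does not say why; a one-line comment above it, `# Only ccmp25 has a remote-processor firmware to encrypt — confirm before adding SoMs`, records the intent for whoever adds the next platform. While here, `trustfence-gen-pki.sh -p ${DIGI_SOM}` is the one unquoted expansion in this function; `"${DIGI_SOM}"` matches the quoting used on the lines above it. gen_pki_tree starts before this hunk.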