trustfence: add encrypted boot artifact support for CCMP13 platform
This commit updates the secure boot support for STM platforms based on the STM32 MPU Ecosystem v6.1.1. It introduces support for encrypted boot artifacts, including TF-A and FIP for the ConnectCore MP13 platform. https://onedigi.atlassian.net/browse/DEL-8535 Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit is contained in:
Arturo Buzarra
parent
41ab14adb8
commit
3fdb245765
|
|
@ -153,10 +153,14 @@ ST_USERFS = "0"
|
|||
|
||||
# Boot artifacts to be copied from the deploy dir to the installer ZIP
|
||||
BOOTABLE_ARTIFACTS = " \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32', \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32 ', \
|
||||
'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32 '), \
|
||||
'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.stm32 ')} \
|
||||
metadata-ccmp13-dvk.bin \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin', \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin ', \
|
||||
'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin '), \
|
||||
'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.bin ')} \
|
||||
"
|
||||
|
||||
|
|
|
|||
|
|
@ -168,10 +168,33 @@ if [ "${PLATFORM}" = "ccmp15" ] || [ "${PLATFORM}" = "ccmp25" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
|
||||
|
||||
# Generate random keys if they don't exist
|
||||
if [ "${PLATFORM}" = "ccmp25" ]; then
|
||||
if [ "${PLATFORM}" = "ccmp13" ]; then
|
||||
if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
|
||||
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
|
||||
echo "Generating random encryption key for FSBL"
|
||||
if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
|
||||
echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
|
||||
exit 1
|
||||
fi
|
||||
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
|
||||
echo "Generating encryption key for FIP"
|
||||
if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" > "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
|
||||
echo "[ERROR] Failed to generate 32-byte FIP encryption key"
|
||||
exit 1
|
||||
fi
|
||||
if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
|
||||
echo "[ERROR] Failed to generate 32-byte FIP encryption key"
|
||||
exit 1
|
||||
fi
|
||||
printf "\n" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
|
||||
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
fi
|
||||
elif [ "${PLATFORM}" = "ccmp25" ]; then
|
||||
if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
|
||||
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
|
||||
echo "Generating random encryption key for FSBL"
|
||||
if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
|
||||
|
|
@ -196,8 +219,8 @@ if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME
|
|||
fi
|
||||
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo "[ERROR] Could not generate encryption keys. Platform not supported."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ TRUSTFENCE_KEYS_PATH ?= "${TOPDIR}/trustfence"
|
|||
# NXP keys
|
||||
TRUSTFENCE_DEK_ENCRYPT_KEYNAME ?= "dek.bin"
|
||||
# STM keys
|
||||
TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "encryption_key_fip.bin"
|
||||
TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "${TF_FIP_ENCRYPT_KEYNAME}"
|
||||
TRUSTFENCE_FSBL_ENCRYPT_KEYNAME ?= "encryption_key_fsbl.bin"
|
||||
TRUSTFENCE_RPROC_ENCRYPT_KEYNAME ?= "encryption_key_rproc.bin"
|
||||
|
||||
|
|
@ -59,7 +59,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
|
|||
# Platform specific defaults
|
||||
TF_ENCRYPT = "1"
|
||||
TF_ENCRYPT:ccimx9 = "0"
|
||||
TF_ENCRYPT:ccmp1 = "0"
|
||||
TF_ENCRYPT:ccmp15 = "0"
|
||||
TF_FIP_ENCRYPT_KEYNAME = "encryption_key_fip.bin"
|
||||
TF_FIP_ENCRYPT_KEYNAME:ccmp13 = "encryption_key_fip.txt"
|
||||
TF_FILE_BASED_ENCRYPT = "0"
|
||||
TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
|
||||
TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
|
||||
|
|
@ -91,8 +93,10 @@ gen_pki_tree() {
|
|||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
export CONFIG_FIP_ENCRYPT_KEYNAME="${TRUSTFENCE_FIP_ENCRYPT_KEYNAME}"
|
||||
export CONFIG_FSBL_ENCRYPT_KEYNAME="${TRUSTFENCE_FSBL_ENCRYPT_KEYNAME}"
|
||||
if [ "${DIGI_SOM}" = "ccmp25" ]; then
|
||||
export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
fi
|
||||
trustfence-gen-pki.sh -p ${DIGI_SOM}
|
||||
fi
|
||||
rm -rf ${GENPKI_LOCK_DIR}
|
||||
|
|
|
|||
Loading…
Reference in New Issue