trustfence: add encrypted boot artifact support for CCMP13 platform

This commit updates the secure boot support for STM platforms based on the
STM32 MPU Ecosystem v6.1.1. It introduces support for encrypted boot artifacts,
including TF-A and FIP for the ConnectCore MP13 platform.

https://onedigi.atlassian.net/browse/DEL-8535

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>

meta-digi-arm/conf/machine/ccmp13-dvk.conf

@@ -153,11 +153,15 @@ ST_USERFS   = "0"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
-    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32', \
-                                                           'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.stm32')} \
+    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+        oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.stm32 ', \
+                                                               'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32 '), \
+        'tf-a-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.stm32 ')} \
     metadata-ccmp13-dvk.bin \
-    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin', \
-                                                           'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.bin')} \
+    ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+        oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${SIGN_SUFFIX}.bin ', \
+                                                               'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin '), \
+        'fip-ccmp13-dvk-256MB-${BOOTSCHEME_DEFAULT}-nand.bin ')} \
 "
 
 # Default overlayfs_etc mount point and type

meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh

@@ -168,10 +168,33 @@ if [ "${PLATFORM}" = "ccmp15" ] || [ "${PLATFORM}" = "ccmp25" ]; then
 	fi
 fi
 
-if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
-
-	# Generate random keys if they don't exist
-	if [ "${PLATFORM}" = "ccmp25" ]; then
+# Generate random keys if they don't exist
+if [ "${PLATFORM}" = "ccmp13" ]; then
+	if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
+		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
+			echo "Generating random encryption key for FSBL"
+			if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
+				exit 1
+			fi
+			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"
+		fi
+		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
+			echo "Generating encryption key for FIP"
+			if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" > "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+				exit 1
+			fi
+			if ! hexdump -e '/1 "%02x"' "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
+				echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+				exit 1
+			fi
+			printf "\n" >> "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
+			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
+		fi
+	fi
+elif [ "${PLATFORM}" = "ccmp25" ]; then
+	if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
 		if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
 			echo "Generating random encryption key for FSBL"
 			if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
@@ -196,8 +219,8 @@ if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME
 			fi
 			chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"
 		fi
-	else
-		echo "[ERROR] Could not generate encryption keys. Platform not supported."
-		exit 1
 	fi
+else
+	echo "[ERROR] Could not generate encryption keys. Platform not supported."
+	exit 1
 fi

meta-digi-dey/classes/trustfence.bbclass

@@ -21,7 +21,7 @@ TRUSTFENCE_KEYS_PATH ?= "${TOPDIR}/trustfence"
 # NXP keys
 TRUSTFENCE_DEK_ENCRYPT_KEYNAME ?= "dek.bin"
 # STM keys
-TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "encryption_key_fip.bin"
+TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "${TF_FIP_ENCRYPT_KEYNAME}"
 TRUSTFENCE_FSBL_ENCRYPT_KEYNAME ?= "encryption_key_fsbl.bin"
 TRUSTFENCE_RPROC_ENCRYPT_KEYNAME ?= "encryption_key_rproc.bin"
 
@@ -59,7 +59,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 # Platform specific defaults
 TF_ENCRYPT = "1"
 TF_ENCRYPT:ccimx9 = "0"
-TF_ENCRYPT:ccmp1 = "0"
+TF_ENCRYPT:ccmp15 = "0"
+TF_FIP_ENCRYPT_KEYNAME = "encryption_key_fip.bin"
+TF_FIP_ENCRYPT_KEYNAME:ccmp13 = "encryption_key_fip.txt"
 TF_FILE_BASED_ENCRYPT = "0"
 TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
 TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
@@ -91,7 +93,9 @@ gen_pki_tree() {
 			if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
 				export CONFIG_FIP_ENCRYPT_KEYNAME="${TRUSTFENCE_FIP_ENCRYPT_KEYNAME}"
 				export CONFIG_FSBL_ENCRYPT_KEYNAME="${TRUSTFENCE_FSBL_ENCRYPT_KEYNAME}"
-				export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
+				if [ "${DIGI_SOM}" = "ccmp25" ]; then
+					export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
+				fi
 			fi
 			trustfence-gen-pki.sh -p ${DIGI_SOM}
 		fi