From 401e99d3f050bc1911b0aa49d37c8fefe12138f0 Mon Sep 17 00:00:00 2001
From: Gabriel Valcazar
Date: Fri, 25 Oct 2024 13:53:51 +0200
Subject: [PATCH] trustfence-cst: update to cst 3.4.1

Now that the tool supports OpenSSL 3.2.3, the same version provided by Yocto 5.0 poky, we can simply use the regular Yocto version of the package and link to it dynamically instead of building a separate version specific for the tool. Reflect this change in the recipe and include the new binary "mac_dump" in the package.

Signed-off-by: Gabriel Valcazar
---
 ...2.bb => nativesdk-trustfence-cst_3.4.1.bb} | 0
 ...cst-3.3.2.inc => trustfence-cst-3.4.1.inc} | 24 +++++++------------
 ...crypted_data-reuse-existing-DEK-file.patch | 12 +++++-----
 ...elper-use-dev-urandom-as-seed-source.patch | 12 +++++-----
 ...ab4_pki_tree.sh-adapt-script-for-DEY.patch | 0
 ...hab_pki_tree.sh-adapt-script-for-DEY.patch | 0
 ....3.2.bb => trustfence-cst-native_3.4.1.bb} | 0
 7 files changed, 21 insertions(+), 27 deletions(-)
 rename meta-digi-arm/recipes-bsp/trustfence-cst/{nativesdk-trustfence-cst_3.3.2.bb => nativesdk-trustfence-cst_3.4.1.bb} (100%)
 rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-3.3.2.inc => trustfence-cst-3.4.1.inc} (59%)
 rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-3.3.2 => trustfence-cst-3.4.1}/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch (68%)
 rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-3.3.2 => trustfence-cst-3.4.1}/0002-openssl_helper-use-dev-urandom-as-seed-source.patch (63%)
 rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-3.3.2 => trustfence-cst-3.4.1}/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch (100%)
 rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-3.3.2 => trustfence-cst-3.4.1}/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch (100%)
 rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-native_3.3.2.bb => trustfence-cst-native_3.4.1.bb} (100%)
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.3.2.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.4.1.bb
similarity index 100%
rename from meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.3.2.bb
rename to meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.4.1.bb
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1.inc
similarity index 59%
rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2.inc
rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1.inc
index 015ea103c..5a460989a 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1.inc
@@ -1,44 +1,38 @@ -# Copyright (C) 2017-2023, Digi International Inc. +# Copyright (C) 2017-2024, Digi International Inc. SUMMARY = "NXP Code signing Tool for the High Assurance Boot library" DESCRIPTION = "Provides software code signing support designed for use with \ i.MX processors that integrate the HAB library in the internal boot ROM." HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=1fbcd66ae51447aa94da10cbf6271530" +LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=14aba05f9fa6c25527297c8aac95fcf6" -DEPENDS = "byacc-native flex-native" - -OPENSSL1_VERSION = "1.1.1t" +DEPENDS = "byacc-native flex-native openssl" SRC_URI = " \ ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \ - https://www.openssl.org/source/openssl-${OPENSSL1_VERSION}.tar.gz;name=openssl \ file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \ file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \ file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \ file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \ " -SRC_URI[cst.md5sum] = "4b9fccac381fa412cba8ba7028c154c7" -SRC_URI[cst.sha256sum] = "517b11dca181e8c438a6249f56f0a13a0eb251b30e690760be3bf6191ee06c68" -SRC_URI[openssl.md5sum] = "1cfee919e0eac6be62c88c5ae8bcd91e" -SRC_URI[openssl.sha256sum] = "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b" +SRC_URI[cst.md5sum] = "b23ed5983734d4812fcf1da33eac8f31" +SRC_URI[cst.sha256sum] = "0715fffe43d82708696af3f5d721bf36edd1d9be1ec482f21b9f1c48bc699097" S = "${WORKDIR}/cst-${PV}" EXTRA_OEMAKE = 'CC="${CC}" LD="${CC}" AR="${AR}" OBJCOPY="${OBJCOPY}"' do_compile() { - cd code/cst - oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 openssl - oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 os_bin + oe_runmake -C code/obj.linux64 OSTYPE=linux64 ENCRYPTION=yes COPTIONS="${CFLAGS} ${CPPFLAGS}" LDOPTIONS="${LDFLAGS}" } do_install() 
{ install -d ${D}${bindir} - install -m 0755 code/cst/code/obj.linux64/cst ${D}${bindir} - install -m 0755 code/cst/code/obj.linux64/srktool ${D}${bindir} + install -m 0755 code/obj.linux64/cst ${D}${bindir} + install -m 0755 code/obj.linux64/mac_dump ${D}${bindir} + install -m 0755 code/obj.linux64/srktool ${D}${bindir} if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch similarity index 68% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch index d6a0b0327..c422bf853 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch @@ -14,14 +14,14 @@ https://jira.digi.com/browse/DUB-608 
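Review bot: `DEPENDS = "byacc-native flex-native openssl"` in trustfence-cst-3.4.1.inc now builds the signing tool against whatever OpenSSL the distro provides, but nothing in the recipe records the version the tool is known to support. The commit message names OpenSSL 3.2.3; I would put that next to the dependency, e.g. `# cst links dynamically against the Yocto openssl recipe; the tool supports OpenSSL 3.2.3, re-test signing when openssl is upgraded`, so that a later openssl bump is not silently picked up by a tool that produces HAB/AHAB signatures. Separately, the new `LIC_FILES_CHKSUM` value means LICENSE.bsd3 changed between 3.3.2 and 3.4.1 while `LICENSE` stays "BSD-3-Clause"; the commit message does not say what changed in that file, so it is worth confirming the declared license still matches. The do_install body continues past the end of this hunk.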
Signed-off-by: Diaz de Grenu, Jose --- - code/cst/code/back_end-ssl/src/adapt_layer_openssl.c | 1 + + code/back_end-ssl/src/adapt_layer_openssl.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c b/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c -index d8df54e..86e7e4f 100755 ---- a/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c -+++ b/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c -@@ -1231,6 +1231,7 @@ int32_t gen_auth_encrypted_data(const char* in_file, +diff --git a/code/back_end-ssl/src/adapt_layer_openssl.c b/code/back_end-ssl/src/adapt_layer_openssl.c +index 74a707f..da4df42 100644 +--- a/code/back_end-ssl/src/adapt_layer_openssl.c ++++ b/code/back_end-ssl/src/adapt_layer_openssl.c +@@ -1211,6 +1211,7 @@ int32_t gen_auth_encrypted_data(const char* in_file, printf("\n"); #endif if (0 == key_init_done) { diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0002-openssl_helper-use-dev-urandom-as-seed-source.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0002-openssl_helper-use-dev-urandom-as-seed-source.patch similarity index 63% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0002-openssl_helper-use-dev-urandom-as-seed-source.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0002-openssl_helper-use-dev-urandom-as-seed-source.patch index 489631960..ac0ba8359 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0002-openssl_helper-use-dev-urandom-as-seed-source.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0002-openssl_helper-use-dev-urandom-as-seed-source.patch @@ -8,14 +8,14 @@ Upstream-Status: Inappropriate [DEY specific] 
Signed-off-by: Diaz de Grenu, Jose --- - code/cst/code/common/src/openssl_helper.c | 2 +- + code/common/src/openssl_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/code/cst/code/common/src/openssl_helper.c b/code/cst/code/common/src/openssl_helper.c -index 1e1131b..918c82e 100755 ---- a/code/cst/code/common/src/openssl_helper.c -+++ b/code/cst/code/common/src/openssl_helper.c -@@ -404,7 +404,7 @@ void print_version(void) +diff --git a/code/common/src/openssl_helper.c b/code/common/src/openssl_helper.c +index c6b5292..c2ff0ca 100644 +--- a/code/common/src/openssl_helper.c ++++ b/code/common/src/openssl_helper.c +@@ -380,7 +380,7 @@ void print_version(void) ---------------------------*/ uint32_t seed_prng(uint32_t bytes) { diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch similarity index 100% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch similarity index 100% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.4.1/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch 
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.3.2.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.4.1.bb
similarity index 100%
rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.3.2.bb
rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.4.1.bb