From 47215862cf827b117600d08931c8f4aab9392f98 Mon Sep 17 00:00:00 2001
From: Javier Viguera
Date: Tue, 5 Jul 2022 16:31:56 +0200
Subject: [PATCH] trustfence-cst: fix build in DEY 4.0
Yocto 4.0 only supports OpenSSL 3.0.x while NXP's CST (code signing tool) is still using OpenSSL 1.1.x. So the build fails when using the Yocto-build OpenSSL. Instead, build OpenSSL 1.1.1 as part of the build of the CST and link statically against libcrypto, so the resulting binaries (cst, srktool) do not depend on any specific OpenSSL version installed on the development computer.
Signed-off-by: Javier Viguera
---
...7-Makefile-statically-link-libcrypto.patch | 27 ------------------
.../trustfence-cst/trustfence-cst_3.3.1.bb | 28 +++++++++----------
2 files changed, 13 insertions(+), 42 deletions(-)
delete mode 100644 meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-Makefile-statically-link-libcrypto.patch
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-Makefile-statically-link-libcrypto.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-Makefile-statically-link-libcrypto.patch
deleted file mode 100644
index 8cdde4006..000000000
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-Makefile-statically-link-libcrypto.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Gonzalo Ruiz
-Date: Tue, 15 Dec 2020 17:01:45 +0100
-Subject: [PATCH] Makefile: statically link libcrypto
-
-Statically link libcrypto so the host machine does not require to have
-installed the same openssl version that was used to build the binaries.
-
-This requires dynamically linking the libpthread and libdl libraries.
-
-Signed-off-by: Gonzalo Ruiz
----
- code/cst/code/build/make/gcc.mk | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/code/cst/code/build/make/gcc.mk b/code/cst/code/build/make/gcc.mk
-index 0394f5a..cc57f6b 100755
---- a/code/cst/code/build/make/gcc.mk
-+++ b/code/cst/code/build/make/gcc.mk
-@@ -28,7 +28,7 @@ COPTIONS += -std=c99 -D_POSIX_C_SOURCE=200809L -Wall -Werror -pedantic -fPIC -g
- #==============================================================================
- LDOPTIONS += -g
-
--LDLIBS := -lcrypto
-+LDLIBS := -Wl,-Bstatic -lcrypto -Wl,-Bdynamic -lpthread -ldl
-
- # Archiver flags
- #==============================================================================
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
index e7057c573..3ee692daf 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
@@ -6,43 +6,43 @@ HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=1fbcd66ae51447aa94da10cbf6271530" -DEPENDS = "openssl byacc flex" +DEPENDS = "byacc flex" # Explicitly add byacc-native as a dependency when building the package for the # SDK, otherwise, it won't get installed in the sysroot, causing a compilation # error. # Explicitly add openssl-native for the SDK build to correctly link to the # openssl libraries in the native dependencies folder. -DEPENDS:append:class-nativesdk = " byacc-native openssl-native" +DEPENDS:append:class-nativesdk = " byacc-native" SRC_URI = " \ - ${DIGI_PKG_SRC}/cst-${PV}.tgz \ + ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \ + https://www.openssl.org/source/openssl-1.1.1q.tar.gz;name=openssl \ file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \ file://0002-hab4_pki_tree.sh-automate-script.patch \ file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \ file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \ file://0005-ahab_pki_tree.sh-automate-script.patch \ file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \ - file://0007-Makefile-statically-link-libcrypto.patch \ " -SRC_URI[md5sum] = "27ba9c8bc0b8a7f14d23185775c53794" -SRC_URI[sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9" +SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794" +SRC_URI[cst.sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9" +SRC_URI[openssl.md5sum] = "c685d239b6a6e1bd78be45624c092f51" +SRC_URI[openssl.sha256sum] = "d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca" S = "${WORKDIR}/cst-${PV}" do_compile() { - export LDLIBPATH=-L${WORKDIR}/recipe-sysroot-native/usr/lib - export COPTIONS=-I${WORKDIR}/recipe-sysroot-native/usr/include - cd ${S}/code/cst - oe_runmake OSTYPE=linux64 clean - oe_runmake OSTYPE=linux64 rel_bin + cd code/cst + 
oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-1.1.1q OSTYPE=linux64 openssl + oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-1.1.1q OSTYPE=linux64 rel_bin } do_install() { install -d ${D}${bindir} - install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name cst) ${D}${bindir}/cst - install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name srktool) ${D}${bindir}/srktool + install -m 0755 code/cst/code/obj.linux64/cst ${D}${bindir} + install -m 0755 code/cst/code/obj.linux64/srktool ${D}${bindir} if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then @@ -56,7 +56,5 @@ do_install() { install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf } -INSANE_SKIP:${PN} += "already-stripped" - FILES:${PN} = "${bindir}" BBCLASSEXTEND = "native nativesdk"
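Review bot: Security fixes to OpenSSL will reach `cst` and `srktool` only when this recipe is edited by hand, because the new `SRC_URI` entry and the two `OPENSSL_PATH=` arguments in `do_compile` pin a bundled 1.1.1q that (per the commit message) is linked statically instead of coming from a Yocto dependency; presumably the bundled copy is also invisible to per-recipe CVE and licence tracking, which is worth confirming for a code-signing tool. The version string is repeated three times, so defining it once, e.g. `OPENSSL_PV = "1.1.1q"`, and using `openssl-${OPENSSL_PV}.tar.gz` in the URL and `OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL_PV}` in both `oe_runmake` calls would keep a bump to one line plus the two checksums. A comment next to it such as `# Bundled OpenSSL, statically linked into cst/srktool; bump on upstream security releases` would record why the tarball is fetched here. The context comment `# Explicitly add openssl-native for the SDK build ...` above `DEPENDS:append:class-nativesdk` is now stale, since `openssl-native` is removed on the following line, and should be dropped. `do_install` continues past the end of this hunk.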