Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence-cst: fix build in DEY 4.0 

Yocto 4.0 only supports OpenSSL 3.0.x while NXP's CST (code signing
tool) is still using OpenSSL 1.1.x. So the build fails when using the
Yocto-build OpenSSL. Instead, build OpenSSL 1.1.1 as part of the build of
the CST and link statically against libcrypto, so the resulting binaries
(cst, srktool) do not depend on any specific OpenSSL version installed
on the development computer.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera 2022-07-05 16:31:56 +02:00
parent ba035acb22
commit 47215862cf
2 changed files with 13 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-Makefile-statically-link-libcrypto.patch
View File

@ -1,27 +0,0 @@
From: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Date: Tue, 15 Dec 2020 17:01:45 +0100
Subject: [PATCH] Makefile: statically link libcrypto
Statically link libcrypto so the host machine does not require to have
installed the same openssl version that was used to build the binaries.
This requires dynamically linking the libpthread and libdl libraries.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
---
code/cst/code/build/make/gcc.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/cst/code/build/make/gcc.mk b/code/cst/code/build/make/gcc.mk
index 0394f5a..cc57f6b 100755
--- a/code/cst/code/build/make/gcc.mk
+++ b/code/cst/code/build/make/gcc.mk
@@ -28,7 +28,7 @@ COPTIONS += -std=c99 -D_POSIX_C_SOURCE=200809L -Wall -Werror -pedantic -fPIC -g
#==============================================================================
LDOPTIONS += -g
-LDLIBS := -lcrypto
+LDLIBS := -Wl,-Bstatic -lcrypto -Wl,-Bdynamic -lpthread -ldl
# Archiver flags
#==============================================================================

28
meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
View File

@ -6,43 +6,43 @@ HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL"
LICENSE = "BSD-3-Clause" LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=1fbcd66ae51447aa94da10cbf6271530" LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=1fbcd66ae51447aa94da10cbf6271530"
DEPENDS = "openssl byacc flex" DEPENDS = "byacc flex"
# Explicitly add byacc-native as a dependency when building the package for the # Explicitly add byacc-native as a dependency when building the package for the
# SDK, otherwise, it won't get installed in the sysroot, causing a compilation # SDK, otherwise, it won't get installed in the sysroot, causing a compilation
# error. # error.
# Explicitly add openssl-native for the SDK build to correctly link to the # Explicitly add openssl-native for the SDK build to correctly link to the
# openssl libraries in the native dependencies folder. # openssl libraries in the native dependencies folder.
DEPENDS:append:class-nativesdk = " byacc-native openssl-native" DEPENDS:append:class-nativesdk = " byacc-native"
SRC_URI = " \ SRC_URI = " \
${DIGI_PKG_SRC}/cst-${PV}.tgz \ ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \
https://www.openssl.org/source/openssl-1.1.1q.tar.gz;name=openssl \
file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \ file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
file://0002-hab4_pki_tree.sh-automate-script.patch \ file://0002-hab4_pki_tree.sh-automate-script.patch \
file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \ file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \ file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
file://0005-ahab_pki_tree.sh-automate-script.patch \ file://0005-ahab_pki_tree.sh-automate-script.patch \
file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \ file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
file://0007-Makefile-statically-link-libcrypto.patch \
" "
SRC_URI[md5sum] = "27ba9c8bc0b8a7f14d23185775c53794" SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"
SRC_URI[sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9" SRC_URI[cst.sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9"
SRC_URI[openssl.md5sum] = "c685d239b6a6e1bd78be45624c092f51"
SRC_URI[openssl.sha256sum] = "d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca"
S = "${WORKDIR}/cst-${PV}" S = "${WORKDIR}/cst-${PV}"
do_compile() { do_compile() {
export LDLIBPATH=-L${WORKDIR}/recipe-sysroot-native/usr/lib cd code/cst
export COPTIONS=-I${WORKDIR}/recipe-sysroot-native/usr/include oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-1.1.1q OSTYPE=linux64 openssl
cd ${S}/code/cst oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-1.1.1q OSTYPE=linux64 rel_bin
oe_runmake OSTYPE=linux64 clean
oe_runmake OSTYPE=linux64 rel_bin
} }
do_install() { do_install() {
install -d ${D}${bindir} install -d ${D}${bindir}
install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name cst) ${D}${bindir}/cst install -m 0755 code/cst/code/obj.linux64/cst ${D}${bindir}
install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name srktool) ${D}${bindir}/srktool install -m 0755 code/cst/code/obj.linux64/srktool ${D}${bindir}
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
@ -56,7 +56,5 @@ do_install() {
install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf
} }
INSANE_SKIP:${PN} += "already-stripped"
FILES:${PN} = "${bindir}" FILES:${PN} = "${bindir}"
BBCLASSEXTEND = "native nativesdk" BBCLASSEXTEND = "native nativesdk"