trustfence-cst: fix build in DEY 4.0

Yocto 4.0 only supports OpenSSL 3.0.x while NXP's CST (code signing tool) is still using OpenSSL 1.1.x. So the build fails when using the Yocto-build OpenSSL. Instead, build OpenSSL 1.1.1 as part of the build of the CST and link statically against libcrypto, so the resulting binaries (cst, srktool) do not depend on any specific OpenSSL version installed on the development computer. Signed-off-by: Javier Viguera <javier.viguera@digi.com>
2022-07-05 16:31:56 +02:00 · 2022-07-05 16:31:56 +02:00 · 47215862cf
parent ba035acb22
commit 47215862cf
2 changed files with 13 additions and 42 deletions
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-Makefile-statically-link-libcrypto.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0007-Makefile-statically-link-libcrypto.patch
@ -1,27 +0,0 @@
-From: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
-Date: Tue, 15 Dec 2020 17:01:45 +0100
-Subject: [PATCH] Makefile: statically link libcrypto
-
-Statically link libcrypto so the host machine does not require to have
-installed the same openssl version that was used to build the binaries.
-
-This requires dynamically linking the libpthread and libdl libraries.
-
-Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
---
- code/cst/code/build/make/gcc.mk | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/code/cst/code/build/make/gcc.mk b/code/cst/code/build/make/gcc.mk
-index 0394f5a..cc57f6b 100755
--- a/code/cst/code/build/make/gcc.mk
-+++ b/code/cst/code/build/make/gcc.mk
-@@ -28,7 +28,7 @@ COPTIONS += -std=c99 -D_POSIX_C_SOURCE=200809L -Wall -Werror -pedantic -fPIC -g
- #==============================================================================
- LDOPTIONS += -g
- 
-LDLIBS := -lcrypto
-+LDLIBS := -Wl,-Bstatic -lcrypto -Wl,-Bdynamic -lpthread -ldl
- 
- # Archiver flags
- #==============================================================================
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
@ -6,43 +6,43 @@ HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=1fbcd66ae51447aa94da10cbf6271530"

-DEPENDS = "openssl byacc flex"
+DEPENDS = "byacc flex"

 # Explicitly add byacc-native as a dependency when building the package for the
 # SDK, otherwise, it won't get installed in the sysroot, causing a compilation
 # error.
 # Explicitly add openssl-native for the SDK build to correctly link to the
 # openssl libraries in the native dependencies folder.
-DEPENDS:append:class-nativesdk = " byacc-native openssl-native"
+DEPENDS:append:class-nativesdk = " byacc-native"

 SRC_URI = " \
-    ${DIGI_PKG_SRC}/cst-${PV}.tgz \
+    ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \
+    https://www.openssl.org/source/openssl-1.1.1q.tar.gz;name=openssl \
    file://0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch \
    file://0002-hab4_pki_tree.sh-automate-script.patch \
    file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
    file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
    file://0005-ahab_pki_tree.sh-automate-script.patch \
    file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
-    file://0007-Makefile-statically-link-libcrypto.patch \
 "

-SRC_URI[md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"
-SRC_URI[sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9"
+SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"
+SRC_URI[cst.sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9"
+SRC_URI[openssl.md5sum] = "c685d239b6a6e1bd78be45624c092f51"
+SRC_URI[openssl.sha256sum] = "d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca"

 S = "${WORKDIR}/cst-${PV}"

 do_compile() {
-	export LDLIBPATH=-L${WORKDIR}/recipe-sysroot-native/usr/lib
-	export COPTIONS=-I${WORKDIR}/recipe-sysroot-native/usr/include
-	cd ${S}/code/cst
-	oe_runmake OSTYPE=linux64 clean
-	oe_runmake OSTYPE=linux64 rel_bin
+	cd code/cst
+	oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-1.1.1q OSTYPE=linux64 openssl
+	oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-1.1.1q OSTYPE=linux64 rel_bin
 }

 do_install() {
 	install -d ${D}${bindir}
-	install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name cst) ${D}${bindir}/cst
-	install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name srktool) ${D}${bindir}/srktool
+	install -m 0755 code/cst/code/obj.linux64/cst ${D}${bindir}
+	install -m 0755 code/cst/code/obj.linux64/srktool ${D}${bindir}
 	if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
 	elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
@ -56,7 +56,5 @@ do_install() {
 	install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf
 }

-INSANE_SKIP:${PN} += "already-stripped"
-
 FILES:${PN} = "${bindir}"
 BBCLASSEXTEND = "native nativesdk"