From 4b6d1a2c0927b5c475e50f6fe21f57105cf48a4b Mon Sep 17 00:00:00 2001
From: Gonzalo Ruiz
Date: Thu, 2 Apr 2020 11:22:49 +0200
Subject: [PATCH] trustfence: Add U-Boot sign support for ccimx8mn
Add Trustfence support for signing imx-boot images:
- Install a different U-Boot signing script for images with U-Boot SPL.
- Store mkimage log for later use in the signing script
- make 'print_hab_log' and store its log for later use in the signing script
https://jira.digi.com/browse/DEL-7023
Signed-off-by: Gonzalo Ruiz
---
 meta-digi-arm/conf/machine/include/ccimx8mn.inc | 5 +++++
 .../recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend | 12 ++++++++++--
 .../trustfence/trustfence-sign-tools_git.bb | 8 +++++++-
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/meta-digi-arm/conf/machine/include/ccimx8mn.inc b/meta-digi-arm/conf/machine/include/ccimx8mn.inc
index b097ca0aa..a3077cee1 100644
--- a/meta-digi-arm/conf/machine/include/ccimx8mn.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx8mn.inc
@@ -69,6 +69,11 @@ KERNEL_IMAGETYPE = "Image.gz"
 VIRTUAL-RUNTIME_init_manager ?= "systemd"
 VIRTUAL-RUNTIME_initscripts ?= "initscripts"
+# TrustFence
+TRUSTFENCE_SIGN_MODE = "HAB"
+# TODO: not yet supported
+TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
+
 # Adding 'wayland' along with 'x11' enables the xwayland backend
 # Vulkan is necessary for wayland to build
 DISTRO_FEATURES_append = " wayland vulkan systemd pam"
diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
index 5703ef2f6..8d747cf68 100644
--- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
+++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
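Review bot: In ccimx8mn.inc, `TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"` is a hard assignment in a machine include, so depending on parse order a project that sets the variable to "1" elsewhere may be overridden without any message and ship with an unencrypted U-Boot environment while assuming it is protected. The `# TODO: not yet supported` comment is the only trace of that limitation. I would spell out the consequence in the comment, e.g. `# Environment encryption is not yet supported on ccimx8mn: the U-Boot environment is stored unencrypted even when TrustFence signing is enabled`, and consider emitting a build-time warning when a user configuration asks for encryption on this machine.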
@@ -11,7 +11,7 @@ SRC_URI_append_ccimx8x = " file://0001-iMX8QX-remove-SC_BD_FLAGS_ALT_CONFIG-flag
 IMX_EXTRA_FIRMWARE_ccimx8x = "digi-sc-firmware imx-seco"
 DEPENDS_append_ccimx8x = " coreutils-native"
-DEPENDS_append_ccimx8x += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
+DEPENDS_append_mx8 += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
 # For i.MX 8, this package aggregates the imx-m4-demos
 # output. Note that this aggregation replaces the aggregation
@@ -119,11 +119,17 @@ do_compile () {
 # mkimage for i.MX8M
 for target in ${IMXBOOT_TARGETS}; do
 bbnote "building ${SOC_TARGET} - ${target}"
- make SOC=${SOC_TARGET} ${target}
+ make SOC=${SOC_TARGET} ${target} > mkimage-${target}.log 2>&1
 if [ -e "${BOOT_STAGING}/flash.bin" ]; then
 cp ${BOOT_STAGING}/flash.bin ${S}/${UBOOT_PREFIX}-${MACHINE}.bin-${target}
 fi
 done
+
+ if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+ # Log HAB FIT information
+ bbnote "building ${SOC_TARGET} - print_fit_hab"
+ make SOC=${SOC_TARGET} print_fit_hab > mkimage-print_fit_hab.log 2>&1
+ fi
 fi
 done
@@ -180,6 +186,8 @@ do_deploy () {
 # Link to default bootable U-Boot filename.
 ln -sf ${UBOOT_PREFIX}-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${BOOTABLE_FILENAME}
 cd -
+ # Link to first "target" mkimage log
+ ln -sf mkimage-${IMAGE_IMXBOOT_TARGET}.log mkimage.log
 else
 for ramc in ${UBOOT_RAM_COMBINATIONS}; do
 IMAGE_IMXBOOT_TARGET=""
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
index 654e352b1..36d0b8800 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
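Review bot: In do_compile of imx-boot_0.2.bbappend, `make SOC=${SOC_TARGET} ${target} > mkimage-${target}.log 2>&1` moves all mkimage output out of the task log, so a failed build shows no diagnostics where a developer will look first; the `print_fit_hab` call has the same problem. I would replay the log on failure, e.g. `make SOC=${SOC_TARGET} ${target} > mkimage-${target}.log 2>&1 || { cat mkimage-${target}.log; bbfatal "mkimage ${target} failed"; }`. `mkimage-print_fit_hab.log` has a fixed name and is written inside an enclosing loop that starts outside the hunk, so it appears to be overwritten on every pass. Since the commit message says the signing script consumes these logs, confirm that the log it reads always describes the image being signed.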
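Review bot: In do_deploy of imx-boot_0.2.bbappend, `ln -sf mkimage-${IMAGE_IMXBOOT_TARGET}.log mkimage.log` runs after `cd -`, so the link is created in the directory that was current before the preceding `cd`, not alongside the U-Boot link made just above. Nothing visible in this hunk copies `mkimage-*.log` or `mkimage-print_fit_hab.log` to the deploy location. If that is not done elsewhere in do_deploy (the function continues outside the hunk), the link will dangle and the signing step will have no log to read. The comment says "first target" while the code uses the default boot target; I would reword it to `# Link mkimage.log to the log of the default boot target`.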
@@ -35,9 +35,15 @@ do_install() {
 bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 exit 1
 fi
- install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
 install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
 install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
+
+ # Select U-Boot sign script depending on U-Boot including an SPL image
+ if [ -n "${SPL_BINARY}" ]; then
+ install -m 0755 git/scripts/sign_spl_fit.sh ${D}${bindir}/trustfence-sign-uboot.sh
+ else
+ install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
+ fi
 }
 FILES_${PN} = "${bindir}"
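Review bot: The new `if [ -n "${SPL_BINARY}" ]` test in do_install of trustfence-sign-tools_git.bb chooses the signing script from `SPL_BINARY` alone, independent of the `TRUSTFENCE_SIGN_MODE` check that ends just above it (that branch starts outside the hunk). If `sign_spl_fit.sh` only handles the HAB flow, which its name and this commit suggest but the hunk does not show, a machine that sets `SPL_BINARY` with another sign mode would silently get a script that does not match its boot image format. Both scripts are installed as `trustfence-sign-uboot.sh`, so the installed tree gives no hint which one was picked. I would record the choice in the build log, e.g. `bbnote "trustfence-sign-uboot.sh: using sign_spl_fit.sh (SPL_BINARY=${SPL_BINARY})"`. I would also extend the comment to state which sign modes each script supports.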