trustfence: Add U-Boot sign support for ccimx8mn

Add Trustfence support for signing imx-boot images: - Install a different U-Boot signing script for images with U-Boot SPL. - Store mkimage log for later use in the signing script - make 'print_hab_log' and store its log for later use in the signing script https://jira.digi.com/browse/DEL-7023 Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
2020-04-02 11:22:49 +02:00 · 2020-04-02 11:22:49 +02:00 · 4b6d1a2c09
parent c52778d2a4
commit 4b6d1a2c09
3 changed files with 22 additions and 3 deletions
--- a/meta-digi-arm/conf/machine/include/ccimx8mn.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx8mn.inc
@ -69,6 +69,11 @@ KERNEL_IMAGETYPE = "Image.gz"
 VIRTUAL-RUNTIME_init_manager ?= "systemd"
 VIRTUAL-RUNTIME_initscripts ?= "initscripts"

+# TrustFence
+TRUSTFENCE_SIGN_MODE = "HAB"
+# TODO: not yet supported
+TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
+
 # Adding 'wayland' along with 'x11' enables the xwayland backend
 # Vulkan is necessary for wayland to build
 DISTRO_FEATURES_append = " wayland vulkan systemd pam"
--- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
+++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
@ -11,7 +11,7 @@ SRC_URI_append_ccimx8x = " file://0001-iMX8QX-remove-SC_BD_FLAGS_ALT_CONFIG-flag
 IMX_EXTRA_FIRMWARE_ccimx8x = "digi-sc-firmware imx-seco"

 DEPENDS_append_ccimx8x = " coreutils-native"
-DEPENDS_append_ccimx8x += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
+DEPENDS_append_mx8 += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"

 # For i.MX 8, this package aggregates the imx-m4-demos
 # output. Note that this aggregation replaces the aggregation
@ -119,11 +119,17 @@ do_compile () {
 			# mkimage for i.MX8M
 			for target in ${IMXBOOT_TARGETS}; do
 				bbnote "building ${SOC_TARGET} - ${target}"
-				make SOC=${SOC_TARGET} ${target}
+				make SOC=${SOC_TARGET} ${target} > mkimage-${target}.log 2>&1
 				if [ -e "${BOOT_STAGING}/flash.bin" ]; then
 					cp ${BOOT_STAGING}/flash.bin ${S}/${UBOOT_PREFIX}-${MACHINE}.bin-${target}
 				fi
 			done
+
+			if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+				# Log HAB FIT information
+				bbnote "building ${SOC_TARGET} - print_fit_hab"
+				make SOC=${SOC_TARGET} print_fit_hab > mkimage-print_fit_hab.log 2>&1
+			fi
 		fi
 	done

@ -180,6 +186,8 @@ do_deploy () {
 		# Link to default bootable U-Boot filename.
 		ln -sf ${UBOOT_PREFIX}-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${BOOTABLE_FILENAME}
 		cd -
+		# Link to first "target" mkimage log
+		ln -sf mkimage-${IMAGE_IMXBOOT_TARGET}.log mkimage.log
 	else
 		for ramc in ${UBOOT_RAM_COMBINATIONS}; do
 			IMAGE_IMXBOOT_TARGET=""
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
@ -35,9 +35,15 @@ do_install() {
 		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 		exit 1
 	fi
-	install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
 	install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
 	install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
+
+	# Select U-Boot sign script depending on U-Boot including an SPL image
+	if [ -n "${SPL_BINARY}" ]; then
+		install -m 0755 git/scripts/sign_spl_fit.sh ${D}${bindir}/trustfence-sign-uboot.sh
+	else
+		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
+	fi
 }

 FILES_${PN} = "${bindir}"