Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

u-boot-dey: add signing of install scripts 

This commit add support to sign u-boot install
scripts.

Signed-off-by: Mike Engel <Mike.Engel@digi.com>

https://onedigi.atlassian.net/browse/DEL-9931
This commit is contained in:
Mike Engel 2026-01-27 18:13:26 +01:00
parent 607783837d
commit 4eeeacdeba
2 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
View File

@ -1,4 +1,4 @@
# Copyright (C) 2018-2025, Digi International Inc.
# Copyright (C) 2018-2026, Digi International Inc.
require recipes-bsp/u-boot/u-boot.inc
@ -31,6 +31,7 @@ SRC_URI = " \
file://boot.txt \
file://install_linux_fw_media.txt \
file://install_linux_fw_uuu.sh \
file://fit-install-template.its \
"
BUILD_UBOOT_SCRIPTS ?= "true"
@ -117,11 +118,34 @@ build_uboot_scripts() {
else
sed -i -e 's,-##SIGNED##,,g' -e 's,##SIGNED##,,g' ${TMP_INSTALL_SCR}
fi
if [ "${f_ext}" = "txt" ]; then
mkimage -T script -n "DEY firmware install script" -C none -d ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f%.*}.scr
else
install -m 775 ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f}
fi
# Create FIT image installer when Trustfence is enabled
if [ "${TRUSTFENCE_SIGN_FIT_STM}" = "1" ] || [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "1" ]; then
# We only need the txt scripts
if [ "${f_ext}" = "txt" ]; then
cp ${TMP_INSTALL_SCR} ${WORKDIR}/${f%.*}.fit
INSTALL_LINUX_FW="${f%.*}"
INSTALL_LINUX_FW_DEV="${INSTALL_LINUX_FW##*_}"
TMP_FIT_ITS="$(mktemp ${WORKDIR}/fit-install-template.its.XXXXXX)"
sed -e 's,##INSTALL_LINUX_FW##,'${INSTALL_LINUX_FW}',g' \
-e 's,##INSTALL_LINUX_FW_DEV##,'${INSTALL_LINUX_FW_DEV}',g' \
-e 's,##INSTALL_LINUX_FW_FILE##,'${f%.*}',g' \
${WORKDIR}/fit-install-template.its > ${TMP_FIT_ITS}
# Generate the signed FIT image
mkimage -f ${TMP_FIT_ITS} ${DEPLOYDIR}/install_linux_fw.scr
mkimage -F -k ${TRUSTFENCE_SIGN_KEYS_PATH}/fit -r ${DEPLOYDIR}/install_linux_fw.scr
# copy FIT image installer using the same names we use for the normal script
cp ${DEPLOYDIR}/install_linux_fw.scr ${DEPLOYDIR}/${f%.*}.scr
rm -f ${TMP_FIT_ITS}
fi
fi
rm -f ${TMP_INSTALL_SCR}
done
@ -142,6 +166,16 @@ build_uboot_scripts() {
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
# Sign USB installer script
TMP_SIGN_INSTALLSCR="$(mktemp ${WORKDIR}/install_linux_fw_usb-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -b "${DEPLOYDIR}/install_linux_fw_usb.scr" "${TMP_SIGN_INSTALLSCR}"
mv "${TMP_SIGN_INSTALLSCR}" "${DEPLOYDIR}/install_linux_fw_usb.scr"
# Sign uSD installer script
TMP_SIGN_INSTALLSCR="$(mktemp ${WORKDIR}/install_linux_fw_sd-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -b "${DEPLOYDIR}/install_linux_fw_sd.scr" "${TMP_SIGN_INSTALLSCR}"
mv "${TMP_SIGN_INSTALLSCR}" "${DEPLOYDIR}/install_linux_fw_sd.scr"
fi
}

42
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/fit-install-template.its Normal file
View File

@ -0,0 +1,42 @@
/dts-v1/;
/ {
description = "Installer fitImage for Digi Embedded Yocto";
#address-cells = <1>;
images {
##INSTALL_LINUX_FW## {
description = "U-boot ##INSTALL_LINUX_FW_DEV## installer script";
data = /incbin/("##INSTALL_LINUX_FW_FILE##.fit");
type = "script";
arch = "arm";
compression = "none";
hash-1 {
algo = "sha256";
};
signature-1 {
algo = "sha256,rsa2048";
key-name-hint = "fitimg";
};
};
};
configurations {
default = "conf-##INSTALL_LINUX_FW##";
conf-##INSTALL_LINUX_FW## {
description = "u-boot ##INSTALL_LINUX_FW_DEV## installer script";
bootscr = "##INSTALL_LINUX_FW##";
hash-1 {
algo = "sha256";
};
signature-1 {
algo = "sha256,rsa2048";
key-name-hint = "fitcfg";
padding = "pkcs-1.5";
sign-images = "bootscr";
};
};
};
};