u-boot-dey: add signing of install scripts
This commit adds support for signing U-Boot install scripts. Signed-off-by: Mike Engel <Mike.Engel@digi.com> https://onedigi.atlassian.net/browse/DEL-9931
parent
607783837d
commit
4eeeacdeba
|
|
@ -1,4 +1,4 @@
|
||||||
# Copyright (C) 2018-2025, Digi International Inc.
|
# Copyright (C) 2018-2026, Digi International Inc.
|
||||||
|
|
||||||
require recipes-bsp/u-boot/u-boot.inc
|
require recipes-bsp/u-boot/u-boot.inc
|
||||||
|
|
||||||
|
|
@ -31,6 +31,7 @@ SRC_URI = " \
|
||||||
file://boot.txt \
|
file://boot.txt \
|
||||||
file://install_linux_fw_media.txt \
|
file://install_linux_fw_media.txt \
|
||||||
file://install_linux_fw_uuu.sh \
|
file://install_linux_fw_uuu.sh \
|
||||||
|
file://fit-install-template.its \
|
||||||
"
|
"
|
||||||
|
|
||||||
BUILD_UBOOT_SCRIPTS ?= "true"
|
BUILD_UBOOT_SCRIPTS ?= "true"
|
||||||
|
|
@ -117,11 +118,34 @@ build_uboot_scripts() {
|
||||||
else
|
else
|
||||||
sed -i -e 's,-##SIGNED##,,g' -e 's,##SIGNED##,,g' ${TMP_INSTALL_SCR}
|
sed -i -e 's,-##SIGNED##,,g' -e 's,##SIGNED##,,g' ${TMP_INSTALL_SCR}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${f_ext}" = "txt" ]; then
|
if [ "${f_ext}" = "txt" ]; then
|
||||||
mkimage -T script -n "DEY firmware install script" -C none -d ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f%.*}.scr
|
mkimage -T script -n "DEY firmware install script" -C none -d ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f%.*}.scr
|
||||||
else
|
else
|
||||||
install -m 775 ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f}
|
install -m 775 ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Create FIT image installer when Trustfence is enabled
|
||||||
|
if [ "${TRUSTFENCE_SIGN_FIT_STM}" = "1" ] || [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "1" ]; then
|
||||||
|
# We only need the txt scripts
|
||||||
|
if [ "${f_ext}" = "txt" ]; then
|
||||||
|
cp ${TMP_INSTALL_SCR} ${WORKDIR}/${f%.*}.fit
|
||||||
|
INSTALL_LINUX_FW="${f%.*}"
|
||||||
|
INSTALL_LINUX_FW_DEV="${INSTALL_LINUX_FW##*_}"
|
||||||
|
TMP_FIT_ITS="$(mktemp ${WORKDIR}/fit-install-template.its.XXXXXX)"
|
||||||
|
sed -e 's,##INSTALL_LINUX_FW##,'${INSTALL_LINUX_FW}',g' \
|
||||||
|
-e 's,##INSTALL_LINUX_FW_DEV##,'${INSTALL_LINUX_FW_DEV}',g' \
|
||||||
|
-e 's,##INSTALL_LINUX_FW_FILE##,'${f%.*}',g' \
|
||||||
|
${WORKDIR}/fit-install-template.its > ${TMP_FIT_ITS}
|
||||||
|
|
||||||
|
# Generate the signed FIT image
|
||||||
|
mkimage -f ${TMP_FIT_ITS} ${DEPLOYDIR}/install_linux_fw.scr
|
||||||
|
mkimage -F -k ${TRUSTFENCE_SIGN_KEYS_PATH}/fit -r ${DEPLOYDIR}/install_linux_fw.scr
|
||||||
|
# copy FIT image installer using the same names we use for the normal script
|
||||||
|
cp ${DEPLOYDIR}/install_linux_fw.scr ${DEPLOYDIR}/${f%.*}.scr
|
||||||
|
rm -f ${TMP_FIT_ITS}
|
||||||
|
fi
|
||||||
|
fi
|
||||||
rm -f ${TMP_INSTALL_SCR}
|
rm -f ${TMP_INSTALL_SCR}
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
@ -142,6 +166,16 @@ build_uboot_scripts() {
|
||||||
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
||||||
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
|
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
|
||||||
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
|
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
|
||||||
|
|
||||||
|
# Sign USB installer script
|
||||||
|
TMP_SIGN_INSTALLSCR="$(mktemp ${WORKDIR}/install_linux_fw_usb-signed.XXXXXX)"
|
||||||
|
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -b "${DEPLOYDIR}/install_linux_fw_usb.scr" "${TMP_SIGN_INSTALLSCR}"
|
||||||
|
mv "${TMP_SIGN_INSTALLSCR}" "${DEPLOYDIR}/install_linux_fw_usb.scr"
|
||||||
|
|
||||||
|
# Sign uSD installer script
|
||||||
|
TMP_SIGN_INSTALLSCR="$(mktemp ${WORKDIR}/install_linux_fw_sd-signed.XXXXXX)"
|
||||||
|
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -b "${DEPLOYDIR}/install_linux_fw_sd.scr" "${TMP_SIGN_INSTALLSCR}"
|
||||||
|
mv "${TMP_SIGN_INSTALLSCR}" "${DEPLOYDIR}/install_linux_fw_sd.scr"
|
||||||
fi
|
fi
|
||||||
}
|
}
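Review bot: The FIT installer is built and then signed in place at the fixed path `${DEPLOYDIR}/install_linux_fw.scr` (the two `mkimage` calls in the `-117` hunk), so an unsigned FIT sits in the deploy directory until the second call completes. After the loop, a stray signed copy of whichever script was processed last also remains there under that generic name. The boot.scr signing further down already writes to a `mktemp` file in `${WORKDIR}` and moves the result into place; the same pattern fits here: `TMP_FIT="$(mktemp ${WORKDIR}/install-fit.XXXXXX)"`, both `mkimage` calls on `"${TMP_FIT}"`, then `mv "${TMP_FIT}" "${DEPLOYDIR}/${f%.*}.scr"`. The `-142` hunk runs `trustfence-sign-artifact.sh` on the hard-coded names `install_linux_fw_usb.scr` and `install_linux_fw_sd.scr`, and the condition guarding that block is outside the hunk. It is worth confirming that the block cannot also run when `TRUSTFENCE_SIGN_FIT_*` is set, which would wrap an already signed FIT a second time, and that both files exist on every platform that reaches it.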
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,42 @@
|
||||||
|
/dts-v1/;
|
||||||
|
|
||||||
|
/ {
|
||||||
|
description = "Installer fitImage for Digi Embedded Yocto";
|
||||||
|
#address-cells = <1>;
|
||||||
|
|
||||||
|
images {
|
||||||
|
##INSTALL_LINUX_FW## {
|
||||||
|
description = "U-boot ##INSTALL_LINUX_FW_DEV## installer script";
|
||||||
|
data = /incbin/("##INSTALL_LINUX_FW_FILE##.fit");
|
||||||
|
type = "script";
|
||||||
|
arch = "arm";
|
||||||
|
compression = "none";
|
||||||
|
hash-1 {
|
||||||
|
algo = "sha256";
|
||||||
|
};
|
||||||
|
signature-1 {
|
||||||
|
algo = "sha256,rsa2048";
|
||||||
|
key-name-hint = "fitimg";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
configurations {
|
||||||
|
default = "conf-##INSTALL_LINUX_FW##";
|
||||||
|
conf-##INSTALL_LINUX_FW## {
|
||||||
|
description = "u-boot ##INSTALL_LINUX_FW_DEV## installer script";
|
||||||
|
|
||||||
|
bootscr = "##INSTALL_LINUX_FW##";
|
||||||
|
|
||||||
|
hash-1 {
|
||||||
|
algo = "sha256";
|
||||||
|
};
|
||||||
|
signature-1 {
|
||||||
|
algo = "sha256,rsa2048";
|
||||||
|
key-name-hint = "fitcfg";
|
||||||
|
padding = "pkcs-1.5";
|
||||||
|
sign-images = "bootscr";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
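Review bot: The template hard-codes `algo = "sha256,rsa2048"` and the key-name hints `fitimg` and `fitcfg` with no comment, so the recipe's `mkimage -F -k ${TRUSTFENCE_SIGN_KEYS_PATH}/fit` step depends on keys with exactly those names and that size being in the key directory (mkimage resolves a hint to `<keydir>/<hint>.key`). A header comment would make that contract visible, for example `/* ##INSTALL_LINUX_FW##, ##INSTALL_LINUX_FW_DEV## and ##INSTALL_LINUX_FW_FILE## are substituted by build_uboot_scripts(); signing expects fitimg.key and fitcfg.key (RSA-2048) in the key directory */`. The image-level `signature-1` node also omits `padding`, while the configuration node sets `padding = "pkcs-1.5"`; stating it in both nodes keeps them consistent and does not rely on the tool default.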
|
||||||