diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
index ad0c4548d..cba7b6627 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
@@ -53,14 +53,16 @@ fi
 [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
 # Default values
-KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
+KEY_PASS_BASEFILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass"
+KEY_PASS_FILE="${KEY_PASS_BASEFILE}.txt"
 # Generate random keys if they don't exist
-N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey*.pem 2>/dev/null | wc -l)"
-N_PRVK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/privateKey*.pem 2>/dev/null | wc -l)"
+N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/publicKey*.pem 2>/dev/null | wc -l)"
+N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/privateKey*.pem 2>/dev/null | wc -l)"
+N_PASS="$(ls -l ${KEY_PASS_BASEFILE}*.txt 2>/dev/null | wc -l)"
+install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
 if [ "${PLATFORM}" = "ccmp15" ]; then
 if [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
- install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
 # Random password
 password="$(openssl rand -base64 32)"
 echo "Generating random key"
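Review bot: The rewritten `N_PUBK`/`N_PRVK` lines drop the double quotes the removed lines had around `${CONFIG_SIGN_KEYS_PATH}`, and the new `N_PASS` line is unquoted as well, so a keys path containing whitespace or glob characters now word-splits and the counts silently go wrong (the `|| mkdir` context line above still quotes it). Keep the variable quoted and leave only the glob bare: `N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey*.pem 2>/dev/null | wc -l)"` and `N_PASS="$(ls -l "${KEY_PASS_BASEFILE}"0[0-7].txt 2>/dev/null | wc -l)"`. The narrower `0[0-7]` pattern matters because `${KEY_PASS_BASEFILE}*.txt` also matches the legacy `key_pass.txt` itself, so while that file exists the ccmp13 branch in the next hunk can never observe exactly eight per-key password files. Moving `install -d` out of the conditional is fine, but it now runs before the counts are consumed, so a later `ls`-based check cannot distinguish "no keys dir" from "empty keys dir"; that is harmless today and worth a one-line comment.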
@@ -69,21 +71,33 @@ if [ "${PLATFORM}" = "ccmp15" ]; then
 exit 1
 fi
 echo "${password}" > "${KEY_PASS_FILE}"
+ chmod 400 "${KEY_PASS_FILE}"
 fi
 elif [ "${PLATFORM}" = "ccmp13" ]; then
- if [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != 8 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
- install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
- # 8 random passwords (separated by whitespaces)
- passwords="$(openssl rand -base64 32)"
- for i in $(seq 1 7); do
- passwords="${passwords} $(openssl rand -base64 32)"
+ if [ "${N_PUBK}" = "8" ] && [ "${N_PRVK}" = "8" ] && [ "${N_PASS}" != "8" ] && [ -f "${KEY_PASS_FILE}" ]; then
+ # Backwards compatibility: if a single key_pass.txt file exists,
+ # split into 8 files with one password each
+ for i in $(seq 0 7); do
+ cat "${KEY_PASS_FILE}" | cut -f $((i+1)) -d " " > "${KEY_PASS_BASEFILE}0${i}.txt"
+ chmod 400 "${KEY_PASS_BASEFILE}0${i}.txt"
+ done
+ elif [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != "8" ] && [ "${N_PASS}" != "8" ]; then
+ # Generate 8 random passwords
+ for i in $(seq 0 7); do
+ pass="$(openssl rand -base64 32)"
+ echo "${pass}" > "${KEY_PASS_BASEFILE}0${i}.txt"
+ chmod 400 "${KEY_PASS_BASEFILE}0${i}.txt"
+ # Combined string with 8 passwords separated by a white space
+ passwords="${passwords} ${pass}"
 done
 echo "Generating random keys"
 if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${passwords} -n 8; then
 echo "[ERROR] Could not generate PKI tree"
 exit 1
 fi
- echo "${passwords}" > "${KEY_PASS_FILE}"
+ else
+ echo "[ERROR] Could not generate PKI tree. An incomplete PKI tree may already exist."
+ exit 1
 fi
 else
 echo "Undefined platform"
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
index 236033d95..52f853c78 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
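Review bot: The new `else` arm turns an already complete ccmp13 tree into a hard failure: on the second run `N_PUBK`, `N_PRVK` and `N_PASS` are all 8, the `if` requires `N_PASS != 8` and the `elif` requires `N_PUBK != 8`, so control reaches `[ERROR] Could not generate PKI tree. An incomplete PKI tree may already exist.` and `exit 1`, and every later run of trustfence-sign-artifact-stm.sh (which calls this script before signing) aborts. Add an explicit no-op arm before the error, `elif [ "${N_PUBK}" = "8" ] && [ "${N_PRVK}" = "8" ] && [ "${N_PASS}" = "8" ]; then` followed by `: # PKI tree already complete, nothing to do`. The migration branch has a related problem: `key_pass.txt` is left in place, so `N_PASS` (whose glob matches it) stays at 9 and the split is redone on every run, and the `>` redirection into the already `chmod 400`ed `key_pass0N.txt` then fails with permission denied for a non-root user; remove or rename the legacy file once all eight splits are written, or count only `0[0-7].txt`. Each password file is also created with the process umask and only restricted by the following `chmod`, so a group/world-readable copy exists briefly; writing it as `(umask 077; echo "${pass}" > "${KEY_PASS_BASEFILE}0${i}.txt")` removes that window in both loops.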
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
@@ -62,7 +62,6 @@ fi
 # Default values
 [ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
-KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
 # Generate random keys if they don't exist
 if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
@@ -70,9 +69,11 @@ if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
 fi
 if [ "${PLATFORM}" = "ccmp15" ]; then
+ KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
 PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey.pem"
 PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey.pem"
 elif [ "${PLATFORM}" = "ccmp13" ]; then
+ KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass0${CONFIG_KEY_INDEX}.txt"
 PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem"
 PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem"
 else
@@ -90,8 +91,7 @@ INPUT_FILE="$(readlink -e "${1}")"
 OUTPUT_FILE="$(readlink -m "${2}")"
 # Obtain password from key pass file
-INDEX=$((CONFIG_KEY_INDEX + 1))
-PASS=$(cat "${KEY_PASS_FILE}" | cut -f "${INDEX}" -d " ")
+PASS=$(cat "${KEY_PASS_FILE}")
 # Sign TF-A artifact
 if [ "${ARTIFACT_TFA}" = "y" ]; then
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6d7834e2e..eb459726c 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
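Review bot: The new ccmp13 `KEY_PASS_FILE` line builds the filename from `CONFIG_KEY_INDEX` with a literal `0` prefix, so only a single digit 0–7 names a file the generator actually writes; the default above only covers the empty case, and a value such as `8`, `10` or a non-numeric string is not rejected and ends up as a nonexistent path that the later `cat` turns into an empty password. A range check next to the default, `case "${CONFIG_KEY_INDEX}" in [0-7]) ;; *) echo "[ERROR] CONFIG_KEY_INDEX must be 0-7" >&2; exit 1 ;; esac`, fails early with a clear message. The unchanged `PRIVATE_KEY` line below makes the same single-digit assumption, so the check protects both.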
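Review bot: `PASS=$(cat "${KEY_PASS_FILE}")` does not check that the read succeeded, so a missing or unreadable password file leaves `PASS` empty and signing proceeds with an empty password instead of stopping. Guard both the command and the value: `PASS=$(cat "${KEY_PASS_FILE}") || exit 1` and `[ -n "${PASS}" ] || { echo "[ERROR] empty password in ${KEY_PASS_FILE}" >&2; exit 1; }`. The removed `cut`-based form had the same weakness, so this is a good moment to close it rather than carry it over.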
@@ -242,9 +242,15 @@ python () { else: d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem") d.setVar("CONFIG_SIGN_MODE", "HAB") - - # Set the key password. - d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt") + # Set the key password. + d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt") + elif (d.getVar("DEY_SOC_VENDOR") == "STM"): + d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", d.getVar("FIP_SIGN_KEY")) + # Set the key password. + if (d.getVar("DIGI_SOM") == "ccmp15"): + d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt") + elif (d.getVar("DIGI_SOM") == "ccmp13"): + d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass0" + str(key_index) + ".txt") # Enable partition encryption if rootfs encryption is enabled if (d.getVar("TRUSTFENCE_ENCRYPT_ROOTFS") == "1"):
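Review bot: In the new STM branch `SWUPDATE_PASSWORD_FILE` is set only when `DIGI_SOM` is `ccmp15` or `ccmp13`; any other SoM under `DEY_SOC_VENDOR == "STM"` silently leaves it unset and the failure only surfaces later in the swupdate signing step. Add `else: bb.fatal("Unsupported DIGI_SOM for STM TrustFence: %s" % d.getVar("DIGI_SOM"))` after the `ccmp13` arm. `d.getVar("FIP_SIGN_KEY")` is likewise stored into `SWUPDATE_PRIVATE_KEY_TEMPLATE` without a check, so an unset variable records `None` as the key template; the same `bb.fatal` treatment applies. The enclosing anonymous `python ()` function starts and ends outside the hunk, and the collapsed diff does not preserve indentation, so the exact nesting of the re-added `# Set the key password.` lines in the NXP branch is inferred rather than read.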