trustfence: split ccmp13 passwords in 8 files and set SWUPDATE keys
For signing SWU files we need to set a couple of variables: - SWUPDATE_PRIVATE_KEY_TEMPLATE to the private key file - SWUPDATE_PASSWORD_FILE to the password of the private key The latter must only contain one password, whereas the current key_pass.txt file had (for the ccmp13) the eight keys separated by a white space. This commit: - If the file key_pass.txt exists, it extracts each key into a separate file key_pass0X.txt. - If the keys don't exist, generates separate files per key. - Changes the permissions of password files to 400. - Adapts the sign script to use the single password files. - Fixes a few quotes Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit is contained in:
parent
161c66f5f6
commit
4f33afcbcf
@ -53,14 +53,16 @@ fi
[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
# Default values
# Default values
KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
KEY_PASS_BASEFILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass"
KEY_PASS_FILE="${KEY_PASS_BASEFILE}.txt"
# Generate random keys if they don't exist
# Generate random keys if they don't exist
N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey*.pem 2>/dev/null | wc -l)"
N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/publicKey*.pem 2>/dev/null | wc -l)"
N_PRVK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/privateKey*.pem 2>/dev/null | wc -l)"
N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/privateKey*.pem 2>/dev/null | wc -l)"
N_PASS="$(ls -l ${KEY_PASS_BASEFILE}*.txt 2>/dev/null | wc -l)"
install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
if [ "${PLATFORM}" = "ccmp15" ]; then
if [ "${PLATFORM}" = "ccmp15" ]; then
if [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
if [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
# Random password
# Random password
password="$(openssl rand -base64 32)"
password="$(openssl rand -base64 32)"
echo "Generating random key"
echo "Generating random key"
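Review bot: The new `N_PASS="$(ls -l ${KEY_PASS_BASEFILE}*.txt 2>/dev/null | wc -l)"` also counts the legacy `key_pass.txt`, because `key_pass*.txt` matches it; once the split in the next hunk has produced `key_pass00.txt` to `key_pass07.txt` the count is 9, so the `-f "${KEY_PASS_FILE}"` backwards-compatibility branch re-runs on every invocation and redirects into files that are by then mode 0400, which fails for a non-root user. Narrowing the glob to the per-index files avoids this: `N_PASS="$(ls -l "${KEY_PASS_BASEFILE}"0*.txt 2>/dev/null | wc -l)"`. The same line and the rewritten `N_PUBK`/`N_PRVK` lines drop the double quotes the old code had around `${CONFIG_SIGN_KEYS_PATH}`; `"${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey*.pem` still globs, whereas the unquoted form word-splits on a path containing spaces. Counting files with `ls | wc -l` is fragile in general, but that predates this commit.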
@ -69,21 +71,33 @@ if [ "${PLATFORM}" = "ccmp15" ]; then
exit 1
exit 1
fi
fi
echo "${password}" > "${KEY_PASS_FILE}"
echo "${password}" > "${KEY_PASS_FILE}"
chmod 400 "${KEY_PASS_FILE}"
fi
fi
elif [ "${PLATFORM}" = "ccmp13" ]; then
elif [ "${PLATFORM}" = "ccmp13" ]; then
if [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != 8 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
if [ "${N_PUBK}" = "8" ] && [ "${N_PRVK}" = "8" ] && [ "${N_PASS}" != "8" ] && [ -f "${KEY_PASS_FILE}" ]; then
install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
# Backwards compatibility: if a single key_pass.txt file exists,
# 8 random passwords (separated by whitespaces)
# split into 8 files with one password each
passwords="$(openssl rand -base64 32)"
for i in $(seq 0 7); do
for i in $(seq 1 7); do
cat "${KEY_PASS_FILE}" | cut -f $((i+1)) -d " " > "${KEY_PASS_BASEFILE}0${i}.txt"
passwords="${passwords} $(openssl rand -base64 32)"
chmod 400 "${KEY_PASS_BASEFILE}0${i}.txt"
done
elif [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != "8" ] && [ "${N_PASS}" != "8" ]; then
# Generate 8 random passwords
for i in $(seq 0 7); do
pass="$(openssl rand -base64 32)"
echo "${pass}" > "${KEY_PASS_BASEFILE}0${i}.txt"
chmod 400 "${KEY_PASS_BASEFILE}0${i}.txt"
# Combined string with 8 passwords separated by a white space
passwords="${passwords} ${pass}"
done
done
echo "Generating random keys"
echo "Generating random keys"
if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${passwords} -n 8; then
if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${passwords} -n 8; then
echo "[ERROR] Could not generate PKI tree"
echo "[ERROR] Could not generate PKI tree"
exit 1
exit 1
fi
fi
echo "${passwords}" > "${KEY_PASS_FILE}"
else
echo "[ERROR] Could not generate PKI tree. An incomplete PKI tree may already exist."
exit 1
fi
fi
else
else
echo "Undefined platform"
echo "Undefined platform"
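Review bot: The backwards-compatibility branch leaves the legacy `key_pass.txt`, which still holds all eight passwords on one line, in place with whatever permissions it had, while only the freshly written per-key files get `chmod 400`; after the split loop either delete it or lock it down as well, e.g. `chmod 400 "${KEY_PASS_FILE}"`. The split line `cat "${KEY_PASS_FILE}" | cut -f $((i+1)) -d " " > ...` does not need the pipe: `cut -f "$((i+1))" -d " " "${KEY_PASS_FILE}" > "${KEY_PASS_BASEFILE}0${i}.txt"`. In the generation branch `passwords` is never initialised before `passwords="${passwords} ${pass}"`, so the value handed to `-pwd` starts with a space; that is harmless with the unquoted expansion, but a `passwords=""` before the loop makes the intent explicit and avoids an unbound-variable error should `set -u` ever be enabled (the script header is not visible from here). The enclosing platform `if`/`elif` begins in the previous hunk.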
@ -62,7 +62,6 @@ fi
# Default values
# Default values
[ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
[ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
# Generate random keys if they don't exist
# Generate random keys if they don't exist
if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
@ -70,9 +69,11 @@ if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
fi
fi
if [ "${PLATFORM}" = "ccmp15" ]; then
if [ "${PLATFORM}" = "ccmp15" ]; then
KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey.pem"
PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey.pem"
PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey.pem"
PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey.pem"
elif [ "${PLATFORM}" = "ccmp13" ]; then
elif [ "${PLATFORM}" = "ccmp13" ]; then
KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass0${CONFIG_KEY_INDEX}.txt"
PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem"
PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem"
PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem"
PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem"
else
else
@ -90,8 +91,7 @@ INPUT_FILE="$(readlink -e "${1}")"
OUTPUT_FILE="$(readlink -m "${2}")"
OUTPUT_FILE="$(readlink -m "${2}")"
# Obtain password from key pass file
# Obtain password from key pass file
INDEX=$((CONFIG_KEY_INDEX + 1))
PASS=$(cat "${KEY_PASS_FILE}")
PASS=$(cat "${KEY_PASS_FILE}" | cut -f "${INDEX}" -d " ")
# Sign TF-A artifact
# Sign TF-A artifact
if [ "${ARTIFACT_TFA}" = "y" ]; then
if [ "${ARTIFACT_TFA}" = "y" ]; then
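Review bot: `PASS=$(cat "${KEY_PASS_FILE}")` on the new side reads the password file without checking that it exists; for ccmp13 the path now depends on `CONFIG_KEY_INDEX`, so with an index outside 0-7, or a key tree that was never split into per-index files, `cat` fails, `PASS` is empty and signing continues with an empty password unless the script runs under `set -e`, which is not visible from here. A guard just before it makes the failure explicit: `[ -r "${KEY_PASS_FILE}" ] || { echo "[ERROR] Missing key password file: ${KEY_PASS_FILE}" >&2; exit 1; }`. If the script is bash, `PASS=$(<"${KEY_PASS_FILE}")` reads the file without a fork; that is a style point only.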
@ -242,9 +242,15 @@ python () {
else:
else:
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
d.setVar("CONFIG_SIGN_MODE", "HAB")
d.setVar("CONFIG_SIGN_MODE", "HAB")
# Set the key password.
# Set the key password.
d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", d.getVar("FIP_SIGN_KEY"))
# Set the key password.
if (d.getVar("DIGI_SOM") == "ccmp15"):
d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
elif (d.getVar("DIGI_SOM") == "ccmp13"):
d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass0" + str(key_index) + ".txt")
# Enable partition encryption if rootfs encryption is enabled
# Enable partition encryption if rootfs encryption is enabled
if (d.getVar("TRUSTFENCE_ENCRYPT_ROOTFS") == "1"):
if (d.getVar("TRUSTFENCE_ENCRYPT_ROOTFS") == "1"):
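Review bot: The new `DEY_SOC_VENDOR == "STM"` branch sets `SWUPDATE_PASSWORD_FILE` only for `ccmp15` and `ccmp13`; any other `DIGI_SOM` value leaves it unset without a diagnostic, and `SWUPDATE_PRIVATE_KEY_TEMPLATE` is taken from `FIP_SIGN_KEY` without checking that it is defined. A closing `else: bb.fatal("Unsupported DIGI_SOM for SWUPDATE signing: %s" % d.getVar("DIGI_SOM"))` surfaces the gap at parse time instead of at signing time. The ccmp13 line also uses `key_index` where the HAB branch above uses `key_index_1`; both are defined outside this hunk, so I cannot confirm which is intended, but the `key_pass0` + index name has to match the zero-based `key_pass0${CONFIG_KEY_INDEX}.txt` naming the sign script now uses. The enclosing `python ()` function starts before the hunk.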