trustfence: split ccmp13 passwords in 8 files and set SWUPDATE keys

For signing SWU files we need to set a couple of variables:
 - SWUPDATE_PRIVATE_KEY_TEMPLATE to the private key file
 - SWUPDATE_PASSWORD_FILE to the password of the private key

The latter must only contain one password, whereas the current key_pass.txt
file had (for the ccmp13) the eight keys separated by a white space.

This commit:
 - If the file key_pass.txt exists, it extracts each key into a separate
   file key_pass0X.txt.
 - If the keys don't exist, generates separate files per key.
 - Changes the permissions of password files to 400.
 - Adapts the sign script to use the single password files.
 - Fixes a few quotes

Signed-off-by: Hector Palacios <hector.palacios@digi.com>

meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh

@@ -53,14 +53,16 @@ fi
 [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
 
 # Default values
-KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
+KEY_PASS_BASEFILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass"
+KEY_PASS_FILE="${KEY_PASS_BASEFILE}.txt"
 
 # Generate random keys if they don't exist
-N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey*.pem 2>/dev/null | wc -l)"
-N_PRVK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/privateKey*.pem 2>/dev/null | wc -l)"
+N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/publicKey*.pem 2>/dev/null | wc -l)"
+N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/privateKey*.pem 2>/dev/null | wc -l)"
+N_PASS="$(ls -l ${KEY_PASS_BASEFILE}*.txt 2>/dev/null | wc -l)"
+install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
 if [ "${PLATFORM}" = "ccmp15" ]; then
 	if [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
-		install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
 		# Random password
 		password="$(openssl rand -base64 32)"
 		echo "Generating random key"
@@ -69,21 +71,33 @@ if [ "${PLATFORM}" = "ccmp15" ]; then
 			exit 1
 		fi
 		echo "${password}" > "${KEY_PASS_FILE}"
+		chmod 400 "${KEY_PASS_FILE}"
 	fi
 elif [ "${PLATFORM}" = "ccmp13" ]; then
-	if [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != 8 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
-		install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
-		# 8 random passwords (separated by whitespaces)
-		passwords="$(openssl rand -base64 32)"
-		for i in $(seq 1 7); do
-			passwords="${passwords} $(openssl rand -base64 32)"
+	if [ "${N_PUBK}" = "8" ] && [ "${N_PRVK}" = "8" ] && [ "${N_PASS}" != "8" ] && [ -f "${KEY_PASS_FILE}" ]; then
+		# Backwards compatibility: if a single key_pass.txt file exists,
+		# split into 8 files with one password each
+		for i in $(seq 0 7); do
+			cat "${KEY_PASS_FILE}" | cut -f $((i+1)) -d " " > "${KEY_PASS_BASEFILE}0${i}.txt"
+			chmod 400 "${KEY_PASS_BASEFILE}0${i}.txt"
+		done
+	elif [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != "8" ] && [ "${N_PASS}" != "8" ]; then
+		# Generate 8 random passwords
+		for i in $(seq 0 7); do
+			pass="$(openssl rand -base64 32)"
+			echo "${pass}" > "${KEY_PASS_BASEFILE}0${i}.txt"
+			chmod 400 "${KEY_PASS_BASEFILE}0${i}.txt"
+			# Combined string with 8 passwords separated by a white space
+			passwords="${passwords} ${pass}"
 		done
 		echo "Generating random keys"
 		if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${passwords} -n 8; then
 			echo "[ERROR] Could not generate PKI tree"
 			exit 1
 		fi
-		echo "${passwords}" > "${KEY_PASS_FILE}"
+	else
+		echo "[ERROR] Could not generate PKI tree. An incomplete PKI tree may already exist."
+		exit 1
 	fi
 else
 	echo "Undefined platform"

meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh

@@ -62,7 +62,6 @@ fi
 
 # Default values
 [ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
-KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
 
 # Generate random keys if they don't exist
 if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
@@ -70,9 +69,11 @@ if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
 fi
 
 if [ "${PLATFORM}" = "ccmp15" ]; then
+	KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
 	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey.pem"
 	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey.pem"
 elif [ "${PLATFORM}" = "ccmp13" ]; then
+	KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass0${CONFIG_KEY_INDEX}.txt"
 	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem"
 	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem"
 else
@@ -90,8 +91,7 @@ INPUT_FILE="$(readlink -e "${1}")"
 OUTPUT_FILE="$(readlink -m "${2}")"
 
 # Obtain password from key pass file
-INDEX=$((CONFIG_KEY_INDEX + 1))
-PASS=$(cat "${KEY_PASS_FILE}" | cut -f "${INDEX}" -d " ")
+PASS=$(cat "${KEY_PASS_FILE}")
 
 # Sign TF-A artifact
 if [ "${ARTIFACT_TFA}" = "y" ]; then

meta-digi-dey/classes/trustfence.bbclass

@@ -242,9 +242,15 @@ python () {
             else:
                 d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
                 d.setVar("CONFIG_SIGN_MODE", "HAB")
-
             # Set the key password.
             d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
+        elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
+            d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", d.getVar("FIP_SIGN_KEY"))
+            # Set the key password.
+            if (d.getVar("DIGI_SOM") == "ccmp15"):
+                d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
+            elif (d.getVar("DIGI_SOM") == "ccmp13"):
+                d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass0" + str(key_index) + ".txt")
 
     # Enable partition encryption if rootfs encryption is enabled
     if (d.getVar("TRUSTFENCE_ENCRYPT_ROOTFS") == "1"):