From 54ddb775c4254f86a798dcad17fd3c2c758e9f65 Mon Sep 17 00:00:00 2001
From: Gabriel Valcazar
Date: Tue, 22 Mar 2022 12:41:32 +0100
Subject: [PATCH] trustfence-sign-artifact.sh: remove CONFIG_SIGN_MODE as a mandatory parameter
The sign mode needed for each platform is invariable, and since the platform is already a mandatory parameter for the script, we can store this information implicitly. Reflect this change in every recipe where the script is used, but keep the variable at the Yocto level since it's still needed in several places.
https://onedigi.atlassian.net/browse/DEL-7862
Signed-off-by: Gabriel Valcazar
---
 meta-digi-arm/classes/image_types_digi.bbclass | 2 --
 meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc | 3 +--
 .../trustfence-sign-tools/trustfence-sign-artifact.sh | 11 +++++------
 meta-digi-arm/recipes-kernel/linux/linux-dey_5.10.bb | 1 -
 meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb | 3 +--
 5 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass
index 841bb663d..91ce923e0 100644
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@@ -205,7 +205,6 @@ trustence_sign_cpio() {
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
- [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
 # Sign/encrypt the ramdisk
 trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf"
@@ -228,7 +227,6 @@ rootfs_sign() {
 # Set environment variables for trustfence configuration
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 [ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
- [ -n "${CONFIG_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
 ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.rootfs.squashfs"
 TMP_ROOTFS_IMAGE_SIGNED="$(mktemp ${ROOTFS_IMAGE}-signed.XXXXXX)"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
index 51cbeb728..3d2c7cc8f 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
@@ -1,4 +1,4 @@
-# Copyright (C) 2018 Digi International
+# Copyright (C) 2018-2022 Digi International
 require recipes-bsp/u-boot/u-boot.inc
@@ -196,7 +196,6 @@ do_deploy_append() {
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
- [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
 # Sign boot script
 TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
index 28adac4c6..d8f0a1d0c 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
@@ -3,7 +3,7 @@
 #
 # trustfence-sign-artifact.sh
 #
-# Copyright (C) 2016-2021 by Digi International Inc.
+# Copyright (C) 2016-2022 by Digi International Inc.
 # All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify it
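Review bot: In `rootfs_sign()` of image_types_digi.bbclass (hunk at -228) the guard that survives this change tests the wrong variable: `[ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"` checks CONFIG_KEY_INDEX, while the same line in `trustence_sign_cpio()`, `do_deploy_append()` and `trustfence_sign()` checks TRUSTFENCE_KEY_INDEX. The line removed next to it followed the same pattern, so this looks like a copy error rather than intent. If CONFIG_KEY_INDEX is not already set when the function runs, the export is skipped and the rootfs would presumably be signed with the script's documented default index 0 instead of the configured key, which matters once a key index has been revoked or all artifacts are expected to share one key. I would change the line to `[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"`; the body of rootfs_sign continues outside the hunk.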
@@ -16,7 +16,6 @@
 #
 # The following environment variables define the script behaviour:
 # CONFIG_SIGN_KEYS_PATH: (mandatory) path to the CST folder by NXP with keys generated.
-# CONFIG_SIGN_MODE: (mandatory) Signing method: HAB/AHAB
 # CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0.
 # CONFIG_DEK_PATH: (optional) Path to keyfile. Define it to generate
 # encrypted images
@@ -80,10 +79,6 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
 exit 1
 fi
 [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
-if [ -z "${CONFIG_SIGN_MODE}" ]; then
- echo "Undefined CONFIG_SIGN_MODE";
- exit 1
-fi
 # Get RAM_START address
 if [ "${PLATFORM}" = "ccimx6" ]; then
@@ -91,20 +86,24 @@ if [ "${PLATFORM}" = "ccimx6" ]; then
 CONFIG_RAMDISK_LOADADDR="0x19000000"
 CONFIG_KERNEL_LOADADDR="0x12000000"
 CONFIG_CSF_SIZE="0x4000"
+ CONFIG_SIGN_MODE="HAB"
 elif [ "${PLATFORM}" = "ccimx6ul" ]; then
 CONFIG_FDT_LOADADDR="0x83000000"
 CONFIG_RAMDISK_LOADADDR="0x83800000"
 CONFIG_KERNEL_LOADADDR="0x80800000"
 CONFIG_CSF_SIZE="0x4000"
+ CONFIG_SIGN_MODE="HAB"
 elif [ "${PLATFORM}" = "ccimx8x" ]; then
 CONFIG_FDT_LOADADDR="0x82000000"
 CONFIG_RAMDISK_LOADADDR="0x82100000"
 CONFIG_KERNEL_LOADADDR="0x80280000"
+ CONFIG_SIGN_MODE="AHAB"
 elif [ "${PLATFORM}" = "ccimx8mn" ] || [ "${PLATFORM}" = "ccimx8mm" ]; then
 CONFIG_FDT_LOADADDR="0x43000000"
 CONFIG_RAMDISK_LOADADDR="0x43800000"
 CONFIG_KERNEL_LOADADDR="0x40480000"
 CONFIG_CSF_SIZE="0x2000"
+ CONFIG_SIGN_MODE="HAB"
 else
 echo "Invalid platform: ${PLATFORM}"
 echo "Supported platforms: ccimx6, ccimx6ul, ccimx8x, ccimx8mn, ccimx8mm"
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.10.bb b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.10.bb
index 2c12b929a..4a46988ad 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.10.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.10.bb
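Review bot: With the assignments added to each platform branch of trustfence-sign-artifact.sh (hunk at -91), a CONFIG_SIGN_MODE that is already in the environment is overwritten without any message, so a caller that still exports it gets no sign that its value is ignored. For a signing tool I would make that visible just before the platform chain, e.g. `[ -n "${CONFIG_SIGN_MODE}" ] && echo "Ignoring CONFIG_SIGN_MODE from the environment; it is derived from the platform" >&2`. The header comment edited in the hunk at -16 could also keep one line such as `# The signing method (HAB/AHAB) is selected from the platform argument.` so the derived value stays documented. The if/elif chain starts before this hunk and continues after it.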
@@ -23,7 +23,6 @@ trustfence_sign() {
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
- [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
 # Sign/encrypt the kernel images
 for type in ${KERNEL_IMAGETYPES}; do
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb
index f9a5b1f3a..9c0f03d76 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb
@@ -1,4 +1,4 @@
-# Copyright (C) 2013-2020 Digi International
+# Copyright (C) 2013-2022 Digi International
 SUMMARY = "Linux kernel for Digi boards"
 LICENSE = "GPLv2"
@@ -23,7 +23,6 @@ trustfence_sign() {
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
- [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
 # Sign/encrypt the kernel images
 for type in ${KERNEL_IMAGETYPES}; do