diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass index bbfe2668d..5ebdbf869 100644 --- a/meta-digi-arm/classes/image_types_digi.bbclass +++ b/meta-digi-arm/classes/image_types_digi.bbclass @@ -206,16 +206,18 @@ trustence_sign_cpio() { [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + if [ "${SIGN_MODE}" = "AHAB" ]; then + ${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg + mv "${1}-mkimg" "${1}" + fi # Sign/encrypt the ramdisk trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf" - else - # Copy the image with no changes - cp "${1}" "${1}.tf" fi } CONVERSIONTYPES += "tf" CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}" CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}" +CONVERSION_DEPENDS_tf += "${@oe.utils.conditional('SIGN_MODE', 'AHAB', 'imx-mkimage', '', d)}" IMAGE_TYPES += "cpio.gz.u-boot.tf" ################################################################################ diff --git a/meta-digi-arm/conf/machine/include/ccimx6.inc b/meta-digi-arm/conf/machine/include/ccimx6.inc index a426af847..0a4d41c03 100644 --- a/meta-digi-arm/conf/machine/include/ccimx6.inc +++ b/meta-digi-arm/conf/machine/include/ccimx6.inc @@ -43,3 +43,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \ " MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci" + +SIGN_MODE = "HAB" diff --git a/meta-digi-arm/conf/machine/include/ccimx6ul.inc b/meta-digi-arm/conf/machine/include/ccimx6ul.inc index 96349cf22..be96b3aba 100644 --- a/meta-digi-arm/conf/machine/include/ccimx6ul.inc +++ b/meta-digi-arm/conf/machine/include/ccimx6ul.inc 
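Review bot: With the `else` branch removed, `trustence_sign_cpio` produces no `${1}.tf` at all when the outer condition is false, so an image that requests `cpio.gz.u-boot.tf` with signing disabled now fails (or deploys nothing) where it used to get an unsigned copy; the `if` that `else` belonged to opens before the hunk, so I am assuming it tests `TRUSTFENCE_SIGN`. Unless the `.tf` type is only ever requested when signing is on (not visible here), restore `else cp "${1}" "${1}.tf"`, or if an unsigned `.tf` is now a misconfiguration make it loud with `else bbfatal "cpio.gz.u-boot.tf requested but TRUSTFENCE_SIGN is not 1"`. Separately, `mkimage_imx8` is executed from `${DEPLOY_DIR_IMAGE}/imx-boot-tools/`, which the added `imx-mkimage` entry in `CONVERSION_DEPENDS_tf` (a `do_populate_sysroot` dependency) does not guarantee is present or current; the tool lands there through another recipe's deploy task (imx-boot, judging by the directory name), so the ordering needs a task dependency along the lines of `do_image_cpio[depends] += "imx-boot:do_deploy"`. The `a35` core and `${RAM_CONTAINER_LOC_TF}` passed to `-ap` are written into the container that then gets signed, so a one-line comment that the address must equal the initramfs load address U-Boot uses would save the next person a boot failure.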
@@ -57,3 +57,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255" # mkfs.ubifs parameters for rootfs partition # Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size. MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191" + +SIGN_MODE = "HAB" diff --git a/meta-digi-arm/conf/machine/include/ccimx8x.inc b/meta-digi-arm/conf/machine/include/ccimx8x.inc index 20a37aacc..81a3cddb3 100644 --- a/meta-digi-arm/conf/machine/include/ccimx8x.inc +++ b/meta-digi-arm/conf/machine/include/ccimx8x.inc @@ -72,6 +72,16 @@ KERNEL_IMAGETYPE = "Image.gz" VIRTUAL-RUNTIME_init_manager ?= "systemd" VIRTUAL-RUNTIME_initscripts ?= "initscripts" +# For i.MX 8 silicon chip revision +MX8_CHIP_REV ?= "B0" +MX8_SOC_VAR ?= "QX" +SIGN_MODE = "AHAB" + +# For Trustfence container header RAM locations +RAM_CONTAINER_LOC_BOOT = "0x80280000" +RAM_CONTAINER_LOC_DTB = "0x82000000" +RAM_CONTAINER_LOC_TF = "0x82100000" + # Adding 'wayland' along with 'x11' enables the xwayland backend # Vulkan is necessary for wayland to build DISTRO_FEATURES_append = " wayland vulkan systemd pam" diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend index 99ab339a1..ab0299104 100644 --- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend +++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend @@ -11,6 +11,7 @@ SRC_URI_append_ccimx8x = " file://0001-iMX8QX-remove-SC_BD_FLAGS_ALT_CONFIG-flag IMX_EXTRA_FIRMWARE_ccimx8x = "digi-sc-firmware imx-seco" DEPENDS_append_ccimx8x = " coreutils-native" +DEPENDS_append_ccimx8x += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}" # For i.MX 8, this package aggregates the imx-m4-demos # output. Note that this aggregation replaces the aggregation 
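Review bot: The new `RAM_CONTAINER_LOC_*` and `MX8_CHIP_REV` values are inputs to the signing flow (later hunks pass them to `mkimage_imx8 -rev` and `-ap ... a35 <addr>`), yet nothing in ccimx8x.inc says what they must agree with, and a mismatch would presumably only show up as an AHAB authentication failure on the board rather than a build error. I would document that: above `MX8_CHIP_REV` add `# Silicon revision handed to mkimage_imx8 -rev; containers built for another revision are expected to be rejected at boot (confirm against the SECO release notes)`, and above the RAM locations `# Load addresses written into the AHAB containers for boot.scr, DTB and initramfs before signing; keep them equal to the U-Boot loadaddr/fdt_addr/initrd_addr values the bootloader uses`. `SIGN_MODE` is assigned with `=` while the two defaults use `?=`, so a distro or local.conf cannot override it; that matches the HAB machines in this diff, but a comment saying it is a property of the silicon rather than a tunable would stop someone "fixing" it later.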
@@ -203,4 +204,22 @@ do_deploy () { } +do_deploy_append () { + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then + export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" + [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" + [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + + # Sign U-boot image + for ramc in ${RAM_CONFIGS}; do + trustfence-sign-ahab-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin + done + + cd ${DEPLOYDIR} + cp ${B}/${config}SRK_efuses.bin ${DEPLOYDIR} + install ${B}/${config}SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin + ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin + fi +} + COMPATIBLE_MACHINE = "(ccimx8x|ccimx8mn)" diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc index 54ac3ec29..9639c584a 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc @@ -13,6 +13,8 @@ SRC_URI = " \ file://0002-hab4_pki_tree.sh-automate-script.patch \ file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \ file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \ + file://0005-ahab_pki_tree.sh-automate-script.patch \ + file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \ file://Makefile \ " 
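Review bot: `${config}` is not set anywhere in the new `do_deploy_append`, so `${B}/${config}SRK_efuses.bin` silently expands to `${B}/SRK_efuses.bin` (or to an unrelated path if a `config` variable leaks in from the surrounding recipe), and the same file is then copied twice, once with `cp` into `${DEPLOYDIR}` and once with `install` under the versioned name, after which `ln -sf` replaces the `cp`'d file with a symlink anyway. Drop the `cp` line and the `${config}` prefix, or assign `config` explicitly, so the path is deterministic. Because `SRK_efuses.bin` is what the OEM burns into the SRK fuses, it deserves a comment on its provenance, e.g. `# SRK_efuses.bin is written into ${B} (the task cwd) by trustfence-sign-ahab-uboot.sh` — I am inferring that from the script name and the cwd, so confirm it. The signing loop relies on BitBake's `set -e` to abort on a failed `trustfence-sign-ahab-uboot.sh`, which is fine, but note that the unsigned `*-${ramc}.bin` files remain in `${DEPLOYDIR}` beside the `-signed` ones.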
@@ -41,7 +43,14 @@ do_install() { install -d ${D}${bindir} install -m 0755 linux64/cst ${D}${bindir}/cst install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool - install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh + if [ "${SIGN_MODE}" = "AHAB" ]; then + install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh + elif [ "${SIGN_MODE}" = "HAB" ]; then + install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh + else + bberror "Unkown SIGN_MODE value" + exit 1 + fi install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf install -m 0755 ca/v3_ca.cnf ${D}${bindir}/v3_ca.cnf install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch new file mode 100644 index 000000000..d238c945c --- /dev/null +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch 
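Review bot: The fallback branch prints `Unkown SIGN_MODE value` (typo) via `bberror` and then relies on a separate `exit 1`; `bbfatal "Unknown SIGN_MODE value: '${SIGN_MODE}'"` is the idiomatic single call, aborts the task itself and shows the offending value, which is exactly what someone debugging a machine config needs. `do_install` opens before the hunk. A more structural concern: which PKI generator is installed now depends on the machine-level `SIGN_MODE`, and if this recipe is built as a native tool (it is pulled in as `trustfence-sign-tools-native` elsewhere in this diff, so I am inferring that) its output becomes MACHINE-dependent, which defeats sharing the native sysroot and sstate across machines in one build directory. Installing both scripts under distinct names (`trustfence-gen-pki-hab.sh`, `trustfence-gen-pki-ahab.sh`) and letting `trustfence-sign-kernel.sh` choose would keep the native package machine-independent.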
@@ -0,0 +1,206 @@ +From: Mike Engel +Date: Fri, 24 Jan 2020 17:31:50 +0100 +Subject: [PATCH] ahab_pki_tree.sh: automate script + +Signed-off-by: Mike Engel +--- + keys/ahab_pki_tree.sh | 116 ++++++++++++++++++------------------------------------- + 1 file changed, 38 insertions(+), 78 deletions(-) + +diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh +index 988c27e..00dd143 100755 +--- a/keys/ahab_pki_tree.sh ++++ b/keys/ahab_pki_tree.sh +@@ -47,74 +47,36 @@ + # + #----------------------------------------------------------------------------- + +-printf "\n" +-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" +-printf " This script is a part of the Code signing tools for NXP's\n" +-printf " Advanced High Assurance Boot. It generates a basic PKI tree. The\n" +-printf " PKI tree consists of one or more Super Root Keys (SRK), with each\n" +-printf " SRK having one subordinate keys: \n" +-printf " + a Signing key (SGK) \n" +-printf " Additional keys can be added to the PKI tree but a separate \n" +-printf " script is available for this. This this script assumes openssl\n" +-printf " is installed on your system and is included in your search \n" +-printf " path. Finally, the private keys generated are password \n" +-printf " protectedwith the password provided by the file key_pass.txt.\n" +-printf " The format of the file is the password repeated twice:\n" +-printf " my_password\n" +-printf " my_password\n" +-printf " All private keys in the PKI tree are in PKCS #8 format will be\n" +-printf " protected by the same password.\n\n" +-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" +- +-stty erase  +- +-printf "Do you want to use an existing CA key (y/n)?: \b" +-read existing_ca +-if [ $existing_ca = "y" ] +-then +- printf "Enter CA key name: \b" +- read ca_key +- printf "Enter CA certificate name: \b" +- read ca_cert ++SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)" ++CSF_PATH="${1}" ++if [ ! 
-d "${CSF_PATH}" ]; then ++ echo "Invalid CSF_PATH: ${CSF_PATH}" ++ exit 1 + fi + +-printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b" +-read use_ecc +-if [ $use_ecc = "y" ] +-then +- printf "Enter length for elliptic curve to be used for PKI tree:\n" +- printf "Possible values p256, p384, p521: \b" +- read kl +- +- # Confirm that a valid key length has been entered +- case $kl in +- p256) +- cn="prime256v1" ;; +- p384) +- cn="secp384r1" ;; +- p521) +- cn="secp521r1" ;; +- *) +- echo Invalid key length. Supported key lengths: 256, 384, 521 +- exit 1 ;; +- esac +-else +- printf "Enter key length in bits for PKI tree: \b" +- read kl +- +- # Confirm that a valid key length has been entered +- case $kl in +- 2048) ;; +- 3072) ;; +- 4096) ;; +- *) +- echo Invalid key length. Supported key lengths: 2048, 3072, 4096 +- exit 1 ;; +- esac +-fi ++cd "${CSF_PATH}" ++ ++[ -d crts ] || mkdir crts ++[ -d keys ] || mkdir keys ++ ++cd keys ++ ++use_ecc="y" ++existing_ca="n" ++kl="p521" ++cn="secp521r1" ++ ++# Confirm that a valid key length has been entered ++case $kl in ++ p256);; ++ p384);; ++ p521);; ++ *) ++ echo Invalid key length. Supported key lengths: 256, 384, 521 ++ exit 1 ;; ++esac + +-printf "Enter the digest algorithm to use: \b" +-read da ++da="sha512" + + # Confirm that a valid digest algorithm has been entered + case $da in +@@ -126,8 +88,7 @@ case $da in + exit 1 ;; + esac + +-printf "Enter PKI tree duration (years): \b" +-read duration ++duration="10" + + # Compute validity period + val_period=$((duration*365)) +@@ -144,8 +105,7 @@ then + fi + + # Check if SRKs should be generated as CA certs or user certs +-printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b" +-read srk_ca ++srk_ca="y" + + # Check that the file "serial" is present, if not create it: + if [ ! 
-f serial ] +@@ -201,7 +161,7 @@ then + -x509 -extensions v3_ca \ + -keyout temp_ca.pem \ + -out ${ca_cert}.pem \ +- -days ${val_period} -config ../ca/openssl.cnf ++ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Generate CA key in PKCS #8 format - both PEM and DER + openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ +@@ -218,7 +178,7 @@ then + openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der + + # Cleanup +- \rm temp_ca.pem ++ rm temp_ca.pem + fi + + +@@ -292,7 +252,7 @@ then + -out ${srk_key}.pem + + # Cleanup +- \rm ./temp_srk.pem ./temp_srk_req.pem ++ rm ./temp_srk.pem ./temp_srk_req.pem + i=$((i+1)) + done + else +@@ -341,10 +301,10 @@ do + -in ./temp_srk_req.pem \ + -cert ${ca_cert}.pem \ + -keyfile ${ca_key}.pem \ +- -extfile ../ca/v3_ca.cnf \ ++ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \ + -out ${srk_crt}.pem \ + -days ${val_period} \ +- -config ../ca/openssl.cnf ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Convert SRK Certificate to DER format + openssl x509 -inform PEM -outform DER \ +@@ -365,7 +325,7 @@ do + -out ${srk_key}.pem + + # Cleanup +- \rm ./temp_srk.pem ./temp_srk_req.pem ++ rm ./temp_srk.pem ./temp_srk_req.pem + + echo + echo ++++++++++++++++++++++++++++++++++++++++ +@@ -410,10 +370,10 @@ do + -in ./temp_sgk_req.pem \ + -cert ${srk_crt_i} \ + -keyfile ${srk_key_i} \ +- -extfile ../ca/v3_usr.cnf \ ++ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ + -out ${sgk_crt}.pem \ + -days ${val_period} \ +- -config ../ca/openssl.cnf ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + + # Convert SGK Certificate to DER format + openssl x509 -inform PEM -outform DER \ +@@ -432,7 +392,7 @@ do + -out ${sgk_key}.pem + + # Cleanup +- \rm ./temp_sgk.pem ./temp_sgk_req.pem ++ rm ./temp_sgk.pem ./temp_sgk_req.pem + + i=$((i+1)) + done 
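Review bot: `cd "${CSF_PATH}"` and `cd keys` are unchecked, so if either fails (permissions, or a `keys` that exists as a file) the script carries on and writes the CA, SRK and SGK private keys into whatever the current directory happens to be; write them as `cd "${CSF_PATH}" || exit 1`, `mkdir -p crts keys`, `cd keys || exit 1`. With `kl`, `da` and `duration` now hard-coded, the `case` validation that follows each of them is dead code; either delete it or keep it meaningful by reading the values from the environment with these as defaults (e.g. `kl="${AHAB_KEY_LENGTH:-p521}"`), which also gives an OEM a way to pick a curve or validity without patching the script. Since the interactive banner that explained the policy was removed, a short header comment stating it — fresh CA, P-521 SRKs with the CA flag, SHA-512, 10-year validity, passphrase in key_pass.txt — would help whoever audits the generated PKI. `SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"` should quote the inner expansions: `"$(cd "$(dirname "${0}")" && pwd)"`.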
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch new file mode 100644 index 000000000..ab49ef09a --- /dev/null +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch @@ -0,0 +1,28 @@ +From: Mike Engel +Date: Fri, 24 Jan 2020 17:47:56 +0100 +Subject: [PATCH] ahab_pki_tree.sh: use a random password for the default PKI + generation + +Signed-off-by: Mike Engel +--- + keys/ahab_pki_tree.sh | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh +index 00dd143..8b81143 100755 +--- a/keys/ahab_pki_tree.sh ++++ b/keys/ahab_pki_tree.sh +@@ -117,9 +117,10 @@ fi + # Check that the file "key_pass.txt" is present, if not create it with default user/pwd: + if [ ! -f key_pass.txt ] + then +- echo "test" > key_pass.txt +- echo "test" >> key_pass.txt +- echo "A default file 'key_pass.txt' was created with password = test!" ++ password="$(openssl rand -base64 32)" ++ echo "${password}" > key_pass.txt ++ echo "${password}" >> key_pass.txt ++ echo "A file 'key_pass.txt' was created with a random password!" + fi + + # The following is required otherwise OpenSSL complains diff --git a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc index ab99d671a..9b40be959 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc 
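Review bot: `key_pass.txt` is created under the build user's default umask, so the passphrase that protects every private key in the tree is typically left group- or world-readable right next to the keys; write it under a restrictive umask, e.g. `( umask 077; printf '%s\n%s\n' "${password}" "${password}" > key_pass.txt )`, and consider setting `umask 077` for the whole script so the PEM/DER private keys are created 0600 as well. The passphrase is still stored in clear text beside the keys it protects (the CST tools need it that way), so the random value only defends against the old hard-coded `test`; a comment saying the key directory must be treated as a secret would set expectations. `openssl rand -base64 32` is a fine source for the value.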
@@ -79,7 +79,7 @@ do_compile () { unset k # Secure boot artifacts - if [ "${TRUSTFENCE_SIGN}" = "1" ] + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ] then cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} @@ -122,8 +122,7 @@ do_deploy_append() { cd ${DEPLOYDIR} rm -r ${UBOOT_BINARY}-${type} ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX} - if [ "${TRUSTFENCE_SIGN}" = "1" ] - then + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin @@ -162,9 +161,11 @@ do_deploy_append() { [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" # Sign boot script - TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}" - mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr" + if [ "${SIGN_MODE}" = "HAB" ]; then + TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" + trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}" + mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr" + fi fi rm -f ${TMP_BOOTSCR} } 
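Review bot: For `SIGN_MODE = "AHAB"` the boot-script branch of `do_deploy_append` now leaves `boot.scr` unsigned and relies on `do_deploy_append_ccimx8x` (a later hunk) to wrap and sign it, but nothing here says so, and a reader checking that every secure-boot artifact gets signed will flag it; add `# AHAB boot scripts are packed into a container and signed in do_deploy_append_ccimx8x` on the new `if`. The enclosing `if [ "${TRUSTFENCE_SIGN}" = "1" ]` and the `CONFIG_*` exports it contains begin before the hunk; those exports are what the ccimx8x append appears to depend on, which is worth a sentence next to them too. In `do_compile` and the SRK-efuse deploy, gating on `HAB` means AHAB machines deploy neither `u-boot-dtb-signed*` nor `SRK_efuses.bin` from this recipe — correct if the imx-boot append covers both, so a comment pointing there would tie the two recipes together.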
@@ -177,6 +178,11 @@ do_deploy_append_ccimx8x() { install -d ${DEPLOYDIR}/${BOOT_TOOLS} mv ${DEPLOYDIR}/u-boot* ${DEPLOYDIR}/${BOOT_TOOLS}/ mv ${DEPLOYDIR}/${UBOOT_SYMLINK}-* ${DEPLOYDIR}/${BOOT_TOOLS}/ + if [ "${TRUSTFENCE_SIGN}" = "1" ]; then + ${DEPLOY_DIR_IMAGE}/${BOOT_TOOLS}/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DEPLOYDIR}/boot.scr a35 ${RAM_CONTAINER_LOC_BOOT} -out ${DEPLOYDIR}/boot-mkimg.scr + trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot-mkimg.scr" "${DEPLOYDIR}/boot.scr" + rm -f ${DEPLOYDIR}/boot-mkimg.scr + fi } do_deploy_append_ccimx8mn() { diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_uimage b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_hab similarity index 100% rename from meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_uimage rename to meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_hab diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab new file mode 100644 index 000000000..839649e77 --- /dev/null +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab 
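Review bot: `trustfence-sign-kernel.sh` selects the HAB or AHAB layout from `${SIGN_MODE}` in its environment at run time (see its hunks later in this diff), but nothing in this function or in the `do_deploy_append` above exports it, and BitBake only passes `export`ed variables to the tools it runs; unless it is exported somewhere not shown, the script sees an empty `SIGN_MODE`, skips its PKI checks and falls into the AHAB path by default, which happens to work here and would be silently wrong on a HAB machine. Add `export SIGN_MODE` beside the `CONFIG_SIGN_KEYS_PATH` export (which lives before this hunk). `${DEPLOY_DIR_IMAGE}/${BOOT_TOOLS}/mkimage_imx8` is also taken from the shared deploy directory rather than a sysroot, so without something like `do_deploy[depends] += "imx-boot:do_deploy"` there is no guarantee the binary is present or current when this task runs. The enclosing `do_deploy_append_ccimx8x` starts before the hunk.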
@@ -0,0 +1,23 @@ +# The syntax for this file is documented in the HAB Code Signing Tool +# User's Guid which is included in the CST package distributed by NXP +[Header] + Target = AHAB + Version = 1.0 + +[Install SRK] + # SRK table generated by srktool + File = "%srk_table%" + # Public key certificate in PEM format + Source = "%cert_img%" + # Index of the public key certificate within the SRK table (0 .. 3) + Source index = %key_index% + # Type of SRK set (NXP or OEM) + Source set = OEM + # bitmask of the revoked SRKs + Revocations = 0x%key_index% + +[Authenticate Data] + # Binary to be signed generated by mkimage + File = "%kernel-img%" + # Offsets = Container header Signature block (printed out by mkimage) + Offsets = %container_offset% %block_offset% \ No newline at end of file diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_uimage b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_hab similarity index 100% rename from meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_uimage rename to meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_hab diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh index 93e0629fd..9b25083c7 100755 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh @@ -1,9 +1,9 @@ #!/bin/sh #=============================================================================== # -# trustfence_sign_uimage.sh +# trustfence-sign-kernel.sh # -# Copyright (C) 2016 by Digi International Inc. +# Copyright (C) 2016-2020 by Digi International Inc. # All rights reserved. # # This program is free software; you can redistribute it and/or modify it 
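Review bot: `Revocations = 0x%key_index%` substitutes the SRK index where the template's own comment says a bitmask of revoked SRKs is expected: index 1 yields 0x1 (SRK0 revoked), index 2 yields 0x2 (SRK1 revoked but not SRK0), index 3 yields 0x3 (SRK0 and SRK1 but not SRK2), so the field only means something coherent for index 0. If the intent is to revoke every SRK before the one in use, the signing script should compute `$(( (1 << CONFIG_KEY_INDEX) - 1 ))` and substitute that; if no revocation is intended, hard-code `Revocations = 0x0`. Either way the value is part of the signed container, so the line should carry a comment stating the revocation policy rather than leaving it implicit. Also `User's Guid` in the header comment should read `User's Guide`.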
@@ -54,7 +54,7 @@ Usage: ${SCRIPT_NAME} [OPTIONS] input-unsigned-image output-signed-image -i sign/encrypt initramfs -l sign/encrypt Linux image -Supported platforms: ccimx6, ccimx6ul +Supported platforms: ccimx6, ccimx6ul, ccimx8x EOF } @@ -64,14 +64,16 @@ if [ "${#}" != "2" ]; then exit 1 fi -# Negative offset with respect to CONFIG_RAM_START in which U-Boot -# copies the DEK blob. -DEK_BLOB_OFFSET="0x100" -CONFIG_CSF_SIZE="0x4000" - UIMAGE_PATH="$(readlink -e ${1})" TARGET="$(readlink -m ${2})" +# Negative offset with respect to CONFIG_RAM_START in which U-Boot +# copies the DEK blob. +if [ "${SIGN_MODE}" = "HAB" ]; then + DEK_BLOB_OFFSET="0x100" + CONFIG_CSF_SIZE="0x4000" +fi + # Read user configuration file (if used) [ -f .config ] && . ./.config 
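Review bot: `SIGN_MODE` is consulted for the HAB-only `DEK_BLOB_OFFSET`/`CONFIG_CSF_SIZE` before `.config` is sourced, so the mode can only come from the caller's environment; a `SIGN_MODE` set in `.config` would leave those two unset while the later HAB layout code still uses them. Either move the new block below the `.config` line or, if the environment is the intended source, say so in the comment. In both cases validate the value here and fail closed, because further down the script treats anything other than `HAB` as AHAB through bare `else` branches while the PKI check silently does nothing for an unknown value: `[ "${SIGN_MODE}" = "HAB" ] || [ "${SIGN_MODE}" = "AHAB" ] || { echo "[ERROR] SIGN_MODE must be HAB or AHAB (got '${SIGN_MODE}')" >&2; exit 1; }`. The callers in this diff export `CONFIG_*` but not `SIGN_MODE`, so unless it is exported elsewhere this check would fire on the first build — which is the point.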
@@ -81,43 +83,45 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then fi [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}" -if [ -n "${CONFIG_DEK_PATH}" ]; then - if [ ! -f "${CONFIG_DEK_PATH}" ]; then - echo "DEK not found. Generating random 256 bit DEK." - [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH}) - dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1 +if [ "${SIGN_MODE}" = "HAB" ]; then + if [ -n "${CONFIG_DEK_PATH}" ]; then + if [ ! -f "${CONFIG_DEK_PATH}" ]; then + echo "DEK not found. Generating random 256 bit DEK." + [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH}) + dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1 + fi + dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))" + if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then + echo "Invalid DEK size: ${dek_size} bits. Valid sizes are 128, 192 and 256 bits" + exit 1 + fi + ENCRYPT="true" fi - dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))" - if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then - echo "Invalid DEK size: ${dek_size} bits. 
Valid sizes are 128, 192 and 256 bits" + + if [ "${PLATFORM}" = "ccimx6" ]; then + CONFIG_FDT_LOADADDR="0x18000000" + CONFIG_RAMDISK_LOADADDR="0x19000000" + CONFIG_KERNEL_LOADADDR="0x12000000" + elif [ "${PLATFORM}" = "ccimx6ul" ]; then + CONFIG_FDT_LOADADDR="0x83000000" + CONFIG_RAMDISK_LOADADDR="0x83800000" + CONFIG_KERNEL_LOADADDR="0x80800000" + else + echo "Invalid platform: ${PLATFORM}" + echo "Supported platforms: ccimx6, ccimx6ul" exit 1 fi - ENCRYPT="true" -fi -if [ "${PLATFORM}" = "ccimx6" ]; then - CONFIG_FDT_LOADADDR="0x18000000" - CONFIG_RAMDISK_LOADADDR="0x19000000" - CONFIG_KERNEL_LOADADDR="0x12000000" -elif [ "${PLATFORM}" = "ccimx6ul" ]; then - CONFIG_FDT_LOADADDR="0x83000000" - CONFIG_RAMDISK_LOADADDR="0x83800000" - CONFIG_KERNEL_LOADADDR="0x80800000" -else - echo "Invalid platform: ${PLATFORM}" - echo "Supported platforms: ccimx6, ccimx6ul" - exit 1 -fi + [ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}" + [ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}" + [ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" + # bootscripts are loaded to $loadaddr, just like the kernel + [ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" -[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}" -[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}" -[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" -# bootscripts are loaded to $loadaddr, just like the kernel -[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" - -if [ -z "${CONFIG_RAM_START}" ]; then - echo "Specify the type of image to process (-b, -i, -d, or -l)" - exit 1 + if [ -z "${CONFIG_RAM_START}" ]; then + echo "Specify the type of image to process (-b, -i, -d, or -l)" + exit 1 + fi fi # Default values 
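Review bot: In AHAB mode neither `-p` nor the artifact flag is validated: the `Invalid platform` check and the `Specify the type of image` check now sit inside the `SIGN_MODE = HAB` block, so `-p anything` passes, and the `ccimx8x` platform advertised in the usage text is never actually recognised anywhere in the script. Add an AHAB arm so a bad platform fails, e.g. `elif [ "${SIGN_MODE}" = "AHAB" ]; then` followed by `[ "${PLATFORM}" = "ccimx8x" ] || { echo "Invalid platform: ${PLATFORM}" >&2; exit 1; }`, and reword the HAB arm's `Supported platforms: ccimx6, ccimx6ul` to `Supported HAB platforms: ...` so it stops contradicting the usage text. This is top-level script code, so the hunk boundaries do not cut a function.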
@@ -125,135 +129,197 @@ fi CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))" SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" -CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)" -CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)" +if [ "${SIGN_MODE}" = "HAB" ]; then + CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)" + CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)" +fi n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)" -if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then - # PKI tree already exists. - echo "Using existing PKI tree" -elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then - # Generate PKI - trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}" +if [ "${SIGN_MODE}" = "HAB" ]; then + if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then + # PKI tree already exists. + echo "Using existing PKI tree" + elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then + # Generate PKI + trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}" - SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" - CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)" - CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)" -else - echo "Inconsistent CST folder." - exit 1 + SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" + CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)" + CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)" + else + echo "Inconsistent CST folder." + exit 1 + fi +elif [ "${SIGN_MODE}" = "AHAB" ]; then + if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then + # PKI tree already exists. 
Do nothing + echo "Using existing PKI tree" + elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then + # Generate PKI + trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}" + + SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" + else + echo "Inconsistent CST folder." + exit 1 + fi fi SRK_TABLE="$(pwd)/SRK_table.bin" +if [ "${SIGN_MODE}" = "HAB" ]; then + HAB_VER="hab_ver 4" + DIGEST="digest" + DIGEST_ALGO="sha256" + SRK_EFUSES="/dev/null" -# Other constants -GAP_FILLER="0x00" + # Other constants + GAP_FILLER="0x00" -# The DEK blob is placed by U-Boot just before the kernel image -dek_blob_offset="$((CONFIG_KERNEL_LOADADDR - DEK_BLOB_OFFSET))" + # The DEK blob is placed by U-Boot just before the kernel image + dek_blob_offset="$((CONFIG_KERNEL_LOADADDR - DEK_BLOB_OFFSET))" -# Compute the layout: sizes and offsets. -uimage_size="$(stat -L -c %s ${UIMAGE_PATH})" -uimage_offset="0x0" -pad_len="$(((uimage_size + 0x1000 - 1) & ~(0x1000 - 1)))" -auth_len="$((pad_len + 0x20))" -sig_len="$((auth_len + CONFIG_CSF_SIZE))" + # Compute the layout: sizes and offsets. 
+ uimage_size="$(stat -L -c %s ${UIMAGE_PATH})" + uimage_offset="0x0" + pad_len="$(((uimage_size + 0x1000 - 1) & ~(0x1000 - 1)))" + auth_len="$((pad_len + 0x20))" + sig_len="$((auth_len + CONFIG_CSF_SIZE))" -ivt_uimage_start="$((auth_len - 0x20))" -ivt_ram_start="$((CONFIG_RAM_START + ivt_uimage_start))" -ivt_size="0x20" -csf_ram_start="$((ivt_ram_start + ivt_size))" -entrypoint_uimage_offset="0x100" -entrypoint_ram_start="$((CONFIG_RAM_START + entrypoint_uimage_offset))" -entrypoint_size="0x20" -header_uimage_offset="0x0" -header_ram_start="${CONFIG_RAM_START}" -header_size="0x40" + ivt_uimage_start="$((auth_len - 0x20))" + ivt_ram_start="$((CONFIG_RAM_START + ivt_uimage_start))" + ivt_size="0x20" + csf_ram_start="$((ivt_ram_start + ivt_size))" + entrypoint_uimage_offset="0x100" + entrypoint_ram_start="$((CONFIG_RAM_START + entrypoint_uimage_offset))" + entrypoint_size="0x20" + header_uimage_offset="0x0" + header_ram_start="${CONFIG_RAM_START}" + header_size="0x40" -r1_uimage_offset="${header_size}" -r1_ram_start="$((CONFIG_RAM_START + r1_uimage_offset))" -r1_size="$((entrypoint_uimage_offset - header_size ))" -r2_uimage_offset="$((entrypoint_uimage_offset + entrypoint_size))" -r2_ram_start="$((CONFIG_RAM_START + r2_uimage_offset))" -r2_size="$((ivt_uimage_start - (entrypoint_uimage_offset + entrypoint_size)))" + r1_uimage_offset="${header_size}" + r1_ram_start="$((CONFIG_RAM_START + r1_uimage_offset))" + r1_size="$((entrypoint_uimage_offset - header_size ))" + r2_uimage_offset="$((entrypoint_uimage_offset + entrypoint_size))" + r2_ram_start="$((CONFIG_RAM_START + r2_uimage_offset))" + r2_size="$((ivt_uimage_start - (entrypoint_uimage_offset + entrypoint_size)))" -# Generate actual CSF descriptor file from template -if [ "${ENCRYPT}" = "true" ]; then - sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \ - -e "s,%srk_table%,${SRK_TABLE},g " \ - -e "s,%cert_csf%,${CERT_CSF},g" \ - -e "s,%cert_img%,${CERT_IMG},g" \ - -e "s,%uimage_path%,${TARGET},g" \ - -e 
"s,%key_index%,${CONFIG_KEY_INDEX},g" \ - -e "s,%dek_len%,${dek_size},g" \ - -e "s,%dek_path%,${CONFIG_DEK_PATH},g" \ - -e "s,%dek_offset%,${dek_blob_offset},g" \ - -e "s,%ivt_uimage_start%,${ivt_uimage_start},g" \ - -e "s,%ivt_ram_start%,${ivt_ram_start},g" \ - -e "s,%ivt_size%,${ivt_size},g" \ - -e "s,%entrypoint_uimage_offset%,${entrypoint_uimage_offset},g" \ - -e "s,%entrypoint_ram_start%,${entrypoint_ram_start},g" \ - -e "s,%entrypoint_size%,${entrypoint_size},g" \ - -e "s,%header_uimage_offset%,${header_uimage_offset},g" \ - -e "s,%header_ram_start%,${header_ram_start},g" \ - -e "s,%header_size%,${header_size},g" \ - -e "s,%r1_uimage_offset%,${r1_uimage_offset},g" \ - -e "s,%r1_ram_start%,${r1_ram_start},g" \ - -e "s,%r1_size%,${r1_size},g" \ - -e "s,%r2_uimage_offset%,${r2_uimage_offset},g" \ - -e "s,%r2_ram_start%,${r2_ram_start},g" \ - -e "s,%r2_size%,${r2_size},g" \ - "${SCRIPT_PATH}/csf_templates/encrypt_uimage" > csf_descriptor + # Generate actual CSF descriptor file from template + if [ "${ENCRYPT}" = "true" ]; then + sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \ + -e "s,%srk_table%,${SRK_TABLE},g " \ + -e "s,%cert_csf%,${CERT_CSF},g" \ + -e "s,%cert_img%,${CERT_IMG},g" \ + -e "s,%uimage_path%,${TARGET},g" \ + -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \ + -e "s,%dek_len%,${dek_size},g" \ + -e "s,%dek_path%,${CONFIG_DEK_PATH},g" \ + -e "s,%dek_offset%,${dek_blob_offset},g" \ + -e "s,%ivt_uimage_start%,${ivt_uimage_start},g" \ + -e "s,%ivt_ram_start%,${ivt_ram_start},g" \ + -e "s,%ivt_size%,${ivt_size},g" \ + -e "s,%entrypoint_uimage_offset%,${entrypoint_uimage_offset},g" \ + -e "s,%entrypoint_ram_start%,${entrypoint_ram_start},g" \ + -e "s,%entrypoint_size%,${entrypoint_size},g" \ + -e "s,%header_uimage_offset%,${header_uimage_offset},g" \ + -e "s,%header_ram_start%,${header_ram_start},g" \ + -e "s,%header_size%,${header_size},g" \ + -e "s,%r1_uimage_offset%,${r1_uimage_offset},g" \ + -e "s,%r1_ram_start%,${r1_ram_start},g" \ + -e 
"s,%r1_size%,${r1_size},g" \
+ -e "s,%r2_uimage_offset%,${r2_uimage_offset},g" \
+ -e "s,%r2_ram_start%,${r2_ram_start},g" \
+ -e "s,%r2_size%,${r2_size},g" \
+ "${SCRIPT_PATH}/csf_templates/encrypt_hab" > csf_descriptor
+ else
+ sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \
+ -e "s,%srk_table%,${SRK_TABLE},g" \
+ -e "s,%image_offset%,${uimage_offset},g" \
+ -e "s,%auth_len%,${auth_len},g" \
+ -e "s,%cert_csf%,${CERT_CSF},g" \
+ -e "s,%cert_img%,${CERT_IMG},g" \
+ -e "s,%uimage_path%,${TARGET},g" \
+ -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
+ "${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor
+ fi
 else
- sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \
- -e "s,%srk_table%,${SRK_TABLE},g" \
- -e "s,%image_offset%,${uimage_offset},g" \
- -e "s,%auth_len%,${auth_len},g" \
- -e "s,%cert_csf%,${CERT_CSF},g" \
- -e "s,%cert_img%,${CERT_IMG},g" \
- -e "s,%uimage_path%,${TARGET},g" \
- -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
- "${SCRIPT_PATH}/csf_templates/sign_uimage" > csf_descriptor
+ SRK_EFUSES="$(pwd)/SRK_efuses.bin"
+
+ # Other constants
+ KERNEL_START_OFFSET="0x0"
+ KERNEL_SIG_BLOCK_OFFSET="0x90"
+ KERNEL_NAME="${1}"
+
+ HAB_VER="ahab"
+ DIGEST="sign_digest"
+ DIGEST_ALGO="sha512"
+
+ # Compute the layout: sizes and offsets.
+ container_header_offset="${KERNEL_START_OFFSET}"
+ signature_block_offset="${KERNEL_SIG_BLOCK_OFFSET}"
+
+ SRK_CERT_KEY_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK${CONFIG_KEY_INDEX_1}*crt.pem | sed s/\ /\,/g)"
+
+ sed -e "s,%srk_table%,${SRK_TABLE},g" \
+ -e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
+ -e "s,%kernel-img%,${KERNEL_NAME},g" \
+ -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
+ -e "s,%container_offset%,${container_header_offset},g" \
+ -e "s,%block_offset%,${signature_block_offset},g" \
+ "${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
+
+ if [ "${ENCRYPT}" = "true" ]; then
+ echo "[ERROR] Environment encryption is not supported."
+ exit 1
+ fi
 fi
 # Generate SRK tables
-srktool --hab_ver 4 --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses /dev/null --digest sha256
+srktool --${HAB_VER} --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses "${SRK_EFUSES}" --${DIGEST} "${DIGEST_ALGO}"
 if [ $? -ne 0 ]; then
 echo "[ERROR] Could not generate SRK tables"
 exit 1
 fi
-# Pad to IVT
-objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
+if [ "${SIGN_MODE}" = "HAB" ]; then
+ # Pad to IVT
+ objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
-# Generate and attach IVT
-# Fields: header, jump location, reserved (0), DCD pointer (null)
-# boot data (null), self pointer, CSF pointer, reserved (0)
-PRINTF="$(which printf)"
-IVT_HEADER="0x402000D1"
-{
- ${PRINTF} $(${PRINTF} "%08x" ${IVT_HEADER} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
- ${PRINTF} $(${PRINTF} "%08x" ${entrypoint_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
- ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
- ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
- ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
- ${PRINTF} $(${PRINTF} "%08x" ${ivt_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
- ${PRINTF} $(${PRINTF} "%08x" ${csf_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
- ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
-} >> "${TARGET}"
+ # Generate and attach IVT
+ # Fields: header, jump location, reserved (0), DCD pointer (null)
+ # boot data (null), self pointer, CSF pointer, reserved (0)
+ PRINTF="$(which printf)"
+ IVT_HEADER="0x402000D1"
+ {
+ ${PRINTF} $(${PRINTF} "%08x" ${IVT_HEADER} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ ${PRINTF} $(${PRINTF} "%08x" ${entrypoint_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ ${PRINTF} $(${PRINTF} "%08x" ${ivt_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ ${PRINTF} $(${PRINTF} "%08x" ${csf_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ ${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
+ } >> "${TARGET}"
-CURRENT_PATH="$(pwd)"
-cst -o "${CURRENT_PATH}/csf.bin" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
-if [ $? -ne 0 ]; then
- echo "[ERROR] Could not generate CSF"
- exit 1
+ CURRENT_PATH="$(pwd)"
+ cst -o "${CURRENT_PATH}/csf.bin" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "[ERROR] Could not generate CSF"
+ exit 1
+ fi
+
+ cat csf.bin >> "${TARGET}"
+
+ objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
+else
+ CURRENT_PATH="$(pwd)"
+ cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "[ERROR] Could not generate CSF $?"
+ exit 1
+ fi
 fi
-cat csf.bin >> "${TARGET}"
-
-objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
-
 [ "${ENCRYPT}" = "true" ] && ENCRYPTED_MSG="and encrypted "
 echo "Signed ${ENCRYPTED_MSG}image ready: ${TARGET}"
 rm -f "${SRK_TABLE}" csf_descriptor csf.bin 2> /dev/null
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
index 705f660b4..5bdb19960 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
@@ -17,8 +17,9 @@ UBOOT_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${DIGI_GIT
 SRC_URI = " \
 ${UBOOT_GIT_URI};branch=${SRCBRANCH} \
 file://trustfence-sign-kernel.sh;name=kernel-script \
- file://sign_uimage;name=kernel-sign \
- file://encrypt_uimage;name=kernel-encrypt \
+ file://sign_hab;name=kernel-sign \
+ file://encrypt_hab;name=kernel-encrypt \
+ file://sign_ahab;name=kernel-sign \
 "
 do_configure[noexec] = "1"
@@ -26,12 +27,19 @@ do_compile[noexec] = "1"
 do_install() {
 install -d ${D}${bindir}/csf_templates
+ if [ "${SIGN_MODE}" = "AHAB" ]; then
+ install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
+ install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
+ elif [ "${SIGN_MODE}" = "HAB" ]; then
+ install -m 0755 sign_hab ${D}${bindir}/csf_templates/
+ install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
+ install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
+ else
+ bberror "Unkown SIGN_MODE value"
+ exit 1
+ fi
 install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
- install -m 0755 sign_uimage ${D}${bindir}/csf_templates/
- install -m 0755 encrypt_uimage ${D}${bindir}/csf_templates/
- install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
- install -m 0755 git/scripts/csf_templates/sign_uboot ${D}${bindir}/csf_templates
- install -m 0755 git/scripts/csf_templates/encrypt_uboot ${D}${bindir}/csf_templates
+ install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
 }
 FILES_${PN} = "${bindir}"
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
index 0575fb967..66db01319 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
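Review bot: `file://sign_ahab;name=kernel-sign` in the SRC_URI hunk reuses the name that `file://sign_hab;name=kernel-sign` two lines above already carries; the `name=` parameter keys per-entry lookups such as `SRC_URI[<name>.sha256sum]` and is expected to be unique within a recipe. Giving the AHAB template its own name, `file://sign_ahab;name=kernel-sign-ahab \`, avoids the two entries shadowing each other.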
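Review bot: The fallback branch of do_install writes `bberror "Unkown SIGN_MODE value"` followed by a bare `exit 1`; `bbfatal "Unknown SIGN_MODE value: '${SIGN_MODE}'"` fixes the spelling, reports which value was seen (an empty one for any machine that does not set SIGN_MODE) and aborts the task in one step. The same two lines recur in the linux-dey.inc and recovery-initramfs.bb hunks below, so the fix applies there too. The CSF templates copied with `install -m 0755 git/scripts/csf_templates/*` are sed input rather than executables, so `-m 0644` describes them better.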
@@ -24,23 +24,49 @@ trustfence_sign() {
 [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 # Sign/encrypt the kernel images
- for type in ${KERNEL_IMAGETYPES}; do
- KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
- TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
- trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
- mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
- done
+ if [ "${SIGN_MODE}" = "HAB" ]; then
+ for type in ${KERNEL_IMAGETYPES}; do
+ KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
+ TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
+ trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
+ mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
+ done
- # Sign/encrypt the device tree blobs
- for DTB in ${KERNEL_DEVICETREE}; do
- DTB=`normalize_dtb "${DTB}"`
- DTB_EXT=${DTB##*.}
- DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
- DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
- TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
- trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
- mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
- done
+ # Sign/encrypt the device tree blobs
+ for DTB in ${KERNEL_DEVICETREE}; do
+ DTB=`normalize_dtb "${DTB}"`
+ DTB_EXT=${DTB##*.}
+ DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
+ DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
+ TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
+ trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
+ mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
+ done
+ elif [ "${SIGN_MODE}" = "AHAB" ]; then
+ # Sign the kernel images
+ for type in ${KERNEL_IMAGETYPES}; do
+ KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
+ ${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${WORKDIR}/build/arch/arm64/boot/Image a35 ${RAM_CONTAINER_LOC_BOOT} -out flash_os.bin
+ trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "flash_os.bin" "${type}-${MACHINE}-signed.bin"
+ gzip ${type}-${MACHINE}-signed.bin
+ mv ${type}-${MACHINE}-signed.bin.gz "${KERNEL_IMAGE}"
+ done
+
+ # Sign/encrypt the device tree blobs
+ for DTB in ${KERNEL_DEVICETREE}; do
+ DTB=`normalize_dtb "${DTB}"`
+ DTB_EXT=${DTB##*.}
+ DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
+ DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
+ ${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg-signed
+ trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}-mkimg-signed" "${DTB_IMAGE}-signed"
+ mv "${DTB_IMAGE}-signed" "${DTB_IMAGE}"
+ rm -f ${DTB_IMAGE}-mkimg-signed
+ done
+ else
+ bberror "Unkown SIGN_MODE value"
+ exit 1
+ fi
 }
 trustfence_sign[dirs] = "${DEPLOYDIR}"
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index c9e391132..a443606a7 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -67,7 +67,11 @@ python () {
 if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
 d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True))
 if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
- d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
+ if ("ccimx8x" in d.getVar("MACHINE", True)):
+ bb.fatal("Environment encryption is not currently supported on the ccimx8x SOM")
+ return
+ else:
+ d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
 # Provide sane default values for SWUPDATE class in case Trustfence is enabled
 if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
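Review bot: In the AHAB kernel loop the container is always built from `${WORKDIR}/build/arch/arm64/boot/Image`, so each `for type in ${KERNEL_IMAGETYPES}` pass signs the same input regardless of `type`, unconditionally gzips it and writes it to `${KERNEL_IMAGE}`; with more than one image type, or a type other than `Image.gz`, the deployed file would not match what its name says it is, so either derive the input from `${type}` or restrict the loop to the type this path actually supports. The intermediate `flash_os.bin` is never removed (the DTB loop does clean up its `${DTB_IMAGE}-mkimg-signed`), and since `trustfence_sign[dirs] = "${DEPLOYDIR}"` that unsigned container is left in the deploy directory beside the signed image; add `rm -f flash_os.bin` after the `mv`. The `${WORKDIR}/...`, `${DTB_IMAGE}` and `${type}-${MACHINE}-signed.bin` arguments are unquoted while the HAB branch quotes its paths. Unless the kernel recipe already depends on the recipe that deploys `imx-boot-tools/mkimage_imx8`, there is also nothing visible here that guarantees it is present when trustfence_sign runs. trustfence_sign() begins before the hunk.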
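Review bot: The `return` after `bb.fatal(...)` in the new ccimx8x branch is unreachable, since bb.fatal raises after logging, so it can be dropped. Keying the restriction on `"ccimx8x" in d.getVar("MACHINE", True)` also diverges from the SIGN_MODE switch this commit introduces in the other files; `if d.getVar("SIGN_MODE", True) == "AHAB":` would tie the limitation to the signing scheme rather than to a machine-name substring. The enclosing anonymous `python ()` function starts before the hunk.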
@@ -84,7 +88,12 @@ python () {
 key_index_1 = key_index + 1
 # Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
- d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
+ if (d.getVar("SIGN_MODE", "") == "AHAB"):
+ d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
+ d.setVar("CONFIG_SIGN_MODE", "AHAB")
+ else:
+ d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
+ d.setVar("CONFIG_SIGN_MODE", "HAB")
 # Set the key password.
 d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
index 25e3e9e3a..2df871b24 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@@ -40,7 +40,14 @@ do_install() {
 KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
 # Find the certificate to use.
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
+ if [ "${SIGN_MODE}" = "HAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
+ elif [ "${SIGN_MODE}" = "AHAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
+ else
+ bberror "Unkown SIGN_MODE value"
+ exit 1
+ fi
 # Extract the public key from the certificate.
 install -d ${D}${sysconfdir}/ssl/certs
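Review bot: `d.getVar("SIGN_MODE", "")` passes `""` as the second positional argument, which is `expand`, not a default value; a falsy expand returns the raw, unexpanded string, and every other getVar call in this block passes `True`. It only works here because the machine includes assign SIGN_MODE a literal, so use `if (d.getVar("SIGN_MODE", True) == "AHAB"):` for consistency with the surrounding code. The enclosing anonymous `python ()` function starts before the hunk.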
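Review bot: `CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"` inherits the weakness of the HAB line it mirrors: when the glob matches nothing, echo prints the pattern itself and CERT_IMG names a file that does not exist, and when it matches several files CERT_IMG becomes a space-separated list, so the public-key extraction announced by the following comment runs on the wrong input without a clear error. Resolving the glob with `set -- ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem`, checking `[ $# -eq 1 ] && [ -f "$1" ] || bbfatal "expected exactly one SRK${KEY_INDEX_1} CA certificate"` and then assigning `CERT_IMG="$1"` catches both cases, and the same pattern fits the HAB branch. do_install continues past the end of the hunk.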