trustfence: Add Trustfence support for CCMX8X

This commit adds Trustfence support for the CCMX8X platform. Signed-off-by: Mike Engel <Mike.Engel@digi.com> https://jira.digi.com/browse/DEL-6917
2020-01-02 17:32:42 +01:00 · 2020-01-02 17:32:42 +01:00 · 5beec04b6a
parent 31d8ff94fe
commit 5beec04b6a
17 changed files with 602 additions and 179 deletions
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@ -206,16 +206,18 @@ trustence_sign_cpio() {
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 		if [ "${SIGN_MODE}" = "AHAB" ]; then
 			${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
 			mv "${1}-mkimg" "${1}"
 		fi
 		# Sign/encrypt the ramdisk
 		trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf"
 	else
 		# Copy the image with no changes
 		cp "${1}" "${1}.tf"
 	fi
 }
 CONVERSIONTYPES += "tf"
 CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
 CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
 CONVERSION_DEPENDS_tf += "${@oe.utils.conditional('SIGN_MODE', 'AHAB', 'imx-mkimage', '', d)}"
 IMAGE_TYPES += "cpio.gz.u-boot.tf"
 ################################################################################
--- a/meta-digi-arm/conf/machine/include/ccimx6.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx6.inc
@ -43,3 +43,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \
 "
 MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci"
 SIGN_MODE = "HAB"
--- a/meta-digi-arm/conf/machine/include/ccimx6ul.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx6ul.inc
@ -57,3 +57,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255"
 # mkfs.ubifs parameters for rootfs partition
 # Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size.
 MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191"
 SIGN_MODE = "HAB"
--- a/meta-digi-arm/conf/machine/include/ccimx8x.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx8x.inc
@ -72,6 +72,16 @@ KERNEL_IMAGETYPE = "Image.gz"
 VIRTUAL-RUNTIME_init_manager ?= "systemd"
 VIRTUAL-RUNTIME_initscripts ?= "initscripts"
 # For i.MX 8 silicon chip revision
 MX8_CHIP_REV ?= "B0"
 MX8_SOC_VAR ?= "QX"
 SIGN_MODE = "AHAB"
 # For Trustfence container header RAM locations
 RAM_CONTAINER_LOC_BOOT = "0x80280000"
 RAM_CONTAINER_LOC_DTB = "0x82000000"
 RAM_CONTAINER_LOC_TF = "0x82100000"
 # Adding 'wayland' along with 'x11' enables the xwayland backend
 # Vulkan is necessary for wayland to build
 DISTRO_FEATURES_append = " wayland vulkan systemd pam"
--- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
+++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
@ -11,6 +11,7 @@ SRC_URI_append_ccimx8x = " file://0001-iMX8QX-remove-SC_BD_FLAGS_ALT_CONFIG-flag
 IMX_EXTRA_FIRMWARE_ccimx8x = "digi-sc-firmware imx-seco"
 DEPENDS_append_ccimx8x = " coreutils-native"
 DEPENDS_append_ccimx8x += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
 # For i.MX 8, this package aggregates the imx-m4-demos
 # output. Note that this aggregation replaces the aggregation
@ -203,4 +204,22 @@ do_deploy () {
 }
 do_deploy_append () {
 	if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then
 		export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 		# Sign U-boot image
 		for ramc in ${RAM_CONFIGS}; do
 			trustfence-sign-ahab-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin
 		done
 		cd ${DEPLOYDIR}
 		cp ${B}/${config}SRK_efuses.bin ${DEPLOYDIR}
 		install ${B}/${config}SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
 		ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
 	fi
 }
 COMPATIBLE_MACHINE = "(ccimx8x|ccimx8mn)"
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
@ -13,6 +13,8 @@ SRC_URI = " \
    file://0002-hab4_pki_tree.sh-automate-script.patch \
    file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
    file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
    file://0005-ahab_pki_tree.sh-automate-script.patch \
    file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
    file://Makefile \
 "
@ -41,7 +43,14 @@ do_install() {
 	install -d ${D}${bindir}
 	install -m 0755 linux64/cst ${D}${bindir}/cst
 	install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
 	if [ "${SIGN_MODE}" = "AHAB" ]; then
 		install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
 	elif [ "${SIGN_MODE}" = "HAB" ]; then
 		install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
 	else
 		bberror "Unkown SIGN_MODE value"
 		exit 1
 	fi
 	install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
 	install -m 0755 ca/v3_ca.cnf ${D}${bindir}/v3_ca.cnf
 	install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch
@ -0,0 +1,206 @@
 From: Mike Engel <Mike.Engel@digi.com>
 Date: Fri, 24 Jan 2020 17:31:50 +0100
 Subject: [PATCH] ahab_pki_tree.sh: automate script
 Signed-off-by: Mike Engel <Mike.Engel@digi.com>
 ---
 keys/ahab_pki_tree.sh | 116 ++++++++++++++++++-------------------------------------
 1 file changed, 38 insertions(+), 78 deletions(-)
 diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
 index 988c27e..00dd143 100755
 --- a/keys/ahab_pki_tree.sh
 +++ b/keys/ahab_pki_tree.sh
@@ -47,74 +47,36 @@
 #
 #-----------------------------------------------------------------------------
 -printf "\n"
 -printf "    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
 -printf "    This script is a part of the Code signing tools for NXP's\n"
 -printf "    Advanced High Assurance Boot.  It generates a basic PKI tree. The\n"
 -printf "    PKI tree consists of one or more Super Root Keys (SRK), with each\n"
 -printf "    SRK having one subordinate keys: \n"
 -printf "        + a Signing key (SGK) \n"
 -printf "    Additional keys can be added to the PKI tree but a separate \n"
 -printf "    script is available for this.  This this script assumes openssl\n"
 -printf "    is installed on your system and is included in your search \n"
 -printf "    path.  Finally, the private keys generated are password \n"
 -printf "    protectedwith the password provided by the file key_pass.txt.\n"
 -printf "    The format of the file is the password repeated twice:\n"
 -printf "        my_password\n"
 -printf "        my_password\n"
 -printf "    All private keys in the PKI tree are in PKCS #8 format will be\n"
 -printf "    protected by the same password.\n\n"
 -printf "    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
 -
 -stty erase 
 -
 -printf "Do you want to use an existing CA key (y/n)?:  \b"
 -read existing_ca
 -if [ $existing_ca = "y" ]
 -then
 -    printf "Enter CA key name:  \b"
 -    read ca_key
 -    printf "Enter CA certificate name:  \b"
 -    read ca_cert
 +SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
 +CSF_PATH="${1}"
 +if [ ! -d "${CSF_PATH}" ]; then
 +	echo "Invalid CSF_PATH: ${CSF_PATH}"
 +	exit 1
 fi
 -printf "Do you want to use Elliptic Curve Cryptography (y/n)?:  \b"
 -read use_ecc
 -if [ $use_ecc = "y" ]
 -then
 -    printf "Enter length for elliptic curve to be used for PKI tree:\n"
 -    printf "Possible values p256, p384, p521:   \b"
 -    read kl
 -
 -    # Confirm that a valid key length has been entered
 -    case $kl in
 -        p256)
 -            cn="prime256v1" ;;
 -        p384)
 -            cn="secp384r1" ;;
 -        p521)
 -            cn="secp521r1" ;;
 -        *)
 -            echo Invalid key length. Supported key lengths: 256, 384, 521
 -        exit 1 ;;
 -    esac
 -else
 -    printf "Enter key length in bits for PKI tree:  \b"
 -    read kl
 -
 -    # Confirm that a valid key length has been entered
 -    case $kl in
 -        2048) ;;
 -        3072) ;;
 -        4096) ;;
 -        *)
 -            echo Invalid key length. Supported key lengths: 2048, 3072, 4096
 -        exit 1 ;;
 -    esac
 -fi
 +cd "${CSF_PATH}"
 +
 +[ -d crts ] || mkdir crts
 +[ -d keys ] || mkdir keys
 + 
 +cd keys
 +
 +use_ecc="y"
 +existing_ca="n"
 +kl="p521"
 +cn="secp521r1"
 +
 +# Confirm that a valid key length has been entered
 +case $kl in
 +    p256);;
 +    p384);;
 +    p521);;
 +    *)
 +        echo Invalid key length. Supported key lengths: 256, 384, 521
 +       exit 1 ;;
 +esac
 -printf "Enter the digest algorithm to use:  \b"
 -read da
 +da="sha512"
 # Confirm that a valid digest algorithm has been entered
 case $da in
@@ -126,8 +88,7 @@ case $da in
     exit 1 ;;
 esac
 -printf "Enter PKI tree duration (years):  \b"
 -read duration
 +duration="10"
 # Compute validity period
 val_period=$((duration*365))
@@ -144,8 +105,7 @@ then
 fi
 # Check if SRKs should be generated as CA certs or user certs
 -printf "Do you want the SRK certificates to have the CA flag set? (y/n)?:  \b"
 -read srk_ca
 +srk_ca="y"
 # Check that the file "serial" is present, if not create it:
 if [ ! -f serial ]
@@ -201,7 +161,7 @@ then
                    -x509 -extensions v3_ca \
                    -keyout temp_ca.pem \
                    -out ${ca_cert}.pem \
 -                   -days ${val_period} -config ../ca/openssl.cnf
 +                   -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
     # Generate CA key in PKCS #8 format - both PEM and DER
     openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -218,7 +178,7 @@ then
     openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
     # Cleanup
 -    \rm temp_ca.pem
 +    rm temp_ca.pem
 fi
@@ -292,7 +252,7 @@ then
                       -out ${srk_key}.pem
         # Cleanup
 -        \rm ./temp_srk.pem ./temp_srk_req.pem
 +        rm ./temp_srk.pem ./temp_srk_req.pem
         i=$((i+1))
     done
 else
@@ -341,10 +301,10 @@ do
                   -in ./temp_srk_req.pem \
                   -cert ${ca_cert}.pem \
                   -keyfile ${ca_key}.pem \
 -                  -extfile ../ca/v3_ca.cnf \
 +                  -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
                   -out ${srk_crt}.pem \
                   -days ${val_period} \
 -                  -config ../ca/openssl.cnf
 +                  -config "${SCRIPT_BASEDIR}/openssl.cnf"
     # Convert SRK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -365,7 +325,7 @@ do
                   -out ${srk_key}.pem
     # Cleanup
 -    \rm ./temp_srk.pem ./temp_srk_req.pem
 +    rm ./temp_srk.pem ./temp_srk_req.pem
     echo
     echo ++++++++++++++++++++++++++++++++++++++++
@@ -410,10 +370,10 @@ do
                -in ./temp_sgk_req.pem \
                -cert ${srk_crt_i} \
                -keyfile ${srk_key_i} \
 -               -extfile ../ca/v3_usr.cnf \
 +               -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
                -out ${sgk_crt}.pem \
                -days ${val_period} \
 -               -config ../ca/openssl.cnf
 +               -config "${SCRIPT_BASEDIR}/openssl.cnf"
     # Convert SGK Certificate to DER format
     openssl x509 -inform PEM -outform DER \
@@ -432,7 +392,7 @@ do
                   -out ${sgk_key}.pem
     # Cleanup
 -    \rm ./temp_sgk.pem ./temp_sgk_req.pem
 +    rm ./temp_sgk.pem ./temp_sgk_req.pem
     i=$((i+1))
 done
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
@ -0,0 +1,28 @@
 From: Mike Engel <Mike.Engel@digi.com>
 Date: Fri, 24 Jan 2020 17:47:56 +0100
 Subject: [PATCH] ahab_pki_tree.sh: use a random password for the default PKI
 generation
 Signed-off-by: Mike Engel <Mike.Engel@digi.com>
 ---
 keys/ahab_pki_tree.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
 index 00dd143..8b81143 100755
 --- a/keys/ahab_pki_tree.sh
 +++ b/keys/ahab_pki_tree.sh
@@ -117,9 +117,10 @@ fi
 # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
 if [ ! -f key_pass.txt ]
 then
 -    echo "test" > key_pass.txt
 -    echo "test" >> key_pass.txt
 -    echo "A default file 'key_pass.txt' was created with password = test!"
 +    password="$(openssl rand -base64 32)"
 +    echo "${password}" > key_pass.txt
 +    echo "${password}" >> key_pass.txt
 +    echo "A file 'key_pass.txt' was created with a random password!"
 fi
 # The following is required otherwise OpenSSL complains
--- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
@ -79,7 +79,7 @@ do_compile () {
 					unset k
 					# Secure boot artifacts
-					if [ "${TRUSTFENCE_SIGN}" = "1" ]
+					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]
 					then
 						cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
 						cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
@ -122,8 +122,7 @@ do_deploy_append() {
 					cd ${DEPLOYDIR}
 					rm -r ${UBOOT_BINARY}-${type}
 					ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
-					if [ "${TRUSTFENCE_SIGN}" = "1" ]
+					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then
 					then
 						install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
 						ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
@ -162,10 +161,12 @@ do_deploy_append() {
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 		# Sign boot script
 		if [ "${SIGN_MODE}" = "HAB" ]; then
 			TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
 			mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
 		fi
 	fi
 	rm -f ${TMP_BOOTSCR}
 }
@ -177,6 +178,11 @@ do_deploy_append_ccimx8x() {
 	install -d ${DEPLOYDIR}/${BOOT_TOOLS}
 	mv ${DEPLOYDIR}/u-boot* ${DEPLOYDIR}/${BOOT_TOOLS}/
 	mv ${DEPLOYDIR}/${UBOOT_SYMLINK}-* ${DEPLOYDIR}/${BOOT_TOOLS}/
 	if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
 		${DEPLOY_DIR_IMAGE}/${BOOT_TOOLS}/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DEPLOYDIR}/boot.scr a35 ${RAM_CONTAINER_LOC_BOOT} -out ${DEPLOYDIR}/boot-mkimg.scr
 		trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot-mkimg.scr" "${DEPLOYDIR}/boot.scr"
 		rm -f ${DEPLOYDIR}/boot-mkimg.scr
 	fi
 }
 do_deploy_append_ccimx8mn() {
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_uimage
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_uimage
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
@ -0,0 +1,23 @@
 # The syntax for this file is documented in the HAB Code Signing Tool
 # User's Guid which is included in the CST package distributed by NXP
 [Header]
    Target = AHAB
    Version = 1.0
 [Install SRK]
    # SRK table generated by srktool
    File = "%srk_table%"
    # Public key certificate in PEM format
    Source = "%cert_img%"
    # Index of the public key certificate within the SRK table (0 .. 3)
    Source index = %key_index%
    # Type of SRK set (NXP or OEM)
    Source set = OEM
    # bitmask of the revoked SRKs
    Revocations = 0x%key_index%
 [Authenticate Data]
    # Binary to be signed generated by mkimage
    File = "%kernel-img%"
    # Offsets = Container header Signature block (printed out by mkimage)
    Offsets = %container_offset% %block_offset%
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_uimage
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_uimage
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
@ -1,9 +1,9 @@
 #!/bin/sh
 #===============================================================================
 #
-#  trustfence_sign_uimage.sh
+#  trustfence-sign-kernel.sh
 #
-#  Copyright (C) 2016 by Digi International Inc.
+#  Copyright (C) 2016-2020 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@ -54,7 +54,7 @@ Usage: ${SCRIPT_NAME} [OPTIONS] input-unsigned-image output-signed-image
    -i               sign/encrypt initramfs
    -l               sign/encrypt Linux image
-Supported platforms: ccimx6, ccimx6ul
+Supported platforms: ccimx6, ccimx6ul, ccimx8x
 EOF
 }
@ -64,14 +64,16 @@ if [ "${#}" != "2" ]; then
 	exit 1
 fi
 # Negative offset with respect to CONFIG_RAM_START in which U-Boot
 # copies the DEK blob.
 DEK_BLOB_OFFSET="0x100"
 CONFIG_CSF_SIZE="0x4000"
 UIMAGE_PATH="$(readlink -e ${1})"
 TARGET="$(readlink -m ${2})"
 # Negative offset with respect to CONFIG_RAM_START in which U-Boot
 # copies the DEK blob.
 if [ "${SIGN_MODE}" = "HAB" ]; then
 	DEK_BLOB_OFFSET="0x100"
 	CONFIG_CSF_SIZE="0x4000"
 fi
 # Read user configuration file (if used)
 [ -f .config ] && . ./.config
@ -81,7 +83,8 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
 fi
 [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
-if [ -n "${CONFIG_DEK_PATH}" ]; then
+if [ "${SIGN_MODE}" = "HAB" ]; then
 	if [ -n "${CONFIG_DEK_PATH}" ]; then
 		if [ ! -f "${CONFIG_DEK_PATH}" ]; then
 			echo "DEK not found. Generating random 256 bit DEK."
 			[ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
@ -93,31 +96,32 @@ if [ -n "${CONFIG_DEK_PATH}" ]; then
 			exit 1
 		fi
 		ENCRYPT="true"
-fi
+	fi
-if [ "${PLATFORM}" = "ccimx6" ]; then
+	if [ "${PLATFORM}" = "ccimx6" ]; then
 		CONFIG_FDT_LOADADDR="0x18000000"
 		CONFIG_RAMDISK_LOADADDR="0x19000000"
 		CONFIG_KERNEL_LOADADDR="0x12000000"
-elif [ "${PLATFORM}" = "ccimx6ul" ]; then
+	elif [ "${PLATFORM}" = "ccimx6ul" ]; then
 		CONFIG_FDT_LOADADDR="0x83000000"
 		CONFIG_RAMDISK_LOADADDR="0x83800000"
 		CONFIG_KERNEL_LOADADDR="0x80800000"
-else
+	else
 		echo "Invalid platform: ${PLATFORM}"
 		echo "Supported platforms: ccimx6, ccimx6ul"
 		exit 1
-fi
+	fi
-[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
+	[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
-[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
+	[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
-[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
+	[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
-# bootscripts are loaded to $loadaddr, just like the kernel
+	# bootscripts are loaded to $loadaddr, just like the kernel
-[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
+	[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
-if [ -z "${CONFIG_RAM_START}" ]; then
+	if [ -z "${CONFIG_RAM_START}" ]; then
 		echo "Specify the type of image to process (-b, -i, -d, or -l)"
 		exit 1
 	fi
 fi
 # Default values
@ -125,61 +129,83 @@ fi
 CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
 SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
-CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
+if [ "${SIGN_MODE}" = "HAB" ]; then
-CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
+	CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
 	CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
 fi
 n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
-if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
+if [ "${SIGN_MODE}" = "HAB" ]; then
 	if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
 		# PKI tree already exists.
 		echo "Using existing PKI tree"
-elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then
+	elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then
 		# Generate PKI
 		trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
 		SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
 		CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
 		CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
-else
+	else
 		echo "Inconsistent CST folder."
 		exit 1
 	fi
 elif [ "${SIGN_MODE}" = "AHAB" ]; then
 	if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
 		# PKI tree already exists. Do nothing
 		echo "Using existing PKI tree"
 	elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
 		# Generate PKI
 		trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
 		SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
 	else
 		echo "Inconsistent CST folder."
 		exit 1
 	fi
 fi
 SRK_TABLE="$(pwd)/SRK_table.bin"
 if [ "${SIGN_MODE}" = "HAB" ]; then
 	HAB_VER="hab_ver 4"
 	DIGEST="digest"
 	DIGEST_ALGO="sha256"
 	SRK_EFUSES="/dev/null"
-# Other constants
+	# Other constants
-GAP_FILLER="0x00"
+	GAP_FILLER="0x00"
-# The DEK blob is placed by U-Boot just before the kernel image
+	# The DEK blob is placed by U-Boot just before the kernel image
-dek_blob_offset="$((CONFIG_KERNEL_LOADADDR - DEK_BLOB_OFFSET))"
+	dek_blob_offset="$((CONFIG_KERNEL_LOADADDR - DEK_BLOB_OFFSET))"
-# Compute the layout: sizes and offsets.
+	# Compute the layout: sizes and offsets.
-uimage_size="$(stat -L -c %s ${UIMAGE_PATH})"
+	uimage_size="$(stat -L -c %s ${UIMAGE_PATH})"
-uimage_offset="0x0"
+	uimage_offset="0x0"
-pad_len="$(((uimage_size + 0x1000 - 1) & ~(0x1000 - 1)))"
+	pad_len="$(((uimage_size + 0x1000 - 1) & ~(0x1000 - 1)))"
-auth_len="$((pad_len + 0x20))"
+	auth_len="$((pad_len + 0x20))"
-sig_len="$((auth_len + CONFIG_CSF_SIZE))"
+	sig_len="$((auth_len + CONFIG_CSF_SIZE))"
-ivt_uimage_start="$((auth_len - 0x20))"
+	ivt_uimage_start="$((auth_len - 0x20))"
-ivt_ram_start="$((CONFIG_RAM_START + ivt_uimage_start))"
+	ivt_ram_start="$((CONFIG_RAM_START + ivt_uimage_start))"
-ivt_size="0x20"
+	ivt_size="0x20"
-csf_ram_start="$((ivt_ram_start + ivt_size))"
+	csf_ram_start="$((ivt_ram_start + ivt_size))"
-entrypoint_uimage_offset="0x100"
+	entrypoint_uimage_offset="0x100"
-entrypoint_ram_start="$((CONFIG_RAM_START + entrypoint_uimage_offset))"
+	entrypoint_ram_start="$((CONFIG_RAM_START + entrypoint_uimage_offset))"
-entrypoint_size="0x20"
+	entrypoint_size="0x20"
-header_uimage_offset="0x0"
+	header_uimage_offset="0x0"
-header_ram_start="${CONFIG_RAM_START}"
+	header_ram_start="${CONFIG_RAM_START}"
-header_size="0x40"
+	header_size="0x40"
-r1_uimage_offset="${header_size}"
+	r1_uimage_offset="${header_size}"
-r1_ram_start="$((CONFIG_RAM_START + r1_uimage_offset))"
+	r1_ram_start="$((CONFIG_RAM_START + r1_uimage_offset))"
-r1_size="$((entrypoint_uimage_offset - header_size ))"
+	r1_size="$((entrypoint_uimage_offset - header_size ))"
-r2_uimage_offset="$((entrypoint_uimage_offset + entrypoint_size))"
+	r2_uimage_offset="$((entrypoint_uimage_offset + entrypoint_size))"
-r2_ram_start="$((CONFIG_RAM_START + r2_uimage_offset))"
+	r2_ram_start="$((CONFIG_RAM_START + r2_uimage_offset))"
-r2_size="$((ivt_uimage_start - (entrypoint_uimage_offset + entrypoint_size)))"
+	r2_size="$((ivt_uimage_start - (entrypoint_uimage_offset + entrypoint_size)))"
-# Generate actual CSF descriptor file from template
+	# Generate actual CSF descriptor file from template
-if [ "${ENCRYPT}" = "true" ]; then
+	if [ "${ENCRYPT}" = "true" ]; then
 		sed -e "s,%ram_start%,${CONFIG_RAM_START},g"		    \
 		-e "s,%srk_table%,${SRK_TABLE},g "				    \
 		-e "s,%cert_csf%,${CERT_CSF},g"				    \
@ -204,8 +230,8 @@ if [ "${ENCRYPT}" = "true" ]; then
 		-e "s,%r2_uimage_offset%,${r2_uimage_offset},g"		    \
 		-e "s,%r2_ram_start%,${r2_ram_start},g"			    \
 		-e "s,%r2_size%,${r2_size},g"				    \
-	"${SCRIPT_PATH}/csf_templates/encrypt_uimage" > csf_descriptor
+		"${SCRIPT_PATH}/csf_templates/encrypt_hab" > csf_descriptor
-else
+	else
 		sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \
 		-e "s,%srk_table%,${SRK_TABLE},g"		   \
 		-e "s,%image_offset%,${uimage_offset},g"	   \
@ -214,25 +240,57 @@ else
 		-e "s,%cert_img%,${CERT_IMG},g"		   \
 		-e "s,%uimage_path%,${TARGET},g"		   \
 		-e "s,%key_index%,${CONFIG_KEY_INDEX},g"	   \
-	"${SCRIPT_PATH}/csf_templates/sign_uimage" > csf_descriptor
+		"${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor
 	fi
 else
 	SRK_EFUSES="$(pwd)/SRK_efuses.bin"
 	# Other constants
 	KERNEL_START_OFFSET="0x0"
 	KERNEL_SIG_BLOCK_OFFSET="0x90"
 	KERNEL_NAME="${1}"
 	HAB_VER="ahab"
 	DIGEST="sign_digest"
 	DIGEST_ALGO="sha512"
 	# Compute the layout: sizes and offsets.
 	container_header_offset="${KERNEL_START_OFFSET}"
 	signature_block_offset="${KERNEL_SIG_BLOCK_OFFSET}"
 	SRK_CERT_KEY_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK${CONFIG_KEY_INDEX_1}*crt.pem | sed s/\ /\,/g)"
 	sed -e "s,%srk_table%,${SRK_TABLE},g"		   \
 	-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g"		   \
 	-e "s,%kernel-img%,${KERNEL_NAME},g"		   \
 	-e "s,%key_index%,${CONFIG_KEY_INDEX},g"	   \
 	-e "s,%container_offset%,${container_header_offset},g" \
 	-e "s,%block_offset%,${signature_block_offset},g" \
 	"${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
 	if [ "${ENCRYPT}" = "true" ]; then
 		echo "[ERROR] Environment encryption is not supported."
 		exit 1
 	fi
 fi
 # Generate SRK tables
-srktool --hab_ver 4 --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses /dev/null --digest sha256
+srktool --${HAB_VER} --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses "${SRK_EFUSES}" --${DIGEST} "${DIGEST_ALGO}"
 if [ $? -ne 0 ]; then
 	echo "[ERROR] Could not generate SRK tables"
 	exit 1
 fi
-# Pad to IVT
+if [ "${SIGN_MODE}" = "HAB" ]; then
-objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
+	# Pad to IVT
 	objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
-# Generate and attach IVT
+	# Generate and attach IVT
-# Fields: header, jump location, reserved (0), DCD pointer (null)
+	# Fields: header, jump location, reserved (0), DCD pointer (null)
-#	  boot data (null), self pointer, CSF pointer, reserved (0)
+	#	  boot data (null), self pointer, CSF pointer, reserved (0)
-PRINTF="$(which printf)"
+	PRINTF="$(which printf)"
-IVT_HEADER="0x402000D1"
+	IVT_HEADER="0x402000D1"
-{
+	{
 		${PRINTF} $(${PRINTF} "%08x" ${IVT_HEADER} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
 		${PRINTF} $(${PRINTF} "%08x" ${entrypoint_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
 		${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
@ -241,19 +299,27 @@ IVT_HEADER="0x402000D1"
 		${PRINTF} $(${PRINTF} "%08x" ${ivt_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
 		${PRINTF} $(${PRINTF} "%08x" ${csf_ram_start} | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
 		${PRINTF} $(${PRINTF} "%08x" 0 | sed 's/.\{2\}/&\n/g' | tac | sed 's,^,\\x,g' | tr -d '\n')
-} >> "${TARGET}"
+	} >> "${TARGET}"
-CURRENT_PATH="$(pwd)"
+	CURRENT_PATH="$(pwd)"
-cst -o "${CURRENT_PATH}/csf.bin" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
+	cst -o "${CURRENT_PATH}/csf.bin" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
-if [ $? -ne 0 ]; then
+	if [ $? -ne 0 ]; then
 		echo "[ERROR] Could not generate CSF"
 		exit 1
 	fi
 	cat csf.bin >> "${TARGET}"
 	objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
 else
 	CURRENT_PATH="$(pwd)"
 	cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
 	if [ $? -ne 0 ]; then
 		echo "[ERROR] Could not generate CSF $?"
 		exit 1
 	fi
 fi
 cat csf.bin >> "${TARGET}"
 objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
 [ "${ENCRYPT}" = "true" ] && ENCRYPTED_MSG="and encrypted "
 echo "Signed ${ENCRYPTED_MSG}image ready: ${TARGET}"
 rm -f "${SRK_TABLE}" csf_descriptor csf.bin 2> /dev/null
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
@ -17,8 +17,9 @@ UBOOT_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${DIGI_GIT
 SRC_URI = " \
    ${UBOOT_GIT_URI};branch=${SRCBRANCH} \
    file://trustfence-sign-kernel.sh;name=kernel-script \
-    file://sign_uimage;name=kernel-sign \
+    file://sign_hab;name=kernel-sign \
-    file://encrypt_uimage;name=kernel-encrypt \
+    file://encrypt_hab;name=kernel-encrypt \
    file://sign_ahab;name=kernel-sign \
 "
 do_configure[noexec] = "1"
@ -26,12 +27,19 @@ do_compile[noexec] = "1"
 do_install() {
 	install -d ${D}${bindir}/csf_templates
-	install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
+	if [ "${SIGN_MODE}" = "AHAB" ]; then
-	install -m 0755 sign_uimage ${D}${bindir}/csf_templates/
+		install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
-	install -m 0755 encrypt_uimage ${D}${bindir}/csf_templates/
+		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
 	elif [ "${SIGN_MODE}" = "HAB" ]; then
 		install -m 0755 sign_hab ${D}${bindir}/csf_templates/
 		install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
 		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
-	install -m 0755 git/scripts/csf_templates/sign_uboot ${D}${bindir}/csf_templates
+	else
-	install -m 0755 git/scripts/csf_templates/encrypt_uboot ${D}${bindir}/csf_templates
+		bberror "Unkown SIGN_MODE value"
 		exit 1
 	fi
 	install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
 	install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
 }
 FILES_${PN} = "${bindir}"
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
@ -24,6 +24,7 @@ trustfence_sign() {
 	[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 	# Sign/encrypt the kernel images
 	if [ "${SIGN_MODE}" = "HAB" ]; then
 		for type in ${KERNEL_IMAGETYPES}; do
 			KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
 			TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
@ -41,6 +42,31 @@ trustfence_sign() {
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
 			mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
 		done
 	elif [ "${SIGN_MODE}" = "AHAB" ]; then
 		# Sign the kernel images
 		for type in ${KERNEL_IMAGETYPES}; do
 			KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
 			${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${WORKDIR}/build/arch/arm64/boot/Image a35 ${RAM_CONTAINER_LOC_BOOT} -out flash_os.bin
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "flash_os.bin" "${type}-${MACHINE}-signed.bin"
 			gzip ${type}-${MACHINE}-signed.bin
 			mv ${type}-${MACHINE}-signed.bin.gz "${KERNEL_IMAGE}"
 		done
 		# Sign/encrypt the device tree blobs
 		for DTB in ${KERNEL_DEVICETREE}; do
 			DTB=`normalize_dtb "${DTB}"`
 			DTB_EXT=${DTB##*.}
 			DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
 			DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
 			${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg-signed
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}-mkimg-signed" "${DTB_IMAGE}-signed"
 			mv "${DTB_IMAGE}-signed" "${DTB_IMAGE}"
 			rm -f ${DTB_IMAGE}-mkimg-signed
 		done
 	else
 		bberror "Unkown SIGN_MODE value"
 		exit 1
 	fi
 }
 trustfence_sign[dirs] = "${DEPLOYDIR}"
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -67,6 +67,10 @@ python () {
        if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True))
    if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
        if ("ccimx8x" in d.getVar("MACHINE", True)):
            bb.fatal("Environment encryption is not currently supported on the ccimx8x SOM")
            return
        else:
            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
    # Provide sane default values for SWUPDATE class in case Trustfence is enabled
@ -84,7 +88,12 @@ python () {
        key_index_1 = key_index + 1
        # Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
        if (d.getVar("SIGN_MODE", "") == "AHAB"):
            d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
            d.setVar("CONFIG_SIGN_MODE", "AHAB")
        else:
            d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
            d.setVar("CONFIG_SIGN_MODE", "HAB")
        # Set the key password.
        d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@ -40,7 +40,14 @@ do_install() {
 		KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
 		# Find the certificate to use.
 		if [ "${SIGN_MODE}" = "HAB" ]; then
 			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
 		elif [ "${SIGN_MODE}" = "AHAB" ]; then
 			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
 		else
 			bberror "Unkown SIGN_MODE value"
 			exit 1
 		fi
 		# Extract the public key from the certificate.
 		install -d ${D}${sysconfdir}/ssl/certs