trustfence: Add Trustfence support for CCMX8X

This commit adds Trustfence support for the CCMX8X
platform.

Signed-off-by: Mike Engel <Mike.Engel@digi.com>

https://jira.digi.com/browse/DEL-6917
Mike Engel 2020-01-02 17:32:42 +01:00
parent 31d8ff94fe
commit 5beec04b6a
17 changed files with 602 additions and 179 deletions


@ -206,16 +206,18 @@ trustence_sign_cpio() {
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
if [ "${SIGN_MODE}" = "AHAB" ]; then
${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
mv "${1}-mkimg" "${1}"
fi
# Sign/encrypt the ramdisk
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf"
else
# Copy the image with no changes
cp "${1}" "${1}.tf"
fi
}
CONVERSIONTYPES += "tf"
CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
CONVERSION_DEPENDS_tf += "${@oe.utils.conditional('SIGN_MODE', 'AHAB', 'imx-mkimage', '', d)}"
IMAGE_TYPES += "cpio.gz.u-boot.tf"
################################################################################
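Review bot: The AHAB branch at L21–L22 overwrites the unsigned input `${1}` in place with the mkimage container before the signing step runs, so a failure in `trustfence-sign-kernel.sh` on L25 leaves the source cpio already mutated and a re-run of the conversion would wrap it a second time; writing the container to a temporary (`-out "${1}-mkimg"`), passing that temporary to the signer in the AHAB case and removing it afterwards keeps the input untouched. The `${1}` on the mkimage line is also unquoted while L22, L25 and L28 quote it. trustence_sign_cpio starts outside the hunk, and whether the task runs under `set -e` is not visible here, so the mkimage exit status may want an explicit `|| bbfatal "mkimage_imx8 failed"` before the `mv`.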


@ -43,3 +43,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \
"
MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci"
SIGN_MODE = "HAB"


@ -57,3 +57,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255"
# mkfs.ubifs parameters for rootfs partition
# Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size.
MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191"
SIGN_MODE = "HAB"


@ -72,6 +72,16 @@ KERNEL_IMAGETYPE = "Image.gz"
VIRTUAL-RUNTIME_init_manager ?= "systemd"
VIRTUAL-RUNTIME_initscripts ?= "initscripts"
# For i.MX 8 silicon chip revision
MX8_CHIP_REV ?= "B0"
MX8_SOC_VAR ?= "QX"
SIGN_MODE = "AHAB"
# For Trustfence container header RAM locations
RAM_CONTAINER_LOC_BOOT = "0x80280000"
RAM_CONTAINER_LOC_DTB = "0x82000000"
RAM_CONTAINER_LOC_TF = "0x82100000"
# Adding 'wayland' along with 'x11' enables the xwayland backend
# Vulkan is necessary for wayland to build
DISTRO_FEATURES_append = " wayland vulkan systemd pam"
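Review bot: The comment on L62 says only that L63–L65 are "container header RAM locations", but these values are handed to mkimage_imx8 as the address after `a35` in the other hunks of this commit (boot script, kernel, DTB and initramfs), and nothing here records what they must agree with. A sentence naming the U-Boot load address each one presumably has to match, stating that the three ranges must not overlap each other or the kernel, and saying what goes wrong if one drifts would make a future edit much safer; something like `# Must match the load addresses U-Boot uses for boot script / DTB / initramfs; keep the ranges disjoint` next to L62. Whether `MX8_CHIP_REV ?= "B0"` on L59 also has to match the silicon the SECO firmware targets is not stated either; if it does, say so there.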


@ -11,6 +11,7 @@ SRC_URI_append_ccimx8x = " file://0001-iMX8QX-remove-SC_BD_FLAGS_ALT_CONFIG-flag
IMX_EXTRA_FIRMWARE_ccimx8x = "digi-sc-firmware imx-seco"
DEPENDS_append_ccimx8x = " coreutils-native"
DEPENDS_append_ccimx8x += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
# For i.MX 8, this package aggregates the imx-m4-demos
# output. Note that this aggregation replaces the aggregation
@ -203,4 +204,22 @@ do_deploy () {
}
do_deploy_append () {
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
# Sign U-boot image
for ramc in ${RAM_CONFIGS}; do
trustfence-sign-ahab-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin
done
cd ${DEPLOYDIR}
cp ${B}/${config}SRK_efuses.bin ${DEPLOYDIR}
install ${B}/${config}SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
fi
}
COMPATIBLE_MACHINE = "(ccimx8x|ccimx8mn)"
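Review bot: L90 and L91 build the source path as `${B}/${config}SRK_efuses.bin` with no `/` between `${config}` and the file name, whereas the u-boot recipe in this same commit uses `${B}/${config}/SRK_efuses.bin` (L358); one of the two is presumably wrong, and whether `${config}` is set at all in this recipe is not visible in the hunk. The `cp` on L90 is also redundant with the `install` on L91, which copies the same file into `${DEPLOYDIR}` under the versioned name that L92 then links to. The expansions on L87 and L89–L92 are unquoted while L81–L84 quote theirs; `trustfence-sign-ahab-uboot.sh "${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin" "${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin"` would match.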


@ -13,6 +13,8 @@ SRC_URI = " \
file://0002-hab4_pki_tree.sh-automate-script.patch \
file://0003-openssl_helper-use-dev-urandom-as-seed-source.patch \
file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
file://0005-ahab_pki_tree.sh-automate-script.patch \
file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
file://Makefile \
"
@ -41,7 +43,14 @@ do_install() {
install -d ${D}${bindir}
install -m 0755 linux64/cst ${D}${bindir}/cst
install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
if [ "${SIGN_MODE}" = "AHAB" ]; then
install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
elif [ "${SIGN_MODE}" = "HAB" ]; then
install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
else
bberror "Unkown SIGN_MODE value"
exit 1
fi
install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
install -m 0755 ca/v3_ca.cnf ${D}${bindir}/v3_ca.cnf
install -m 0755 ca/v3_usr.cnf ${D}${bindir}/v3_usr.cnf
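Review bot: The error message on L116 reads `Unkown SIGN_MODE value`; the same typo is repeated in the other recipes of this commit (L590, L632, L672) and should be `Unknown SIGN_MODE value` in all four. `bberror` followed by `exit 1` is what `bbfatal` already does, so `bbfatal "Unknown SIGN_MODE value: '${SIGN_MODE}'"` is shorter and prints the offending value, which is the useful hint when the variable is simply unset for a machine that has not declared it. The HAB and AHAB branches install different scripts under the same name `trustfence-gen-pki.sh` (L112, L114); a one-line comment saying that `trustfence-sign-kernel.sh` calls it by that fixed name would explain why the name must not change.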


@ -0,0 +1,206 @@
From: Mike Engel <Mike.Engel@digi.com>
Date: Fri, 24 Jan 2020 17:31:50 +0100
Subject: [PATCH] ahab_pki_tree.sh: automate script
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
---
keys/ahab_pki_tree.sh | 116 ++++++++++++++++++-------------------------------------
1 file changed, 38 insertions(+), 78 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 988c27e..00dd143 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -47,74 +47,36 @@
#
#-----------------------------------------------------------------------------
-printf "\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-printf " This script is a part of the Code signing tools for NXP's\n"
-printf " Advanced High Assurance Boot. It generates a basic PKI tree. The\n"
-printf " PKI tree consists of one or more Super Root Keys (SRK), with each\n"
-printf " SRK having one subordinate keys: \n"
-printf " + a Signing key (SGK) \n"
-printf " Additional keys can be added to the PKI tree but a separate \n"
-printf " script is available for this. This this script assumes openssl\n"
-printf " is installed on your system and is included in your search \n"
-printf " path. Finally, the private keys generated are password \n"
-printf " protectedwith the password provided by the file key_pass.txt.\n"
-printf " The format of the file is the password repeated twice:\n"
-printf " my_password\n"
-printf " my_password\n"
-printf " All private keys in the PKI tree are in PKCS #8 format will be\n"
-printf " protected by the same password.\n\n"
-printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
-
-stty erase 
-
-printf "Do you want to use an existing CA key (y/n)?: \b"
-read existing_ca
-if [ $existing_ca = "y" ]
-then
- printf "Enter CA key name: \b"
- read ca_key
- printf "Enter CA certificate name: \b"
- read ca_cert
+SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
+CSF_PATH="${1}"
+if [ ! -d "${CSF_PATH}" ]; then
+ echo "Invalid CSF_PATH: ${CSF_PATH}"
+ exit 1
fi
-printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b"
-read use_ecc
-if [ $use_ecc = "y" ]
-then
- printf "Enter length for elliptic curve to be used for PKI tree:\n"
- printf "Possible values p256, p384, p521: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- p256)
- cn="prime256v1" ;;
- p384)
- cn="secp384r1" ;;
- p521)
- cn="secp521r1" ;;
- *)
- echo Invalid key length. Supported key lengths: 256, 384, 521
- exit 1 ;;
- esac
-else
- printf "Enter key length in bits for PKI tree: \b"
- read kl
-
- # Confirm that a valid key length has been entered
- case $kl in
- 2048) ;;
- 3072) ;;
- 4096) ;;
- *)
- echo Invalid key length. Supported key lengths: 2048, 3072, 4096
- exit 1 ;;
- esac
-fi
+cd "${CSF_PATH}"
+
+[ -d crts ] || mkdir crts
+[ -d keys ] || mkdir keys
+
+cd keys
+
+use_ecc="y"
+existing_ca="n"
+kl="p521"
+cn="secp521r1"
+
+# Confirm that a valid key length has been entered
+case $kl in
+ p256);;
+ p384);;
+ p521);;
+ *)
+ echo Invalid key length. Supported key lengths: 256, 384, 521
+ exit 1 ;;
+esac
-printf "Enter the digest algorithm to use: \b"
-read da
+da="sha512"
# Confirm that a valid digest algorithm has been entered
case $da in
@@ -126,8 +88,7 @@ case $da in
exit 1 ;;
esac
-printf "Enter PKI tree duration (years): \b"
-read duration
+duration="10"
# Compute validity period
val_period=$((duration*365))
@@ -144,8 +105,7 @@ then
fi
# Check if SRKs should be generated as CA certs or user certs
-printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b"
-read srk_ca
+srk_ca="y"
# Check that the file "serial" is present, if not create it:
if [ ! -f serial ]
@@ -201,7 +161,7 @@ then
-x509 -extensions v3_ca \
-keyout temp_ca.pem \
-out ${ca_cert}.pem \
- -days ${val_period} -config ../ca/openssl.cnf
+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -218,7 +178,7 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -292,7 +252,7 @@ then
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -341,10 +301,10 @@ do
-in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
- -extfile ../ca/v3_ca.cnf \
+ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \
-out ${srk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -365,7 +325,7 @@ do
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -410,10 +370,10 @@ do
-in ./temp_sgk_req.pem \
-cert ${srk_crt_i} \
-keyfile ${srk_key_i} \
- -extfile ../ca/v3_usr.cnf \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
-out ${sgk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Convert SGK Certificate to DER format
openssl x509 -inform PEM -outform DER \
@@ -432,7 +392,7 @@ do
-out ${sgk_key}.pem
# Cleanup
- \rm ./temp_sgk.pem ./temp_sgk_req.pem
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
i=$((i+1))
done
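Review bot: The `case $kl` at L222–L229 now validates a constant set on L218 and no longer assigns `cn`, so L218 and L219 can drift apart silently if someone changes the curve in one place but not the other; either restore the assignment in each arm (`p521) cn="secp521r1" ;;` and likewise for p256/p384) or drop the case and keep a single `cn` definition. The `cd "${CSF_PATH}"` on L209 and `cd keys` on L214 are unchecked and no `set -e` is visible in the hunk, so a failed `cd` would generate the whole PKI tree in the current directory instead; `cd keys || exit 1` is enough. L169 also leaves `$(dirname ${0})` unquoted, which breaks for an install path containing spaces.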


@ -0,0 +1,28 @@
From: Mike Engel <Mike.Engel@digi.com>
Date: Fri, 24 Jan 2020 17:47:56 +0100
Subject: [PATCH] ahab_pki_tree.sh: use a random password for the default PKI
generation
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
---
keys/ahab_pki_tree.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index 00dd143..8b81143 100755
--- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh
@@ -117,9 +117,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ]
then
- echo "test" > key_pass.txt
- echo "test" >> key_pass.txt
- echo "A default file 'key_pass.txt' was created with password = test!"
+ password="$(openssl rand -base64 32)"
+ echo "${password}" > key_pass.txt
+ echo "${password}" >> key_pass.txt
+ echo "A file 'key_pass.txt' was created with a random password!"
fi
# The following is required otherwise OpenSSL complains
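Review bot: L334 does not check that `openssl rand` succeeded, so on failure `password` is empty and L335–L336 write a key_pass.txt containing two empty lines, which the later `-passout file:./key_pass.txt` calls would accept as the passphrase for every private key in the tree. The file is also created under the caller's umask, so the passphrase that protects the PKI tree can end up group- or world-readable. `password="$(openssl rand -base64 32)" || exit 1`, `[ -n "${password}" ] || exit 1` and `( umask 077; printf '%s\n%s\n' "${password}" "${password}" > key_pass.txt )` cover both points in three lines.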


@ -79,7 +79,7 @@ do_compile () {
unset k
# Secure boot artifacts
if [ "${TRUSTFENCE_SIGN}" = "1" ]
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]
then
cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
@ -122,8 +122,7 @@ do_deploy_append() {
cd ${DEPLOYDIR}
rm -r ${UBOOT_BINARY}-${type}
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_SIGN}" = "1" ]
then
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then
install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
@ -162,10 +161,12 @@ do_deploy_append() {
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
# Sign boot script
if [ "${SIGN_MODE}" = "HAB" ]; then
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
fi
fi
rm -f ${TMP_BOOTSCR}
}
@ -177,6 +178,11 @@ do_deploy_append_ccimx8x() {
install -d ${DEPLOYDIR}/${BOOT_TOOLS}
mv ${DEPLOYDIR}/u-boot* ${DEPLOYDIR}/${BOOT_TOOLS}/
mv ${DEPLOYDIR}/${UBOOT_SYMLINK}-* ${DEPLOYDIR}/${BOOT_TOOLS}/
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
${DEPLOY_DIR_IMAGE}/${BOOT_TOOLS}/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DEPLOYDIR}/boot.scr a35 ${RAM_CONTAINER_LOC_BOOT} -out ${DEPLOYDIR}/boot-mkimg.scr
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot-mkimg.scr" "${DEPLOYDIR}/boot.scr"
rm -f ${DEPLOYDIR}/boot-mkimg.scr
fi
}
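Review bot: do_deploy_append_ccimx8x at L375–L379 writes its intermediate to the fixed name `${DEPLOYDIR}/boot-mkimg.scr`, whereas the HAB path in the same file (L364–L366) uses `mktemp` under `${WORKDIR}`; using the same pattern keeps an unsigned intermediate out of the deploy directory if the signing step on L377 fails before the `rm -f` on L378 runs. The guard on L375 tests only `TRUSTFENCE_SIGN`, while every other guard the commit adds also checks `SIGN_MODE` (L81, L347, L357); if the ccimx8x override is meant to imply AHAB, a comment saying so would settle the question. L376 also executes `mkimage_imx8` out of `${DEPLOY_DIR_IMAGE}`, i.e. another recipe's deploy output, so a task dependency on that recipe's do_deploy is needed unless it is already declared outside this hunk.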
do_deploy_append_ccimx8mn() {


@ -0,0 +1,23 @@
# The syntax for this file is documented in the HAB Code Signing Tool
# User's Guid which is included in the CST package distributed by NXP
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "%srk_table%"
# Public key certificate in PEM format
Source = "%cert_img%"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = %key_index%
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x%key_index%
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "%kernel-img%"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = %container_offset% %block_offset%
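Review bot: L401 substitutes `%key_index%` into a field that the comment on L400 describes as a bitmask of revoked SRKs, but the index of the signing key is not a mask: index 1 yields `0x1` (revokes SRK0), index 2 yields `0x2` (revokes SRK1 only, leaving SRK0 valid) and index 3 yields `0x3`. If the intent is to revoke every key below the one in use, the value has to be computed by the caller as `(1 << key_index) - 1` and passed through a separate placeholder; if the intent is a literal mask, the template should not be fed the index at all. Either way a comment next to L400 stating which SRKs are meant to be revoked at each index is warranted, since this is the field the comment says controls revocation. L387 also misspells `Guide`.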


@ -1,9 +1,9 @@
#!/bin/sh
#===============================================================================
#
# trustfence_sign_uimage.sh
# trustfence-sign-kernel.sh
#
# Copyright (C) 2016 by Digi International Inc.
# Copyright (C) 2016-2020 by Digi International Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify it
@ -54,7 +54,7 @@ Usage: ${SCRIPT_NAME} [OPTIONS] input-unsigned-image output-signed-image
-i sign/encrypt initramfs
-l sign/encrypt Linux image
Supported platforms: ccimx6, ccimx6ul
Supported platforms: ccimx6, ccimx6ul, ccimx8x
EOF
}
@ -64,14 +64,16 @@ if [ "${#}" != "2" ]; then
exit 1
fi
# Negative offset with respect to CONFIG_RAM_START in which U-Boot
# copies the DEK blob.
DEK_BLOB_OFFSET="0x100"
CONFIG_CSF_SIZE="0x4000"
UIMAGE_PATH="$(readlink -e ${1})"
TARGET="$(readlink -m ${2})"
# Negative offset with respect to CONFIG_RAM_START in which U-Boot
# copies the DEK blob.
if [ "${SIGN_MODE}" = "HAB" ]; then
DEK_BLOB_OFFSET="0x100"
CONFIG_CSF_SIZE="0x4000"
fi
# Read user configuration file (if used)
[ -f .config ] && . ./.config
@ -81,6 +83,7 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
fi
[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ -n "${CONFIG_DEK_PATH}" ]; then
if [ ! -f "${CONFIG_DEK_PATH}" ]; then
echo "DEK not found. Generating random 256 bit DEK."
@ -119,17 +122,21 @@ if [ -z "${CONFIG_RAM_START}" ]; then
echo "Specify the type of image to process (-b, -i, -d, or -l)"
exit 1
fi
fi
# Default values
[ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
if [ "${SIGN_MODE}" = "HAB" ]; then
CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
fi
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
if [ "${SIGN_MODE}" = "HAB" ]; then
if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
# PKI tree already exists.
echo "Using existing PKI tree"
@ -144,8 +151,27 @@ else
echo "Inconsistent CST folder."
exit 1
fi
elif [ "${SIGN_MODE}" = "AHAB" ]; then
if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
# PKI tree already exists. Do nothing
echo "Using existing PKI tree"
elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
# Generate PKI
trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
else
echo "Inconsistent CST folder."
exit 1
fi
fi
SRK_TABLE="$(pwd)/SRK_table.bin"
if [ "${SIGN_MODE}" = "HAB" ]; then
HAB_VER="hab_ver 4"
DIGEST="digest"
DIGEST_ALGO="sha256"
SRK_EFUSES="/dev/null"
# Other constants
GAP_FILLER="0x00"
@ -204,7 +230,7 @@ if [ "${ENCRYPT}" = "true" ]; then
-e "s,%r2_uimage_offset%,${r2_uimage_offset},g" \
-e "s,%r2_ram_start%,${r2_ram_start},g" \
-e "s,%r2_size%,${r2_size},g" \
"${SCRIPT_PATH}/csf_templates/encrypt_uimage" > csf_descriptor
"${SCRIPT_PATH}/csf_templates/encrypt_hab" > csf_descriptor
else
sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \
-e "s,%srk_table%,${SRK_TABLE},g" \
@ -214,16 +240,48 @@ else
-e "s,%cert_img%,${CERT_IMG},g" \
-e "s,%uimage_path%,${TARGET},g" \
-e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
"${SCRIPT_PATH}/csf_templates/sign_uimage" > csf_descriptor
"${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor
fi
else
SRK_EFUSES="$(pwd)/SRK_efuses.bin"
# Other constants
KERNEL_START_OFFSET="0x0"
KERNEL_SIG_BLOCK_OFFSET="0x90"
KERNEL_NAME="${1}"
HAB_VER="ahab"
DIGEST="sign_digest"
DIGEST_ALGO="sha512"
# Compute the layout: sizes and offsets.
container_header_offset="${KERNEL_START_OFFSET}"
signature_block_offset="${KERNEL_SIG_BLOCK_OFFSET}"
SRK_CERT_KEY_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK${CONFIG_KEY_INDEX_1}*crt.pem | sed s/\ /\,/g)"
sed -e "s,%srk_table%,${SRK_TABLE},g" \
-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
-e "s,%kernel-img%,${KERNEL_NAME},g" \
-e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
-e "s,%container_offset%,${container_header_offset},g" \
-e "s,%block_offset%,${signature_block_offset},g" \
"${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
if [ "${ENCRYPT}" = "true" ]; then
echo "[ERROR] Environment encryption is not supported."
exit 1
fi
fi
# Generate SRK tables
srktool --hab_ver 4 --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses /dev/null --digest sha256
srktool --${HAB_VER} --certs "${SRK_KEYS}" --table "${SRK_TABLE}" --efuses "${SRK_EFUSES}" --${DIGEST} "${DIGEST_ALGO}"
if [ $? -ne 0 ]; then
echo "[ERROR] Could not generate SRK tables"
exit 1
fi
if [ "${SIGN_MODE}" = "HAB" ]; then
# Pad to IVT
objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
@ -253,6 +311,14 @@ fi
cat csf.bin >> "${TARGET}"
objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
else
CURRENT_PATH="$(pwd)"
cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
if [ $? -ne 0 ]; then
echo "[ERROR] Could not generate CSF $?"
exit 1
fi
fi
[ "${ENCRYPT}" = "true" ] && ENCRYPTED_MSG="and encrypted "
echo "Signed ${ENCRYPTED_MSG}image ready: ${TARGET}"
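Review bot: L440 branches on `${SIGN_MODE}` before the user configuration is sourced on L445, so if SIGN_MODE comes from `.config` rather than the environment the HAB-only `DEK_BLOB_OFFSET`/`CONFIG_CSF_SIZE` assignments on L441–L442 never run; moving L440–L443 below L445 removes the question. Nothing in the script rejects an unexpected value either: the `if HAB ... elif AHAB` chain at L462–L487 has no else, and the `if HAB ... else` at L489/L512 treats an empty or misspelled SIGN_MODE as AHAB, whereas the recipes in this commit fail loudly on the same condition (L116, L590). A `case "${SIGN_MODE}" in HAB|AHAB) ;; *) echo "[ERROR] Unknown SIGN_MODE '${SIGN_MODE}'" >&2; exit 1 ;; esac` right after L445 covers both, and the repeated `[ "${SIGN_MODE}" = "AHAB" ]` inside that elif on L476 and L479 can then go. L554 prints the `$?` of the preceding test rather than of cst, so the message always reports 0.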


@ -17,8 +17,9 @@ UBOOT_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${DIGI_GIT
SRC_URI = " \
${UBOOT_GIT_URI};branch=${SRCBRANCH} \
file://trustfence-sign-kernel.sh;name=kernel-script \
file://sign_uimage;name=kernel-sign \
file://encrypt_uimage;name=kernel-encrypt \
file://sign_hab;name=kernel-sign \
file://encrypt_hab;name=kernel-encrypt \
file://sign_ahab;name=kernel-sign \
"
do_configure[noexec] = "1"
@ -26,12 +27,19 @@ do_compile[noexec] = "1"
do_install() {
install -d ${D}${bindir}/csf_templates
install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
install -m 0755 sign_uimage ${D}${bindir}/csf_templates/
install -m 0755 encrypt_uimage ${D}${bindir}/csf_templates/
if [ "${SIGN_MODE}" = "AHAB" ]; then
install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
elif [ "${SIGN_MODE}" = "HAB" ]; then
install -m 0755 sign_hab ${D}${bindir}/csf_templates/
install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
install -m 0755 git/scripts/csf_templates/sign_uboot ${D}${bindir}/csf_templates
install -m 0755 git/scripts/csf_templates/encrypt_uboot ${D}${bindir}/csf_templates
else
bberror "Unkown SIGN_MODE value"
exit 1
fi
install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
}
FILES_${PN} = "${bindir}"
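Review bot: L569 and L571 both give their SRC_URI entry `name=kernel-sign`, so `sign_hab` and `sign_ahab` share one name; file:// entries need no checksum, but the duplicate will collide the moment a `SRC_URI[kernel-sign.sha256sum]` is added, so `file://sign_ahab;name=kernel-sign-ahab` is the safer spelling. The HAB branch installs `sign_uboot` and `encrypt_uboot` explicitly on L587–L588 while L594 installs `git/scripts/csf_templates/*` wholesale; if L594 survives on the new side (the markers are lost on this page) the two explicit lines are redundant, and if it does not, the AHAB branch installs no U-Boot templates at all, which deserves a comment either way. The CSF templates are data files, so the `0755` mode on L581, L584–L585 and L587–L588 could be `0644`.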


@ -24,6 +24,7 @@ trustfence_sign() {
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
# Sign/encrypt the kernel images
if [ "${SIGN_MODE}" = "HAB" ]; then
for type in ${KERNEL_IMAGETYPES}; do
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
@ -41,6 +42,31 @@ trustfence_sign() {
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
done
elif [ "${SIGN_MODE}" = "AHAB" ]; then
# Sign the kernel images
for type in ${KERNEL_IMAGETYPES}; do
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${WORKDIR}/build/arch/arm64/boot/Image a35 ${RAM_CONTAINER_LOC_BOOT} -out flash_os.bin
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "flash_os.bin" "${type}-${MACHINE}-signed.bin"
gzip ${type}-${MACHINE}-signed.bin
mv ${type}-${MACHINE}-signed.bin.gz "${KERNEL_IMAGE}"
done
# Sign/encrypt the device tree blobs
for DTB in ${KERNEL_DEVICETREE}; do
DTB=`normalize_dtb "${DTB}"`
DTB_EXT=${DTB##*.}
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg-signed
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}-mkimg-signed" "${DTB_IMAGE}-signed"
mv "${DTB_IMAGE}-signed" "${DTB_IMAGE}"
rm -f ${DTB_IMAGE}-mkimg-signed
done
else
bberror "Unkown SIGN_MODE value"
exit 1
fi
}
trustfence_sign[dirs] = "${DEPLOYDIR}"
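Review bot: The AHAB kernel loop at L613–L619 uses `${type}` only for naming: every iteration wraps the same `arch/arm64/boot/Image` on L615 and unconditionally gzips the result on L617, so with more than one entry in KERNEL_IMAGETYPES each output is the same signed image, and an uncompressed type would still receive a gzip payload under its name. L615 also writes the intermediate `flash_os.bin` into the task directory (`${DEPLOYDIR}` per L636) and never removes it, unlike the DTB intermediate that L629 cleans up; a `mktemp`-based name with an `rm -f` after L616 would match the HAB branch. L622 and L624 use backtick command substitution where L606 uses `$(...)`.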


@ -67,6 +67,10 @@ python () {
if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True))
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
if ("ccimx8x" in d.getVar("MACHINE", True)):
bb.fatal("Environment encryption is not currently supported on the ccimx8x SOM")
return
else:
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
# Provide sane default values for SWUPDATE class in case Trustfence is enabled
@ -84,7 +88,12 @@ python () {
key_index_1 = key_index + 1
# Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
if (d.getVar("SIGN_MODE", "") == "AHAB"):
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
d.setVar("CONFIG_SIGN_MODE", "AHAB")
else:
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
d.setVar("CONFIG_SIGN_MODE", "HAB")
# Set the key password.
d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
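Review bot: L653 calls `d.getVar("SIGN_MODE", "")`, but getVar's second positional parameter is `expand`, not a default value, so the empty string merely disables expansion and reads differently from the `True` passed on L641–L644; `d.getVar("SIGN_MODE", True) == "AHAB"` matches the rest of the function. The `return` on L646 is unreachable because `bb.fatal` raises, so it can be dropped. L654 points SWUPDATE at the SRK private key itself for AHAB, i.e. updates would be signed with a root key of the PKI tree rather than a subordinate key as the HAB branch does with IMG on L657; if that is a constraint of the AHAB tooling, a comment next to L654 saying so would stop a reader treating it as an oversight, and if it is not, a subordinate signing key limits the blast radius of a compromised update-signing key. The enclosing python() function starts outside the hunk.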


@ -40,7 +40,14 @@ do_install() {
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
# Find the certificate to use.
if [ "${SIGN_MODE}" = "HAB" ]; then
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
elif [ "${SIGN_MODE}" = "AHAB" ]; then
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
else
bberror "Unkown SIGN_MODE value"
exit 1
fi
# Extract the public key from the certificate.
install -d ${D}${sysconfdir}/ssl/certs