trustfence: add support for signing and encrypting DTBs and ramdisks
This patch introduces some parameters which allow to select the type of image to be signed. Currently the supported types are: * linux kernel (-l) * DTB (-d) * initramfs (-i) This also moves the CONFIG_PLATFORM environment variable to a parameter, for consistency. https://jira.digi.com/browse/DUB-614 https://jira.digi.com/browse/DUB-615 Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This commit is contained in:
Diaz de Grenu, Jose
parent
69cf44fcb5
commit
5c4df1ddfd
|
|
@ -16,7 +16,6 @@
|
||||||
#
|
#
|
||||||
# The following environment variables define the script behaviour:
|
# The following environment variables define the script behaviour:
|
||||||
# CONFIG_SIGN_KEYS_PATH: (mandatory) path to the CST folder by NXP with keys generated.
|
# CONFIG_SIGN_KEYS_PATH: (mandatory) path to the CST folder by NXP with keys generated.
|
||||||
# CONFIG_UIMAGE_LOADADDR: (mandatory) memory address in which U-Boot loads the uImage
|
|
||||||
# CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0.
|
# CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0.
|
||||||
# CONFIG_DEK_PATH: (optional) Path to keyfile. Define it to generate
|
# CONFIG_DEK_PATH: (optional) Path to keyfile. Define it to generate
|
||||||
# encrypted images
|
# encrypted images
|
||||||
|
|
@ -26,12 +25,37 @@
|
||||||
SCRIPT_NAME="$(basename ${0})"
|
SCRIPT_NAME="$(basename ${0})"
|
||||||
SCRIPT_PATH="$(cd $(dirname ${0}) && pwd)"
|
SCRIPT_PATH="$(cd $(dirname ${0}) && pwd)"
|
||||||
|
|
||||||
|
while getopts "dilp:" c; do
|
||||||
|
case "${c}" in
|
||||||
|
d) ARTIFACT_DTB="y";;
|
||||||
|
i) ARTIFACT_INITRAMFS="y";;
|
||||||
|
l) ARTIFACT_KERNEL="y";;
|
||||||
|
p) PLATFORM="${OPTARG}";;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift "$((OPTIND - 1))"
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
cat <<EOF
|
||||||
|
|
||||||
|
Usage: ${SCRIPT_NAME} [OPTIONS] input-unsigned-image output-signed-image
|
||||||
|
|
||||||
|
-p <platform> select platform for the project
|
||||||
|
-d sign/encrypt initramfs
|
||||||
|
-i sign/encrypt DTB
|
||||||
|
-l sign/encrypt Linux image
|
||||||
|
|
||||||
|
Supported platforms: ccimx6, ccimx6ul
|
||||||
|
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
if [ "${#}" != "2" ]; then
|
if [ "${#}" != "2" ]; then
|
||||||
echo "Usage: ${SCRIPT_NAME} input-unsigned-image output-signed-image"
|
usage
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Negative offset with respect to CONFIG_UIMAGE_LOADADDR in which U-Boot
|
# Negative offset with respect to CONFIG_RAM_START in which U-Boot
|
||||||
# copies the DEK blob.
|
# copies the DEK blob.
|
||||||
DEK_BLOB_OFFSET="0x100"
|
DEK_BLOB_OFFSET="0x100"
|
||||||
CONFIG_CSF_SIZE="0x4000"
|
CONFIG_CSF_SIZE="0x4000"
|
||||||
|
|
@ -62,15 +86,29 @@ if [ -n "${CONFIG_DEK_PATH}" ]; then
|
||||||
ENCRYPT="true"
|
ENCRYPT="true"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ "${CONFIG_PLATFORM}" = "ccimx6" ] && CONFIG_UIMAGE_LOADADDR="0x12000000"
|
if [ "${PLATFORM}" = "ccimx6" ]; then
|
||||||
[ "${CONFIG_PLATFORM}" = "ccimx6ul" ] && CONFIG_UIMAGE_LOADADDR="0x80800000"
|
CONFIG_FDT_LOADADDR="0x18000000"
|
||||||
|
CONFIG_RAMDISK_LOADADDR="0x19000000"
|
||||||
if [ -z "${CONFIG_UIMAGE_LOADADDR}" ]; then
|
CONFIG_KERNEL_LOADADDR="0x12000000"
|
||||||
echo "Undefined CONFIG_UIMAGE_LOADADDR"
|
elif [ "${PLATFORM}" = "ccimx6ul" ]; then
|
||||||
echo "As an alternative, define CONFIG_PLATFORM. Supported platforms: ccimx6, ccimx6ul"
|
CONFIG_FDT_LOADADDR="0x83000000"
|
||||||
|
CONFIG_RAMDISK_LOADADDR="0x83800000"
|
||||||
|
CONFIG_KERNEL_LOADADDR="0x80800000"
|
||||||
|
else
|
||||||
|
echo "Invalid platform: ${PLATFORM}"
|
||||||
|
echo "Supported platforms: ccimx6, ccimx6ul"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
|
||||||
|
[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
|
||||||
|
[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
|
||||||
|
|
||||||
|
if [ -z "${CONFIG_RAM_START}" ]; then
|
||||||
|
echo "Specify the type of image to process (-i, -d, or -l)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Default values
|
# Default values
|
||||||
[ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
|
[ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
|
||||||
CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
|
CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
|
||||||
|
|
@ -102,7 +140,7 @@ SRK_TABLE="$(pwd)/SRK_table.bin"
|
||||||
GAP_FILLER="0x00"
|
GAP_FILLER="0x00"
|
||||||
|
|
||||||
# The DEK blob is placed by U-Boot just before the kernel image
|
# The DEK blob is placed by U-Boot just before the kernel image
|
||||||
dek_blob_offset="$((CONFIG_UIMAGE_LOADADDR - DEK_BLOB_OFFSET))"
|
dek_blob_offset="$((CONFIG_KERNEL_LOADADDR - DEK_BLOB_OFFSET))"
|
||||||
|
|
||||||
# Compute the layout: sizes and offsets.
|
# Compute the layout: sizes and offsets.
|
||||||
uimage_size="$(stat -L -c %s ${UIMAGE_PATH})"
|
uimage_size="$(stat -L -c %s ${UIMAGE_PATH})"
|
||||||
|
|
@ -112,26 +150,26 @@ auth_len="$((pad_len + 0x20))"
|
||||||
sig_len="$((auth_len + CONFIG_CSF_SIZE))"
|
sig_len="$((auth_len + CONFIG_CSF_SIZE))"
|
||||||
|
|
||||||
ivt_uimage_start="$((auth_len - 0x20))"
|
ivt_uimage_start="$((auth_len - 0x20))"
|
||||||
ivt_ram_start="$((CONFIG_UIMAGE_LOADADDR + ivt_uimage_start))"
|
ivt_ram_start="$((CONFIG_RAM_START + ivt_uimage_start))"
|
||||||
ivt_size="0x20"
|
ivt_size="0x20"
|
||||||
csf_ram_start="$((ivt_ram_start + ivt_size))"
|
csf_ram_start="$((ivt_ram_start + ivt_size))"
|
||||||
entrypoint_uimage_offset="0x1000"
|
entrypoint_uimage_offset="0x1000"
|
||||||
entrypoint_ram_start="$((CONFIG_UIMAGE_LOADADDR + entrypoint_uimage_offset))"
|
entrypoint_ram_start="$((CONFIG_RAM_START + entrypoint_uimage_offset))"
|
||||||
entrypoint_size="0x20"
|
entrypoint_size="0x20"
|
||||||
header_uimage_offset="0x0"
|
header_uimage_offset="0x0"
|
||||||
header_ram_start="${CONFIG_UIMAGE_LOADADDR}"
|
header_ram_start="${CONFIG_RAM_START}"
|
||||||
header_size="0x40"
|
header_size="0x40"
|
||||||
|
|
||||||
r1_uimage_offset="${header_size}"
|
r1_uimage_offset="${header_size}"
|
||||||
r1_ram_start="$((CONFIG_UIMAGE_LOADADDR + r1_uimage_offset))"
|
r1_ram_start="$((CONFIG_RAM_START + r1_uimage_offset))"
|
||||||
r1_size="$((entrypoint_uimage_offset - header_size ))"
|
r1_size="$((entrypoint_uimage_offset - header_size ))"
|
||||||
r2_uimage_offset="$((entrypoint_uimage_offset + entrypoint_size))"
|
r2_uimage_offset="$((entrypoint_uimage_offset + entrypoint_size))"
|
||||||
r2_ram_start="$((CONFIG_UIMAGE_LOADADDR + r2_uimage_offset))"
|
r2_ram_start="$((CONFIG_RAM_START + r2_uimage_offset))"
|
||||||
r2_size="$((ivt_uimage_start - (entrypoint_uimage_offset + entrypoint_size)))"
|
r2_size="$((ivt_uimage_start - (entrypoint_uimage_offset + entrypoint_size)))"
|
||||||
|
|
||||||
# Generate actual CSF descriptor file from template
|
# Generate actual CSF descriptor file from template
|
||||||
if [ "${ENCRYPT}" = "true" ]; then
|
if [ "${ENCRYPT}" = "true" ]; then
|
||||||
sed -e "s,%ram_start%,${CONFIG_UIMAGE_LOADADDR},g" \
|
sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \
|
||||||
-e "s,%srk_table%,${SRK_TABLE},g " \
|
-e "s,%srk_table%,${SRK_TABLE},g " \
|
||||||
-e "s,%cert_csf%,${CERT_CSF},g" \
|
-e "s,%cert_csf%,${CERT_CSF},g" \
|
||||||
-e "s,%cert_img%,${CERT_IMG},g" \
|
-e "s,%cert_img%,${CERT_IMG},g" \
|
||||||
|
|
@ -157,7 +195,7 @@ if [ "${ENCRYPT}" = "true" ]; then
|
||||||
-e "s,%r2_size%,${r2_size},g" \
|
-e "s,%r2_size%,${r2_size},g" \
|
||||||
"${SCRIPT_PATH}/csf_templates/encrypt_uimage" > csf_descriptor
|
"${SCRIPT_PATH}/csf_templates/encrypt_uimage" > csf_descriptor
|
||||||
else
|
else
|
||||||
sed -e "s,%ram_start%,${CONFIG_UIMAGE_LOADADDR},g" \
|
sed -e "s,%ram_start%,${CONFIG_RAM_START},g" \
|
||||||
-e "s,%srk_table%,${SRK_TABLE},g" \
|
-e "s,%srk_table%,${SRK_TABLE},g" \
|
||||||
-e "s,%image_offset%,${uimage_offset},g" \
|
-e "s,%image_offset%,${uimage_offset},g" \
|
||||||
-e "s,%auth_len%,${auth_len},g" \
|
-e "s,%auth_len%,${auth_len},g" \
|
||||||
|
|
|
||||||
|
|
@ -28,11 +28,13 @@ KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
|
||||||
|
|
||||||
do_deploy_append() {
|
do_deploy_append() {
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
||||||
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
export CONFIG_PLATFORM="${DIGI_FAMILY}"
|
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
"${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin"
|
|
||||||
|
# Sign/encrypt the kernel image
|
||||||
|
"${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" -p "${DIGI_FAMILY}" -l "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin"
|
||||||
mv "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin"
|
mv "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin"
|
||||||
fi
|
fi
|
||||||
(cd ${DEPLOYDIR} && ln -sf ${KERNEL_IMAGE_BASE_NAME}.bin ${KERNEL_IMAGE_SYMLINK_NAME})
|
(cd ${DEPLOYDIR} && ln -sf ${KERNEL_IMAGE_BASE_NAME}.bin ${KERNEL_IMAGE_SYMLINK_NAME})
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue