meta-digi-arm: trustfence: implement Yocto secure boot configuration

Implement the set of TRUSTFENCE_ macros to configure each secure boot feature
available in U-Boot.

https://jira.digi.com/browse/DUB-570

Signed-off-by: Jose Diaz de Grenu de Pedro <Jose.DiazdeGrenudePedro@digi.com>

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb

@@ -63,6 +63,12 @@ do_compile () {
                     oe_runmake O=${config} oldconfig
                     oe_runmake O=${config} ${UBOOT_MAKE_TARGET}
                     cp  ${S}/${config}/${UBOOT_BINARY}  ${S}/${config}/u-boot-${type}.${UBOOT_SUFFIX}
+
+                    # Secure boot artifacts
+                    if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]; then
+                    then
+                        cp ${S}/${config}/u-boot-signed.imx ${S}/${config}/u-boot-signed-${type}.${UBOOT_SUFFIX}
+                    fi
                 fi
             done
             unset  j
@@ -94,6 +100,19 @@ do_deploy_append() {
 					cd ${DEPLOYDIR}
 					rm -r ${UBOOT_BINARY}-${type} ${UBOOT_SYMLINK}-${type}
 					ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
+					if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]
+					then
+						install ${S}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
+						install ${S}/${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
+						ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX}
+						ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
+						if [ -n "${TRUSTFENCE_UBOOT_ENCRYPT}" ]
+						then
+							# Move the data encryption key in plain text directly to the deployment directory.
+							# Do not leave any other copies in the machine.
+							mv ${S}/${config}/dek.bin ${DEPLOYDIR}/dek-${type}.bin
+						fi
+					fi
 				fi
 			done
 			unset  j

meta-digi-dey/classes/trustfence.bbclass

@@ -33,4 +33,22 @@ python () {
             d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CONSOLE_ENABLE_PASSPHRASE=y CONFIG_CONSOLE_ENABLE_PASSPHRASE_KEY=\\"%s\\" ' % passphrase_hash)
         elif d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True):
             d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CCIMX6SBC_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE"))
+
+    # Secure boot configuration
+    if d.getVar("TRUSTFENCE_CHECK_KERNEL", True):
+        d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SECURE_BOOT=y ")
+    if d.getVar("TRUSTFENCE_UBOOT_SIGN", True):
+        d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
+        if d.getVar("TRUSTFENCE_CST_PATH", True):
+            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CST_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_CST_PATH"))
+        if d.getVar("TRUSTFENCE_CSF_SIZE", True):
+            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_CSF_SIZE=%s " % d.getVar("TRUSTFENCE_CSF_SIZE"))
+        if d.getVar("TRUSTFENCE_KEY_INDEX", True):
+            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
+        if d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True):
+            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_ENCRYPT_IMAGE=y ")
+            if d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE", True):
+                d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_DEK_SIZE=%s " % d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE"))
+    if d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True):
+        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
 }