From 5f45a87ebd42e99673fca24365d8643a1c179592 Mon Sep 17 00:00:00 2001
From: Jose Diaz de Grenu de Pedro
Date: Tue, 31 May 2016 11:22:31 +0200
Subject: [PATCH] meta-digi-arm: trustfence: implement Yocto secure boot configuration

Implement the set of TRUSTFENCE_ macros to configure each secure boot feature available in U-Boot.
https://jira.digi.com/browse/DUB-570

Signed-off-by: Jose Diaz de Grenu de Pedro
---
 .../recipes-bsp/u-boot/u-boot-dey_2015.04.bb | 19 +++++++++++++++++++
 meta-digi-dey/classes/trustfence.bbclass | 18 ++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
index 4c8eca0e4..47aa9b21f 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@@ -63,6 +63,12 @@ do_compile () {
 oe_runmake O=${config} oldconfig
 oe_runmake O=${config} ${UBOOT_MAKE_TARGET}
 cp ${S}/${config}/${UBOOT_BINARY} ${S}/${config}/u-boot-${type}.${UBOOT_SUFFIX}
+
+ # Secure boot artifacts
+ if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]; then
+ then
+ cp ${S}/${config}/u-boot-signed.imx ${S}/${config}/u-boot-signed-${type}.${UBOOT_SUFFIX}
+ fi
 fi
 done
 unset j
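Review bot: The added `if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]; then` is followed by a second `then` on its own line, which is a shell syntax error, so do_compile will fail to parse even when signing is disabled. Drop the trailing `; then` so the test reads `if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]` / `then`, the form the do_deploy_append hunk already uses. The `cp` source also hard-codes `u-boot-signed.imx` while its destination and every other artifact use `${UBOOT_SUFFIX}`; if the suffix can ever differ from imx the copy misses the file, so `u-boot-signed.${UBOOT_SUFFIX}` would be the consistent spelling. do_compile and the loop it contains start outside the hunk.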
@@ -94,6 +100,19 @@ do_deploy_append() {
 cd ${DEPLOYDIR}
 rm -r ${UBOOT_BINARY}-${type} ${UBOOT_SYMLINK}-${type}
 ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
+ if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]
+ then
+ install ${S}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
+ install ${S}/${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
+ ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX}
+ ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
+ if [ -n "${TRUSTFENCE_UBOOT_ENCRYPT}" ]
+ then
+ # Move the data encryption key in plain text directly to the deployment directory.
+ # Do not leave any other copies in the machine.
+ mv ${S}/${config}/dek.bin ${DEPLOYDIR}/dek-${type}.bin
+ fi
+ fi
 fi
 done
 unset j
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6058e450e..bd627dec7 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
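Review bot: `mv ${S}/${config}/dek.bin ${DEPLOYDIR}/dek-${type}.bin` leaves the plaintext data encryption key in the deploy directory with whatever mode the build tool created it with, and the deploy directory is ordinary shared build output, so the comment's claim that no other copy is left does not make the remaining copy any less exposed. Tighten it right after the move, `chmod 0600 ${DEPLOYDIR}/dek-${type}.bin`, and extend the comment to say that dek-${type}.bin must be deleted from the build host once the DEK has been provisioned on the target. Note also that `install` is used without `-m`, so SRK_efuses.bin and the signed image are deployed as 0755 executables. If the enclosing `for` loop, whose header is outside the hunk, runs more than once for the same `${config}`, the second iteration will find dek.bin already moved and the task will fail.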
@@ -33,4 +33,22 @@ python () {
 d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CONSOLE_ENABLE_PASSPHRASE=y CONFIG_CONSOLE_ENABLE_PASSPHRASE_KEY=\\"%s\\" ' % passphrase_hash)
 elif d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True):
 d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CCIMX6SBC_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE"))
+
+ # Secure boot configuration
+ if d.getVar("TRUSTFENCE_CHECK_KERNEL", True):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SECURE_BOOT=y ")
+ if d.getVar("TRUSTFENCE_UBOOT_SIGN", True):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
+ if d.getVar("TRUSTFENCE_CST_PATH", True):
+ d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CST_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_CST_PATH"))
+ if d.getVar("TRUSTFENCE_CSF_SIZE", True):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_CSF_SIZE=%s " % d.getVar("TRUSTFENCE_CSF_SIZE"))
+ if d.getVar("TRUSTFENCE_KEY_INDEX", True):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
+ if d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_ENCRYPT_IMAGE=y ")
+ if d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE", True):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_DEK_SIZE=%s " % d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE"))
+ if d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True):
+ d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
 }
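Review bot: The last added pair passes `TRUSTFENCE_UBOOT_ENV_DEK` straight into `CONFIG_ENV_AES_KEY=\"%s\"`, making the environment encryption key a compile-time constant of the bootloader, so unless `TRUSTFENCE_UBOOT_ENCRYPT` is also set anyone holding the plain U-Boot image (or the generated .config) can read the key back. The class should at least warn when ENV_DEK is configured without UBOOT_ENCRYPT and say so in a comment above that branch, as sketched below. Two smaller points: every value is tested with `d.getVar(..., True)` but interpolated with `d.getVar(...)` without expansion, so a CST path or key written with `${...}` references reaches the config unexpanded (the pre-existing GPIO line has the same mismatch), and the final fragment is the only one without a trailing space, so anything appended to UBOOT_EXTRA_CONF after it is glued onto the key. The anonymous `python ()` function starts outside the hunk.
```python
    # … unchanged: CONFIG_SECURE_BOOT / SIGN_IMAGE / CST_PATH / CSF_SIZE / KEY_INDEX / ENCRYPT_IMAGE / DEK_SIZE …
    if d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True):
        # The key is compiled into U-Boot: it is only as secret as the image itself.
        if not d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True):
            bb.warn("TRUSTFENCE_UBOOT_ENV_DEK is set without TRUSTFENCE_UBOOT_ENCRYPT; the env key is recoverable from the plain U-Boot image")
        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\" ' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True))
```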