meta-digi-arm: trustfence: implement Yocto secure boot configuration

Implement the set of TRUSTFENCE_ macros to configure each secure boot feature available in U-Boot. https://jira.digi.com/browse/DUB-570 Signed-off-by: Jose Diaz de Grenu de Pedro <Jose.DiazdeGrenudePedro@digi.com>
2016-05-31 11:22:31 +02:00 · 2016-05-31 11:22:31 +02:00 · 5f45a87ebd
parent 0aa26fb70a
commit 5f45a87ebd
2 changed files with 37 additions and 0 deletions
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@ -63,6 +63,12 @@ do_compile () {
                    oe_runmake O=${config} oldconfig
                    oe_runmake O=${config} ${UBOOT_MAKE_TARGET}
                    cp  ${S}/${config}/${UBOOT_BINARY}  ${S}/${config}/u-boot-${type}.${UBOOT_SUFFIX}
                    # Secure boot artifacts
                    if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]; then
                    then
                        cp ${S}/${config}/u-boot-signed.imx ${S}/${config}/u-boot-signed-${type}.${UBOOT_SUFFIX}
                    fi
                fi
            done
            unset  j
@ -94,6 +100,19 @@ do_deploy_append() {
 					cd ${DEPLOYDIR}
 					rm -r ${UBOOT_BINARY}-${type} ${UBOOT_SYMLINK}-${type}
 					ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
 					if [ -n "${TRUSTFENCE_UBOOT_SIGN}" ]
 					then
 						install ${S}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
 						install ${S}/${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
 						ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX}
 						ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
 						if [ -n "${TRUSTFENCE_UBOOT_ENCRYPT}" ]
 						then
 							# Move the data encryption key in plain text directly to the deployment directory.
 							# Do not leave any other copies in the machine.
 							mv ${S}/${config}/dek.bin ${DEPLOYDIR}/dek-${type}.bin
 						fi
 					fi
 				fi
 			done
 			unset  j
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -33,4 +33,22 @@ python () {
            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CONSOLE_ENABLE_PASSPHRASE=y CONFIG_CONSOLE_ENABLE_PASSPHRASE_KEY=\\"%s\\" ' % passphrase_hash)
        elif d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True):
            d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CCIMX6SBC_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE"))
    # Secure boot configuration
    if d.getVar("TRUSTFENCE_CHECK_KERNEL", True):
        d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SECURE_BOOT=y ")
    if d.getVar("TRUSTFENCE_UBOOT_SIGN", True):
        d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
        if d.getVar("TRUSTFENCE_CST_PATH", True):
            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CST_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_CST_PATH"))
        if d.getVar("TRUSTFENCE_CSF_SIZE", True):
            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_CSF_SIZE=%s " % d.getVar("TRUSTFENCE_CSF_SIZE"))
        if d.getVar("TRUSTFENCE_KEY_INDEX", True):
            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
        if d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True):
            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_ENCRYPT_IMAGE=y ")
            if d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE", True):
                d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_DEK_SIZE=%s " % d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE"))
    if d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True):
        d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
 }