From 6298a50b2e159d599e351c8dff8d60ea4d2c81e5 Mon Sep 17 00:00:00 2001
From: Hector Palacios
Date: Tue, 25 Apr 2023 12:46:48 +0200
Subject: [PATCH] trustfence: copy the public key to the rootfs

The root file system requires the public key to authenticate SWU files. For NXP platforms, the public key is extracted from the certificate. For STM platforms, simply copy the public key over to the rootfs.

Signed-off-by: Hector Palacios
---
 .../recovery/recovery-initramfs.bb | 19 +++++++---
 .../recipes-digi/dualboot/dualboot.bb | 35 +++++++++++++------
 2 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
index 04c007a71..7b2a395fe 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@@ -57,11 +57,22 @@ do_install() {
 bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 exit 1
 fi
+ # Extract the public key from the certificate.
+ install -d ${D}${sysconfdir}/ssl/certs
+ openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
+ elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+ # Copy the public key to the rootfs
+ if [ "${DIGI_SOM}" = "ccmp15" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey00.pem"
+ elif [ "${DIGI_SOM}" = "ccmp13" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${KEY_INDEX}.pem"
+ else
+ bberror "Unknown DIGI_SOM"
+ exit 1
+ fi
+ install -d ${D}${sysconfdir}/ssl/certs
+ cp ${PUBLIC_KEY} ${D}${sysconfdir}/ssl/certs/key.pub
 fi
-
- # Extract the public key from the certificate.
- install -d ${D}${sysconfdir}/ssl/certs
- openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
 fi
 }
diff --git a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
index 9036a3c81..188ef3839 100644
--- a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
+++ b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
@@ -48,18 +48,31 @@ do_install() {
 KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
 # Find the certificate to use.
- if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
- elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
- else
- bberror "Unkown TRUSTFENCE_SIGN_MODE value"
- exit 1
+ if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+ if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
+ elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
+ else
+ bberror "Unknown TRUSTFENCE_SIGN_MODE value"
+ exit 1
+ fi
+ # Extract the public key from the certificate.
+ install -d ${D}${sysconfdir}/ssl/certs
+ openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
+ elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+ # Copy the public key to the rootfs
+ if [ "${DIGI_SOM}" = "ccmp15" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey00.pem"
+ elif [ "${DIGI_SOM}" = "ccmp13" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${KEY_INDEX}.pem"
+ else
+ bberror "Unknown DIGI_SOM"
+ exit 1
+ fi
+ install -d ${D}${sysconfdir}/ssl/certs
+ cp ${PUBLIC_KEY} ${D}${sysconfdir}/ssl/certs/key.pub
 fi
-
- # Extract the public key from the certificate.
- install -d ${D}${sysconfdir}/ssl/certs
- openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
 fi
 }
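Review bot: The new `if [ "${DEY_SOC_VENDOR}" = "NXP" ] … elif [ "${DEY_SOC_VENDOR}" = "STM" ] … fi` chain in dualboot.bb has no `else`, so a build with any other vendor value now finishes do_install without installing `key.pub` and without an error, whereas the removed lines extracted the key for every configuration that reached this point. Since the commit message says the rootfs needs this key to authenticate SWU files, the build should fail closed here the same way the inner branches do: `else` / `bberror "Unknown DEY_SOC_VENDOR"` / `exit 1`. The recovery-initramfs.bb hunk ends its chain the same way after the STM branch (its opening `if` lies outside the hunk), so the same three lines apply there. In both STM branches the key is copied with an unquoted `cp ${PUBLIC_KEY} …`, which derives the destination mode from the source file in the signing-keys directory; `install -m 0644 "${PUBLIC_KEY}" "${D}${sysconfdir}/ssl/certs/key.pub"` would pin the mode and tolerate spaces in TRUSTFENCE_SIGN_KEYS_PATH.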