From 674625455848059d11192c07eac897b3ba56cb6c Mon Sep 17 00:00:00 2001 From: "Diaz de Grenu, Jose" Date: Tue, 9 Aug 2016 17:02:31 +0200 Subject: [PATCH] meta-digi-dey: trustfence: add Yocto macro to unlock key revocation By default, on closed devices you cannot revoke any key. To do so, it is required to compile a U-Boot which instructs the HAB not to set the sticky bit which write protects that field in the OCOTP controller. This patch introduces a Yocto macro which allows to configure U-Boot in that way. In the ConnectCore 6, the value of this settings is ignored, because HAB never sets the sticky bit which write protects that field. https://jira.digi.com/browse/DUB-665 Signed-off-by: Diaz de Grenu, Jose --- README.md | 4 ++++ meta-digi-dey/classes/trustfence.bbclass | 2 ++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index cca2e48e6..515be72d0 100644 --- a/README.md +++ b/README.md @@ -110,6 +110,10 @@ Bluetooth Low Energy mode hang the processor when trying to authenticate an encrypted kernel image after a failed attempt. Hence the target needs to be reset after an authentication failure. +* NXP i.MX6 processor does not set the sticky bit which write protects the +SRK_REVOKE eFuse on closed devices. This means that in the ConnectCore 6, +key revocation is always possible, no matter the value of the Yocto macro +TRUSTFENCE_UNLOCK_KEY_REVOCATION. ## Digi ConnectCore 6 SBC diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index c933e34ed..49aa5459d 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass 
@@ -56,6 +56,8 @@ python () {
 d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
 if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True):
 d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_KEYS_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
+ if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION", True) == "1"):
+ d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
 if d.getVar("TRUSTFENCE_KEY_INDEX", True):
 d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
 if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
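Review bot: The new `TRUSTFENCE_UNLOCK_KEY_REVOCATION` branch turns on `CONFIG_UNLOCK_SRK_REVOKE=y` without leaving any trace in the build output, although per the commit message it makes U-Boot tell HAB not to write-protect the SRK_REVOKE field on closed devices. Since a revocation burned into eFuses cannot be undone, an image built with this left on by accident should be easy to spot; I would add a line inside the branch such as `bb.warn("TRUSTFENCE_UNLOCK_KEY_REVOCATION=1: U-Boot will leave SRK_REVOKE unlocked on closed devices")`. A short comment above the `if` stating that the default (unset) keeps revocation locked, and that only the exact value "1" enables it, would also help, because the neighbouring TRUSTFENCE_DEK_PATH check uses a different convention (`not in [None, "0"]`). The anonymous `python ()` function starts and ends outside this hunk, and the indentation is lost in this view, so I cannot tell which outer condition the branch is nested under.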