diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
index 0731dbfcf..005d65f9a 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
@@ -5,7 +5,7 @@ i.MX processors that integrate the HAB library in the internal boot ROM."
 HOMEPAGE = "https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL"
 LICENSE = "CLOSED"
-DEPENDS = "openssl"
+DEPENDS = "openssl byacc flex"
 SRC_URI = " \
 ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'file://cst-${PV}.tgz', '', d)} \
@@ -15,7 +15,6 @@ SRC_URI = " \
 file://0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch \
 file://0005-ahab_pki_tree.sh-automate-script.patch \
 file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
- file://Makefile \
 "
 # Usually local files (with file:// protocol) are not checked for
@@ -29,20 +28,18 @@ python() {
 d.setVar('PREMIRRORS', "file://cst.* %s \\n %s" % (source_mirror_url, premirrors))
 }
-S = "${WORKDIR}/release"
-
-do_configure() {
- cp -f ${WORKDIR}/Makefile .
-}
+S = "${WORKDIR}/cst-${PV}/"
 do_compile() {
- oe_runmake clean && oe_runmake
+ cd ${S}/code/cst
+ oe_runmake OSTYPE=linux64 clean
+ oe_runmake OSTYPE=linux64 rel_bin
 }
 do_install() {
 install -d ${D}${bindir}
- install -m 0755 linux64/cst ${D}${bindir}/cst
- install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
+ install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name cst) ${D}${bindir}/cst
+ install -m 0755 $(find ${S}/code/cst/release/linux64 -type f -name srktool) ${D}${bindir}/srktool
 if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
 elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
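Review bot: In do_install both new `install` lines take their source from a search, `$(find ${S}/code/cst/release/linux64 -type f -name cst)` and the same for `srktool`, so the file shipped as the signing tool is whatever the search returns rather than a path the recipe states. With no match `install` is left with a single operand, and with more than one match the extra paths become additional sources; either way the task fails with a message that does not say which file was missing or duplicated. Since `rel_bin` now builds these binaries inside the recipe, I would name the output path under `release/linux64` explicitly, or check that exactly one file was found before installing it. The body of do_install continues past the end of this hunk.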
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch index 881a77761..709cae579 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch @@ -12,18 +12,18 @@ https://jira.digi.com/browse/DUB-608 Signed-off-by: Diaz de Grenu, Jose --- - code/back_end/src/adapt_layer_openssl.c | 1 + + code/cst/code/back_end/src/adapt_layer_openssl.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/code/back_end/src/adapt_layer_openssl.c b/code/back_end/src/adapt_layer_openssl.c -index 8513046269ea..ce6e370f2c6a 100644 ---- a/code/back_end/src/adapt_layer_openssl.c -+++ b/code/back_end/src/adapt_layer_openssl.c -@@ -945,6 +945,7 @@ int32_t gen_auth_encrypted_data(const char* in_file, - } +diff --git a/code/cst/code/back_end/src/adapt_layer_openssl.c b/code/cst/code/back_end/src/adapt_layer_openssl.c +index 38b8bf5..f389e23 100755 +--- a/code/cst/code/back_end/src/adapt_layer_openssl.c ++++ b/code/cst/code/back_end/src/adapt_layer_openssl.c +@@ -1146,6 +1146,7 @@ int32_t gen_auth_encrypted_data(const char* in_file, printf("\n"); #endif -+ reuse_dek = 1; - if (reuse_dek) { - fh = fopen(key_file, "rb"); - if (fh == NULL) { + if (0 == key_init_done) { ++ reuse_dek = 1; + if (reuse_dek) { + fh = fopen(key_file, "rb"); + if (fh == NULL) { diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch index 21681dc35..b28303ae0 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch 
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-hab4_pki_tree.sh-automate-script.patch @@ -1,521 +1,223 @@ -From: "Diaz de Grenu, Jose" -Date: Mon, 18 Jul 2016 13:21:11 +0200 +From: Arturo Buzarra +Date: Wed, 22 Jul 2020 14:37:03 +0200 Subject: [PATCH] hab4_pki_tree.sh: automate script -Signed-off-by: Diaz de Grenu, Jose +This commit introduce a new command line argument to specify the +CSF path folder and prepare it to automate the build process. + +Signed-off-by: Arturo Buzarra --- - keys/hab4_pki_tree.sh | 347 ++++++++++++++++---------------------------------- - 1 file changed, 107 insertions(+), 240 deletions(-) + keys/hab4_pki_tree.sh | 78 ++++++++++++++++++++++++++++--------------- + 1 file changed, 51 insertions(+), 27 deletions(-) diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh -index 7dd67f68c8df..b2c6b71b604e 100755 +index 944cc66..39ed3bf 100755 --- a/keys/hab4_pki_tree.sh 
+++ b/keys/hab4_pki_tree.sh -@@ -42,84 +42,40 @@ - # - #----------------------------------------------------------------------------- - --printf "\n" --printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" --printf " This script is a part of the Code signing tools for Freescale's\n" --printf " High Assurance Boot. It generates a basic PKI tree. The PKI\n" --printf " tree consists of one or more Super Root Keys (SRK), with each\n" --printf " SRK having two subordinate keys: \n" --printf " + a Command Sequence File (CSF) key \n" --printf " + Image key. \n" --printf " Additional keys can be added to the PKI tree but a separate \n" --printf " script is available for this. This this script assumes openssl\n" --printf " is installed on your system and is included in your search \n" --printf " path. Finally, the private keys generated are password \n" --printf " protectedwith the password provided by the file key_pass.txt.\n" --printf " The format of the file is the password repeated twice:\n" --printf " my_password\n" --printf " my_password\n" --printf " All private keys in the PKI tree are in PKCS #8 format will be\n" --printf " protected by the same password.\n\n" --printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" -- --stty erase  -- --printf "Do you want to use an existing CA key (y/n)?: \b" --read existing_ca --if [ $existing_ca = "y" ] --then -- printf "Enter CA key name: \b" -- read ca_key -- printf "Enter CA certificate name: \b" -- read ca_cert +@@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" + + stty erase  + +SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)" -+CSF_PATH="${1}" -+if [ ! 
-d "${CSF_PATH}" ]; then -+ echo "Invalid CSF_PATH: ${CSF_PATH}" -+ exit 1 - fi - --printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b" --read use_ecc --if [ $use_ecc = "y" ] --then -- printf "Enter length for elliptic curve to be used for PKI tree:\n" -- printf "Possible values p256, p384, p521: \b" -- read kl -- -- # Confirm that a valid key length has been entered -- case $kl in -- p256) -- cn="prime256v1" ;; -- p384) -- cn="secp384r1" ;; -- p521) -- cn="secp521r1" ;; -- *) -- echo Invalid key length. Supported key lengths: 256, 384, 521 -- exit 1 ;; -- esac --else -- printf "Enter key length in bits for PKI tree: \b" -- read kl -- -- # Confirm that a valid key length has been entered -- case $kl in -- 1024) ;; -- 2048) ;; -- 3072) ;; -- 4096) ;; -- *) -- echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096 -- exit 1 ;; -- esac --fi -+cd "${CSF_PATH}" + + if [ $# -gt 0 ]; then + interactive="n" + else +@@ -80,7 +82,7 @@ usage() + echo "$0" + echo + echo "Command Line Mode:" +- echo "$0 -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -duration -num-srk <1-4> -srk-ca " ++ echo "$0 [-csf-path] -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -duration -num-srk <1-4> -srk-ca " + echo "Options:" + echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521" + echo " : -use-ecc = n then Supported key lengths: 1024, 2048, 3072, 4096" +@@ -89,10 +91,18 @@ usage() + echo + } + +-max_param=16 +-min_param=12 ++max_param=18 ++min_param=1 + num_param=1 + ++# Default values ++existing_ca="n" ++use_ecc="n" ++kl=4096 ++duration=10 ++num_srk=4 ++srk_ca="y" ++ + if [ $interactive = "n" ] + then + # Validate command line parameters +@@ -111,6 +121,11 @@ then + while [ $num_param -le $max_param ] && [ "$1" != "" ] + do + case $1 in ++ -csf-path) ++ shift ++ CSF_PATH=$1 ++ shift ++ ;; + -existing-ca) + shift + existing_ca=$1 +@@ -164,9 +179,8 @@ then + shift + ;; + *) +- echo "ERROR: Invalid parameter: $1" +- usage +- exit 1 ++ CSF_PATH=$1 ++ 
shift + ;; + esac + num_param=$(( num_param + 2 )) +@@ -242,6 +256,16 @@ then + read duration + fi + ++# CSF folder structure ++if [ ! -d "${CSF_PATH}" ]; then ++ echo "Invalid CSF_PATH: ${CSF_PATH}" ++ usage ++ exit 1 ++fi ++cd "${CSF_PATH}" +[ -d crts ] || mkdir crts +[ -d keys ] || mkdir keys - -+cd keys - -+existing_ca="n" -+kl="4096" - --printf "Enter PKI tree duration (years): \b" --read duration -+# Confirm that a valid key length has been entered -+case $kl in -+ 1024) ;; -+ 2048) ;; -+ 3072) ;; -+ 4096) ;; -+ *) -+ echo Invalid key length. Supported key lengths: 1024, 2048, 3072, 4096 -+ exit 1 ;; -+esac + -+duration="10" - # Compute validity period val_period=$((duration*365)) - --printf "How many Super Root Keys should be generated? \b" --read num_srk -+num_srk="4" - - # Check that 0 < num_srk <= 4 (Max. number of SRKs) - if [ $num_srk -lt 1 ] || [ $num_srk -gt 4 ] -@@ -128,10 +84,7 @@ then - exit 1 + +@@ -275,9 +299,9 @@ then + script_name=$0 fi - --# Check if SRKs should be generated as CA certs or user certs --printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b" --read srk_ca -- -+srk_ca="y" - # Check that the file "serial" is present, if not create it: - if [ ! -f serial ] + script_path=$(cd $(dirname "${script_name}") && pwd -P) +-keys_dir=${script_path}/../keys/ +-crts_dir=${script_path}/../crts/ +-ca_dir=${script_path}/../ca/ ++keys_dir=${CSF_PATH}/keys/ ++crts_dir=${CSF_PATH}/crts/ ++ca_dir=${CSF_PATH}/ca/ + + if [ ! 
-d "${keys_dir}" ] then -@@ -154,6 +107,9 @@ echo "unique_subject = no" > index.txt.attr - - if [ $existing_ca = "n" ] - then -+ ca_key=./CA1_sha256_${kl}_65537_v3_ca_key -+ ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt -+ - # Generate CA key and certificate - # ------------------------------- - echo -@@ -161,31 +117,12 @@ then - echo + Generating CA key and certificate + - echo +++++++++++++++++++++++++++++++++++++ - echo -- -- if [ $use_ecc = 'n' ] -- then -- ca_key=./CA1_sha256_${kl}_65537_v3_ca_key -- ca_cert=../crts/CA1_sha256_${kl}_65537_v3_ca_crt -- ca_subj_req=/CN=CA1_sha256_${kl}_65537_v3_ca/ -- ca_key_type=rsa:${kl} -- else -- -- # Generate Elliptic Curve parameters: -- eck='ec-'$cn'.pem' -- openssl ecparam -out $eck -name $cn -- -- ca_key=./CA1_sha256_${cn}_v3_ca_key -- ca_cert=../crts/CA1_sha256_${cn}_v3_ca_crt -- ca_subj_req=/CN=CA1_sha256_${cn}_v3_ca/ -- ca_key_type=ec:${eck} -- fi -- -- openssl req -newkey ${ca_key_type} -passout file:./key_pass.txt \ -- -subj ${ca_subj_req} \ -- -x509 -extensions v3_ca \ -- -keyout temp_ca.pem \ -- -out ${ca_cert}.pem \ +@@ -291,11 +315,11 @@ then + exit 1 + fi + +-if [ ! -d "${ca_dir}" ] +-then +- echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." +- exit 1 +-fi ++# if [ ! -d "${ca_dir}" ] ++# then ++# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." ++# exit 1 ++# fi + + # Switch current working directory to keys directory, if needed. 
+ if [ "${crt_dir}" != "${keys_dir}" ] +@@ -365,7 +389,7 @@ then + -x509 -extensions v3_ca \ + -keyout temp_ca.pem \ + -out ${ca_cert}.pem \ - -days ${val_period} -config ../ca/openssl.cnf -+ openssl req -newkey rsa:${kl} -passout file:./key_pass.txt \ -+ -subj /CN=CA1_sha256_${kl}_65537_v3_ca/ \ -+ -x509 -extensions v3_ca \ -+ -keyout temp_ca.pem \ -+ -out ${ca_cert}.pem \ -+ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" - ++ -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" + # Generate CA key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -@@ -202,7 +139,7 @@ then +@@ -382,7 +406,7 @@ then openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der - + # Cleanup - \rm temp_ca.pem + rm temp_ca.pem fi - - -@@ -219,64 +156,48 @@ then - echo + Generating SRK key and certificate $i + - echo ++++++++++++++++++++++++++++++++++++++++ - echo -- if [ $use_ecc = 'n' ] -- then -- # Generate SRK key -- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ -- -out ./temp_srk.pem ${kl} -- -- srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_usr/ -- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt -- srk_key=./SRK${i}_sha256_${kl}_65537_v3_usr_key -- else -- # Generate Elliptic Curve parameters: -- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey -- # Generate SRK key -- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \ -- -out ./temp_srk.pem -- -- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_usr/ -- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_usr_crt -- srk_key=./SRK${i}_sha256_${cn}_v3_usr_key -- fi -+ -+ # Generate SRK key -+ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ -+ -out ./temp_srk.pem ${kl} - - # Generate SRK certificate signing request - openssl req -new -batch -passin file:./key_pass.txt \ -- -subj ${srk_subj_req} \ -+ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_usr/ \ - -key ./temp_srk.pem \ - -out ./temp_srk_req.pem - - # Generate SRK 
certificate (this is a CA cert) -- openssl ca -batch -passin file:./key_pass.txt \ -- -md sha256 -outdir ./ \ -- -in ./temp_srk_req.pem \ -- -cert ${ca_cert}.pem \ -+ openssl ca -batch -passin file:./key_pass.txt \ -+ -md sha256 -outdir ./ \ -+ -in ./temp_srk_req.pem \ -+ -cert ${ca_cert}.pem \ + + +@@ -432,10 +456,10 @@ then + -in ./temp_srk_req.pem \ + -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ - -extfile ../ca/v3_usr.cnf \ -- -out ${srk_crt}.pem \ -- -days ${val_period} \ ++ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ + -out ${srk_crt}.pem \ + -days ${val_period} \ - -config ../ca/openssl.cnf -+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ -+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \ -+ -days ${val_period} \ -+ -config "${SCRIPT_BASEDIR}/openssl.cnf" - ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -- -in ${srk_crt}.pem \ -- -out ${srk_crt}.der -+ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.pem \ -+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_usr_crt.der - - # Generate SRK key in PKCS #8 format - both PEM and DER - openssl pkcs8 -passin file:./key_pass.txt \ - -passout file:./key_pass.txt \ - -topk8 -inform PEM -outform DER -v2 des3 \ - -in temp_srk.pem \ -- -out ${srk_key}.der -+ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.der - - openssl pkcs8 -passin file:./key_pass.txt \ - -passout file:./key_pass.txt \ - -topk8 -inform PEM -outform PEM -v2 des3 \ - -in temp_srk.pem \ -- -out ${srk_key}.pem -+ -out ./SRK${i}_sha256_${kl}_65537_v3_usr_key.pem - +@@ -456,7 +480,7 @@ then + -out ${srk_key}.pem + # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem + rm ./temp_srk.pem ./temp_srk_req.pem i=$((i+1)) done else -@@ -293,98 +214,60 @@ do - echo ++++++++++++++++++++++++++++++++++++++++ - echo - -- if [ $use_ecc = 'n' ] -- then -- # Generate SRK key -- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ -- -out ./temp_srk.pem ${kl} -- -- 
srk_subj_req=/CN=SRK${i}_sha256_${kl}_65537_v3_ca/ -- srk_crt=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt -- srk_key=./SRK${i}_sha256_${kl}_65537_v3_ca_key -- else -- # Generate Elliptic Curve parameters: -- openssl ecparam -out ./temp_srk.pem -name ${cn} -genkey -- # Generate SRK key -- openssl ec -in ./temp_srk.pem -des3 -passout file:./key_pass.txt \ -- -out ./temp_srk.pem -- -- srk_subj_req=/CN=SRK${i}_sha256_${cn}_v3_ca/ -- srk_crt=../crts/SRK${i}_sha256_${cn}_v3_ca_crt -- srk_key=./SRK${i}_sha256_${cn}_v3_ca_key -- fi -+ # Generate SRK key -+ openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ -+ -out ./temp_srk.pem ${kl} -+ - # Generate SRK certificate signing request -- openssl req -new -batch -passin file:./key_pass.txt \ -- -subj ${srk_subj_req} \ -- -key ./temp_srk.pem \ -- -out ./temp_srk_req.pem -+ openssl req -new -batch -passin file:./key_pass.txt \ -+ -subj /CN=SRK${i}_sha256_${kl}_65537_v3_ca/ \ -+ -key ./temp_srk.pem \ -+ -out ./temp_srk_req.pem - - # Generate SRK certificate (this is a CA cert) -- openssl ca -batch -passin file:./key_pass.txt \ -- -md sha256 -outdir ./ \ -- -in ./temp_srk_req.pem \ -- -cert ${ca_cert}.pem \ -- -keyfile ${ca_key}.pem \ +@@ -505,10 +529,10 @@ do + -in ./temp_srk_req.pem \ + -cert ${ca_cert}.pem \ + -keyfile ${ca_key}.pem \ - -extfile ../ca/v3_ca.cnf \ -- -out ${srk_crt}.pem \ -- -days ${val_period} \ ++ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \ + -out ${srk_crt}.pem \ + -days ${val_period} \ - -config ../ca/openssl.cnf -+ openssl ca -batch -passin file:./key_pass.txt \ -+ -md sha256 -outdir ./ \ -+ -in ./temp_srk_req.pem \ -+ -cert ${ca_cert}.pem \ -+ -keyfile ${ca_key}.pem \ -+ -extfile "${SCRIPT_BASEDIR}/v3_ca.cnf" \ -+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ -+ -days ${val_period} \ -+ -config "${SCRIPT_BASEDIR}/openssl.cnf" - ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" + # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -- -in ${srk_crt}.pem \ -- -out 
${srk_crt}.der -+ -in ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ -+ -out ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.der - - # Generate SRK key in PKCS #8 format - both PEM and DER -- openssl pkcs8 -passin file:./key_pass.txt \ -- -passout file:./key_pass.txt \ -+ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ - -topk8 -inform PEM -outform DER -v2 des3 \ - -in temp_srk.pem \ -- -out ${srk_key}.der -+ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.der - -- openssl pkcs8 -passin file:./key_pass.txt \ -- -passout file:./key_pass.txt \ -+ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ - -topk8 -inform PEM -outform PEM -v2 des3 \ - -in temp_srk.pem \ -- -out ${srk_key}.pem -+ -out ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem - - # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem - -+ - echo - echo ++++++++++++++++++++++++++++++++++++++++ - echo + Generating CSF key and certificate $i + - echo ++++++++++++++++++++++++++++++++++++++++ - echo - -- if [ $use_ecc = 'n' ] -- then -- srk_crt_i=../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem -- srk_key_i=./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem -- # Generate key -- openssl genrsa -des3 -passout file:./key_pass.txt -f4 \ -- -out ./temp_csf.pem ${kl} -- -- csf_subj_req=/CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ -- csf_crt=../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt -- csf_key=./CSF${i}_1_sha256_${kl}_65537_v3_usr_key -- else -- srk_crt_i=../crts/SRK${i}_sha256_${cn}_v3_ca_crt.pem -- srk_key_i=./SRK${i}_sha256_${cn}_v3_ca_key.pem -- # Generate Elliptic Curve parameters: -- openssl ecparam -out ./temp_csf.pem -name ${cn} -genkey -- # Generate key -- openssl ec -in ./temp_csf.pem -des3 -passout file:./key_pass.txt \ -- -out ./temp_csf.pem -- -- csf_subj_req=/CN=CSF${i}_1_sha256_${cn}_v3_usr/ -- csf_crt=../crts/CSF${i}_1_sha256_${cn}_v3_usr_crt -- csf_key=./CSF${i}_1_sha256_${cn}_v3_usr_key -- fi -+ # Generate key -+ openssl genrsa -des3 -passout file:./key_pass.txt \ -+ -f4 
-out ./temp_csf.pem ${kl} - - # Generate CSF certificate signing request - openssl req -new -batch -passin file:./key_pass.txt \ -- -subj ${csf_subj_req} \ -+ -subj /CN=CSF${i}_1_sha256_${kl}_65537_v3_usr/ \ - -key ./temp_csf.pem \ - -out ./temp_csf_req.pem - -@@ -392,31 +275,31 @@ do - openssl ca -batch -md sha256 -outdir ./ \ - -passin file:./key_pass.txt \ +@@ -574,10 +598,10 @@ do -in ./temp_csf_req.pem \ -- -cert ${srk_crt_i} \ -- -keyfile ${srk_key_i} \ + -cert ${srk_crt_i} \ + -keyfile ${srk_key_i} \ - -extfile ../ca/v3_usr.cnf \ -- -out ${csf_crt}.pem \ -+ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ -+ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \ + -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ -+ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ + -out ${csf_crt}.pem \ -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert CSF Certificate to DER format openssl x509 -inform PEM -outform DER \ -- -in ${csf_crt}.pem \ -- -out ${csf_crt}.der -+ -in ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ -+ -out ../crts/CSF${i}_1_sha256_${kl}_65537_v3_usr_crt.der - - # Generate CSF key in PKCS #8 format - both PEM and DER - openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ - -topk8 -inform PEM -outform DER -v2 des3 \ - -in temp_csf.pem \ -- -out ${csf_key}.der -+ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.der - - openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ - -topk8 -inform PEM -outform PEM -v2 des3 \ - -in temp_csf.pem \ -- -out ${csf_key}.pem -+ -out ./CSF${i}_1_sha256_${kl}_65537_v3_usr_key.pem - +@@ -596,7 +620,7 @@ do + -out ${csf_key}.pem + # Cleanup - \rm ./temp_csf.pem ./temp_csf_req.pem + rm ./temp_csf.pem ./temp_csf_req.pem - + echo echo ++++++++++++++++++++++++++++++++++++++++ -@@ -424,61 +307,45 @@ do - echo ++++++++++++++++++++++++++++++++++++++++ - echo - -- if [ $use_ecc = 'n' ] -- then -- # Generate key -- openssl 
genrsa -des3 -passout file:./key_pass.txt -f4 \ -- -out ./temp_img.pem ${kl} -- -- img_subj_req=/CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ -- img_crt=../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt -- img_key=./IMG${i}_1_sha256_${kl}_65537_v3_usr_key -- else -- # Generate Elliptic Curve parameters: -- openssl ecparam -out ./temp_img.pem -name ${cn} -genkey -- # Generate key -- openssl ec -in ./temp_img.pem -des3 -passout file:./key_pass.txt \ -- -out ./temp_img.pem -- -- img_subj_req=/CN=IMG${i}_1_sha256_${cn}_v3_usr/ -- img_crt=../crts/IMG${i}_1_sha256_${cn}_v3_usr_crt -- img_key=./IMG${i}_1_sha256_${cn}_v3_usr_key -- fi -+ # Generate key -+ openssl genrsa -des3 -passout file:./key_pass.txt \ -+ -f4 -out ./temp_img.pem ${kl} - - # Generate IMG certificate signing request - openssl req -new -batch -passin file:./key_pass.txt \ -- -subj ${img_subj_req} \ -+ -subj /CN=IMG${i}_1_sha256_${kl}_65537_v3_usr/ \ - -key ./temp_img.pem \ - -out ./temp_img_req.pem - - openssl ca -batch -md sha256 -outdir ./ \ - -passin file:./key_pass.txt \ +@@ -636,10 +660,10 @@ do -in ./temp_img_req.pem \ -- -cert ${srk_crt_i} \ -- -keyfile ${srk_key_i} \ + -cert ${srk_crt_i} \ + -keyfile ${srk_key_i} \ - -extfile ../ca/v3_usr.cnf \ -- -out ${img_crt}.pem \ -+ -cert ../crts/SRK${i}_sha256_${kl}_65537_v3_ca_crt.pem \ -+ -keyfile ./SRK${i}_sha256_${kl}_65537_v3_ca_key.pem \ + -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ -+ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ + -out ${img_crt}.pem \ -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert IMG Certificate to DER format openssl x509 -inform PEM -outform DER \ -- -in ${img_crt}.pem \ -- -out ${img_crt}.der -+ -in ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.pem \ -+ -out ../crts/IMG${i}_1_sha256_${kl}_65537_v3_usr_crt.der - - # Generate IMG key in PKCS #8 format - both PEM and DER - openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ - -topk8 -inform PEM 
-outform DER -v2 des3 \ - -in temp_img.pem \ -- -out ${img_key}.der -+ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.der - - openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ - -topk8 -inform PEM -outform PEM -v2 des3 \ - -in temp_img.pem \ -- -out ${img_key}.pem -+ -out ./IMG${i}_1_sha256_${kl}_65537_v3_usr_key.pem - +@@ -658,7 +682,7 @@ do + -out ${img_key}.pem + # Cleanup - \rm ./temp_img.pem ./temp_img_req.pem + rm ./temp_img.pem ./temp_img_req.pem -+ - + i=$((i+1)) done diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch index d8a80eac2..4aa674105 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-openssl_helper-use-dev-urandom-as-seed-source.patch @@ -6,14 +6,14 @@ This is needed in order to avoid indefinitely blocking. Signed-off-by: Diaz de Grenu, Jose --- - code/back_end/src/openssl_helper.c | 2 +- + code/cst/code/common/src/openssl_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/code/back_end/src/openssl_helper.c b/code/back_end/src/openssl_helper.c -index 3c9c779092c5..f0cd4e06f0dd 100644 ---- a/code/back_end/src/openssl_helper.c -+++ b/code/back_end/src/openssl_helper.c -@@ -486,7 +486,7 @@ void print_version(void) +diff --git a/code/cst/code/common/src/openssl_helper.c b/code/cst/code/common/src/openssl_helper.c +index 871cf55..b62c8a8 100755 +--- a/code/cst/code/common/src/openssl_helper.c ++++ b/code/cst/code/common/src/openssl_helper.c +@@ -414,7 +414,7 @@ void print_version(void) ---------------------------*/ uint32_t seed_prng(uint32_t bytes) { 
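Review bot: In the refreshed 0002 patch for keys/hab4_pki_tree.sh the `*)` arm of the option loop no longer rejects unknown arguments; the removed `echo "ERROR: Invalid parameter: $1"`, `usage`, `exit 1` is replaced by `CSF_PATH=$1` and `shift`. Together with `min_param=1` and the new "Default values" block, a misspelled option and its value are each taken as a CSF path, and if the real path comes later on the command line the PKI tree is generated with `kl=4096`, `duration=10`, `num_srk=4` instead of what the operator asked for, with no diagnostic. For a script that creates the signing keys I would keep the error for anything that starts with a dash, for example an arm `-*) echo "ERROR: Invalid parameter: $1"; usage; exit 1 ;;` placed ahead of `*)`. The same change is made in the 0005 patch for keys/ahab_pki_tree.sh; only part of the argument loop is visible in these inner hunks.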
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
index ed165689a..cafd77ef6 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-hab4_pki_tree.sh-usa-a-random-password-for-the-defau.patch
@@ -9,10 +9,10 @@ Signed-off-by: Diaz de Grenu, Jose
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
-index b2c6b71b604e..93347521cea1 100755
+index 39ed3bf..ac6fb29 100755
 --- a/keys/hab4_pki_tree.sh
 +++ b/keys/hab4_pki_tree.sh
-@@ -95,9 +95,10 @@ fi
+@@ -342,9 +342,10 @@ fi
 # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
 if [ ! -f key_pass.txt ]
 then
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch
index d238c945c..e5e60aff1 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-ahab_pki_tree.sh-automate-script.patch
@@ -1,166 +1,157 @@ -From: Mike Engel -Date: Fri, 24 Jan 2020 17:31:50 +0100 +From: Arturo Buzarra +Date: Wed, 22 Jul 2020 15:10:21 +0200 Subject: [PATCH] ahab_pki_tree.sh: automate script -Signed-off-by: Mike Engel +This commit introduce a new command line argument to specify the +CSF path folder and prepare it to automate the build process. + +Signed-off-by: Arturo Buzarra --- - keys/ahab_pki_tree.sh | 116 ++++++++++++++++++------------------------------------- - 1 file changed, 38 insertions(+), 78 deletions(-) + keys/ahab_pki_tree.sh | 70 +++++++++++++++++++++++++++++-------------- + 1 file changed, 47 insertions(+), 23 deletions(-) diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh -index 988c27e..00dd143 100755 +index f5ab36c..2c16533 100755 --- a/keys/ahab_pki_tree.sh 
+++ b/keys/ahab_pki_tree.sh -@@ -47,74 +47,36 @@ - # - #----------------------------------------------------------------------------- - --printf "\n" --printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" --printf " This script is a part of the Code signing tools for NXP's\n" --printf " Advanced High Assurance Boot. It generates a basic PKI tree. The\n" --printf " PKI tree consists of one or more Super Root Keys (SRK), with each\n" --printf " SRK having one subordinate keys: \n" --printf " + a Signing key (SGK) \n" --printf " Additional keys can be added to the PKI tree but a separate \n" --printf " script is available for this. This this script assumes openssl\n" --printf " is installed on your system and is included in your search \n" --printf " path. Finally, the private keys generated are password \n" --printf " protectedwith the password provided by the file key_pass.txt.\n" --printf " The format of the file is the password repeated twice:\n" --printf " my_password\n" --printf " my_password\n" --printf " All private keys in the PKI tree are in PKCS #8 format will be\n" --printf " protected by the same password.\n\n" --printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" -- --stty erase  -- --printf "Do you want to use an existing CA key (y/n)?: \b" --read existing_ca --if [ $existing_ca = "y" ] --then -- printf "Enter CA key name: \b" -- read ca_key -- printf "Enter CA certificate name: \b" -- read ca_cert +@@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" + + stty erase  + +SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)" -+CSF_PATH="${1}" -+if [ ! 
-d "${CSF_PATH}" ]; then -+ echo "Invalid CSF_PATH: ${CSF_PATH}" -+ exit 1 - fi - --printf "Do you want to use Elliptic Curve Cryptography (y/n)?: \b" --read use_ecc --if [ $use_ecc = "y" ] --then -- printf "Enter length for elliptic curve to be used for PKI tree:\n" -- printf "Possible values p256, p384, p521: \b" -- read kl -- -- # Confirm that a valid key length has been entered -- case $kl in -- p256) -- cn="prime256v1" ;; -- p384) -- cn="secp384r1" ;; -- p521) -- cn="secp521r1" ;; -- *) -- echo Invalid key length. Supported key lengths: 256, 384, 521 -- exit 1 ;; -- esac --else -- printf "Enter key length in bits for PKI tree: \b" -- read kl -- -- # Confirm that a valid key length has been entered -- case $kl in -- 2048) ;; -- 3072) ;; -- 4096) ;; -- *) -- echo Invalid key length. Supported key lengths: 2048, 3072, 4096 -- exit 1 ;; -- esac --fi -+cd "${CSF_PATH}" + + if [ $# -gt 0 ]; then + interactive="n" + else +@@ -78,7 +80,7 @@ usage() + echo "$0" + echo + echo "Command Line Mode:" +- echo "$0 -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -da -duration -srk-ca " ++ echo "$0 [-csf-path] -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -da -duration -srk-ca " + echo "Options:" + echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521" + echo " : -use-ecc = n then Supported key lengths: 2048, 3072, 4096" +@@ -88,10 +90,18 @@ usage() + echo + } + +-max_param=16 +-min_param=12 ++max_param=18 ++min_param=1 + num_param=1 + ++# Default values ++existing_ca="n" ++use_ecc="y" ++kl=p521 ++da=sha512 ++duration=10 ++srk_ca="y" ++ + if [ $interactive = "n" ] + then + # Validate command line parameters +@@ -110,6 +120,11 @@ then + while [ $num_param -le $max_param ] && [ "$1" != "" ] + do + case $1 in ++ -csf-path) ++ shift ++ CSF_PATH=$1 ++ shift ++ ;; + -existing-ca) + shift + existing_ca=$1 +@@ -163,9 +178,8 @@ then + shift + ;; + *) +- echo "ERROR: Invalid parameter: $1" +- usage +- exit 1 ++ CSF_PATH=$1 ++ shift + ;; + esac + num_param=$(( num_param + 2 
)) +@@ -255,6 +269,16 @@ then + read duration + fi + ++# CSF folder structure ++if [ ! -d "${CSF_PATH}" ]; then ++ echo "Invalid CSF_PATH: ${CSF_PATH}" ++ usage ++ exit 1 ++fi ++cd "${CSF_PATH}" +[ -d crts ] || mkdir crts +[ -d keys ] || mkdir keys -+ -+cd keys + -+use_ecc="y" -+existing_ca="n" -+kl="p521" -+cn="secp521r1" -+ -+# Confirm that a valid key length has been entered -+case $kl in -+ p256);; -+ p384);; -+ p521);; -+ *) -+ echo Invalid key length. Supported key lengths: 256, 384, 521 -+ exit 1 ;; -+esac - --printf "Enter the digest algorithm to use: \b" --read da -+da="sha512" - - # Confirm that a valid digest algorithm has been entered - case $da in -@@ -126,8 +88,7 @@ case $da in - exit 1 ;; - esac - --printf "Enter PKI tree duration (years): \b" --read duration -+duration="10" - # Compute validity period val_period=$((duration*365)) -@@ -144,8 +105,7 @@ then + +@@ -286,9 +310,9 @@ then + script_name=$0 fi - - # Check if SRKs should be generated as CA certs or user certs --printf "Do you want the SRK certificates to have the CA flag set? (y/n)?: \b" --read srk_ca -+srk_ca="y" - - # Check that the file "serial" is present, if not create it: - if [ ! -f serial ] -@@ -201,7 +161,7 @@ then + script_path=$(cd $(dirname "${script_name}") && pwd -P) +-keys_dir=${script_path}/../keys/ +-crts_dir=${script_path}/../crts/ +-ca_dir=${script_path}/../ca/ ++keys_dir=${CSF_PATH}/keys/ ++crts_dir=${CSF_PATH}/crts/ ++ca_dir=${CSF_PATH}/ca/ + + if [ ! -d "${keys_dir}" ] + then +@@ -302,11 +326,11 @@ then + exit 1 + fi + +-if [ ! -d "${ca_dir}" ] +-then +- echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." +- exit 1 +-fi ++# if [ ! -d "${ca_dir}" ] ++# then ++# echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." ++# exit 1 ++# fi + + # Switch current working directory to keys directory, if needed. 
+ if [ "${crt_dir}" != "${keys_dir}" ] +@@ -377,7 +401,7 @@ then -x509 -extensions v3_ca \ -keyout temp_ca.pem \ -out ${ca_cert}.pem \ - -days ${val_period} -config ../ca/openssl.cnf + -days ${val_period} -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Generate CA key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -@@ -218,7 +178,7 @@ then +@@ -394,7 +418,7 @@ then openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der - + # Cleanup - \rm temp_ca.pem + rm temp_ca.pem fi - - -@@ -292,7 +252,7 @@ then + + +@@ -468,7 +492,7 @@ then -out ${srk_key}.pem - + # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem + rm ./temp_srk.pem ./temp_srk_req.pem i=$((i+1)) done else -@@ -341,10 +301,10 @@ do +@@ -517,10 +541,10 @@ do -in ./temp_srk_req.pem \ -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ @@ -170,19 +161,19 @@ index 988c27e..00dd143 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -365,7 +325,7 @@ do +@@ -541,7 +565,7 @@ do -out ${srk_key}.pem - + # Cleanup - \rm ./temp_srk.pem ./temp_srk_req.pem + rm ./temp_srk.pem ./temp_srk_req.pem - + echo echo ++++++++++++++++++++++++++++++++++++++++ -@@ -410,10 +370,10 @@ do +@@ -586,10 +610,10 @@ do -in ./temp_sgk_req.pem \ -cert ${srk_crt_i} \ -keyfile ${srk_key_i} \ @@ -192,15 +183,15 @@ index 988c27e..00dd143 100755 -days ${val_period} \ - -config ../ca/openssl.cnf + -config "${SCRIPT_BASEDIR}/openssl.cnf" - + # Convert SGK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -432,7 +392,7 @@ do +@@ -608,7 +632,7 @@ do -out ${sgk_key}.pem - + # Cleanup - \rm ./temp_sgk.pem ./temp_sgk_req.pem + rm ./temp_sgk.pem ./temp_sgk_req.pem - + i=$((i+1)) done 
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
index ab49ef09a..1c715b10f 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch
@@ -9,10 +9,10 @@ Signed-off-by: Mike Engel
 1 file changed, 4 insertions(+), 3 deletions(-)

 diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
-index 00dd143..8b81143 100755
+index 2c16533..b85b00d 100755
 --- a/keys/ahab_pki_tree.sh
 +++ b/keys/ahab_pki_tree.sh
-@@ -117,9 +117,10 @@ fi
+@@ -353,9 +353,10 @@ fi
 # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
 if [ ! -f key_pass.txt ]
 then
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/Makefile b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/Makefile
deleted file mode 100644
index 194718797..000000000
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/Makefile
+++ /dev/null
@@ -1,23 +0,0 @@
-TARGET = linux64/cst
-LIBS = -lfrontend -lcrypto
-CFLAGS += -g -Wall
-
-.PHONY: default all clean
-
-default: $(TARGET)
-all: default
-
-OBJECTS = code/back_end/src/*.c
-HEADERS = code/back_end/hdr
-LIBS_PATH = linux64/lib
-
-%.o: %.c
- $(CC) $(CFLAGS) -c $< -o $@
-
-.PRECIOUS: $(TARGET) $(OBJECTS)
-
-$(TARGET): $(OBJECTS)
- $(CC) $(OBJECTS) $(CFLAGS) $(LDFLAGS) -L $(LIBS_PATH) $(LIBS) -I $(HEADERS) -o $@
-
-clean:
- -rm -f *.o $(TARGET)
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.1.0.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb
similarity index 100%
rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.1.0.bb
rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst_3.3.1.bb