Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

meta-digi-arm: trustfence-sign-tools: simplify script usage outside Yocto 

* Check number of arguments
* Add platform argument
* Read user configuration from .config file
* Remove unused variable (dek_blob_size)
* Remove noise in output messages

https://jira.digi.com/browse/DEL-2688

Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This commit is contained in:
Diaz de Grenu, Jose 2016-09-06 17:29:40 +02:00
parent c5df62cd05
commit 6b0fbddf3b
2 changed files with 25 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
View File

@ -23,6 +23,14 @@
# #
#=============================================================================== #===============================================================================
SCRIPT_NAME="$(basename ${0})"
SCRIPT_PATH="$(cd $(dirname ${0}) && pwd)"
if [ "${#}" != "2" ]; then
echo "Usage: ${SCRIPT_NAME} input-unsigned-image output-signed-image"
exit 1
fi
# Negative offset with respect to CONFIG_UIMAGE_LOADADDR in which U-Boot # Negative offset with respect to CONFIG_UIMAGE_LOADADDR in which U-Boot
# copies the DEK blob. # copies the DEK blob.
DEK_BLOB_OFFSET="0x100" DEK_BLOB_OFFSET="0x100"
@ -30,9 +38,10 @@ CONFIG_CSF_SIZE="0x4000"
UIMAGE_PATH="$(readlink -e ${1})" UIMAGE_PATH="$(readlink -e ${1})"
TARGET="$(readlink -m ${2})" TARGET="$(readlink -m ${2})"
SCRIPT_BASEDIR="$(cd $(dirname ${0}) && pwd)"
# Check arguments # Read user configuration file (if used)
[ -f .config ] && . ./.config
if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
echo "Undefined CONFIG_SIGN_KEYS_PATH"; echo "Undefined CONFIG_SIGN_KEYS_PATH";
exit 1 exit 1
@ -43,7 +52,7 @@ if [ -n "${CONFIG_DEK_PATH}" ]; then
if [ ! -f "${CONFIG_DEK_PATH}" ]; then if [ ! -f "${CONFIG_DEK_PATH}" ]; then
echo "DEK not found. Generating random 256 bit DEK." echo "DEK not found. Generating random 256 bit DEK."
[ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH}) [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1
fi fi
dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))" dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))"
if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then
@ -52,15 +61,19 @@ if [ -n "${CONFIG_DEK_PATH}" ]; then
fi fi
ENCRYPT="true" ENCRYPT="true"
fi fi
[ "${CONFIG_PLATFORM}" = "ccimx6" ] && CONFIG_UIMAGE_LOADADDR="0x12000000"
[ "${CONFIG_PLATFORM}" = "ccimx6ul" ] && CONFIG_UIMAGE_LOADADDR="0x80800000"
if [ -z "${CONFIG_UIMAGE_LOADADDR}" ]; then if [ -z "${CONFIG_UIMAGE_LOADADDR}" ]; then
echo "Undefined CONFIG_UIMAGE_LOADADDR" echo "Undefined CONFIG_UIMAGE_LOADADDR"
echo "As an alternative, define CONFIG_PLATFORM. Supported platforms: ccimx6, ccimx6ul"
exit 1 exit 1
fi fi
# Default values # Default values
[ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0" [ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0"
CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))" CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
[ -z "${CONFIG_DEK_SIZE}" ] && CONFIG_DEK_SIZE="128"
SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)" CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
@ -88,9 +101,7 @@ SRK_TABLE="$(pwd)/SRK_table.bin"
# Other constants # Other constants
GAP_FILLER="0x00" GAP_FILLER="0x00"
# Compute dek blob size in bytes: # The DEK blob is placed by U-Boot just before the kernel image
# header (8) + 256-bit AES key (32) + MAC (16) + custom key size in bytes
dek_blob_size="$((8 + 32 + 16 + CONFIG_DEK_SIZE/8))"
dek_blob_offset="$((CONFIG_UIMAGE_LOADADDR - DEK_BLOB_OFFSET))" dek_blob_offset="$((CONFIG_UIMAGE_LOADADDR - DEK_BLOB_OFFSET))"
# Compute the layout: sizes and offsets. # Compute the layout: sizes and offsets.
@ -144,7 +155,7 @@ if [ "${ENCRYPT}" = "true" ]; then
-e "s,%r2_uimage_offset%,${r2_uimage_offset},g" \ -e "s,%r2_uimage_offset%,${r2_uimage_offset},g" \
-e "s,%r2_ram_start%,${r2_ram_start},g" \ -e "s,%r2_ram_start%,${r2_ram_start},g" \
-e "s,%r2_size%,${r2_size},g" \ -e "s,%r2_size%,${r2_size},g" \
"${SCRIPT_BASEDIR}/csf_templates/encrypt_uimage" > csf_descriptor "${SCRIPT_PATH}/csf_templates/encrypt_uimage" > csf_descriptor
else else
sed -e "s,%ram_start%,${CONFIG_UIMAGE_LOADADDR},g" \ sed -e "s,%ram_start%,${CONFIG_UIMAGE_LOADADDR},g" \
-e "s,%srk_table%,${SRK_TABLE},g" \ -e "s,%srk_table%,${SRK_TABLE},g" \
@ -154,7 +165,7 @@ else
-e "s,%cert_img%,${CERT_IMG},g" \ -e "s,%cert_img%,${CERT_IMG},g" \
-e "s,%uimage_path%,${TARGET},g" \ -e "s,%uimage_path%,${TARGET},g" \
-e "s,%key_index%,${CONFIG_KEY_INDEX},g" \ -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
"${SCRIPT_BASEDIR}/csf_templates/sign_uimage" > csf_descriptor "${SCRIPT_PATH}/csf_templates/sign_uimage" > csf_descriptor
fi fi
# Generate SRK tables # Generate SRK tables
@ -184,7 +195,7 @@ IVT_HEADER="0x402000D1"
} >> "${TARGET}" } >> "${TARGET}"
CURRENT_PATH="$(pwd)" CURRENT_PATH="$(pwd)"
cst -o "${CURRENT_PATH}/csf.bin" -i "${CURRENT_PATH}/csf_descriptor" cst -o "${CURRENT_PATH}/csf.bin" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "[ERROR] Could not generate CSF" echo "[ERROR] Could not generate CSF"
exit 1 exit 1
@ -193,5 +204,7 @@ fi
cat csf.bin >> "${TARGET}" cat csf.bin >> "${TARGET}"
objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}" objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
echo "Signed uImage at ${TARGET}"
[ "${ENCRYPT}" = "true" ] && ENCRYPTED_MSG="and encrypted "
echo "Signed ${ENCRYPTED_MSG}image ready: ${TARGET}"
rm -f "${SRK_TABLE}" csf_descriptor csf.bin 2> /dev/null rm -f "${SRK_TABLE}" csf_descriptor csf.bin 2> /dev/null

9
meta-digi-arm/recipes-kernel/linux/linux-dey.inc
View File

@ -26,17 +26,10 @@ S = "${WORKDIR}/git"
# machine, with different entry points # machine, with different entry points
KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}" KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
# In order to sign and encrypt the uImage, we need to know the address
# in which U-Boot loads the uImage. This is CONFIG_LOADADDR in U-Boot
# configuration file.
UBOOT_CONFIG_LOADADDR = ""
UBOOT_CONFIG_LOADADDR_ccimx6 = "0x12000000"
UBOOT_CONFIG_LOADADDR_ccimx6ul = "0x80800000"
do_deploy_append() { do_deploy_append() {
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
export CONFIG_UIMAGE_LOADADDR="${UBOOT_CONFIG_LOADADDR}" export CONFIG_PLATFORM="${DIGI_FAMILY}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
"${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin" "${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin"