From 6b1d790c95887eccbc588e65a0a1929237cc2697 Mon Sep 17 00:00:00 2001
From: "Diaz de Grenu, Jose"
Date: Fri, 2 Dec 2016 15:36:18 +0100
Subject: [PATCH] meta-digi-arm: linux-dey: create postfunc for trustfence

The kernel recipe was modifying the device tree blobs in place within the kernel build temporal directory. This can cause problems after several compilations, only the deployed artifacts should be signed/encrypted. The deployment of the DTBs is done by do_deploy_appends in other layers which are appended after this recipe, so it is required to use a postfunc to do the trustfence related process after the deployment of all the artifacts. https://jira.digi.com/browse/DEL-3388
Signed-off-by: Diaz de Grenu, Jose
---
 .../recipes-kernel/linux/linux-dey.inc | 44 +++++++++++--------
 1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
index fc77b74c0..45990474e 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
@@ -27,28 +27,34 @@ S = "${WORKDIR}/git"
 KERNEL_EXTRA_ARGS += "LOADADDR=${UBOOT_ENTRYPOINT}"
 
 do_deploy_append() {
- if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
- # Set environment variables for trustfence configuration
- export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
- [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
- [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
-
- # Sign/encrypt the kernel image
- "${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" -p "${DIGI_FAMILY}" -l "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin"
- mv "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin"
-
- # Sign/encrypt the device tree blobs
- if [ -n "${KERNEL_DEVICETREE}" ]; then
- for DTB_NAME in ${KERNEL_DEVICETREE}; do
- DTB="${B}/arch/${ARCH}/boot/dts/${DTB_NAME}"
- "${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" -p "${DIGI_FAMILY}" -d "${DTB}" "${DTB}-signed"
- mv "${DTB}-signed" "${DTB}"
- done
- fi
- fi
 (cd ${DEPLOYDIR} && ln -sf ${KERNEL_IMAGE_BASE_NAME}.bin ${KERNEL_IMAGE_SYMLINK_NAME})
 }
 
+do_deploy[postfuncs] += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
+
+trustfence_sign() {
+ # Set environment variables for trustfence configuration
+ export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+ [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+ [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
+
+ # Sign/encrypt the kernel image
+ KERNEL_IMAGE="$(readlink -e ${DEPLOYDIR}/${KERNEL_IMAGE_SYMLINK_NAME})"
+ TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${DEPLOYDIR}/${KERNEL_IMAGE_SYMLINK_NAME}-signed.XXXXXX)"
+ trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
+ mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
+
+ # Sign/encrypt the device tree blobs
+ if [ -n "${KERNEL_DEVICETREE}" ]; then
+ for DTB_NAME in ${KERNEL_DEVICETREE}; do
+ DTB=$(readlink -e ${DEPLOYDIR}/${KERNEL_IMAGETYPE}-${DTB_NAME})
+ TMP_DTB_SIGNED="$(mktemp ${DEPLOYDIR}/${KERNEL_IMAGETYPE}-${DTB_NAME}-signed.XXXXXX)"
+ trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB}" "${TMP_DTB_SIGNED}"
+ mv "${TMP_DTB_SIGNED}" "${DTB}"
+ done
+ fi
+}
+
 do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
 
 FILES_kernel-image += "/boot/config-${KERNEL_VERSION}"