From 6c7bd330a466e583f8fd921696b549c2f23fde27 Mon Sep 17 00:00:00 2001
From: Arturo Buzarra
Date: Tue, 5 Jan 2021 09:22:22 +0100
Subject: [PATCH] trustfence-sign-artifact: add support for ccimx8x encryption

Add support to sign and encrypt OS artifacts for AHAB devices.

https://jira.digi.com/browse/DEL-7371

Signed-off-by: Arturo Buzarra
---
 .../trustfence-sign-tools/encrypt_ahab | 29 +++++++
 .../trustfence-sign-artifact.sh | 76 +++++++++++--------
 .../trustfence/trustfence-sign-tools_git.bb | 4 +-
 3 files changed, 75 insertions(+), 34 deletions(-)
 create mode 100644 meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab

diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
new file mode 100644
index 000000000..9e40c7e3a
--- /dev/null
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
@@ -0,0 +1,29 @@
+# The syntax for this file is documented in the AHAB Code Signing Tool
+# User's Guide which is included in the CST package distributed by NXP
+[Header]
+ Target = AHAB
+ Version = 1.0
+
+[Install SRK]
+ # SRK table generated by srktool
+ File = "%srk_table%"
+ # Public key certificate in PEM format
+ Source = "%cert_img%"
+ # Index of the public key certificate within the SRK table (0 .. 3)
+ Source index = %key_index%
+ # Type of SRK set (NXP or OEM)
+ Source set = OEM
+ # bitmask of the revoked SRKs
+ Revocations = 0x%key_index%
+
+[Authenticate Data]
+ # Binary to be signed generated by mkimage
+ File = "%kernel-img%"
+ # Offsets = Container header Signature block (printed out by mkimage)
+ Offsets = %container_offset% %block_offset%
+
+[Install Secret Key]
+ Key = "%dek_path%"
+ Key Length = %dek_len%
+ #Key Identifier = 0x1234CAFE
+ Image Indexes = 0xFFFFFFFF
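Review bot: `Revocations = 0x%key_index%` in the new [Install SRK] section produces a revocation mask by pasting the key index in as a hex digit, not by computing a bitmask, so the comment `# bitmask of the revoked SRKs` does not describe what is generated: index 1 yields 0x1 (SRK0 revoked), index 2 yields 0x2 (SRK1 revoked but SRK0 not), index 3 yields 0x3 (SRK0 and SRK1). If the intent is to revoke every SRK below the one in use, the substituted value should be a mask computed in trustfence-sign-artifact.sh; if the literal mapping is intended, say so in the template, e.g. `# Revocation bitmask, taken verbatim from the key index (index N -> 0xN); confirm this matches the key-rotation policy`. The existing sign_ahab template likely carries the same line and the same question. The [Install Secret Key] section would also benefit from a comment that `Key Length` is in bits, since the script fills it with dek_size computed as 8 times the DEK file size.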
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
index 1d4247756..45e1b1b26 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
@@ -3,7 +3,7 @@
 #
 # trustfence-sign-artifact.sh
 #
-# Copyright (C) 2016-2020 by Digi International Inc.
+# Copyright (C) 2016-2021 by Digi International Inc.
 # All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -122,29 +122,31 @@ if [ -z "${CONFIG_RAM_START}" ]; then
 exit 1
 fi
+# Get DEK key
+if [ -n "${CONFIG_DEK_PATH}" ]; then
+ if [ ! -f "${CONFIG_DEK_PATH}" ]; then
+ if [ "${PLATFORM}" = "ccimx8mn" ]; then
+ echo "DEK not found. Generating random 128 bit DEK."
+ [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
+ dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=16 count=1 >/dev/null 2>&1
+ else
+ echo "DEK not found. Generating random 256 bit DEK."
+ [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
+ dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1
+ fi
+ fi
+ dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))"
+ if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then
+ echo "Invalid DEK size: ${dek_size} bits. Valid sizes are 128, 192 and 256 bits"
+ exit 1
+ fi
+ ENCRYPT="true"
+fi
+
 if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 # Negative offset with respect to CONFIG_RAM_START in which U-Boot
 # copies the DEK blob.
 DEK_BLOB_OFFSET="0x100"
- if [ -n "${CONFIG_DEK_PATH}" ]; then
- if [ ! -f "${CONFIG_DEK_PATH}" ]; then
- if [ "${PLATFORM}" = "ccimx8mn" ]; then
- echo "DEK not found. Generating random 128 bit DEK."
- [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
- dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=16 count=1 >/dev/null 2>&1
- else
- echo "DEK not found. Generating random 256 bit DEK."
- [ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
- dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1
- fi
- fi
- dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))"
- if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then
- echo "Invalid DEK size: ${dek_size} bits. Valid sizes are 128, 192 and 256 bits"
- exit 1
- fi
- ENCRYPT="true"
- fi
 fi
 # Default values
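Review bot: The DEK generated in the hoisted `# Get DEK key` block is written by `dd` under whatever umask the caller has, so a freshly created key file is normally readable by every user on the build host, and `>/dev/null 2>&1` together with the unchecked exit status means a dd failure only surfaces indirectly, through the later size check. The block is moved verbatim, so this predates the commit, but it is now the code under review and runs for every sign mode rather than only HAB. The same block quotes `"${CONFIG_DEK_PATH}"` in the `-f` test and the `dd` line but leaves it unquoted in the `dirname` and `stat` calls, and its two branches differ only in `bs=16` versus `bs=32`. The rewrite below creates the file with owner-only permissions inside a subshell (so the script's umask is untouched), fails loudly in the script's existing `[ERROR]` style, and folds the two branches into one; the size validation and `ENCRYPT="true"` lines are unchanged.
```shell
# Get DEK key
if [ -n "${CONFIG_DEK_PATH}" ]; then
	if [ ! -f "${CONFIG_DEK_PATH}" ]; then
		# ccimx8mn takes a 128-bit DEK, every other platform a 256-bit one
		if [ "${PLATFORM}" = "ccimx8mn" ]; then
			dek_bytes=16
		else
			dek_bytes=32
		fi
		echo "DEK not found. Generating random $((8 * dek_bytes)) bit DEK."
		mkdir -p "$(dirname "${CONFIG_DEK_PATH}")"
		# Key material: create it owner-readable only and fail on a dd error
		( umask 077 && dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs="${dek_bytes}" count=1 >/dev/null 2>&1 ) || {
			echo "[ERROR] Could not generate DEK at ${CONFIG_DEK_PATH}"
			exit 1
		}
	fi
	dek_size="$((8 * $(stat -L -c %s "${CONFIG_DEK_PATH}")))"
	# … unchanged: DEK size validation and ENCRYPT="true" …
fi
```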
@@ -280,7 +282,7 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
 "${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor
 fi
-else
+elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 # Other constants
 KERNEL_START_OFFSET="0x0"
 KERNEL_SIG_BLOCK_OFFSET="0x90"
@@ -299,17 +301,25 @@ else
 SRK_CERT_KEY_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK${CONFIG_KEY_INDEX_1}*crt.pem | sed s/\ /\,/g)"
- sed -e "s,%srk_table%,${SRK_TABLE},g" \
- -e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
- -e "s,%kernel-img%,${KERNEL_NAME},g" \
- -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
- -e "s,%container_offset%,${container_header_offset},g" \
- -e "s,%block_offset%,${signature_block_offset},g" \
- "${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
-
+ # Generate actual CSF descriptor file from template
 if [ "${ENCRYPT}" = "true" ]; then
- echo "[ERROR] Environment encryption is not supported."
- exit 1
+ sed -e "s,%srk_table%,${SRK_TABLE},g" \
+ -e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
+ -e "s,%kernel-img%,${KERNEL_NAME},g" \
+ -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
+ -e "s,%container_offset%,${container_header_offset},g" \
+ -e "s,%block_offset%,${signature_block_offset},g" \
+ -e "s,%dek_path%,${CONFIG_DEK_PATH},g" \
+ -e "s,%dek_len%,${dek_size},g" \
+ "${SCRIPT_PATH}/csf_templates/encrypt_ahab" > csf_descriptor
+ else
+ sed -e "s,%srk_table%,${SRK_TABLE},g" \
+ -e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
+ -e "s,%kernel-img%,${KERNEL_NAME},g" \
+ -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
+ -e "s,%container_offset%,${container_header_offset},g" \
+ -e "s,%block_offset%,${signature_block_offset},g" \
+ "${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
 fi
 fi
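Review bot: Replacing the closing `else` with `elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then` leaves the if-chain with no fallthrough, so a CONFIG_SIGN_MODE that is neither HAB nor AHAB (a typo or an unset value) now skips CSF descriptor generation silently; the signing step at `@@ -350,8 +360,8 @@` gets the same change, so unless a check earlier in the script rejects such a value (not visible here) the artifact would be left unsigned and unencrypted with exit status 0. Close both chains with an explicit failure in the script's existing style, `else` / `echo "[ERROR] Unsupported CONFIG_SIGN_MODE: ${CONFIG_SIGN_MODE}"` / `exit 1`. The enclosing `if [ "${CONFIG_SIGN_MODE}" = "HAB" ]` starts before this hunk. In the second hunk, the two `sed` calls repeat six substitutions; assuming sign_ahab carries no `%dek_path%`/`%dek_len%` placeholders, a single call with all eight expressions and the template name chosen by `${ENCRYPT}` would do the same work with half the code.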
@@ -350,8 +360,8 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 cat csf.bin >> "${TARGET}"
 objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
-else
- # Sign the image
+elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
+ # Sign and encrypt the image
 CURRENT_PATH="$(pwd)"
 cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
 if [ $? -ne 0 ]; then
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
index de5c09fad..97cee424b 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
@@ -1,4 +1,4 @@
-# Copyright (C) 2017-2020 Digi International
+# Copyright (C) 2017-2021 Digi International
 SUMMARY = "TrustFence signing and encryption scripts"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
@@ -20,6 +20,7 @@ SRC_URI = " \
 file://sign_hab;name=artifact-hab-sign \
 file://encrypt_hab;name=artifact-hab-encrypt \
 file://sign_ahab;name=artifact-ahab-sign \
+ file://encrypt_ahab;name=artifact-ahab-encrypt \
 "
 do_configure[noexec] = "1"
@@ -29,6 +30,7 @@ do_install() {
 install -d ${D}${bindir}/csf_templates
 if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
+ install -m 0755 encrypt_ahab ${D}${bindir}/csf_templates/
 elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 install -m 0755 sign_hab ${D}${bindir}/csf_templates/
 install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/