trustfence-sign-artifact: add support for ccimx8x encryption

Add support to sign and encrypt OS artifacts for AHAB devices.

https://jira.digi.com/browse/DEL-7371

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Arturo Buzarra 2021-01-05 09:22:22 +01:00
parent 1e5cafeb79
commit 6c7bd330a4
3 changed files with 75 additions and 34 deletions


@ -0,0 +1,29 @@
# The syntax for this file is documented in the AHAB Code Signing Tool
# User's Guide which is included in the CST package distributed by NXP
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "%srk_table%"
# Public key certificate in PEM format
Source = "%cert_img%"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = %key_index%
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x%key_index%
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "%kernel-img%"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = %container_offset% %block_offset%
[Install Secret Key]
Key = "%dek_path%"
Key Length = %dek_len%
#Key Identifier = 0x1234CAFE
Image Indexes = 0xFFFFFFFF
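Review bot: `Revocations = 0x%key_index%` fills a field that the comment above it calls a bitmask of revoked SRKs with the same placeholder used for `Source index`, so the value written is the selected key's index rather than a mask. If each bit stands for one SRK, an index of 1 or 3 would set the bits of lower-numbered keys and an index of 0 would set none; whether that mapping is intended cannot be told from this template. If it is intended, the comment should state the rule; otherwise the mask deserves its own placeholder (for example a constructed name such as `%revocation_mask%`). A comment on `Key Length` noting that it is in bits would also help, since the script fills it from `dek_size`, computed as 8 times the DEK file size.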


@ -3,7 +3,7 @@
# #
# trustfence-sign-artifact.sh # trustfence-sign-artifact.sh
# #
# Copyright (C) 2016-2020 by Digi International Inc. # Copyright (C) 2016-2021 by Digi International Inc.
# All rights reserved. # All rights reserved.
# #
# This program is free software; you can redistribute it and/or modify it # This program is free software; you can redistribute it and/or modify it
@ -122,29 +122,31 @@ if [ -z "${CONFIG_RAM_START}" ]; then
exit 1 exit 1
fi fi
# Get DEK key
if [ -n "${CONFIG_DEK_PATH}" ]; then
if [ ! -f "${CONFIG_DEK_PATH}" ]; then
if [ "${PLATFORM}" = "ccimx8mn" ]; then
echo "DEK not found. Generating random 128 bit DEK."
[ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=16 count=1 >/dev/null 2>&1
else
echo "DEK not found. Generating random 256 bit DEK."
[ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1
fi
fi
dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))"
if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then
echo "Invalid DEK size: ${dek_size} bits. Valid sizes are 128, 192 and 256 bits"
exit 1
fi
ENCRYPT="true"
fi
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
# Negative offset with respect to CONFIG_RAM_START in which U-Boot # Negative offset with respect to CONFIG_RAM_START in which U-Boot
# copies the DEK blob. # copies the DEK blob.
DEK_BLOB_OFFSET="0x100" DEK_BLOB_OFFSET="0x100"
if [ -n "${CONFIG_DEK_PATH}" ]; then
if [ ! -f "${CONFIG_DEK_PATH}" ]; then
if [ "${PLATFORM}" = "ccimx8mn" ]; then
echo "DEK not found. Generating random 128 bit DEK."
[ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=16 count=1 >/dev/null 2>&1
else
echo "DEK not found. Generating random 256 bit DEK."
[ -d $(dirname ${CONFIG_DEK_PATH}) ] || mkdir -p $(dirname ${CONFIG_DEK_PATH})
dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 >/dev/null 2>&1
fi
fi
dek_size="$((8 * $(stat -L -c %s ${CONFIG_DEK_PATH})))"
if [ "${dek_size}" != "128" ] && [ "${dek_size}" != "192" ] && [ "${dek_size}" != "256" ]; then
echo "Invalid DEK size: ${dek_size} bits. Valid sizes are 128, 192 and 256 bits"
exit 1
fi
ENCRYPT="true"
fi
fi fi
# Default values # Default values
@ -280,7 +282,7 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
-e "s,%key_index%,${CONFIG_KEY_INDEX},g" \ -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
"${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor "${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor
fi fi
else elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
# Other constants # Other constants
KERNEL_START_OFFSET="0x0" KERNEL_START_OFFSET="0x0"
KERNEL_SIG_BLOCK_OFFSET="0x90" KERNEL_SIG_BLOCK_OFFSET="0x90"
@ -299,17 +301,25 @@ else
SRK_CERT_KEY_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK${CONFIG_KEY_INDEX_1}*crt.pem | sed s/\ /\,/g)" SRK_CERT_KEY_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK${CONFIG_KEY_INDEX_1}*crt.pem | sed s/\ /\,/g)"
sed -e "s,%srk_table%,${SRK_TABLE},g" \ # Generate actual CSF descriptor file from template
-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
-e "s,%kernel-img%,${KERNEL_NAME},g" \
-e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
-e "s,%container_offset%,${container_header_offset},g" \
-e "s,%block_offset%,${signature_block_offset},g" \
"${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
if [ "${ENCRYPT}" = "true" ]; then if [ "${ENCRYPT}" = "true" ]; then
echo "[ERROR] Environment encryption is not supported." sed -e "s,%srk_table%,${SRK_TABLE},g" \
exit 1 -e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
-e "s,%kernel-img%,${KERNEL_NAME},g" \
-e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
-e "s,%container_offset%,${container_header_offset},g" \
-e "s,%block_offset%,${signature_block_offset},g" \
-e "s,%dek_path%,${CONFIG_DEK_PATH},g" \
-e "s,%dek_len%,${dek_size},g" \
"${SCRIPT_PATH}/csf_templates/encrypt_ahab" > csf_descriptor
else
sed -e "s,%srk_table%,${SRK_TABLE},g" \
-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
-e "s,%kernel-img%,${KERNEL_NAME},g" \
-e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
-e "s,%container_offset%,${container_header_offset},g" \
-e "s,%block_offset%,${signature_block_offset},g" \
"${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
fi fi
fi fi
@ -350,8 +360,8 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
cat csf.bin >> "${TARGET}" cat csf.bin >> "${TARGET}"
objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}" objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
else elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
# Sign the image # Sign and encrypt the image
CURRENT_PATH="$(pwd)" CURRENT_PATH="$(pwd)"
cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
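Review bot: The DEK block that now runs ahead of the sign-mode branch writes fresh key material with `dd if=/dev/urandom of="${CONFIG_DEK_PATH}" ...` under whatever umask the caller has, so the key file can end up readable by other local users, and `>/dev/null 2>&1` hides a failed write. Both generation branches (128 and 256 bit) could create the file in a subshell with a tight mask and check the result, e.g. `( umask 077; dd if=/dev/urandom of="${CONFIG_DEK_PATH}" bs=32 count=1 2>/dev/null ) || exit 1`. The `$(dirname ${CONFIG_DEK_PATH})` and `stat -L -c %s ${CONFIG_DEK_PATH}` expansions in the same block are unquoted and break on paths containing spaces. Separately, the new AHAB `sed` call substitutes `${CONFIG_DEK_PATH}` with `,` as the delimiter, so a path containing `,` or `&` would corrupt the generated descriptor.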


@ -1,4 +1,4 @@
# Copyright (C) 2017-2020 Digi International # Copyright (C) 2017-2021 Digi International
SUMMARY = "TrustFence signing and encryption scripts" SUMMARY = "TrustFence signing and encryption scripts"
LICENSE = "GPL-2.0" LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
@ -20,6 +20,7 @@ SRC_URI = " \
file://sign_hab;name=artifact-hab-sign \ file://sign_hab;name=artifact-hab-sign \
file://encrypt_hab;name=artifact-hab-encrypt \ file://encrypt_hab;name=artifact-hab-encrypt \
file://sign_ahab;name=artifact-ahab-sign \ file://sign_ahab;name=artifact-ahab-sign \
file://encrypt_ahab;name=artifact-ahab-encrypt \
" "
do_configure[noexec] = "1" do_configure[noexec] = "1"
@ -29,6 +30,7 @@ do_install() {
install -d ${D}${bindir}/csf_templates install -d ${D}${bindir}/csf_templates
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
install -m 0755 sign_ahab ${D}${bindir}/csf_templates/ install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
install -m 0755 encrypt_ahab ${D}${bindir}/csf_templates/
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
install -m 0755 sign_hab ${D}${bindir}/csf_templates/ install -m 0755 sign_hab ${D}${bindir}/csf_templates/
install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/ install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
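Review bot: `install -m 0755 encrypt_ahab` installs a CSF template as an executable file, although the signing script only reads it through `sed`; `install -m 0644 encrypt_ahab ${D}${bindir}/csf_templates/` would be enough. The neighbouring `sign_ahab`, `sign_hab` and `encrypt_hab` lines use the same mode, so they would be changed together. do_install starts above this hunk.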