trustfence-sign-artifact: add support for ccimx8x encryption

Add support to sign and encrypt OS artifacts for AHAB devices. https://jira.digi.com/browse/DEL-7371 Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
2021-01-05 09:22:22 +01:00 · 2021-01-05 09:22:22 +01:00 · 6c7bd330a4
parent 1e5cafeb79
commit 6c7bd330a4
3 changed files with 75 additions and 34 deletions
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
@ -0,0 +1,29 @@
+# The syntax for this file is documented in the AHAB Code Signing Tool
+# User's Guide which is included in the CST package distributed by NXP
+[Header]
+    Target = AHAB
+    Version = 1.0
+
+[Install SRK]
+    # SRK table generated by srktool
+    File = "%srk_table%"
+    # Public key certificate in PEM format
+    Source = "%cert_img%"
+    # Index of the public key certificate within the SRK table (0 .. 3)
+    Source index = %key_index%
+    # Type of SRK set (NXP or OEM)
+    Source set = OEM
+    # bitmask of the revoked SRKs
+    Revocations = 0x%key_index%
+
+[Authenticate Data]
+    # Binary to be signed generated by mkimage
+    File = "%kernel-img%"
+    # Offsets = Container header Signature block (printed out by mkimage)
+    Offsets = %container_offset% %block_offset%
+
+[Install Secret Key]
+    Key = "%dek_path%"
+    Key Length = %dek_len%
+    #Key Identifier = 0x1234CAFE
+    Image Indexes = 0xFFFFFFFF
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh
@ -3,7 +3,7 @@
 #
 #  trustfence-sign-artifact.sh
 #
-#  Copyright (C) 2016-2020 by Digi International Inc.
+#  Copyright (C) 2016-2021 by Digi International Inc.
 #  All rights reserved.
 #
 #  This program is free software; you can redistribute it and/or modify it
@ -122,10 +122,7 @@ if [ -z "${CONFIG_RAM_START}" ]; then
 	exit 1
 fi

-if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
-	# Negative offset with respect to CONFIG_RAM_START in which U-Boot
-	# copies the DEK blob.
-	DEK_BLOB_OFFSET="0x100"
+# Get DEK key
 if [ -n "${CONFIG_DEK_PATH}" ]; then
 	if [ ! -f "${CONFIG_DEK_PATH}" ]; then
 		if [ "${PLATFORM}" = "ccimx8mn" ]; then
@ -145,6 +142,11 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	fi
 	ENCRYPT="true"
 fi
+
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
+	# Negative offset with respect to CONFIG_RAM_START in which U-Boot
+	# copies the DEK blob.
+	DEK_BLOB_OFFSET="0x100"
 fi

 # Default values
@ -280,7 +282,7 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 		-e "s,%key_index%,${CONFIG_KEY_INDEX},g"	   \
 		"${SCRIPT_PATH}/csf_templates/sign_hab" > csf_descriptor
 	fi
-else
+elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 	# Other constants
 	KERNEL_START_OFFSET="0x0"
 	KERNEL_SIG_BLOCK_OFFSET="0x90"
@ -299,6 +301,18 @@ else

 	SRK_CERT_KEY_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK${CONFIG_KEY_INDEX_1}*crt.pem | sed s/\ /\,/g)"

+	# Generate actual CSF descriptor file from template
+	if [ "${ENCRYPT}" = "true" ]; then
+		sed -e "s,%srk_table%,${SRK_TABLE},g"		   	\
+		-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g"		   	\
+		-e "s,%kernel-img%,${KERNEL_NAME},g"		   	\
+		-e "s,%key_index%,${CONFIG_KEY_INDEX},g"	   	\
+		-e "s,%container_offset%,${container_header_offset},g" 	\
+		-e "s,%block_offset%,${signature_block_offset},g" 	\
+		-e "s,%dek_path%,${CONFIG_DEK_PATH},g"		   	\
+		-e "s,%dek_len%,${dek_size},g"			   	\
+		"${SCRIPT_PATH}/csf_templates/encrypt_ahab" > csf_descriptor
+	else
 		sed -e "s,%srk_table%,${SRK_TABLE},g"		   	\
 		-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g"		   	\
 		-e "s,%kernel-img%,${KERNEL_NAME},g"		   	\
@ -306,10 +320,6 @@ else
 		-e "s,%container_offset%,${container_header_offset},g" 	\
 		-e "s,%block_offset%,${signature_block_offset},g" 	\
 		"${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor
-
-	if [ "${ENCRYPT}" = "true" ]; then
-		echo "[ERROR] Environment encryption is not supported."
-		exit 1
 	fi
 fi

@ -350,8 +360,8 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	cat csf.bin >> "${TARGET}"

 	objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
-else
-	# Sign the image
+elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
+	# Sign and encrypt the image
 	CURRENT_PATH="$(pwd)"
 	cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
 	if [ $? -ne 0 ]; then
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
@ -1,4 +1,4 @@
-# Copyright (C) 2017-2020 Digi International
+# Copyright (C) 2017-2021 Digi International
 SUMMARY = "TrustFence signing and encryption scripts"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
@ -20,6 +20,7 @@ SRC_URI = " \
    file://sign_hab;name=artifact-hab-sign \
    file://encrypt_hab;name=artifact-hab-encrypt \
    file://sign_ahab;name=artifact-ahab-sign \
+    file://encrypt_ahab;name=artifact-ahab-encrypt \
 "

 do_configure[noexec] = "1"
@ -29,6 +30,7 @@ do_install() {
 	install -d ${D}${bindir}/csf_templates
 	if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
+		install -m 0755 encrypt_ahab ${D}${bindir}/csf_templates/
 	elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 		install -m 0755 sign_hab ${D}${bindir}/csf_templates/
 		install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/