Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

meta-digi: add support for Trustfence secure rootfs 

When Trustfence is enabled, this adds a dependence on the TF initramfs,
so it's built and added to the boot image.

It also modifies the u-boot boot script on the fly, to boot correctly
using the Trustfence initramfs.

https://jira.digi.com/browse/DEL-2278

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera 2016-07-07 18:00:25 +02:00
parent 7a38d609f2
commit 6f8c58291e
3 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
meta-digi-arm/classes/image_types_digi.bbclass
View File

@ -1,10 +1,15 @@
inherit image_types inherit image_types
def TRUSTFENCE_BOOTIMAGE_DEPENDS(d):
tf_initramfs = d.getVar('TRUSTFENCE_INITRAMFS_IMAGE',True) or ""
return "%s:do_rootfs" % tf_initramfs if tf_initramfs else ""
IMAGE_DEPENDS_boot.vfat = " \ IMAGE_DEPENDS_boot.vfat = " \
dosfstools-native:do_populate_sysroot \ dosfstools-native:do_populate_sysroot \
mtools-native:do_populate_sysroot \ mtools-native:do_populate_sysroot \
u-boot:do_deploy \ u-boot:do_deploy \
virtual/kernel:do_deploy \ virtual/kernel:do_deploy \
${@TRUSTFENCE_BOOTIMAGE_DEPENDS(d)} \
" "
IMAGE_CMD_boot.vfat() { IMAGE_CMD_boot.vfat() {
@ -22,6 +27,12 @@ IMAGE_CMD_boot.vfat() {
done done
fi fi
# Add Trustfence initramfs if enabled
if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot)"
BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot"
fi
# Size of kernel and device tree + 10% extra space (in bytes) # Size of kernel and device tree + 10% extra space (in bytes)
BOOTIMG_FILES_SIZE="$(expr $(du -bc ${BOOTIMG_FILES} | tail -n1 | cut -f1) \* \( 100 + 10 \) / 100)" BOOTIMG_FILES_SIZE="$(expr $(du -bc ${BOOTIMG_FILES} | tail -n1 | cut -f1) \* \( 100 + 10 \) / 100)"

13
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
View File

@ -141,8 +141,17 @@ do_deploy_append() {
sed -i -e 's,##GRAPHICAL_BACKEND##,${GRAPHICAL_BACKEND},g' ${WORKDIR}/install_linux_fw_sd.txt sed -i -e 's,##GRAPHICAL_BACKEND##,${GRAPHICAL_BACKEND},g' ${WORKDIR}/install_linux_fw_sd.txt
mkimage -T script -n "DEY firmware install script" -C none -d ${WORKDIR}/install_linux_fw_sd.txt ${DEPLOYDIR}/install_linux_fw_sd.scr mkimage -T script -n "DEY firmware install script" -C none -d ${WORKDIR}/install_linux_fw_sd.txt ${DEPLOYDIR}/install_linux_fw_sd.scr
# Boot script for DEY images # Boot script for DEY images (reconfigure on-the-fly if TRUSTFENCE is enabled)
mkimage -T script -n bootscript -C none -d ${WORKDIR}/boot.txt ${DEPLOYDIR}/boot.scr TMP_BOOTSCR="$(mktemp ${WORKDIR}/bootscr.XXXXXX)"
cat ${WORKDIR}/boot.txt > ${TMP_BOOTSCR}
if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
sed -i -e '/^dboot linux/{
i\setenv boot_initrd true
i\setenv initrd_file ${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot
}' ${TMP_BOOTSCR}
fi
mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
rm -f ${TMP_BOOTSCR}
} }
COMPATIBLE_MACHINE = "(ccimx6$|ccimx6ul)" COMPATIBLE_MACHINE = "(ccimx6$|ccimx6ul)"

3
meta-digi-dey/classes/trustfence.bbclass
View File

@ -24,6 +24,9 @@ TRUSTFENCE_UBOOT_SIGN ?= "1"
TRUSTFENCE_UBOOT_ENCRYPT ?= "1" TRUSTFENCE_UBOOT_ENCRYPT ?= "1"
TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random" TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"
# Trustfence initramfs image recipe
TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
IMAGE_FEATURES += "dey-trustfence" IMAGE_FEATURES += "dey-trustfence"
UBOOT_EXTRA_CONF = "" UBOOT_EXTRA_CONF = ""