meta-digi: add support for Trustfence secure rootfs

When Trustfence is enabled, this adds a dependence on the TF initramfs, so it's built and added to the boot image. It also modifies the u-boot boot script on the fly, to boot correctly using the Trustfence initramfs. https://jira.digi.com/browse/DEL-2278 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
2016-07-07 18:00:25 +02:00 · 2016-07-07 18:00:25 +02:00 · 6f8c58291e
parent 7a38d609f2
commit 6f8c58291e
3 changed files with 25 additions and 2 deletions
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@ -1,10 +1,15 @@
 inherit image_types

+def TRUSTFENCE_BOOTIMAGE_DEPENDS(d):
+    tf_initramfs = d.getVar('TRUSTFENCE_INITRAMFS_IMAGE',True) or ""
+    return "%s:do_rootfs" % tf_initramfs if tf_initramfs else ""
+
 IMAGE_DEPENDS_boot.vfat = " \
    dosfstools-native:do_populate_sysroot \
    mtools-native:do_populate_sysroot \
    u-boot:do_deploy \
    virtual/kernel:do_deploy \
+    ${@TRUSTFENCE_BOOTIMAGE_DEPENDS(d)} \
 "

 IMAGE_CMD_boot.vfat() {
@ -22,6 +27,12 @@ IMAGE_CMD_boot.vfat() {
 		done
 	fi

+	# Add Trustfence initramfs if enabled
+	if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
+		BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot)"
+		BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot"
+	fi
+
 	# Size of kernel and device tree + 10% extra space (in bytes)
 	BOOTIMG_FILES_SIZE="$(expr $(du -bc ${BOOTIMG_FILES} | tail -n1 | cut -f1) \* \( 100 + 10 \) / 100)"

--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@ -141,8 +141,17 @@ do_deploy_append() {
 	sed -i -e 's,##GRAPHICAL_BACKEND##,${GRAPHICAL_BACKEND},g' ${WORKDIR}/install_linux_fw_sd.txt
 	mkimage -T script -n "DEY firmware install script" -C none -d ${WORKDIR}/install_linux_fw_sd.txt ${DEPLOYDIR}/install_linux_fw_sd.scr

-	# Boot script for DEY images
-	mkimage -T script -n bootscript -C none -d ${WORKDIR}/boot.txt ${DEPLOYDIR}/boot.scr
+	# Boot script for DEY images (reconfigure on-the-fly if TRUSTFENCE is enabled)
+	TMP_BOOTSCR="$(mktemp ${WORKDIR}/bootscr.XXXXXX)"
+	cat ${WORKDIR}/boot.txt > ${TMP_BOOTSCR}
+	if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
+		sed -i -e '/^dboot linux/{
+				i\setenv boot_initrd true
+				i\setenv initrd_file ${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot
+			}' ${TMP_BOOTSCR}
+	fi
+	mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
+	rm -f ${TMP_BOOTSCR}
 }

 COMPATIBLE_MACHINE = "(ccimx6$|ccimx6ul)"
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -24,6 +24,9 @@ TRUSTFENCE_UBOOT_SIGN ?= "1"
 TRUSTFENCE_UBOOT_ENCRYPT ?= "1"
 TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"

+# Trustfence initramfs image recipe
+TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
+
 IMAGE_FEATURES += "dey-trustfence"

 UBOOT_EXTRA_CONF = ""