From 72675e510c92707977332df78503e2e06f05be60 Mon Sep 17 00:00:00 2001
From: Gabriel Valcazar
Date: Fri, 15 Mar 2024 10:28:28 +0100
Subject: [PATCH] ccmp1: decouple FIT functionality from signed FIT functionality

We rely on FIT support to implement boot artifact authentication on ccmp1 platforms, but our implementation made it impossible to enable FIT support outside of the context of Trustfence/secure boot. Change this so that it's possible to enable FIT support without having to sign the FIT artifacts. Also, modify the linux-dey 5.15 recipe so that the U-Boot DTBs with signatures get copied only when FIT signing is enabled.

https://onedigi.atlassian.net/browse/DEL-8946

Signed-off-by: Gabriel Valcazar
---
 meta-digi-arm/conf/machine/ccmp13-dvk.conf | 4 ++--
 meta-digi-arm/conf/machine/ccmp15-dvk.conf | 4 ++--
 meta-digi-arm/conf/machine/include/ccmp1.inc | 2 +-
 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb | 4 ++--
 meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb | 2 +-
 meta-digi-dey/classes/trustfence.bbclass | 2 --
 6 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/meta-digi-arm/conf/machine/ccmp13-dvk.conf b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
index a4df2b433..b70b081d7 100644
--- a/meta-digi-arm/conf/machine/ccmp13-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
@@ -46,7 +46,7 @@ STM32MP_KERNEL_DEVICETREE:ccmp13-dvk += " \
 _ov_som_wifi_ccmp13.dtbo \
 "
 # Set DTB load address to U-Boot fdt_addr_r
-UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"
+UBOOT_DTB_LOADADDRESS = "0xc4000000"
 # List of U-Boot device tree to use
 UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}"
@@ -112,7 +112,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
 # Kernel
 # =========================================================================
 KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
-KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
+KERNEL_CLASSES = "kernel-fitimage"
 KERNEL_ALT_IMAGETYPE = "Image vmlinux"
 KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"
diff --git a/meta-digi-arm/conf/machine/ccmp15-dvk.conf b/meta-digi-arm/conf/machine/ccmp15-dvk.conf
index cdcf53aad..2784a040e 100644
--- a/meta-digi-arm/conf/machine/ccmp15-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp15-dvk.conf
@@ -53,7 +53,7 @@ STM32MP_KERNEL_DEVICETREE:ccmp15-dvk += " \
 _ov_som_wifi_ccmp15.dtbo \
 "
 # Set DTB load address to U-Boot fdt_addr_r
-UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"
+UBOOT_DTB_LOADADDRESS = "0xc4000000"
 # List of U-Boot device tree to use
 UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}"
@@ -123,7 +123,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
 # Kernel
 # =========================================================================
 KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
-KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
+KERNEL_CLASSES = "kernel-fitimage"
 KERNEL_ALT_IMAGETYPE = "Image vmlinux"
 KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"
diff --git a/meta-digi-arm/conf/machine/include/ccmp1.inc b/meta-digi-arm/conf/machine/include/ccmp1.inc
index e298e91f6..e6d31378b 100644
--- a/meta-digi-arm/conf/machine/include/ccmp1.inc
+++ b/meta-digi-arm/conf/machine/include/ccmp1.inc
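Review bot: `KERNEL_CLASSES` is now fixed to `kernel-fitimage` while `KERNEL_IMAGETYPE` on the line above still switches between `fitImage` and `zImage` on `TRUSTFENCE_FIT_IMG`, so a zImage build now inherits the FIT class and no longer inherits `kernel-uimage`; the second ccmp15-dvk.conf hunk has the same pair. If the class is expected to do nothing for non-FIT image types, say so next to the assignment, for example `# kernel-fitimage is inherited unconditionally; a FIT is only assembled when KERNEL_IMAGETYPE is fitImage`. Because the FIT switch keeps its Trustfence name, a second comment should state that `TRUSTFENCE_FIT_IMG = "1"` alone produces a FIT without signatures, so the name is not read as implying authentication.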
@@ -78,7 +78,7 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
 do_create_flashlayout_config[noexec] = "1"
 # Include boot script into the FIT image
-UBOOT_ENV = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'boot', '', d)}"
+UBOOT_ENV = "boot"
 # Partitions to blacklist for swupdate:
 # fsbl1, fsbl2, metadata1, metadata2, fip-a, fip-b
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
index 1d0e04099..84cd41898 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
@@ -15,7 +15,7 @@ UBOOT_FIT_CFG_FRAGMENTS = " \
 "
 SRC_URI += " \
- ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \
+ ${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \
 "
 install_helper_files() {
@@ -41,7 +41,7 @@ install_helper_files() {
 do_install:append() {
 # Copy additional files, so kernel can use it when creating the FIT image
- if [ "${TRUSTFENCE_FIT_IMG}" = "1" ]; then
+ if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
 install_helper_files
 fi
 }
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb
index e219c7709..3d078e899 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb
@@ -41,7 +41,7 @@ do_assemble_fitimage:append:ccmp1() {
 }
 kernel_do_deploy:append:ccmp1() {
- if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
+ if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && \
 [ -n "${UBOOT_DTB_BINARY}" ] ; then
 # Install device tree files with signature
 if [ -n "${UBOOT_DEVICETREE}" ]; then
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6d10ec992..d1f356a90 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
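Review bot: `UBOOT_ENV = "boot"` in the ccmp1.inc hunk now applies to every ccmp1 build, yet the comment above it still describes it only as the FIT boot script, and zImage builds remain possible through `KERNEL_IMAGETYPE`. Whatever consumes `UBOOT_ENV` outside the FIT path is not visible in this patch, so it should be confirmed that a non-FIT build still finds the `boot` script source. The comment should also record the trust boundary, for example `# Boot script is embedded in the FIT; it is only authenticated when FIT signing is enabled`.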
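Review bot: The `SRC_URI` condition in the first u-boot-dey hunk no longer looks at `TRUSTFENCE_SIGN`, so a build with `TRUSTFENCE_SIGN = "1"` and `TRUSTFENCE_FIT_IMG` unset now compiles U-Boot without `UBOOT_FIT_CFG_FRAGMENTS`, while an unsigned FIT build now receives all of them. The fragment list itself lies above the hunk; if any fragment enables or enforces FIT signature verification, signed and unsigned builds need separate lists, otherwise both end up with the same verification settings. A comment above `SRC_URI` naming which fragments are FIT-only and which are signing-specific would make this reviewable, e.g. `# FIT support fragments only; signature enforcement is configured in <placeholder: signing fragment or class>`.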
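Review bot: `do_install:append` in the second u-boot-dey hunk now keys on `KERNEL_IMAGETYPE`, while the `SRC_URI` line earlier in the same recipe keys on `TRUSTFENCE_FIT_IMG`; the two agree only while the machine configuration derives one from the other. Using the same gate in both places keeps the helper files and the config fragments in step, for instance `${@oe.utils.conditional('KERNEL_IMAGETYPE', 'fitImage', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \` in `SRC_URI`. The body of `install_helper_files` is outside the hunk, so what it installs for an unsigned FIT cannot be checked here.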
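Review bot: The narrowed condition in `kernel_do_deploy:append:ccmp1` has no comment explaining why an unsigned FIT build skips the DTB copy; the existing comment inside the block only says what is installed. A line above the `if` would carry the reasoning from the commit message into the recipe, e.g. `# The U-Boot DTBs with signatures are only produced when FIT signing is enabled`. The `if` body continues past the end of the hunk, so how a missing DTB is handled in the signed case is not visible here.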
@@ -57,8 +57,6 @@ IMAGE_FEATURES += "dey-trustfence"
 # Usage of FIT Image signed
 # ---------------------------------
-# Enable FIT image build when Trustfence is enabled
-MACHINE_FEATURES += "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fit', '', d)}"
 # key to sign FIT config nodes
 TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg"
 # key to sign FIT image nodes