ccmp1: decouple FIT functionality from signed FIT functionality

We rely on FIT support to implement boot artifact authentication on ccmp1
platforms, but our implementation made it impossible to enable FIT support
outside of the context of Trustfence/secure boot.

Change this so that it's possible to enable FIT support without having to sign
the FIT artifacts. Also, modify the linux-dey 5.15 recipe so that the U-Boot
DTBs with signatures get copied only when FIT signing is enabled.

https://onedigi.atlassian.net/browse/DEL-8946

Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Gabriel Valcazar 2024-03-15 10:28:28 +01:00
parent ecd77dece9
commit 72675e510c
6 changed files with 8 additions and 10 deletions


@ -46,7 +46,7 @@ STM32MP_KERNEL_DEVICETREE:ccmp13-dvk += " \
_ov_som_wifi_ccmp13.dtbo \ _ov_som_wifi_ccmp13.dtbo \
" "
# Set DTB load address to U-Boot fdt_addr_r # Set DTB load address to U-Boot fdt_addr_r
UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}" UBOOT_DTB_LOADADDRESS = "0xc4000000"
# List of U-Boot device tree to use # List of U-Boot device tree to use
UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}" UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}"
@ -112,7 +112,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
# Kernel # Kernel
# ========================================================================= # =========================================================================
KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}" KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}" KERNEL_CLASSES = "kernel-fitimage"
KERNEL_ALT_IMAGETYPE = "Image vmlinux" KERNEL_ALT_IMAGETYPE = "Image vmlinux"
KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig" KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"
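Review bot: `KERNEL_IMAGETYPE` in the second hunk still switches on `TRUSTFENCE_FIT_IMG`, so after this commit a variable with a Trustfence name selects FIT packaging only and no longer implies that the FIT is authenticated. A reader of this file could reasonably assume that `TRUSTFENCE_FIT_IMG = "1"` gives a verified boot chain. I would add a comment above the assignment, for example `# TRUSTFENCE_FIT_IMG only selects FIT packaging; signing of the FIT is enabled separately (see TRUSTFENCE_SIGN / UBOOT_SIGN_ENABLE)`. The same applies to the identical hunk in the ccmp15 machine file.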


@ -53,7 +53,7 @@ STM32MP_KERNEL_DEVICETREE:ccmp15-dvk += " \
_ov_som_wifi_ccmp15.dtbo \ _ov_som_wifi_ccmp15.dtbo \
" "
# Set DTB load address to U-Boot fdt_addr_r # Set DTB load address to U-Boot fdt_addr_r
UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}" UBOOT_DTB_LOADADDRESS = "0xc4000000"
# List of U-Boot device tree to use # List of U-Boot device tree to use
UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}" UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}"
@ -123,7 +123,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
# Kernel # Kernel
# ========================================================================= # =========================================================================
KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}" KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}" KERNEL_CLASSES = "kernel-fitimage"
KERNEL_ALT_IMAGETYPE = "Image vmlinux" KERNEL_ALT_IMAGETYPE = "Image vmlinux"
KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig" KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"


@ -78,7 +78,7 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
do_create_flashlayout_config[noexec] = "1" do_create_flashlayout_config[noexec] = "1"
# Include boot script into the FIT image # Include boot script into the FIT image
UBOOT_ENV = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'boot', '', d)}" UBOOT_ENV = "boot"
# Partitions to blacklist for swupdate: # Partitions to blacklist for swupdate:
# fsbl1, fsbl2, metadata1, metadata2, fip-a, fip-b # fsbl1, fsbl2, metadata1, metadata2, fip-a, fip-b


@ -15,7 +15,7 @@ UBOOT_FIT_CFG_FRAGMENTS = " \
" "
SRC_URI += " \ SRC_URI += " \
${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \ ${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \
" "
install_helper_files() { install_helper_files() {
@ -41,7 +41,7 @@ install_helper_files() {
do_install:append() { do_install:append() {
# Copy additional files, so kernel can use it when creating the FIT image # Copy additional files, so kernel can use it when creating the FIT image
if [ "${TRUSTFENCE_FIT_IMG}" = "1" ]; then if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
install_helper_files install_helper_files
fi fi
} }
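Review bot: The `SRC_URI` fragments are now gated on `TRUSTFENCE_FIT_IMG`, while `do_install:append` in the second hunk is gated on `KERNEL_IMAGETYPE`, so this recipe decides "FIT is enabled" in two different ways. The two tests agree only while `KERNEL_IMAGETYPE` is derived from `TRUSTFENCE_FIT_IMG`, as the machine files do; a layer that sets `KERNEL_IMAGETYPE = "fitImage"` directly would install the helper files without fetching the fragments. Using one test for both would avoid that, e.g. `${@oe.utils.conditional('KERNEL_IMAGETYPE', 'fitImage', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \`. The fragments were previously applied only with `TRUSTFENCE_SIGN`, and their contents are not visible here, so it is worth confirming that none of them makes U-Boot require a signature that an unsigned FIT build cannot provide.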


@ -41,7 +41,7 @@ do_assemble_fitimage:append:ccmp1() {
} }
kernel_do_deploy:append:ccmp1() { kernel_do_deploy:append:ccmp1() {
if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \ if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && \
[ -n "${UBOOT_DTB_BINARY}" ] ; then [ -n "${UBOOT_DTB_BINARY}" ] ; then
# Install device tree files with signature # Install device tree files with signature
if [ -n "${UBOOT_DEVICETREE}" ]; then if [ -n "${UBOOT_DEVICETREE}" ]; then
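Review bot: With the `UBOOT_FITIMAGE_ENABLE` alternative dropped from the outer `if`, a FIT build without `UBOOT_SIGN_ENABLE = "1"` skips this branch entirely, and nothing in the visible lines records that this is intentional or what it means for boot authentication. Presumably the U-Boot DTB deployed in that case carries no public key, so the FIT would be booted unverified; that should be confirmed against the rest of `kernel_do_deploy:append:ccmp1`, which continues outside the hunk. I would extend the existing comment to say so, e.g. `# Only signed builds deploy the U-Boot DTBs with the embedded public key; unsigned FIT builds are not authenticated at boot`.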


@ -57,8 +57,6 @@ IMAGE_FEATURES += "dey-trustfence"
# Usage of FIT Image signed # Usage of FIT Image signed
# --------------------------------- # ---------------------------------
# Enable FIT image build when Trustfence is enabled
MACHINE_FEATURES += "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fit', '', d)}"
# key to sign FIT config nodes # key to sign FIT config nodes
TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg" TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg"
# key to sign FIT image nodes # key to sign FIT image nodes