ccmp1: decouple FIT functionality from signed FIT functionality

We rely on FIT support to implement boot artifact authentication on ccmp1 platforms, but our implementation made it impossible to enable FIT support outside of the context of Trustfence/secure boot. Change this so that it's possible to enable FIT support without having to sign the FIT artifacts. Also, modify the linux-dey 5.15 recipe so that the U-Boot DTBs with signatures get copied only when FIT signing is enabled. https://onedigi.atlassian.net/browse/DEL-8946 Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
2024-03-15 10:28:28 +01:00 · 2024-03-15 10:28:28 +01:00 · 72675e510c
parent ecd77dece9
commit 72675e510c
6 changed files with 8 additions and 10 deletions
--- a/meta-digi-arm/conf/machine/ccmp13-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
@ -46,7 +46,7 @@ STM32MP_KERNEL_DEVICETREE:ccmp13-dvk += " \
    _ov_som_wifi_ccmp13.dtbo \
 "
 # Set DTB load address to U-Boot fdt_addr_r
-UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"
+UBOOT_DTB_LOADADDRESS = "0xc4000000"
 # List of U-Boot device tree to use
 UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}"

@ -112,7 +112,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
 # Kernel
 # =========================================================================
 KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
-KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
+KERNEL_CLASSES = "kernel-fitimage"
 KERNEL_ALT_IMAGETYPE = "Image vmlinux"
 KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"

--- a/meta-digi-arm/conf/machine/ccmp15-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp15-dvk.conf
@ -53,7 +53,7 @@ STM32MP_KERNEL_DEVICETREE:ccmp15-dvk += " \
    _ov_som_wifi_ccmp15.dtbo \
 "
 # Set DTB load address to U-Boot fdt_addr_r
-UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"
+UBOOT_DTB_LOADADDRESS = "0xc4000000"
 # List of U-Boot device tree to use
 UBOOT_DEVICETREE = "${STM32MP_DEVICETREE}"

@ -123,7 +123,7 @@ OPTEE_CONF = "${STM32MP_DEVICETREE}"
 # Kernel
 # =========================================================================
 KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
-KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
+KERNEL_CLASSES = "kernel-fitimage"
 KERNEL_ALT_IMAGETYPE = "Image vmlinux"
 KERNEL_DEFCONFIG ?= "arch/arm/configs/ccmp1_defconfig"

--- a/meta-digi-arm/conf/machine/include/ccmp1.inc
+++ b/meta-digi-arm/conf/machine/include/ccmp1.inc
@ -78,7 +78,7 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
 do_create_flashlayout_config[noexec] = "1"

 # Include boot script into the FIT image
-UBOOT_ENV = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'boot', '', d)}"
+UBOOT_ENV = "boot"

 # Partitions to blacklist for swupdate:
 # fsbl1, fsbl2, metadata1, metadata2, fip-a, fip-b
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
@ -15,7 +15,7 @@ UBOOT_FIT_CFG_FRAGMENTS = " \
 "

 SRC_URI += " \
-    ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \
+    ${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \
 "

 install_helper_files() {
@ -41,7 +41,7 @@ install_helper_files() {

 do_install:append() {
 	# Copy additional files, so kernel can use it when creating the FIT image
-	if [ "${TRUSTFENCE_FIT_IMG}" = "1" ]; then
+	if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
 		install_helper_files
 	fi
 }
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb
@ -41,7 +41,7 @@ do_assemble_fitimage:append:ccmp1() {
 }

 kernel_do_deploy:append:ccmp1() {
-	if [ "${UBOOT_SIGN_ENABLE}" = "1" -o "${UBOOT_FITIMAGE_ENABLE}" = "1" ] && \
+	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && \
 	   [ -n "${UBOOT_DTB_BINARY}" ] ; then
 		# Install device tree files with signature
 		if [ -n "${UBOOT_DEVICETREE}" ]; then
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -57,8 +57,6 @@ IMAGE_FEATURES += "dey-trustfence"
 #  Usage of FIT Image signed
 # ---------------------------------

-# Enable FIT image build when Trustfence is enabled
-MACHINE_FEATURES += "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fit', '', d)}"
 # key to sign FIT config nodes
 TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg"
 # key to sign FIT image nodes