trustfence: use conditionals for NXP-specific stuff

Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (which does not use dek.bin), as if it
were disabled.
Temporarily set TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit is contained in:
Hector Palacios 2023-02-06 12:17:40 +01:00
parent 3229e37e88
commit 74ed606339
3 changed files with 49 additions and 38 deletions


@ -27,25 +27,28 @@ do_configure[noexec] = "1"
do_compile[noexec] = "1" do_compile[noexec] = "1"
do_install() { do_install() {
install -d ${D}${bindir}/csf_templates if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then install -d ${D}${bindir}/csf_templates
install -m 0755 sign_ahab ${D}${bindir}/csf_templates/ if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
install -m 0755 encrypt_ahab ${D}${bindir}/csf_templates/ install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then install -m 0755 encrypt_ahab ${D}${bindir}/csf_templates/
install -m 0755 sign_hab ${D}${bindir}/csf_templates/ elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/ install -m 0755 sign_hab ${D}${bindir}/csf_templates/
else install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
bberror "Unkown TRUSTFENCE_SIGN_MODE value" else
exit 1 bberror "Unkown TRUSTFENCE_SIGN_MODE value"
fi exit 1
install -m 0755 trustfence-sign-artifact.sh ${D}${bindir}/ fi
install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
# Select U-Boot sign script depending on U-Boot including an SPL image install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
if [ -n "${SPL_BINARY}" ]; then install -m 0755 trustfence-sign-artifact.sh ${D}${bindir}/
install -m 0755 git/scripts/sign_spl_fit.sh ${D}${bindir}/trustfence-sign-uboot.sh
else # Select U-Boot sign script depending on U-Boot including an SPL image
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh if [ -n "${SPL_BINARY}" ]; then
install -m 0755 git/scripts/sign_spl_fit.sh ${D}${bindir}/trustfence-sign-uboot.sh
else
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
fi
fi fi
} }
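Review bot: The new `if [ "${DEY_SOC_VENDOR}" = "NXP" ]` guard wraps the whole body of do_install without an else branch, so a build whose DEY_SOC_VENDOR is unset or misspelled now silently produces a package with no scripts at all, unlike the TRUSTFENCE_SIGN_MODE check right below it, which fails loudly with bberror. If non-NXP vendors are meant to ship nothing here, a short comment on the guard saying so would make that intent explicit; otherwise an `else` with `bberror "Unsupported DEY_SOC_VENDOR value"` and `exit 1` mirrors the existing pattern. While the inner lines are being re-indented, the message `"Unkown TRUSTFENCE_SIGN_MODE value"` could also be corrected to `"Unknown TRUSTFENCE_SIGN_MODE value"`. The same vendor guard without an else is added in the other two files of this commit.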


@ -22,7 +22,9 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
TRUSTFENCE_SIGN ?= "1" TRUSTFENCE_SIGN ?= "1"
TRUSTFENCE_SIGN_KEYS_PATH ?= "default" TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
TRUSTFENCE_DEK_PATH ?= "default" TRUSTFENCE_DEK_PATH ?= "default"
TRUSTFENCE_DEK_PATH:ccmp1 ?= "0"
TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1" TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
TRUSTFENCE_ENCRYPT_ENVIRONMENT:ccmp1 ?= "0"
TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0" TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
# Partition encryption configuration # Partition encryption configuration
@ -52,8 +54,9 @@ python () {
if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"): if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence"); d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"): if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin"); if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
if (d.getVar("TRUSTFENCE_SIGN") == "1"): if (d.getVar("TRUSTFENCE_SIGN") == "1"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ")
@ -65,12 +68,14 @@ python () {
d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
if d.getVar("TRUSTFENCE_KEY_INDEX"): if d.getVar("TRUSTFENCE_KEY_INDEX"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX")) d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]): if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH")) if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
if d.getVar("TRUSTFENCE_SIGN_MODE"): d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE")) if d.getVar("TRUSTFENCE_SIGN_MODE"):
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"): if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ") if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")
# Provide sane default values for SWUPDATE class in case Trustfence is enabled # Provide sane default values for SWUPDATE class in case Trustfence is enabled
if (d.getVar("TRUSTFENCE_SIGN") == "1"): if (d.getVar("TRUSTFENCE_SIGN") == "1"):
@ -87,12 +92,13 @@ python () {
key_index_1 = key_index + 1 key_index_1 = key_index + 1
# Set the private key template, it will be expanded later in 'swu' recipes once keys are generated. # Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"): if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem") if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
d.setVar("CONFIG_SIGN_MODE", "AHAB") d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
else: d.setVar("CONFIG_SIGN_MODE", "AHAB")
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem") else:
d.setVar("CONFIG_SIGN_MODE", "HAB") d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
d.setVar("CONFIG_SIGN_MODE", "HAB")
# Set the key password. # Set the key password.
d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt") d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
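Review bot: In the TRUSTFENCE_ENCRYPT_ENVIRONMENT block, a non-NXP build that sets the variable to "1" now gets no CONFIG_ENV_AES options and no diagnostic, so the requested environment encryption is dropped silently; because the new ccmp1 default uses `?=`, a layer or local.conf that overrides it to "1" lands exactly on this path. An `else:` branch with `bb.warn("TRUSTFENCE_ENCRYPT_ENVIRONMENT is not supported for this SoC vendor; ignoring")` (or `bb.fatal` if a silent downgrade is unacceptable) would make it visible. The same silent skip applies to TRUSTFENCE_DEK_PATH in the earlier hunk and to SWUPDATE_PRIVATE_KEY_TEMPLATE and CONFIG_SIGN_MODE in the last one, which are left unset for non-NXP vendors while TRUSTFENCE_SIGN is "1". The enclosing anonymous `python ()` function starts and ends outside these hunks.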


@ -47,13 +47,15 @@ do_install() {
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1) KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
# Find the certificate to use. # Find the certificate to use.
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)" if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)" elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
else CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
bberror "Unkown TRUSTFENCE_SIGN_MODE value" else
exit 1 bberror "Unkown TRUSTFENCE_SIGN_MODE value"
exit 1
fi
fi fi
# Extract the public key from the certificate. # Extract the public key from the certificate.