trustfence: use conditionals for NXP-specific stuff

Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (not using dek.bin), as if this was disabled. Set temporarily TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until environment encryption is fully supported. Signed-off-by: Hector Palacios <hector.palacios@digi.com>
2023-02-06 12:17:40 +01:00 · 2023-02-06 12:17:40 +01:00 · 74ed606339
parent 3229e37e88
commit 74ed606339
3 changed files with 49 additions and 38 deletions
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc
@ -27,25 +27,28 @@ do_configure[noexec] = "1"
 do_compile[noexec] = "1"

 do_install() {
-	install -d ${D}${bindir}/csf_templates
-	if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
-		install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
-		install -m 0755 encrypt_ahab ${D}${bindir}/csf_templates/
-	elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
-		install -m 0755 sign_hab ${D}${bindir}/csf_templates/
-		install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
-	else
-		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
-		exit 1
-	fi
-	install -m 0755 trustfence-sign-artifact.sh ${D}${bindir}/
-	install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
+	if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+		install -d ${D}${bindir}/csf_templates
+		if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
+			install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
+			install -m 0755 encrypt_ahab ${D}${bindir}/csf_templates/
+		elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
+			install -m 0755 sign_hab ${D}${bindir}/csf_templates/
+			install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
+		else
+			bberror "Unkown TRUSTFENCE_SIGN_MODE value"
+			exit 1
+		fi

-	# Select U-Boot sign script depending on U-Boot including an SPL image
-	if [ -n "${SPL_BINARY}" ]; then
-		install -m 0755 git/scripts/sign_spl_fit.sh ${D}${bindir}/trustfence-sign-uboot.sh
-	else
-		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
+		install -m 0755 git/scripts/csf_templates/* ${D}${bindir}/csf_templates
+		install -m 0755 trustfence-sign-artifact.sh ${D}${bindir}/
+
+		# Select U-Boot sign script depending on U-Boot including an SPL image
+		if [ -n "${SPL_BINARY}" ]; then
+			install -m 0755 git/scripts/sign_spl_fit.sh ${D}${bindir}/trustfence-sign-uboot.sh
+		else
+			install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
+		fi
 	fi
 }

--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -22,7 +22,9 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
 TRUSTFENCE_SIGN ?= "1"
 TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
 TRUSTFENCE_DEK_PATH ?= "default"
+TRUSTFENCE_DEK_PATH:ccmp1 ?= "0"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
+TRUSTFENCE_ENCRYPT_ENVIRONMENT:ccmp1 ?= "0"
 TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"

 # Partition encryption configuration
@ -52,8 +54,9 @@ python () {
    if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
        d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");

-    if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
-        d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
+    if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
+        if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
+            d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");

    if (d.getVar("TRUSTFENCE_SIGN") == "1"):
        d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ")
@ -65,12 +68,14 @@ python () {
            d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
        if d.getVar("TRUSTFENCE_KEY_INDEX"):
            d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
-        if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
-            d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
-        if d.getVar("TRUSTFENCE_SIGN_MODE"):
-            d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
+        if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
+            if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
+                d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
+            if d.getVar("TRUSTFENCE_SIGN_MODE"):
+                d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
    if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"):
-        d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")
+        if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
+            d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")

    # Provide sane default values for SWUPDATE class in case Trustfence is enabled
    if (d.getVar("TRUSTFENCE_SIGN") == "1"):
@ -87,12 +92,13 @@ python () {
        key_index_1 = key_index + 1

        # Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
-        if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
-            d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
-            d.setVar("CONFIG_SIGN_MODE", "AHAB")
-        else:
-            d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
-            d.setVar("CONFIG_SIGN_MODE", "HAB")
+        if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
+            if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
+                d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
+                d.setVar("CONFIG_SIGN_MODE", "AHAB")
+            else:
+                d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/IMG" + str(key_index_1) + "*key.pem")
+                d.setVar("CONFIG_SIGN_MODE", "HAB")

        # Set the key password.
        d.setVar("SWUPDATE_PASSWORD_FILE", keys_path + "/keys/key_pass.txt")
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@ -47,13 +47,15 @@ do_install() {
 		KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)

 		# Find the certificate to use.
-		if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
-			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
-		elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
-			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
-		else
-			bberror "Unkown TRUSTFENCE_SIGN_MODE value"
-			exit 1
+		if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+			if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
+				CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
+			elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
+				CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
+			else
+				bberror "Unkown TRUSTFENCE_SIGN_MODE value"
+				exit 1
+			fi
 		fi

 		# Extract the public key from the certificate.