From 7a02e1b00aed5295bbf26004b349476ff3aff209 Mon Sep 17 00:00:00 2001
From: "Diaz de Grenu, Jose"
Date: Mon, 19 Sep 2016 16:34:38 +0200
Subject: [PATCH] trustfence: define new type of image for signed/encrypted ramdisks
Also change the image type of dey-image-trustfence-initramfs.
https://jira.digi.com/browse/DUB-615
Signed-off-by: Diaz de Grenu, Jose
---
 .../classes/image_types_digi.bbclass | 22 +++++++++++++++++--
 .../recipes-bsp/u-boot/u-boot-dey_2015.04.bb | 2 +-
 .../images/dey-image-trustfence-initramfs.bb | 2 +-
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass
index 9588d2d86..160cdd66c 100644
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@@ -29,8 +29,8 @@ IMAGE_CMD_boot.vfat() {
 # Add Trustfence initramfs if enabled
 if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
- BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot)"
- BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot"
+ BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf)"
+ BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf"
 fi
 # Size of kernel and device tree + 10% extra space (in bytes)
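Review bot: The `.cpio.gz.u-boot.tf` file that the two new `BOOTIMG_FILES` lines expect is only produced when `TRUSTFENCE_SIGN` is "1" (`IMAGE_CMD_cpio.gz.u-boot.tf` in the next hunk does nothing otherwise), so a build with `TRUSTFENCE_INITRAMFS_IMAGE` set but signing disabled has nothing to resolve here. `readlink -e` prints nothing for a missing path, so the outcome is presumably either a failed task or a boot partition without the initramfs that the boot script requests; the same assumption is carried by `tf_bootscript_sedfilter` and by `IMAGE_FSTYPES` in the later hunks. I would make the failure explicit: resolve the path into a variable first and stop with `bbfatal "Trustfence initramfs ${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf not found (is TRUSTFENCE_SIGN enabled?)"` when it is empty, or add a matching `else` branch to the image command. `IMAGE_CMD_boot.vfat` starts and ends outside this hunk.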
@@ -130,6 +130,24 @@ IMAGE_CMD_rootfs.initramfs() {
 }
 IMAGE_TYPEDEP_rootfs.initramfs = "cpio.gz"
+IMAGE_CMD_cpio.gz.u-boot.tf() {
+ #
+ # Image generation code for image type 'cpio.gz.u-boot.tf'
+ # (signed/encrypted ramdisk)
+ #
+ if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+ # Set environment variables for trustfence configuration
+ export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+ [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+ [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
+
+ # Sign/encrypt the ramdisk
+ "${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" -p "${DIGI_FAMILY}" -i "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.cpio.gz.u-boot" "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.rootfs.cpio.gz.u-boot.tf"
+ fi
+}
+
+IMAGE_TYPEDEP_cpio.gz.u-boot.tf = "cpio.gz.u-boot"
+
 # Set alignment to 4MB [in KiB]
 IMAGE_ROOTFS_ALIGNMENT = "4096"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
index daf4509e3..f628729fb 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@@ -101,7 +101,7 @@ TF_BOOTSCRIPT_SEDFILTER_ccimx6 = "${@tf_bootscript_sedfilter(d)}"
 def tf_bootscript_sedfilter(d):
 tf_initramfs = d.getVar('TRUSTFENCE_INITRAMFS_IMAGE',True) or ""
- return "/^dboot linux/i\setenv boot_initrd true\\nsetenv initrd_file %s-${MACHINE}.cpio.gz.u-boot" % tf_initramfs if tf_initramfs else ""
+ return "/^dboot linux/i\setenv boot_initrd true\\nsetenv initrd_file %s-${MACHINE}.cpio.gz.u-boot.tf" % tf_initramfs if tf_initramfs else ""
 do_deploy_append() {
 # Remove canonical U-Boot symlinks for ${UBOOT_CONFIG} currently in the form:
diff --git a/meta-digi-dey/recipes-core/images/dey-image-trustfence-initramfs.bb b/meta-digi-dey/recipes-core/images/dey-image-trustfence-initramfs.bb
index f5923ce55..24a4a75a1 100644
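Review bot: In `IMAGE_CMD_cpio.gz.u-boot.tf`, `CONFIG_SIGN_KEYS_PATH` is exported unconditionally, while the key index and DEK path directly below it are guarded with `[ -n ... ]`. If `TRUSTFENCE_SIGN_KEYS_PATH` is unset, the signing script is invoked with an empty key path, and how it behaves then is not visible from this patch. For the step that produces the authenticated boot artifact I would fail early with `[ -n "${TRUSTFENCE_SIGN_KEYS_PATH}" ] || bbfatal "TRUSTFENCE_SIGN_KEYS_PATH must be set when TRUSTFENCE_SIGN is 1"`. The header comment could also state that an empty or "0" `TRUSTFENCE_DEK_PATH` appears to mean sign-only (that is what the `!= "0"` test suggests) and that no output file is generated when `TRUSTFENCE_SIGN` is not "1".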
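Review bot: In the rewritten `return` line of `tf_bootscript_sedfilter`, `i\setenv` relies on Python keeping the unrecognised escape `\s` as a literal backslash, whereas the newline a few words later is written explicitly as `\\n`. Spelling it `i\\setenv` yields the same sed script without depending on that fallback, which newer Python versions warn about. The `.cpio.gz.u-boot.tf` suffix is now hard-coded here as well as in `image_types_digi.bbclass` and the image recipe; a single shared variable for the initramfs file name would keep the boot script and the deployed artifact from drifting apart.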
--- a/meta-digi-dey/recipes-core/images/dey-image-trustfence-initramfs.bb
+++ b/meta-digi-dey/recipes-core/images/dey-image-trustfence-initramfs.bb
@@ -11,7 +11,7 @@ PACKAGE_INSTALL = " \
 IMAGE_FEATURES = ""
 IMAGE_LINGUAS = ""
-IMAGE_FSTYPES = "cpio.gz.u-boot"
+IMAGE_FSTYPES = "cpio.gz.u-boot.tf"
 inherit core-image image_types_uboot
 IMAGE_ROOTFS_SIZE = "8192"