From 8320168821983c700a7d42e0bffa3056cd4ca7a5 Mon Sep 17 00:00:00 2001
From: Hector Palacios <hector.palacios@digi.com>
Date: Mon, 10 Feb 2020 10:44:49 +0100
Subject: [PATCH] trustfence: homogenize SIGN_MODE variables

* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
---
 meta-digi-arm/classes/image_types_digi.bbclass |  4 ++--
 meta-digi-arm/conf/machine/include/ccimx6.inc  |  3 ++-
 .../conf/machine/include/ccimx6ul.inc          |  3 ++-
 meta-digi-arm/conf/machine/include/ccimx8x.inc |  3 ++-
 .../imx-mkimage/imx-boot_0.2.bbappend          |  2 +-
 .../trustfence-cst/trustfence-cst.inc          |  6 +++---
 .../recipes-bsp/u-boot/digi-u-boot.inc         |  6 +++---
 .../trustfence-sign-kernel.sh                  | 18 +++++++++---------
 .../trustfence/trustfence-sign-tools_git.bb    |  6 +++---
 .../recipes-kernel/linux/linux-dey.inc         |  6 +++---
 meta-digi-dey/classes/trustfence.bbclass       |  2 +-
 .../recovery/recovery-initramfs.bb             |  6 +++---
 12 files changed, 34 insertions(+), 31 deletions(-)

diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass
index dcb85f51d..20c198f2b 100644
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@@ -206,7 +206,7 @@ trustence_sign_cpio() {
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 
-		if [ "${SIGN_MODE}" = "AHAB" ]; then
+		if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 			${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
 			mv "${1}-mkimg" "${1}"
 		fi
@@ -220,7 +220,7 @@ trustence_sign_cpio() {
 CONVERSIONTYPES += "tf"
 CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
 CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \
-			    oe.utils.conditional('SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
+			    oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
 IMAGE_TYPES += "cpio.gz.u-boot.tf"
 
 ################################################################################
diff --git a/meta-digi-arm/conf/machine/include/ccimx6.inc b/meta-digi-arm/conf/machine/include/ccimx6.inc
index 0a4d41c03..25d68619f 100644
--- a/meta-digi-arm/conf/machine/include/ccimx6.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx6.inc
@@ -44,4 +44,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \
 
 MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci"
 
-SIGN_MODE = "HAB"
+# TrustFence
+TRUSTFENCE_SIGN_MODE = "HAB"
diff --git a/meta-digi-arm/conf/machine/include/ccimx6ul.inc b/meta-digi-arm/conf/machine/include/ccimx6ul.inc
index be96b3aba..1c254af7a 100644
--- a/meta-digi-arm/conf/machine/include/ccimx6ul.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx6ul.inc
@@ -58,4 +58,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255"
 # Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size.
 MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191"
 
-SIGN_MODE = "HAB"
+# TrustFence
+TRUSTFENCE_SIGN_MODE = "HAB"
diff --git a/meta-digi-arm/conf/machine/include/ccimx8x.inc b/meta-digi-arm/conf/machine/include/ccimx8x.inc
index 81a3cddb3..0ad9dfb4c 100644
--- a/meta-digi-arm/conf/machine/include/ccimx8x.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx8x.inc
@@ -75,8 +75,9 @@ VIRTUAL-RUNTIME_initscripts ?= "initscripts"
 # For i.MX 8 silicon chip revision
 MX8_CHIP_REV ?= "B0"
 MX8_SOC_VAR ?= "QX"
-SIGN_MODE = "AHAB"
 
+# TrustFence
+TRUSTFENCE_SIGN_MODE = "AHAB"
 # For Trustfence container header RAM locations
 RAM_CONTAINER_LOC_BOOT = "0x80280000"
 RAM_CONTAINER_LOC_DTB = "0x82000000"
diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
index ab0299104..822c91bda 100644
--- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
+++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
@@ -205,7 +205,7 @@ do_deploy () {
 }
 
 do_deploy_append () {
-	if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then
+	if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
index 9639c584a..0731dbfcf 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
@@ -43,12 +43,12 @@ do_install() {
 	install -d ${D}${bindir}
 	install -m 0755 linux64/cst ${D}${bindir}/cst
 	install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
-	if [ "${SIGN_MODE}" = "AHAB" ]; then
+	if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
-	elif [ "${SIGN_MODE}" = "HAB" ]; then
+	elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 		install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
 	else
-		bberror "Unkown SIGN_MODE value"
+		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 		exit 1
 	fi
 	install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
diff --git a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
index 68f14fc16..aebfd9e99 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
@@ -79,7 +79,7 @@ do_compile () {
 					unset k
 
 					# Secure boot artifacts
-					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]
+					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]
 					then
 						cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
 						cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
@@ -122,7 +122,7 @@ do_deploy_append() {
 					cd ${DEPLOYDIR}
 					rm -r ${UBOOT_BINARY}-${type}
 					ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
-					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then
+					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 						install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
 						ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
 
@@ -161,7 +161,7 @@ do_deploy_append() {
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 
 		# Sign boot script
-		if [ "${SIGN_MODE}" = "HAB" ]; then
+		if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 			TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
 			mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
index 9b25083c7..ad5cce588 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
@@ -69,7 +69,7 @@ TARGET="$(readlink -m ${2})"
 
 # Negative offset with respect to CONFIG_RAM_START in which U-Boot
 # copies the DEK blob.
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	DEK_BLOB_OFFSET="0x100"
 	CONFIG_CSF_SIZE="0x4000"
 fi
@@ -83,7 +83,7 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
 fi
 [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
 
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	if [ -n "${CONFIG_DEK_PATH}" ]; then
 		if [ ! -f "${CONFIG_DEK_PATH}" ]; then
 			echo "DEK not found. Generating random 256 bit DEK."
@@ -129,14 +129,14 @@ fi
 CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
 
 SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
 	CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
 fi
 
 n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
 
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
 		# PKI tree already exists.
 		echo "Using existing PKI tree"
@@ -151,11 +151,11 @@ if [ "${SIGN_MODE}" = "HAB" ]; then
 		echo "Inconsistent CST folder."
 		exit 1
 	fi
-elif [ "${SIGN_MODE}" = "AHAB" ]; then
-	if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
+elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
+	if [ "${n_commas}" -eq 3 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 		# PKI tree already exists. Do nothing
 		echo "Using existing PKI tree"
-	elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
+	elif [ "${n_commas}" -eq 0 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 		# Generate PKI
 		trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
 
@@ -167,7 +167,7 @@ elif [ "${SIGN_MODE}" = "AHAB" ]; then
 fi
 
 SRK_TABLE="$(pwd)/SRK_table.bin"
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	HAB_VER="hab_ver 4"
 	DIGEST="digest"
 	DIGEST_ALGO="sha256"
@@ -281,7 +281,7 @@ if [ $? -ne 0 ]; then
 	exit 1
 fi
 
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	# Pad to IVT
 	objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
 
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
index 813464718..0cc7a68ea 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
@@ -27,15 +27,15 @@ do_compile[noexec] = "1"
 
 do_install() {
 	install -d ${D}${bindir}/csf_templates
-	if [ "${SIGN_MODE}" = "AHAB" ]; then
+	if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
 		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
-	elif [ "${SIGN_MODE}" = "HAB" ]; then
+	elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 		install -m 0755 sign_hab ${D}${bindir}/csf_templates/
 		install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
 		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
 	else
-		bberror "Unkown SIGN_MODE value"
+		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 		exit 1
 	fi
 	install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
index 66db01319..e7d5800d7 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
@@ -24,7 +24,7 @@ trustfence_sign() {
 	[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 
 	# Sign/encrypt the kernel images
-	if [ "${SIGN_MODE}" = "HAB" ]; then
+	if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 		for type in ${KERNEL_IMAGETYPES}; do
 			KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
 			TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
@@ -42,7 +42,7 @@ trustfence_sign() {
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
 			mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
 		done
-	elif [ "${SIGN_MODE}" = "AHAB" ]; then
+	elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		# Sign the kernel images
 		for type in ${KERNEL_IMAGETYPES}; do
 			KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
@@ -64,7 +64,7 @@ trustfence_sign() {
 			rm -f ${DTB_IMAGE}-mkimg-signed
 		done
 	else
-		bberror "Unkown SIGN_MODE value"
+		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 		exit 1
 	fi
 }
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index c54b3b933..229b31d98 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -84,7 +84,7 @@ python () {
         key_index_1 = key_index + 1
 
         # Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
-        if (d.getVar("SIGN_MODE", "") == "AHAB"):
+        if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
             d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
             d.setVar("CONFIG_SIGN_MODE", "AHAB")
         else:
diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
index 2df871b24..a05db3d71 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@@ -40,12 +40,12 @@ do_install() {
 		KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
 
 		# Find the certificate to use.
-		if [ "${SIGN_MODE}" = "HAB" ]; then
+		if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
-		elif [ "${SIGN_MODE}" = "AHAB" ]; then
+		elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
 		else
-			bberror "Unkown SIGN_MODE value"
+			bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 			exit 1
 		fi