trustfence: homogenize SIGN_MODE variables
* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
parent
6caecc5c53
commit
8320168821
|
|
@ -206,7 +206,7 @@ trustence_sign_cpio() {
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
|
|
||||||
if [ "${SIGN_MODE}" = "AHAB" ]; then
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
|
${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
|
||||||
mv "${1}-mkimg" "${1}"
|
mv "${1}-mkimg" "${1}"
|
||||||
fi
|
fi
|
||||||
|
|
@ -220,7 +220,7 @@ trustence_sign_cpio() {
|
||||||
CONVERSIONTYPES += "tf"
|
CONVERSIONTYPES += "tf"
|
||||||
CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
|
CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
|
||||||
CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \
|
CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \
|
||||||
oe.utils.conditional('SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
|
oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
|
||||||
IMAGE_TYPES += "cpio.gz.u-boot.tf"
|
IMAGE_TYPES += "cpio.gz.u-boot.tf"
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
|
||||||
|
|
@ -44,4 +44,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \
|
||||||
|
|
||||||
MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci"
|
MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci"
|
||||||
|
|
||||||
SIGN_MODE = "HAB"
|
# TrustFence
|
||||||
|
TRUSTFENCE_SIGN_MODE = "HAB"
|
||||||
|
|
|
||||||
|
|
@ -58,4 +58,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255"
|
||||||
# Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size.
|
# Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size.
|
||||||
MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191"
|
MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191"
|
||||||
|
|
||||||
SIGN_MODE = "HAB"
|
# TrustFence
|
||||||
|
TRUSTFENCE_SIGN_MODE = "HAB"
|
||||||
|
|
|
||||||
|
|
@ -75,8 +75,9 @@ VIRTUAL-RUNTIME_initscripts ?= "initscripts"
|
||||||
# For i.MX 8 silicon chip revision
|
# For i.MX 8 silicon chip revision
|
||||||
MX8_CHIP_REV ?= "B0"
|
MX8_CHIP_REV ?= "B0"
|
||||||
MX8_SOC_VAR ?= "QX"
|
MX8_SOC_VAR ?= "QX"
|
||||||
SIGN_MODE = "AHAB"
|
|
||||||
|
|
||||||
|
# TrustFence
|
||||||
|
TRUSTFENCE_SIGN_MODE = "AHAB"
|
||||||
# For Trustfence container header RAM locations
|
# For Trustfence container header RAM locations
|
||||||
RAM_CONTAINER_LOC_BOOT = "0x80280000"
|
RAM_CONTAINER_LOC_BOOT = "0x80280000"
|
||||||
RAM_CONTAINER_LOC_DTB = "0x82000000"
|
RAM_CONTAINER_LOC_DTB = "0x82000000"
|
||||||
|
|
|
||||||
|
|
@ -205,7 +205,7 @@ do_deploy () {
|
||||||
}
|
}
|
||||||
|
|
||||||
do_deploy_append () {
|
do_deploy_append () {
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then
|
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
|
|
|
||||||
|
|
@ -43,12 +43,12 @@ do_install() {
|
||||||
install -d ${D}${bindir}
|
install -d ${D}${bindir}
|
||||||
install -m 0755 linux64/cst ${D}${bindir}/cst
|
install -m 0755 linux64/cst ${D}${bindir}/cst
|
||||||
install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
|
install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
|
||||||
if [ "${SIGN_MODE}" = "AHAB" ]; then
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
|
install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
|
||||||
elif [ "${SIGN_MODE}" = "HAB" ]; then
|
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||||
install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
|
install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
|
||||||
else
|
else
|
||||||
bberror "Unkown SIGN_MODE value"
|
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
|
install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
|
||||||
|
|
|
||||||
|
|
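Review bot: The fallback message in do_install still reads `Unkown`; since this line is being rewritten anyway, `bberror "Unknown TRUSTFENCE_SIGN_MODE value: '${TRUSTFENCE_SIGN_MODE}'"` would fix the spelling and show the value that was rejected. If a downstream configuration still sets only the old `SIGN_MODE` name, this may be the message the build stops on, and printing the (empty) value makes the cause visible in the log. The same message appears in the `@ -27,15`, `@ -64,7` and `@ -40,12` hunks further down. do_install starts and ends outside this hunk.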
@ -79,7 +79,7 @@ do_compile () {
|
||||||
unset k
|
unset k
|
||||||
|
|
||||||
# Secure boot artifacts
|
# Secure boot artifacts
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]
|
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]
|
||||||
then
|
then
|
||||||
cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
|
cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
|
||||||
cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
|
cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
|
||||||
|
|
@ -122,7 +122,7 @@ do_deploy_append() {
|
||||||
cd ${DEPLOYDIR}
|
cd ${DEPLOYDIR}
|
||||||
rm -r ${UBOOT_BINARY}-${type}
|
rm -r ${UBOOT_BINARY}-${type}
|
||||||
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
|
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||||
install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
|
install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
|
||||||
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
|
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
|
||||||
|
|
||||||
|
|
@ -161,7 +161,7 @@ do_deploy_append() {
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
|
|
||||||
# Sign boot script
|
# Sign boot script
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||||
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
||||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
|
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
|
||||||
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
|
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
|
||||||
|
|
|
||||||
|
|
@ -69,7 +69,7 @@ TARGET="$(readlink -m ${2})"
|
||||||
|
|
||||||
# Negative offset with respect to CONFIG_RAM_START in which U-Boot
|
# Negative offset with respect to CONFIG_RAM_START in which U-Boot
|
||||||
# copies the DEK blob.
|
# copies the DEK blob.
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
||||||
DEK_BLOB_OFFSET="0x100"
|
DEK_BLOB_OFFSET="0x100"
|
||||||
CONFIG_CSF_SIZE="0x4000"
|
CONFIG_CSF_SIZE="0x4000"
|
||||||
fi
|
fi
|
||||||
|
|
@ -83,7 +83,7 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
|
||||||
fi
|
fi
|
||||||
[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
|
[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"
|
||||||
|
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
||||||
if [ -n "${CONFIG_DEK_PATH}" ]; then
|
if [ -n "${CONFIG_DEK_PATH}" ]; then
|
||||||
if [ ! -f "${CONFIG_DEK_PATH}" ]; then
|
if [ ! -f "${CONFIG_DEK_PATH}" ]; then
|
||||||
echo "DEK not found. Generating random 256 bit DEK."
|
echo "DEK not found. Generating random 256 bit DEK."
|
||||||
|
|
@ -129,14 +129,14 @@ fi
|
||||||
CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
|
CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"
|
||||||
|
|
||||||
SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
|
SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
||||||
CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
|
CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
|
||||||
CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
|
CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
|
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
|
||||||
|
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
||||||
if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
|
if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
|
||||||
# PKI tree already exists.
|
# PKI tree already exists.
|
||||||
echo "Using existing PKI tree"
|
echo "Using existing PKI tree"
|
||||||
|
|
@ -151,11 +151,11 @@ if [ "${SIGN_MODE}" = "HAB" ]; then
|
||||||
echo "Inconsistent CST folder."
|
echo "Inconsistent CST folder."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
elif [ "${SIGN_MODE}" = "AHAB" ]; then
|
elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
|
||||||
if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
|
if [ "${n_commas}" -eq 3 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
|
||||||
# PKI tree already exists. Do nothing
|
# PKI tree already exists. Do nothing
|
||||||
echo "Using existing PKI tree"
|
echo "Using existing PKI tree"
|
||||||
elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
|
elif [ "${n_commas}" -eq 0 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
|
||||||
# Generate PKI
|
# Generate PKI
|
||||||
trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
|
trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"
|
||||||
|
|
||||||
|
|
@ -167,7 +167,7 @@ elif [ "${SIGN_MODE}" = "AHAB" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SRK_TABLE="$(pwd)/SRK_table.bin"
|
SRK_TABLE="$(pwd)/SRK_table.bin"
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
||||||
HAB_VER="hab_ver 4"
|
HAB_VER="hab_ver 4"
|
||||||
DIGEST="digest"
|
DIGEST="digest"
|
||||||
DIGEST_ALGO="sha256"
|
DIGEST_ALGO="sha256"
|
||||||
|
|
@ -281,7 +281,7 @@ if [ $? -ne 0 ]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
||||||
# Pad to IVT
|
# Pad to IVT
|
||||||
objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
|
objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
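Review bot: Every `CONFIG_SIGN_MODE` test in this script is an equality check against `HAB` or `AHAB`, and the visible hunks show no branch for any other value, so an unset or misspelled mode would skip the DEK setup, the PKI consistency check and the IVT padding without an error. The rename makes this more likely to bite: a caller that still exports `SIGN_MODE` now takes none of these branches, and the recipe hunks in this commit that invoke the script show exports of `CONFIG_KEY_INDEX` and `CONFIG_DEK_PATH` but not of `CONFIG_SIGN_MODE` (it may be exported outside the visible lines). A guard near the top, `case "${CONFIG_SIGN_MODE}" in HAB|AHAB) ;; *) echo "Unknown CONFIG_SIGN_MODE value" >&2; exit 1 ;; esac`, would make the signing script fail closed. The rest of the script is outside these hunks, so such a check may already exist there.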
@ -27,15 +27,15 @@ do_compile[noexec] = "1"
|
||||||
|
|
||||||
do_install() {
|
do_install() {
|
||||||
install -d ${D}${bindir}/csf_templates
|
install -d ${D}${bindir}/csf_templates
|
||||||
if [ "${SIGN_MODE}" = "AHAB" ]; then
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
|
install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
|
||||||
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
|
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
|
||||||
elif [ "${SIGN_MODE}" = "HAB" ]; then
|
elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||||
install -m 0755 sign_hab ${D}${bindir}/csf_templates/
|
install -m 0755 sign_hab ${D}${bindir}/csf_templates/
|
||||||
install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
|
install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
|
||||||
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
|
install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
|
||||||
else
|
else
|
||||||
bberror "Unkown SIGN_MODE value"
|
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
|
install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@ trustfence_sign() {
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
|
|
||||||
# Sign/encrypt the kernel images
|
# Sign/encrypt the kernel images
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||||
for type in ${KERNEL_IMAGETYPES}; do
|
for type in ${KERNEL_IMAGETYPES}; do
|
||||||
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
||||||
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
|
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
|
||||||
|
|
@ -42,7 +42,7 @@ trustfence_sign() {
|
||||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
|
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
|
||||||
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
|
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
|
||||||
done
|
done
|
||||||
elif [ "${SIGN_MODE}" = "AHAB" ]; then
|
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
# Sign the kernel images
|
# Sign the kernel images
|
||||||
for type in ${KERNEL_IMAGETYPES}; do
|
for type in ${KERNEL_IMAGETYPES}; do
|
||||||
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
||||||
|
|
@ -64,7 +64,7 @@ trustfence_sign() {
|
||||||
rm -f ${DTB_IMAGE}-mkimg-signed
|
rm -f ${DTB_IMAGE}-mkimg-signed
|
||||||
done
|
done
|
||||||
else
|
else
|
||||||
bberror "Unkown SIGN_MODE value"
|
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ python () {
|
||||||
key_index_1 = key_index + 1
|
key_index_1 = key_index + 1
|
||||||
|
|
||||||
# Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
|
# Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
|
||||||
if (d.getVar("SIGN_MODE", "") == "AHAB"):
|
if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
|
||||||
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
|
d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
|
||||||
d.setVar("CONFIG_SIGN_MODE", "AHAB")
|
d.setVar("CONFIG_SIGN_MODE", "AHAB")
|
||||||
else:
|
else:
|
||||||
|
|
|
||||||
|
|
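Review bot: In `d.getVar("TRUSTFENCE_SIGN_MODE", "")` the second positional argument is getVar's `expand` flag, not a default value, so the empty string requests the unexpanded value; `d.getVar("TRUSTFENCE_SIGN_MODE", True) == "AHAB"` compares the expanded setting. The `else:` that follows accepts every value other than `AHAB`, including an unset or misspelled one, whereas the shell tasks touched by this commit stop with bberror on an unknown mode. An explicit `elif` for `"HAB"` plus `bb.fatal("Unknown TRUSTFENCE_SIGN_MODE value")` for anything else would keep the signing-key template selection consistent with them. The body of the else branch and the rest of the anonymous function are outside the hunk.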
@ -40,12 +40,12 @@ do_install() {
|
||||||
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
|
KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
|
||||||
|
|
||||||
# Find the certificate to use.
|
# Find the certificate to use.
|
||||||
if [ "${SIGN_MODE}" = "HAB" ]; then
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
|
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
|
||||||
elif [ "${SIGN_MODE}" = "AHAB" ]; then
|
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
|
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
|
||||||
else
|
else
|
||||||
bberror "Unkown SIGN_MODE value"
|
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
||||||