trustfence: homogenize SIGN_MODE variables

* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY * prefix CONFIG_ to variable SIGN_MODE for script Signed-off-by: Hector Palacios <hector.palacios@digi.com>
2020-02-10 10:44:49 +01:00 · 2020-02-10 10:44:49 +01:00 · 8320168821
parent 6caecc5c53
commit 8320168821
12 changed files with 34 additions and 31 deletions
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@ -206,7 +206,7 @@ trustence_sign_cpio() {
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"

-		if [ "${SIGN_MODE}" = "AHAB" ]; then
+		if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 			${DEPLOY_DIR_IMAGE}/imx-boot-tools/mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
 			mv "${1}-mkimg" "${1}"
 		fi
@ -220,7 +220,7 @@ trustence_sign_cpio() {
 CONVERSIONTYPES += "tf"
 CONVERSION_CMD_tf = "trustence_sign_cpio ${IMAGE_NAME}.rootfs.${type}"
 CONVERSION_DEPENDS_tf = "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', \
-			    oe.utils.conditional('SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
+			    oe.utils.conditional('TRUSTFENCE_SIGN_MODE', 'AHAB', 'trustfence-sign-tools-native imx-mkimage', 'trustfence-sign-tools-native', d), '', d)}"
 IMAGE_TYPES += "cpio.gz.u-boot.tf"

 ################################################################################
--- a/meta-digi-arm/conf/machine/include/ccimx6.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx6.inc
@ -44,4 +44,5 @@ MACHINE_EXTRA_RRECOMMENDS += " \

 MACHINE_FEATURES += "accel-graphics accel-video wifi bluetooth pci"

-SIGN_MODE = "HAB"
+# TrustFence
+TRUSTFENCE_SIGN_MODE = "HAB"
--- a/meta-digi-arm/conf/machine/include/ccimx6ul.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx6ul.inc
@ -58,4 +58,5 @@ MKUBIFS_BOOT_ARGS ?= "-m 2048 -e 126976 -c 255"
 # Max LEB count (-c 8191) calculated for a partition of up to 1 GiB considering 128 KiB erase-block size.
 MKUBIFS_ARGS ?= "-m 2048 -e 126976 -c 8191"

-SIGN_MODE = "HAB"
+# TrustFence
+TRUSTFENCE_SIGN_MODE = "HAB"
--- a/meta-digi-arm/conf/machine/include/ccimx8x.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx8x.inc
@ -75,8 +75,9 @@ VIRTUAL-RUNTIME_initscripts ?= "initscripts"
 # For i.MX 8 silicon chip revision
 MX8_CHIP_REV ?= "B0"
 MX8_SOC_VAR ?= "QX"
-SIGN_MODE = "AHAB"

+# TrustFence
+TRUSTFENCE_SIGN_MODE = "AHAB"
 # For Trustfence container header RAM locations
 RAM_CONTAINER_LOC_BOOT = "0x80280000"
 RAM_CONTAINER_LOC_DTB = "0x82000000"
--- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
+++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
@ -205,7 +205,7 @@ do_deploy () {
 }

 do_deploy_append () {
-	if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "AHAB" ]; then
+	if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst.inc
@ -43,12 +43,12 @@ do_install() {
 	install -d ${D}${bindir}
 	install -m 0755 linux64/cst ${D}${bindir}/cst
 	install -m 0755 $(find linux64 -type f -name srktool) ${D}${bindir}/srktool
-	if [ "${SIGN_MODE}" = "AHAB" ]; then
+	if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		install -m 0755 keys/ahab_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
-	elif [ "${SIGN_MODE}" = "HAB" ]; then
+	elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 		install -m 0755 keys/hab4_pki_tree.sh ${D}${bindir}/trustfence-gen-pki.sh
 	else
-		bberror "Unkown SIGN_MODE value"
+		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 		exit 1
 	fi
 	install -m 0755 ca/openssl.cnf ${D}${bindir}/openssl.cnf
--- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
@ -79,7 +79,7 @@ do_compile () {
 					unset k

 					# Secure boot artifacts
-					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]
+					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]
 					then
 						cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
 						cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
@ -122,7 +122,7 @@ do_deploy_append() {
 					cd ${DEPLOYDIR}
 					rm -r ${UBOOT_BINARY}-${type}
 					ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
-					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${SIGN_MODE}" = "HAB" ]; then
+					if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 						install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
 						ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin

@ -161,7 +161,7 @@ do_deploy_append() {
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"

 		# Sign boot script
-		if [ "${SIGN_MODE}" = "HAB" ]; then
+		if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 			TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
 			mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
@ -69,7 +69,7 @@ TARGET="$(readlink -m ${2})"

 # Negative offset with respect to CONFIG_RAM_START in which U-Boot
 # copies the DEK blob.
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	DEK_BLOB_OFFSET="0x100"
 	CONFIG_CSF_SIZE="0x4000"
 fi
@ -83,7 +83,7 @@ if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then
 fi
 [ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}"

-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	if [ -n "${CONFIG_DEK_PATH}" ]; then
 		if [ ! -f "${CONFIG_DEK_PATH}" ]; then
 			echo "DEK not found. Generating random 256 bit DEK."
@ -129,14 +129,14 @@ fi
 CONFIG_KEY_INDEX_1="$((CONFIG_KEY_INDEX + 1))"

 SRK_KEYS="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	CERT_CSF="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/CSF${CONFIG_KEY_INDEX_1}*crt.pem)"
 	CERT_IMG="$(echo ${CONFIG_SIGN_KEYS_PATH}/crts/IMG${CONFIG_KEY_INDEX_1}*crt.pem)"
 fi

 n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"

-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
 		# PKI tree already exists.
 		echo "Using existing PKI tree"
@ -151,11 +151,11 @@ if [ "${SIGN_MODE}" = "HAB" ]; then
 		echo "Inconsistent CST folder."
 		exit 1
 	fi
-elif [ "${SIGN_MODE}" = "AHAB" ]; then
-	if [ "${n_commas}" -eq 3 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
+elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
+	if [ "${n_commas}" -eq 3 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 		# PKI tree already exists. Do nothing
 		echo "Using existing PKI tree"
-	elif [ "${n_commas}" -eq 0 ] && [ "${SIGN_MODE}" = "AHAB" ]; then
+	elif [ "${n_commas}" -eq 0 ] && [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 		# Generate PKI
 		trustfence-gen-pki.sh "${CONFIG_SIGN_KEYS_PATH}"

@ -167,7 +167,7 @@ elif [ "${SIGN_MODE}" = "AHAB" ]; then
 fi

 SRK_TABLE="$(pwd)/SRK_table.bin"
-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	HAB_VER="hab_ver 4"
 	DIGEST="digest"
 	DIGEST_ALGO="sha256"
@ -281,7 +281,7 @@ if [ $? -ne 0 ]; then
 	exit 1
 fi

-if [ "${SIGN_MODE}" = "HAB" ]; then
+if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	# Pad to IVT
 	objcopy -I binary -O binary --pad-to "${pad_len}" --gap-fill="${GAP_FILLER}" "${UIMAGE_PATH}" "${TARGET}"

--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_git.bb
@ -27,15 +27,15 @@ do_compile[noexec] = "1"

 do_install() {
 	install -d ${D}${bindir}/csf_templates
-	if [ "${SIGN_MODE}" = "AHAB" ]; then
+	if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		install -m 0755 sign_ahab ${D}${bindir}/csf_templates/
 		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-ahab-uboot.sh
-	elif [ "${SIGN_MODE}" = "HAB" ]; then
+	elif [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 		install -m 0755 sign_hab ${D}${bindir}/csf_templates/
 		install -m 0755 encrypt_hab ${D}${bindir}/csf_templates/
 		install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
 	else
-		bberror "Unkown SIGN_MODE value"
+		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 		exit 1
 	fi
 	install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
@ -24,7 +24,7 @@ trustfence_sign() {
 	[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"

 	# Sign/encrypt the kernel images
-	if [ "${SIGN_MODE}" = "HAB" ]; then
+	if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 		for type in ${KERNEL_IMAGETYPES}; do
 			KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
 			TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
@ -42,7 +42,7 @@ trustfence_sign() {
 			trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
 			mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
 		done
-	elif [ "${SIGN_MODE}" = "AHAB" ]; then
+	elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 		# Sign the kernel images
 		for type in ${KERNEL_IMAGETYPES}; do
 			KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
@ -64,7 +64,7 @@ trustfence_sign() {
 			rm -f ${DTB_IMAGE}-mkimg-signed
 		done
 	else
-		bberror "Unkown SIGN_MODE value"
+		bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 		exit 1
 	fi
 }
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -84,7 +84,7 @@ python () {
        key_index_1 = key_index + 1

        # Set the private key template, it will be expanded later in 'swu' recipes once keys are generated.
-        if (d.getVar("SIGN_MODE", "") == "AHAB"):
+        if (d.getVar("TRUSTFENCE_SIGN_MODE", "") == "AHAB"):
            d.setVar("SWUPDATE_PRIVATE_KEY_TEMPLATE", keys_path + "/keys/SRK" + str(key_index_1) + "*key.pem")
            d.setVar("CONFIG_SIGN_MODE", "AHAB")
        else:
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@ -40,12 +40,12 @@ do_install() {
 		KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)

 		# Find the certificate to use.
-		if [ "${SIGN_MODE}" = "HAB" ]; then
+		if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
 			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
-		elif [ "${SIGN_MODE}" = "AHAB" ]; then
+		elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
 			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
 		else
-			bberror "Unkown SIGN_MODE value"
+			bberror "Unkown TRUSTFENCE_SIGN_MODE value"
 			exit 1
 		fi