From 8f40cddfc60265bb51063b48ce00e2cc5e5d5e90 Mon Sep 17 00:00:00 2001
From: Hector Palacios <hector.palacios@digi.com>
Date: Tue, 7 Nov 2023 13:24:22 +0100
Subject: [PATCH] trustfence: rework configuration for signing FIT images

- Set variables required for FIT signing inside python function, under the
  condition of having TRUSTFENCE_SIGN="1".
- Define two sign keys using TRUSTFENCE_ wrapper constants. Default values:
  - 'fitcfg' for configuration nodes inside the FIT
  - 'fitimg' for image nodes inside the FIT
- Enable FIT_SIGN_INDIVIDUAL to also sign individual images inside the FIT
- Set FIT_GENERATE_KEYS by default (kernel-fitimage.bbclass already checks
  if the keys exist before generating new ones)

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
---
 meta-digi-dey/classes/trustfence.bbclass | 30 +++++++++++++++---------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 5a210809b..1dac97cbb 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -52,17 +52,10 @@ IMAGE_FEATURES += "dey-trustfence"
 
 # Enable FIT image build when Trustfence is enabled
 MACHINE_FEATURES += "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fit', '', d)}"
-# keys name in keydir (eg. "ubootfit.crt", "ubootfit.key")
-TRUSTFENCE_SIGN_KEYNAME ?= ""
-# Set variables required by poky to sign FIT image
-UBOOT_SIGN_KEYNAME ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${TRUSTFENCE_SIGN_KEYNAME}', '', d)}"
-UBOOT_MKIMAGE_DTCOPTS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '-I dts -O dtb -p 2000', '', d)}"
-# Enable FIT signing support
-UBOOT_SIGN_ENABLE ?= "${TRUSTFENCE_SIGN}"
-# Set path to FIT signing keys
-UBOOT_SIGN_KEYDIR ?= "${TRUSTFENCE_SIGN_KEYS_PATH}"
-# Create keys if not defined
-FIT_GENERATE_KEYS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN_KEYNAME', '', '1', '', d)}"
+# key to sign FIT config nodes
+TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg"
+# key to sign FIT image nodes
+TRUSTFENCE_FIT_IMG_SIGN_KEYNAME ?= "fitimg"
 
 # Function to generate a PKI tree (with lock dir protection)
 GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
@@ -198,6 +191,21 @@ python () {
                 d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
             if d.getVar("TRUSTFENCE_SIGN_MODE"):
                 d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
+
+        # FIT-related variables
+        # Create keys if not defined
+        d.setVar("FIT_GENERATE_KEYS", "1")
+        # Sign individual images (prevents running unsigned images in FIT)
+        d.setVar("FIT_SIGN_INDIVIDUAL", "1")
+        # Set variables required by poky to sign FIT image
+        d.setVar("UBOOT_SIGN_KEYNAME", d.getVar("TRUSTFENCE_FIT_CFG_SIGN_KEYNAME"))
+        d.setVar("UBOOT_SIGN_IMG_KEYNAME", d.getVar("TRUSTFENCE_FIT_IMG_SIGN_KEYNAME"))
+        d.setVar("UBOOT_MKIMAGE_DTCOPTS", "-I dts -O dtb -p 2000")
+        # Enable FIT signing support
+        d.setVar("UBOOT_SIGN_ENABLE", d.getVar("TRUSTFENCE_SIGN"))
+        # Set path to FIT signing keys
+        d.setVar("UBOOT_SIGN_KEYDIR", "%s/fit" % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
+
     else:
         # Disable signing artifacts if TRUSTFENCE_SIGN != 1
         d.setVar("TRUSTFENCE_SIGN_ARTIFACTS", "0")