meta-digi-arm: sign/encrypt bootscript

https://jira.digi.com/browse/DUB-679 Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
2016-09-22 11:58:38 +02:00 · 2016-09-22 11:58:38 +02:00 · 934c819fd9
parent 7a02e1b00a
commit 934c819fd9
2 changed files with 13 additions and 2 deletions
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@ -150,6 +150,13 @@ do_deploy_append() {
 	TMP_BOOTSCR="$(mktemp ${WORKDIR}/bootscr.XXXXXX)"
 	sed -e "${TF_BOOTSCRIPT_SEDFILTER}" ${WORKDIR}/boot.txt > ${TMP_BOOTSCR}
 	mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
+	if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
+		export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
+		"${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${DEPLOYDIR}/boot-signed.scr"
+		mv ${DEPLOYDIR}/boot-signed.scr ${DEPLOYDIR}/boot.scr
+	fi
 	rm -f ${TMP_BOOTSCR}
 }

--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
@ -25,8 +25,9 @@
 SCRIPT_NAME="$(basename ${0})"
 SCRIPT_PATH="$(cd $(dirname ${0}) && pwd)"

-while getopts "dilp:" c; do
+while getopts "bdilp:" c; do
 	case "${c}" in
+		b) ARTIFACT_BOOTSCRIPT="y";;
 		d) ARTIFACT_DTB="y";;
 		i) ARTIFACT_INITRAMFS="y";;
 		l) ARTIFACT_KERNEL="y";;
@ -41,6 +42,7 @@ usage() {
 Usage: ${SCRIPT_NAME} [OPTIONS] input-unsigned-image output-signed-image

    -p <platform>    select platform for the project
+    -b               sign/encrypt bootscript
    -d               sign/encrypt initramfs
    -i               sign/encrypt DTB
    -l               sign/encrypt Linux image
@ -103,9 +105,11 @@ fi
 [ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
 [ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
 [ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
+# bootscripts are loaded to $loadaddr, just like the kernel
+[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"

 if [ -z "${CONFIG_RAM_START}" ]; then
-        echo "Specify the type of image to process (-i, -d, or -l)"
+        echo "Specify the type of image to process (-b, -i, -d, or -l)"
        exit 1
 fi