installer: uuu: prevent installing encrypted uboot on open device

Programming an encrypted bootloader can only be done after the
secure keys have been programed on the OTP bits, and the device
has been closed. Programming on an open device would result in a
non-secure configuration or a non-bootable device after the
close operation.

Create functions to detect the current TrustFence status and exit
the install script if the device is open and the artifacts are
encrypted.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>

https://onedigi.atlassian.net/browse/DEL-9699

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh

@@ -27,6 +27,15 @@ getenv()
 	uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p"
 }
 
+# Grep for string in command output
+# Params:
+#  1. Command
+#  2. String to grep
+grep_string()
+{
+	uuu -v fb: ucmd ${1} | grep "${2}"
+}
+
 show_usage()
 {
 	echo "Usage: $0 [options]"
@@ -171,6 +180,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
 	ENCRYPTED=true
 fi
 
+if [ "${ENCRYPTED}" = "true" ]; then
+	tf_status=$(grep_string "trustfence status" "Secure boot:")
+	if echo "${tf_status}" | grep -q -e "OPEN"; then
+		echo "\033[93m"
+		echo "WARNING!"
+		echo "You are trying to program encrypted images but the device status is OPEN."
+		echo "An OPEN device requires manual procedure for installing an encrypted bootloader,"
+		echo "programming the secure keys, and closing the device."
+		echo "Continuing would result in a non-secure setup or a non-bootable device after the"
+		echo "close operation."
+		echo ""
+		echo "Check the online documentation for manual steps at:"
+		echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html"
+		echo ""
+		echo "You can run this installer to program encrypted artifacts when the device has been closed."
+		echo "\033[0m"
+		echo "Exiting."
+		exit 1
+	fi
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh

@@ -27,6 +27,15 @@ getenv()
 	uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p"
 }
 
+# Grep for string in command output
+# Params:
+#  1. Command
+#  2. String to grep
+grep_string()
+{
+	uuu -v fb: ucmd ${1} | grep "${2}"
+}
+
 show_usage()
 {
 	echo "Usage: $0 [options]"
@@ -190,6 +199,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
 	ENCRYPTED=true
 fi
 
+if [ "${ENCRYPTED}" = "true" ]; then
+	tf_status=$(grep_string "trustfence status" "Secure boot:")
+	if echo "${tf_status}" | grep -q -e "OPEN"; then
+		echo "\033[93m"
+		echo "WARNING!"
+		echo "You are trying to program encrypted images but the device status is OPEN."
+		echo "An OPEN device requires manual procedure for installing an encrypted bootloader,"
+		echo "programming the secure keys, and closing the device."
+		echo "Continuing would result in a non-secure setup or a non-bootable device after the"
+		echo "close operation."
+		echo ""
+		echo "Check the online documentation for manual steps at:"
+		echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html"
+		echo ""
+		echo "You can run this installer to program encrypted artifacts when the device has been closed."
+		echo "\033[0m"
+		echo "Exiting."
+		exit 1
+	fi
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh

@@ -27,6 +27,15 @@ getenv()
 	uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p"
 }
 
+# Grep for string in command output
+# Params:
+#  1. Command
+#  2. String to grep
+grep_string()
+{
+	uuu -v fb: ucmd ${1} | grep "${2}"
+}
+
 show_usage()
 {
 	echo "Usage: $0 [options]"
@@ -193,6 +202,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
 	ENCRYPTED=true
 fi
 
+if [ "${ENCRYPTED}" = "true" ]; then
+	tf_status=$(grep_string "trustfence status" "Secure boot:")
+	if echo "${tf_status}" | grep -q -e "OPEN"; then
+		echo "\033[93m"
+		echo "WARNING!"
+		echo "You are trying to program encrypted images but the device status is OPEN."
+		echo "An OPEN device requires manual procedure for installing an encrypted bootloader,"
+		echo "programming the secure keys, and closing the device."
+		echo "Continuing would result in a non-secure setup or a non-bootable device after the"
+		echo "close operation."
+		echo ""
+		echo "Check the online documentation for manual steps at:"
+		echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html"
+		echo ""
+		echo "You can run this installer to program encrypted artifacts when the device has been closed."
+		echo "\033[0m"
+		echo "Exiting."
+		exit 1
+	fi
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh

@@ -27,6 +27,15 @@ getenv()
 	uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p"
 }
 
+# Grep for string in command output
+# Params:
+#  1. Command
+#  2. String to grep
+grep_string()
+{
+	uuu -v fb: ucmd ${1} | grep "${2}"
+}
+
 show_usage()
 {
 	echo "Usage: $0 [options]"
@@ -123,9 +132,6 @@ if [ "${dualboot}" = "yes" ]; then
 	DUALBOOT=true;
 fi
 
-# remove redirect
-uuu fb: ucmd setenv stdout serial
-
 echo ""
 echo "Determining image files to use..."
 
@@ -142,6 +148,30 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
 	ENCRYPTED=true
 fi
 
+if [ "${ENCRYPTED}" = "true" ]; then
+	tf_status=$(grep_string "trustfence status" "Secure boot:")
+	if echo "${tf_status}" | grep -q -e "OPEN"; then
+		echo "\033[93m"
+		echo "WARNING!"
+		echo "You are trying to program encrypted images but the device status is OPEN."
+		echo "An OPEN device requires manual procedure for installing an encrypted bootloader,"
+		echo "programming the secure keys, and closing the device."
+		echo "Continuing would result in a non-secure setup or a non-bootable device after the"
+		echo "close operation."
+		echo ""
+		echo "Check the online documentation for manual steps at:"
+		echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html"
+		echo ""
+		echo "You can run this installer to program encrypted artifacts when the device has been closed."
+		echo "\033[0m"
+		echo "Exiting."
+		exit 1
+	fi
+fi
+
+# remove redirect
+uuu fb: ucmd setenv stdout serial
+
 # Determine linux, recovery, and rootfs image filenames to update
 if [ -z "${IMAGE_NAME}" ]; then
 	IMAGE_NAME="##DEFAULT_IMAGE_NAME##"

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh

@@ -27,6 +27,15 @@ getenv()
 	uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p"
 }
 
+# Grep for string in command output
+# Params:
+#  1. Command
+#  2. String to grep
+grep_string()
+{
+	uuu -v fb: ucmd ${1} | grep "${2}"
+}
+
 show_usage()
 {
 	echo "Usage: $0 [options]"
@@ -146,6 +155,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
 	ENCRYPTED=true
 fi
 
+if [ "${ENCRYPTED}" = "true" ]; then
+	tf_status=$(grep_string "trustfence status" "Secure boot:")
+	if echo "${tf_status}" | grep -q -e "OPEN"; then
+		echo "\033[93m"
+		echo "WARNING!"
+		echo "You are trying to program encrypted images but the device status is OPEN."
+		echo "An OPEN device requires manual procedure for installing an encrypted bootloader,"
+		echo "programming the secure keys, and closing the device."
+		echo "Continuing would result in a non-secure setup or a non-bootable device after the"
+		echo "close operation."
+		echo ""
+		echo "Check the online documentation for manual steps at:"
+		echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html"
+		echo ""
+		echo "You can run this installer to program encrypted artifacts when the device has been closed."
+		echo "\033[0m"
+		echo "Exiting."
+		exit 1
+	fi
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx9/install_linux_fw_uuu.sh

@@ -27,6 +27,15 @@ getenv()
 	uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p"
 }
 
+# Grep for string in command output
+# Params:
+#  1. Command
+#  2. String to grep
+grep_string()
+{
+	uuu -v fb: ucmd ${1} | grep "${2}"
+}
+
 show_usage()
 {
 	echo "Usage: $0 [options]"
@@ -155,6 +164,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then
 	ENCRYPTED=true
 fi
 
+if [ "${ENCRYPTED}" = "true" ]; then
+	tf_status=$(grep_string "trustfence status" "Secure boot:")
+	if echo "${tf_status}" | grep -q -e "OPEN"; then
+		echo "\033[93m"
+		echo "WARNING!"
+		echo "You are trying to program encrypted images but the device status is OPEN."
+		echo "An OPEN device requires manual procedure for installing an encrypted bootloader,"
+		echo "programming the secure keys, and closing the device."
+		echo "Continuing would result in a non-secure setup or a non-bootable device after the"
+		echo "close operation."
+		echo ""
+		echo "Check the online documentation for manual steps at:"
+		echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html"
+		echo ""
+		echo "You can run this installer to program encrypted artifacts when the device has been closed."
+		echo "\033[0m"
+		echo "Exiting."
+		exit 1
+	fi
+fi
+
 # remove redirect
 uuu fb: ucmd setenv stdout serial
 
@@ -354,7 +384,7 @@ if [ -f ${COMPRESSED_ROOTFS_IMAGE} ] && [ -f ${INSTALL_ROOTFS_FILENAME} ]; then
 	rm -f "${INSTALL_ROOTFS_FILENAME}"
 fi
 # Set the dboot_kernel_var to fitimage if Trustfence is enabled
-if [ "${SIGNED}" = "true" || "${ENCRYPTED}" = "true" ]; then
+if [ "${SIGNED}" = "true" ] || [ "${ENCRYPTED}" = "true" ]; then
 	uuu fb: ucmd setenv dboot_kernel_var fitimage
 fi