From 9672b2a80addcfeb81c4d83ebf29758512579739 Mon Sep 17 00:00:00 2001 From: Hector Palacios Date: Mon, 30 Jun 2025 17:34:29 +0200 Subject: [PATCH] installer: uuu: prevent installing encrypted uboot on open device Programming an encrypted bootloader can only be done after the secure keys have been programed on the OTP bits, and the device has been closed. Programming on an open device would result in a non-secure configuration or a non-bootable device after the close operation. Create functions to detect the current TrustFence status and exit the install script if the device is open and the artifacts are encrypted. Signed-off-by: Hector Palacios https://onedigi.atlassian.net/browse/DEL-9699 --- .../ccimx6qpsbc/install_linux_fw_uuu.sh | 30 ++++++++++++++++ .../ccimx6sbc/install_linux_fw_uuu.sh | 30 ++++++++++++++++ .../ccimx6ul/install_linux_fw_uuu.sh | 30 ++++++++++++++++ .../ccimx8m/install_linux_fw_uuu.sh | 36 +++++++++++++++++-- .../ccimx8x/install_linux_fw_uuu.sh | 30 ++++++++++++++++ .../u-boot-dey/ccimx9/install_linux_fw_uuu.sh | 32 ++++++++++++++++- 6 files changed, 184 insertions(+), 4 deletions(-) diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh index 20859dc0d..bdbe07e51 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh @@ -27,6 +27,15 @@ getenv() uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p" } +# Grep for string in command output +# Params: +# 1. Command +# 2. String to grep +grep_string() +{ + uuu -v fb: ucmd ${1} | grep "${2}" +} + show_usage() { echo "Usage: $0 [options]" 
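Review bot: `grep_string` fails open when the U-Boot command produces no output — if `uuu` cannot reach the device or the bootloader does not implement the command, nothing reaches `grep`, the function prints nothing, and the caller cannot tell "status unknown" from "status not matched"; the pipeline also exposes only grep's exit status, so a failing `uuu` is masked (assuming uuu signals failure via its exit code). Consider capturing the command output first so the failure is visible, e.g. `local out; out=$(uuu -v fb: ucmd ${1}) || return 2; printf '%s\n' "${out}" | grep "${2}"`. The unquoted `${1}` is deliberate (a multi-word command such as `trustfence status` must be word-split into uuu arguments) but reads like a quoting bug; a comment such as `# ${1} is intentionally unquoted so the command is split into separate uuu arguments` would prevent a well-meaning "fix". The same function is added verbatim to the ccimx6sbc, ccimx6ul, ccimx8m, ccimx8x and ccimx9 scripts, so the change applies to all six.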
@@ -171,6 +180,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then ENCRYPTED=true fi +if [ "${ENCRYPTED}" = "true" ]; then + tf_status=$(grep_string "trustfence status" "Secure boot:") + if echo "${tf_status}" | grep -q -e "OPEN"; then + echo "\033[93m" + echo "WARNING!" + echo "You are trying to program encrypted images but the device status is OPEN." + echo "An OPEN device requires manual procedure for installing an encrypted bootloader," + echo "programming the secure keys, and closing the device." + echo "Continuing would result in a non-secure setup or a non-bootable device after the" + echo "close operation." + echo "" + echo "Check the online documentation for manual steps at:" + echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html" + echo "" + echo "You can run this installer to program encrypted artifacts when the device has been closed." + echo "\033[0m" + echo "Exiting." + exit 1 + fi +fi + # remove redirect uuu fb: ucmd setenv stdout serial diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh index 0301f8a87..56c34d53f 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh @@ -27,6 +27,15 @@ getenv() uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p" } +# Grep for string in command output +# Params: +# 1. Command +# 2. String to grep +grep_string() +{ + uuu -v fb: ucmd ${1} | grep "${2}" +} + show_usage() { echo "Usage: $0 [options]" 
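Review bot: The guard only aborts when the captured status contains `OPEN`, so an empty `tf_status` (uuu failure, a bootloader without `trustfence status`, or output not captured) lets the encrypted install proceed on a device whose state was never verified; a check that protects the device from ending up non-bootable should fail closed. Add an unknown-state branch before the OPEN test, `if [ -z "${tf_status}" ]; then echo "Could not determine TrustFence status. Exiting." >&2; exit 1; fi`, or, if the closed state is reported with its own keyword on that line, match that keyword positively instead of matching OPEN negatively. `echo "\033[93m"` and `echo "\033[0m"` print the literal backslash sequence under shells whose `echo` does not interpret escapes (bash's builtin by default); `printf '\033[93m\n'` / `printf '\033[0m\n'` behave the same everywhere, and the warning block is diagnostic output that belongs on stderr. Since `ENCRYPTED` is derived from the artifact filename a few lines above, the status check is only as good as the naming convention; a one-line comment stating that assumption (`# ENCRYPTED is inferred from the filename, not from inspecting the artifact`) would help the next maintainer. This block is added identically to the ccimx6sbc, ccimx6ul, ccimx8m, ccimx8x and ccimx9 scripts, so the same points apply there.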
@@ -190,6 +199,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then ENCRYPTED=true fi +if [ "${ENCRYPTED}" = "true" ]; then + tf_status=$(grep_string "trustfence status" "Secure boot:") + if echo "${tf_status}" | grep -q -e "OPEN"; then + echo "\033[93m" + echo "WARNING!" + echo "You are trying to program encrypted images but the device status is OPEN." + echo "An OPEN device requires manual procedure for installing an encrypted bootloader," + echo "programming the secure keys, and closing the device." + echo "Continuing would result in a non-secure setup or a non-bootable device after the" + echo "close operation." + echo "" + echo "Check the online documentation for manual steps at:" + echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html" + echo "" + echo "You can run this installer to program encrypted artifacts when the device has been closed." + echo "\033[0m" + echo "Exiting." + exit 1 + fi +fi + # remove redirect uuu fb: ucmd setenv stdout serial diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh index 9bfe9888d..552bb4a9a 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh @@ -27,6 +27,15 @@ getenv() uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p" } +# Grep for string in command output +# Params: +# 1. Command +# 2. String to grep +grep_string() +{ + uuu -v fb: ucmd ${1} | grep "${2}" +} + show_usage() { echo "Usage: $0 [options]" 
@@ -193,6 +202,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then ENCRYPTED=true fi +if [ "${ENCRYPTED}" = "true" ]; then + tf_status=$(grep_string "trustfence status" "Secure boot:") + if echo "${tf_status}" | grep -q -e "OPEN"; then + echo "\033[93m" + echo "WARNING!" + echo "You are trying to program encrypted images but the device status is OPEN." + echo "An OPEN device requires manual procedure for installing an encrypted bootloader," + echo "programming the secure keys, and closing the device." + echo "Continuing would result in a non-secure setup or a non-bootable device after the" + echo "close operation." + echo "" + echo "Check the online documentation for manual steps at:" + echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html" + echo "" + echo "You can run this installer to program encrypted artifacts when the device has been closed." + echo "\033[0m" + echo "Exiting." + exit 1 + fi +fi + # remove redirect uuu fb: ucmd setenv stdout serial diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh index bf19752de..41234a8d2 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh @@ -27,6 +27,15 @@ getenv() uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p" } +# Grep for string in command output +# Params: +# 1. Command +# 2. String to grep +grep_string() +{ + uuu -v fb: ucmd ${1} | grep "${2}" +} + show_usage() { echo "Usage: $0 [options]" @@ -123,9 +132,6 @@ if [ "${dualboot}" = "yes" ]; then DUALBOOT=true; fi -# remove redirect -uuu fb: ucmd setenv stdout serial - echo "" echo "Determining image files to use..." 
@@ -142,6 +148,30 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then ENCRYPTED=true fi +if [ "${ENCRYPTED}" = "true" ]; then + tf_status=$(grep_string "trustfence status" "Secure boot:") + if echo "${tf_status}" | grep -q -e "OPEN"; then + echo "\033[93m" + echo "WARNING!" + echo "You are trying to program encrypted images but the device status is OPEN." + echo "An OPEN device requires manual procedure for installing an encrypted bootloader," + echo "programming the secure keys, and closing the device." + echo "Continuing would result in a non-secure setup or a non-bootable device after the" + echo "close operation." + echo "" + echo "Check the online documentation for manual steps at:" + echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html" + echo "" + echo "You can run this installer to program encrypted artifacts when the device has been closed." + echo "\033[0m" + echo "Exiting." + exit 1 + fi +fi + +# remove redirect +uuu fb: ucmd setenv stdout serial + # Determine linux, recovery, and rootfs image filenames to update if [ -z "${IMAGE_NAME}" ]; then IMAGE_NAME="##DEFAULT_IMAGE_NAME##" diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh index cf7a797e8..c87a4e718 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh @@ -27,6 +27,15 @@ getenv() uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p" } +# Grep for string in command output +# Params: +# 1. Command +# 2. String to grep +grep_string() +{ + uuu -v fb: ucmd ${1} | grep "${2}" +} + show_usage() { echo "Usage: $0 [options]" 
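Review bot: Moving `# remove redirect` / `uuu fb: ucmd setenv stdout serial` below the new TrustFence check changes an ordering that matters but is not explained in the script: presumably `grep_string` can only read the `trustfence status` output while U-Boot's stdout is still captured over fastboot, so a later refactor that restores the original order would silently disable the guard without any error. Suggest extending the comment to `# remove redirect (keep after the TrustFence status check, which reads U-Boot output over fastboot)`. In the other five scripts the redirect removal was already after this point, so only ccimx8m needed the move, which is worth a sentence in the commit message as well.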
@@ -146,6 +155,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then ENCRYPTED=true fi +if [ "${ENCRYPTED}" = "true" ]; then + tf_status=$(grep_string "trustfence status" "Secure boot:") + if echo "${tf_status}" | grep -q -e "OPEN"; then + echo "\033[93m" + echo "WARNING!" + echo "You are trying to program encrypted images but the device status is OPEN." + echo "An OPEN device requires manual procedure for installing an encrypted bootloader," + echo "programming the secure keys, and closing the device." + echo "Continuing would result in a non-secure setup or a non-bootable device after the" + echo "close operation." + echo "" + echo "Check the online documentation for manual steps at:" + echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html" + echo "" + echo "You can run this installer to program encrypted artifacts when the device has been closed." + echo "\033[0m" + echo "Exiting." + exit 1 + fi +fi + # remove redirect uuu fb: ucmd setenv stdout serial diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx9/install_linux_fw_uuu.sh b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx9/install_linux_fw_uuu.sh index c8aad3f3e..924469283 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx9/install_linux_fw_uuu.sh +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx9/install_linux_fw_uuu.sh @@ -27,6 +27,15 @@ getenv() uuu -v fb: ucmd printenv "${1}" | sed -ne "s,^${1}=,,g;T;p" } +# Grep for string in command output +# Params: +# 1. Command +# 2. String to grep +grep_string() +{ + uuu -v fb: ucmd ${1} | grep "${2}" +} + show_usage() { echo "Usage: $0 [options]" 
@@ -155,6 +164,27 @@ if echo "$INSTALL_UBOOT_FILENAME" | grep -q -e "encrypted"; then ENCRYPTED=true fi +if [ "${ENCRYPTED}" = "true" ]; then + tf_status=$(grep_string "trustfence status" "Secure boot:") + if echo "${tf_status}" | grep -q -e "OPEN"; then + echo "\033[93m" + echo "WARNING!" + echo "You are trying to program encrypted images but the device status is OPEN." + echo "An OPEN device requires manual procedure for installing an encrypted bootloader," + echo "programming the secure keys, and closing the device." + echo "Continuing would result in a non-secure setup or a non-bootable device after the" + echo "close operation." + echo "" + echo "Check the online documentation for manual steps at:" + echo "https://docs.digi.com/resources/documentation/digidocs/embedded/trustfence_home.html" + echo "" + echo "You can run this installer to program encrypted artifacts when the device has been closed." + echo "\033[0m" + echo "Exiting." + exit 1 + fi +fi + # remove redirect uuu fb: ucmd setenv stdout serial @@ -354,7 +384,7 @@ if [ -f ${COMPRESSED_ROOTFS_IMAGE} ] && [ -f ${INSTALL_ROOTFS_FILENAME} ]; then rm -f "${INSTALL_ROOTFS_FILENAME}" fi # Set the dboot_kernel_var to fitimage if Trustfence is enabled -if [ "${SIGNED}" = "true" || "${ENCRYPTED}" = "true" ]; then +if [ "${SIGNED}" = "true" ] || [ "${ENCRYPTED}" = "true" ]; then uuu fb: ucmd setenv dboot_kernel_var fitimage fi