diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
index a9319dfc0..cf5dda093 100644
--- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc
@@ -21,6 +21,7 @@ SRC_URI = " \
 file://0005-ahab_pki_tree.sh-automate-script.patch \
 file://0006-ahab_pki_tree.sh-use-a-random-password-for-the-defau.patch \
 file://0007-rules.mk-weaken-specific-function-err_msg.patch \
+ file://0008-pki_tree.sh-extract-public-keys-from-certificates.patch \
 "
 SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794"
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
new file mode 100644
index 000000000..dcaa24120
--- /dev/null
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0008-pki_tree.sh-extract-public-keys-from-certificates.patch
@@ -0,0 +1,42 @@
+From: Hector Palacios
+Date: Thu, 3 Aug 2023 16:25:36 +0200
+Subject: [PATCH] pki_tree.sh: extract public keys from certificates
+
+The public key needs to be available on the rootfs so that signed SWU
+packages can be authenticated.
+Do this on the PKI generation script so that recipes don't need to do it.
+
+Signed-off-by: Hector Palacios
+---
+ keys/ahab_pki_tree.sh | 3 +++
+ keys/hab4_pki_tree.sh | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
+index 7f10c5388146..63b5ce58ade7 100755
+--- a/keys/ahab_pki_tree.sh
++++ b/keys/ahab_pki_tree.sh
+@@ -632,6 +632,9 @@ do
+ -in temp_sgk.pem \
+ -out ${sgk_key}.pem
+
++ # Extract public key from the certificate
++ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
++
+ # Cleanup
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
+
+diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
+index ac6fb29b7f91..e76f22f40643 100755
+--- a/keys/hab4_pki_tree.sh
++++ b/keys/hab4_pki_tree.sh
+@@ -682,6 +682,9 @@ do
+ -in temp_img.pem \
+ -out ${img_key}.pem
+
++ # Extract public key from the certificate
++ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
++
+ # Cleanup
+ rm ./temp_img.pem ./temp_img_req.pem
+
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6ea35e306..885fad932 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
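Review bot: Both `openssl x509 -pubkey ... > ../crts/key${i}.pub` lines added by 0008-pki_tree.sh-extract-public-keys-from-certificates.patch create the output file through shell redirection before openssl runs, so a failed extraction leaves an empty `key${i}.pub` in crts/. Whether the PKI scripts stop on that error is not visible, because both loops start and end outside the hunks. The `copy_public_key` fallback in trustfence.bbclass uses the same redirect and only tests `[ ! -f "${PUBLIC_KEY}" ]`, so an empty file left by an earlier failed run would be accepted and installed as the key that authenticates SWU packages. Writing to a temporary name and renaming on success would avoid this, e.g. `openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub.tmp && mv ../crts/key${i}.pub.tmp ../crts/key${i}.pub`, together with `-s` instead of `-f` in the fallback test.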
@@ -69,6 +69,39 @@ check_gen_pki_tree() {
 fi
 }
+copy_public_key() {
+ if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
+ KEY_INDEX="$(expr $TRUSTFENCE_KEY_INDEX + 1)"
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
+ # The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
+ # generation and leaves them in the crts/ folder. However, the PKI tree may
+ # already exist, the PKI generation script not called, and then the public
+ # keys may not be available. This is a fall-back to generate at least the
+ # selected public key.
+ if [ ! -f "${PUBLIC_KEY}" ]; then
+ if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
+ elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
+ CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*_ca_crt.pem)"
+ else
+ bberror "Unknown TRUSTFENCE_SIGN_MODE value"
+ exit 1
+ fi
+ # Extract the public key from the certificate.
+ openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
+ fi
+ elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
+ PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
+ else
+ echo "ERROR: Cannot determine the public key"
+ exit 1
+ fi
+ # Copy the public key to the rootfs
+ install -d ${D}${sysconfdir}/ssl/certs
+ cp -f "${PUBLIC_KEY}" "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs/key.pub"
+}
+ROOTFS_POSTINSTALL_COMMAND:append = " copy_public_key;"
+
 python () {
 import binascii
 import hashlib
diff --git a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
index 188ef3839..f4f8f3127 100644
--- a/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
+++ b/meta-digi-dey/recipes-digi/dualboot/dualboot.bb
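Review bot: In `copy_public_key` (trustfence.bbclass), `install -d ${D}${sysconfdir}/ssl/certs` creates the directory under `${D}` while the `cp -f` on the next line writes under `${IMAGE_ROOTFS}`, so the copy only succeeds if something else already created that directory in the rootfs. `install -d "${IMAGE_ROOTFS}${sysconfdir}/ssl/certs"` would match the destination. `CERT_IMG` is built from an unquoted `echo` glob, so a pattern that matches no file, or more than one, reaches `openssl -in` as a single bogus path; checking `[ -f "${CERT_IMG}" ]` and calling `bberror` before the extraction would fail with a clear message. The code removed from dualboot.bb ran only when `TRUSTFENCE_SIGN` was "1" and defaulted the key index to 0, while `ROOTFS_POSTINSTALL_COMMAND:append` here is unconditional and `expr $TRUSTFENCE_KEY_INDEX + 1` has no default. Neither guard is visible in this hunk, so confirm the class is inherited only with signing enabled and that the index is always set, or restore both.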
@@ -36,44 +36,6 @@ do_install() {
 install -d ${D}${systemd_unitdir}/system/
 install -m 0644 ${WORKDIR}/firmware-update-check.service ${D}${systemd_unitdir}/system/
-
- # If Trustfence is enabled, copy the public key that is going to be used into the
- # initramfs '/etc/ssl/certs' folder in order to verify swupdate packages.
- if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
- # Retrieve the key index to use.
- KEY_INDEX="0"
- if [ -n "${TRUSTFENCE_KEY_INDEX}" ]; then
- KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
- fi
- KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
-
- # Find the certificate to use.
- if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
- if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
- elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
- CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX_1}*_ca_crt.pem)"
- else
- bberror "Unknown TRUSTFENCE_SIGN_MODE value"
- exit 1
- fi
- # Extract the public key from the certificate.
- install -d ${D}${sysconfdir}/ssl/certs
- openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
- elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
- # Copy the public key to the rootfs
- if [ "${DIGI_SOM}" = "ccmp15" ]; then
- PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey00.pem"
- elif [ "${DIGI_SOM}" = "ccmp13" ]; then
- PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${KEY_INDEX}.pem"
- else
- bberror "Unknown DIGI_SOM"
- exit 1
- fi
- install -d ${D}${sysconfdir}/ssl/certs
- cp ${PUBLIC_KEY} ${D}${sysconfdir}/ssl/certs/key.pub
- fi
- fi
 }
 FILES:${PN} += " \