From 9d40092ce53f0e05cc24ce71b81f2efa0e313e8b Mon Sep 17 00:00:00 2001 From: Javier Viguera Date: Wed, 21 Dec 2022 13:17:19 +0100 Subject: [PATCH] meta-digi: rework u-boot support Instead of overriding the whole do_compile function, just to reconfigure u-boot for Trustfence, create a do_configure pre-function that takes care of that. This allows the removal of duplicated code. Also, disable the generation of u-boot environment artifacts. We are not using them and so many u-boot artifacts in the deploy directory are confusing. Finally, adjust the names of the TF u-boot artifacts in the do_deploy append function. Signed-off-by: Javier Viguera --- .../conf/machine/include/digi-defaults.inc | 4 - .../recipes-bsp/u-boot/u-boot-dey.inc | 102 +++--------------- meta-digi-dey/classes/trustfence.bbclass | 24 ++--- 3 files changed, 27 insertions(+), 103 deletions(-) diff --git a/meta-digi-arm/conf/machine/include/digi-defaults.inc b/meta-digi-arm/conf/machine/include/digi-defaults.inc index 20179eeae..d27c3dcfb 100644 --- a/meta-digi-arm/conf/machine/include/digi-defaults.inc +++ b/meta-digi-arm/conf/machine/include/digi-defaults.inc @@ -63,10 +63,6 @@ USE_VT ?= "0" MACHINE_VARIANT ?= "" MACHINEOVERRIDES .= "${@['', ':${MACHINE_VARIANT}']['${MACHINE_VARIANT}' != '']}" -# U-Boot symlink -UBOOT_SYMLINK ?= "${UBOOT_PREFIX}-${MACHINE}.${UBOOT_SUFFIX}" -BOOTABLE_ARTIFACTS ?= "" - # Extra RDEPENDS MACHINE_EXTRA_RDEPENDS += " \ ${@bb.utils.contains("MACHINE_FEATURES", "mca", "mca-tool", "", d)} \ diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc index b0bfe30c4..088eef7a5 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc @@ -32,91 +32,21 @@ BUILD_UBOOT_SCRIPTS ?= "true" BOOTLOADER_IMAGE_RECIPE ?= "u-boot" -LOCALVERSION ?= "" - -EXTRA_OEMAKE:append = " KCFLAGS=-fgnu89-inline" - -UBOOT_EXTRA_CONF ?= "" - -# Use default initial env name so userspace tools work as expected -UBOOT_INITIAL_ENV = "u-boot-initial-env" +# Disable u-boot environment artifacts +UBOOT_INITIAL_ENV = "" python __anonymous() { if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"): bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_DEK_PATH = \"0\")") } -do_compile () { - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'ld-is-gold', d)}" ]; then - sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' ${S}/config.mk - fi - - unset LDFLAGS - unset CFLAGS - unset CPPFLAGS - - if [ ! -e ${B}/.scmversion -a ! -e ${S}/.scmversion ] - then - echo ${UBOOT_LOCALVERSION} > ${B}/.scmversion - echo ${UBOOT_LOCALVERSION} > ${S}/.scmversion - fi - - if [ -n "${UBOOT_CONFIG}" ] - then - unset i j k - for config in ${UBOOT_MACHINE}; do - i=$(expr $i + 1); - for type in ${UBOOT_CONFIG}; do - j=$(expr $j + 1); - if [ $j -eq $i ] - then - oe_runmake -C ${S} O=${B}/${config} ${config} - # Reconfigure U-Boot with Digi UBOOT_EXTRA_CONF - for var in ${UBOOT_EXTRA_CONF}; do - echo "${var}" >> ${B}/${config}/.config - done - oe_runmake -C ${S} O=${B}/${config} oldconfig - - oe_runmake -C ${S} O=${B}/${config} ${UBOOT_MAKE_TARGET} - for binary in ${UBOOT_BINARIES}; do - k=$(expr $k + 1); - if [ $k -eq $i ]; then - cp ${B}/${config}/${binary} ${B}/${config}/u-boot-${type}.${UBOOT_SUFFIX} - fi - done - - # Generate the uboot-initial-env - if [ -n "${UBOOT_INITIAL_ENV}" ]; then - oe_runmake -C ${S} O=${B}/${config} u-boot-initial-env - cp ${B}/${config}/u-boot-initial-env ${B}/${config}/u-boot-initial-env-${type} - fi - - unset k - - # Secure boot artifacts - if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ] - then - cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} - cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} - if [ "${TRUSTFENCE_DEK_PATH}" != "0" ] - then - cp ${B}/${config}/u-boot-dtb-encrypted.imx ${B}/${config}/u-boot-dtb-encrypted-${type}.${UBOOT_SUFFIX} - fi - fi - fi - done - unset j - done - unset i - else - oe_runmake -C ${S} O=${B} ${UBOOT_MACHINE} - oe_runmake -C ${S} O=${B} ${UBOOT_MAKE_TARGET} - - # Generate the uboot-initial-env - if [ -n "${UBOOT_INITIAL_ENV}" ]; then - oe_runmake -C ${S} O=${B} u-boot-initial-env - fi - fi +do_configure[prefuncs] += "${@oe.utils.ifelse(d.getVar('UBOOT_TF_CONF'), 'trustfence_config', '')}" +python trustfence_config() { + config_path = d.expand('${WORKDIR}/uboot-trustfence.cfg') + with open(config_path, 'w') as f: + for cfg in d.getVar('UBOOT_TF_CONF').split(): + f.write('%s\n' % cfg) + d.appendVar('SRC_URI', ' file://%s' % config_path) } TF_BOOTSCRIPT_SEDFILTER = "${@tf_bootscript_sedfilter(d)}" @@ -186,21 +116,21 @@ do_deploy:append() { then cd ${DEPLOYDIR} rm -r ${UBOOT_BINARY}-${type} - ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX} + ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX} if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin - install ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} u-boot-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} - ln -sf u-boot-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} + install ${B}/${config}/${UBOOT_BINARYNAME}-dtb-signed.imx ${UBOOT_BINARYNAME}-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} + ln -sf ${UBOOT_BINARYNAME}-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-dtb-signed-${type}.${UBOOT_SUFFIX} - install ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} u-boot-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} - ln -sf u-boot-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} + install ${B}/${config}/${UBOOT_BINARYNAME}-dtb-usb-signed.imx ${UBOOT_BINARYNAME}-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} + ln -sf ${UBOOT_BINARYNAME}-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-dtb-usb-signed-${type}.${UBOOT_SUFFIX} if [ "${TRUSTFENCE_DEK_PATH}" != "0" ] then - install ${B}/${config}/u-boot-dtb-encrypted-${type}.${UBOOT_SUFFIX} u-boot-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} - ln -sf u-boot-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-dtb-encrypted-${type}.${UBOOT_SUFFIX} + install ${B}/${config}/${UBOOT_BINARYNAME}-dtb-encrypted.imx ${UBOOT_BINARYNAME}-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} + ln -sf ${UBOOT_BINARYNAME}-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-dtb-encrypted-${type}.${UBOOT_SUFFIX} fi fi fi diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index 1ba821755..e5664d467 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass @@ -34,8 +34,6 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl IMAGE_FEATURES += "dey-trustfence" -UBOOT_EXTRA_CONF = "" - python () { import binascii import hashlib @@ -43,12 +41,12 @@ python () { # Secure console configuration if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE", True) == "1"): - d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_CONSOLE_DISABLE=y ") + d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_DISABLE=y ") if d.getVar("TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE", True): passphrase_hash = hashlib.sha256(d.getVar("TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE", True).encode()).hexdigest() - d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CONSOLE_ENABLE_PASSPHRASE=y CONFIG_CONSOLE_ENABLE_PASSPHRASE_KEY=\\"%s\\" ' % passphrase_hash) + d.appendVar("UBOOT_TF_CONF", 'CONFIG_CONSOLE_ENABLE_PASSPHRASE=y CONFIG_CONSOLE_ENABLE_PASSPHRASE_KEY="%s" ' % passphrase_hash) elif d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True): - d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True)) + d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True)) # Secure boot configuration if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True) == "default"): @@ -58,21 +56,21 @@ python () { d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True) + "/dek.bin"); if (d.getVar("TRUSTFENCE_SIGN", True) == "1"): - d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ") + d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ") if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS", True) == "1"): - d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ") + d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ") if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True): - d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_KEYS_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True)) + d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True)) if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION", True) == "1"): - d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ") + d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ") if d.getVar("TRUSTFENCE_KEY_INDEX", True): - d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX", True)) + d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX", True)) if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]): - d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True)) + d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH", True)) if d.getVar("TRUSTFENCE_SIGN_MODE", True): - d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_MODE=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_MODE", True)) + d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE", True)) if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"): - d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y') + d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ") # Provide sane default values for SWUPDATE class in case Trustfence is enabled if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):