Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

meta-digi: rework u-boot support 

Instead of overriding the whole do_compile function, just to reconfigure
u-boot for Trustfence, create a do_configure pre-function that takes care
of that. This allows the removal of duplicated code.

Also, disable the generation of u-boot environment artifacts. We are
not using them and so many u-boot artifacts in the deploy directory
are confusing.

Finally, adjust the names of the TF u-boot artifacts in the do_deploy
append function.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera 2022-12-21 13:17:19 +01:00
parent 385884473e
commit 9d40092ce5
3 changed files with 27 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
meta-digi-arm/conf/machine/include/digi-defaults.inc
View File

@ -63,10 +63,6 @@ USE_VT ?= "0"
MACHINE_VARIANT ?= "" MACHINE_VARIANT ?= ""
MACHINEOVERRIDES .= "${@['', ':${MACHINE_VARIANT}']['${MACHINE_VARIANT}' != '']}" MACHINEOVERRIDES .= "${@['', ':${MACHINE_VARIANT}']['${MACHINE_VARIANT}' != '']}"
# U-Boot symlink
UBOOT_SYMLINK ?= "${UBOOT_PREFIX}-${MACHINE}.${UBOOT_SUFFIX}"
BOOTABLE_ARTIFACTS ?= ""
# Extra RDEPENDS # Extra RDEPENDS
MACHINE_EXTRA_RDEPENDS += " \ MACHINE_EXTRA_RDEPENDS += " \
${@bb.utils.contains("MACHINE_FEATURES", "mca", "mca-tool", "", d)} \ ${@bb.utils.contains("MACHINE_FEATURES", "mca", "mca-tool", "", d)} \

102
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
View File

@ -32,91 +32,21 @@ BUILD_UBOOT_SCRIPTS ?= "true"
BOOTLOADER_IMAGE_RECIPE ?= "u-boot" BOOTLOADER_IMAGE_RECIPE ?= "u-boot"
LOCALVERSION ?= "" # Disable u-boot environment artifacts
UBOOT_INITIAL_ENV = ""
EXTRA_OEMAKE:append = " KCFLAGS=-fgnu89-inline"
UBOOT_EXTRA_CONF ?= ""
# Use default initial env name so userspace tools work as expected
UBOOT_INITIAL_ENV = "u-boot-initial-env"
python __anonymous() { python __anonymous() {
if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"): if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"):
bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_DEK_PATH = \"0\")") bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_DEK_PATH = \"0\")")
} }
do_compile () { do_configure[prefuncs] += "${@oe.utils.ifelse(d.getVar('UBOOT_TF_CONF'), 'trustfence_config', '')}"
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'ld-is-gold', d)}" ]; then python trustfence_config() {
sed -i 's/$(CROSS_COMPILE)ld$/$(CROSS_COMPILE)ld.bfd/g' ${S}/config.mk config_path = d.expand('${WORKDIR}/uboot-trustfence.cfg')
fi with open(config_path, 'w') as f:
for cfg in d.getVar('UBOOT_TF_CONF').split():
unset LDFLAGS f.write('%s\n' % cfg)
unset CFLAGS d.appendVar('SRC_URI', ' file://%s' % config_path)
unset CPPFLAGS
if [ ! -e ${B}/.scmversion -a ! -e ${S}/.scmversion ]
then
echo ${UBOOT_LOCALVERSION} > ${B}/.scmversion
echo ${UBOOT_LOCALVERSION} > ${S}/.scmversion
fi
if [ -n "${UBOOT_CONFIG}" ]
then
unset i j k
for config in ${UBOOT_MACHINE}; do
i=$(expr $i + 1);
for type in ${UBOOT_CONFIG}; do
j=$(expr $j + 1);
if [ $j -eq $i ]
then
oe_runmake -C ${S} O=${B}/${config} ${config}
# Reconfigure U-Boot with Digi UBOOT_EXTRA_CONF
for var in ${UBOOT_EXTRA_CONF}; do
echo "${var}" >> ${B}/${config}/.config
done
oe_runmake -C ${S} O=${B}/${config} oldconfig
oe_runmake -C ${S} O=${B}/${config} ${UBOOT_MAKE_TARGET}
for binary in ${UBOOT_BINARIES}; do
k=$(expr $k + 1);
if [ $k -eq $i ]; then
cp ${B}/${config}/${binary} ${B}/${config}/u-boot-${type}.${UBOOT_SUFFIX}
fi
done
# Generate the uboot-initial-env
if [ -n "${UBOOT_INITIAL_ENV}" ]; then
oe_runmake -C ${S} O=${B}/${config} u-boot-initial-env
cp ${B}/${config}/u-boot-initial-env ${B}/${config}/u-boot-initial-env-${type}
fi
unset k
# Secure boot artifacts
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]
then
cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
then
cp ${B}/${config}/u-boot-dtb-encrypted.imx ${B}/${config}/u-boot-dtb-encrypted-${type}.${UBOOT_SUFFIX}
fi
fi
fi
done
unset j
done
unset i
else
oe_runmake -C ${S} O=${B} ${UBOOT_MACHINE}
oe_runmake -C ${S} O=${B} ${UBOOT_MAKE_TARGET}
# Generate the uboot-initial-env
if [ -n "${UBOOT_INITIAL_ENV}" ]; then
oe_runmake -C ${S} O=${B} u-boot-initial-env
fi
fi
} }
TF_BOOTSCRIPT_SEDFILTER = "${@tf_bootscript_sedfilter(d)}" TF_BOOTSCRIPT_SEDFILTER = "${@tf_bootscript_sedfilter(d)}"
@ -186,21 +116,21 @@ do_deploy:append() {
then then
cd ${DEPLOYDIR} cd ${DEPLOYDIR}
rm -r ${UBOOT_BINARY}-${type} rm -r ${UBOOT_BINARY}-${type}
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX} ln -sf ${UBOOT_BINARYNAME}-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then
install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
install ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} u-boot-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} install ${B}/${config}/${UBOOT_BINARYNAME}-dtb-signed.imx ${UBOOT_BINARYNAME}-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
ln -sf u-boot-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} ln -sf ${UBOOT_BINARYNAME}-dtb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-dtb-signed-${type}.${UBOOT_SUFFIX}
install ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} u-boot-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} install ${B}/${config}/${UBOOT_BINARYNAME}-dtb-usb-signed.imx ${UBOOT_BINARYNAME}-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
ln -sf u-boot-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} ln -sf ${UBOOT_BINARYNAME}-dtb-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ] if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
then then
install ${B}/${config}/u-boot-dtb-encrypted-${type}.${UBOOT_SUFFIX} u-boot-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} install ${B}/${config}/${UBOOT_BINARYNAME}-dtb-encrypted.imx ${UBOOT_BINARYNAME}-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
ln -sf u-boot-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-dtb-encrypted-${type}.${UBOOT_SUFFIX} ln -sf ${UBOOT_BINARYNAME}-dtb-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-dtb-encrypted-${type}.${UBOOT_SUFFIX}
fi fi
fi fi
fi fi

24
meta-digi-dey/classes/trustfence.bbclass
View File

@ -34,8 +34,6 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
IMAGE_FEATURES += "dey-trustfence" IMAGE_FEATURES += "dey-trustfence"
UBOOT_EXTRA_CONF = ""
python () { python () {
import binascii import binascii
import hashlib import hashlib
@ -43,12 +41,12 @@ python () {
# Secure console configuration # Secure console configuration
if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE", True) == "1"): if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_CONSOLE_DISABLE=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_DISABLE=y ")
if d.getVar("TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE", True): if d.getVar("TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE", True):
passphrase_hash = hashlib.sha256(d.getVar("TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE", True).encode()).hexdigest() passphrase_hash = hashlib.sha256(d.getVar("TRUSTFENCE_CONSOLE_PASSPHRASE_ENABLE", True).encode()).hexdigest()
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CONSOLE_ENABLE_PASSPHRASE=y CONFIG_CONSOLE_ENABLE_PASSPHRASE_KEY=\\"%s\\" ' % passphrase_hash) d.appendVar("UBOOT_TF_CONF", 'CONFIG_CONSOLE_ENABLE_PASSPHRASE=y CONFIG_CONSOLE_ENABLE_PASSPHRASE_KEY="%s" ' % passphrase_hash)
elif d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True): elif d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True):
d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True)) d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE", True))
# Secure boot configuration # Secure boot configuration
if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True) == "default"): if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True) == "default"):
@ -58,21 +56,21 @@ python () {
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True) + "/dek.bin"); d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True) + "/dek.bin");
if (d.getVar("TRUSTFENCE_SIGN", True) == "1"): if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ")
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS", True) == "1"): if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True): if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_KEYS_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True)) d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True))
if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION", True) == "1"): if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
if d.getVar("TRUSTFENCE_KEY_INDEX", True): if d.getVar("TRUSTFENCE_KEY_INDEX", True):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX", True)) d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX", True))
if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]): if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH", True)) d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH", True))
if d.getVar("TRUSTFENCE_SIGN_MODE", True): if d.getVar("TRUSTFENCE_SIGN_MODE", True):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_MODE=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_MODE", True)) d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE", True))
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"): if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y') d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")
# Provide sane default values for SWUPDATE class in case Trustfence is enabled # Provide sane default values for SWUPDATE class in case Trustfence is enabled
if (d.getVar("TRUSTFENCE_SIGN", True) == "1"): if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):