Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

meta-digi: use CAAM for environment encryption 

https://jira.digi.com/browse/DUB-652

Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This commit is contained in:
Diaz de Grenu, Jose 2016-07-26 11:44:04 +02:00
parent 5a8e57da72
commit 9e5ee61851
2 changed files with 3 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
View File

@ -37,11 +37,6 @@ UBOOT_EXTRA_CONF ?= ""
python __anonymous() {
if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"):
bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN=1) or remove encryption (TRUSTFENCE_DEK_PATH = 0)")
if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
if (d.getVar("TRUSTFENCE_DEK_PATH", True) in [None, "0"]):
bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encryption. Consider removing TRUSTFENCE_DEK_PATH = 0")
if (len(d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True)) != 32):
bb.fatal("Invalid TRUSTFENCE_UBOOT_ENV_DEK length. Define a string formed by 32 hexadecimal characters")
}
do_compile () {

9
meta-digi-dey/classes/trustfence.bbclass
View File

@ -22,7 +22,7 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "1"
TRUSTFENCE_SIGN ?= "1"
TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
TRUSTFENCE_DEK_PATH ?= "default"
TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"
TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
# Trustfence initramfs image recipe
TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
@ -46,9 +46,6 @@ python () {
d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE"))
# Secure boot configuration
if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK") == "gen_random"):
d.setVar("TRUSTFENCE_UBOOT_ENV_DEK", str(binascii.hexlify(os.urandom(16)).decode()))
if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
@ -63,6 +60,6 @@ python () {
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
}