From 9e5ee618511a4ff8aa4bdf7d046fb58ea85fca14 Mon Sep 17 00:00:00 2001
From: "Diaz de Grenu, Jose"
Date: Tue, 26 Jul 2016 11:44:04 +0200
Subject: [PATCH] meta-digi: use CAAM for environment encryption
https://jira.digi.com/browse/DUB-652
Signed-off-by: Diaz de Grenu, Jose
---
 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb | 5 -----
 meta-digi-dey/classes/trustfence.bbclass | 9 +++------
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
index 1abe6a6ea..3d84de6b0 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@@ -37,11 +37,6 @@ UBOOT_EXTRA_CONF ?= ""
 python __anonymous() {
 if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"):
 bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN=1) or remove encryption (TRUSTFENCE_DEK_PATH = 0)")
- if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
- if (d.getVar("TRUSTFENCE_DEK_PATH", True) in [None, "0"]):
- bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encryption. Consider removing TRUSTFENCE_DEK_PATH = 0")
- if (len(d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True)) != 32):
- bb.fatal("Invalid TRUSTFENCE_UBOOT_ENV_DEK length. Define a string formed by 32 hexadecimal characters")
 }
 do_compile () {
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 6530f01ef..76829cd2c 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -22,7 +22,7 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "1"
 TRUSTFENCE_SIGN ?= "1"
 TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
 TRUSTFENCE_DEK_PATH ?= "default"
-TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"
+TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 # Trustfence initramfs image recipe
 TRUSTFENCE_INITRAMFS_IMAGE ?= "dey-image-trustfence-initramfs"
@@ -46,9 +46,6 @@ python () {
 d.appendVar("UBOOT_EXTRA_CONF", " CONFIG_CONSOLE_ENABLE_GPIO=y CONFIG_CONSOLE_ENABLE_GPIO_NR=%s " % d.getVar("TRUSTFENCE_CONSOLE_GPIO_ENABLE"))
 # Secure boot configuration
- if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK") == "gen_random"):
- d.setVar("TRUSTFENCE_UBOOT_ENV_DEK", str(binascii.hexlify(os.urandom(16)).decode()))
-
 if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
 d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
@@ -63,6 +60,6 @@ python () {
 d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
 if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
 d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
- if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
- d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
+ if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT", True) == "1"):
+ d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y')
 }
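Review bot: In the `@@ -22,7 +22,7 @@` hunk, `TRUSTFENCE_UBOOT_ENV_DEK` is replaced by `TRUSTFENCE_ENCRYPT_ENVIRONMENT` with no compatibility check, so a project configuration that still sets the old variable (for example `TRUSTFENCE_UBOOT_ENV_DEK = "0"`, which the removed code treated as "off") is silently ignored and gets environment encryption enabled by the new default. A guard in the `python ()` block such as `if d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) is not None: bb.warn("TRUSTFENCE_UBOOT_ENV_DEK is no longer used; set TRUSTFENCE_ENCRYPT_ENVIRONMENT instead")` would surface the stale setting at parse time. The new assignment also has no comment; `# "1" encrypts the U-Boot environment with a CAAM-derived key; any other value disables it` above it would document the accepted values, which matter because the later check is a strict `== "1"`.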
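Review bot: In the `@@ -63,6 +60,6 @@` hunk, the new `TRUSTFENCE_ENCRYPT_ENVIRONMENT` check turns on `CONFIG_ENV_AES_CAAM_KEY=y` with no visible tie to `TRUSTFENCE_SIGN`, and the same commit drops the recipe warning that linked environment encryption to an encrypted U-Boot image. A CAAM-derived key is normally device-unique and secret only once the SoC is in the closed (secure boot) state, so on an unsigned or open build the environment would presumably be encrypted under a key that gives no real confidentiality; whether the enclosing `python ()` block already gates this on signing cannot be seen, because the block starts outside the hunk. Consider a build-time notice, e.g. `if d.getVar("TRUSTFENCE_SIGN", True) != "1": bb.warn("U-Boot environment encryption relies on the CAAM key and is only effective on closed devices")`. Separately, the appended string has no trailing space, unlike the `CONFIG_KEY_INDEX` and `CONFIG_DEK_PATH` appends above it, so a later `appendVar` would run into `CONFIG_ENV_AES_CAAM_KEY=y`; ending the literal with `CONFIG_ENV_AES_CAAM_KEY=y '` keeps the option list well-formed.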