u-boot-dey: add support to installation script for Trustfence

This commit adds support to installation script for Trustfence
artifacts.

https://onedigi.atlassian.net/browse/DEL-8271

Signed-off-by: Mike Engel <Mike.Engel@digi.com>

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc

@@ -81,6 +81,26 @@ build_uboot_scripts() {
 			-e 's,##GRAPHICAL_IMAGES##,${GRAPHICAL_IMAGES},g' \
 			-e 's,##DEFAULT_IMAGE_NAME##,${DEFAULT_IMAGE_NAME},g' \
 			${WORKDIR}/${f} > ${TMP_INSTALL_SCR}
+		# Change the u-boot name when TrustFence is enabled
+		if [ "${TRUSTFENCE_SIGN}" == "1" ]; then
+			if [ "${DEY_SOC_VENDOR}" == "NXP" ]; then
+				if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+					sed -e 's,##SIGNED##,-encrypted,g' \
+					${WORKDIR}/${f} > ${TMP_INSTALL_SCR}
+				else
+					sed -e 's,##SIGNED##,-signed,g' \
+					${WORKDIR}/${f} > ${TMP_INSTALL_SCR}
+				fi
+			else
+				sed -e 's,##SIGNED##,_Signed,g' \
+				${WORKDIR}/${f} > ${TMP_INSTALL_SCR}
+				sed -e 's,##SIGNED_TFA##,_signed,g' \
+				${WORKDIR}/${f} > ${TMP_INSTALL_SCR}
+			fi
+		else
+			sed -e 's,##SIGNED##,,g' \
+			${WORKDIR}/${f} > ${TMP_INSTALL_SCR}
+		fi
 		if [ "${f_ext}" = "txt" ]; then
 			mkimage -T script -n "DEY firmware install script" -C none -d ${TMP_INSTALL_SCR} ${DEPLOYDIR}/${f%.*}.scr
 		else

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6qpsbc/install_linux_fw_uuu.sh

@@ -39,7 +39,10 @@ show_usage()
 	echo "   -i <dey-image-name>    Image name that prefixes the image filenames, such as 'dey-image-qt', "
 	echo "                          'dey-image-webkit', 'core-image-base'..."
 	echo "                          Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
+	echo "   -k <dek-blob-file>     Update includes dek blob file."
+	echo "                          (requires -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
+	echo "   -t                     Install Trustfence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -49,6 +52,7 @@ show_usage()
 #   Params:
 #	1. partition
 #	2. file
+#	3. dek blob file when updating an encrypted bootloader
 part_update()
 {
 	echo "\033[36m"
@@ -57,10 +61,23 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${1}" = "bootloader" ]; then
-		uuu fb: flash "${1}" "${2}"
+	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
+		uuu fb: download -f "${2}"
+		if [ -n "${DEK_BLOB_FILE}" ]; then
+			uuu fb: ucmd setenv uboot_size $filesize
+			uuu fb: ucmd setenv fastboot_buffer $initrd_addr
+			uuu fb: download -f "${3}"
+			uuu fb: ucmd setenv dek_size $filesize
+			uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+		else
+			uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes}
+		fi
 	else
-		uuu fb: flash -raw2sparse "${1}" "${2}"
+		if [ "${1}" = "bootloader" ]; then
+			uuu fb: flash "${1}" "${2}"
+		else
+			uuu fb: flash -raw2sparse "${1}" "${2}"
+		fi
 	fi
 }
 
@@ -73,14 +90,16 @@ echo "############################################################"
 # -b, -d, -n (booleans)
 # -i <image-name>
 # -u <u-boot-filename>
-while getopts 'bdhi:nu:' c
+while getopts 'bdhi:k:ntu:' c
 do
 	case $c in
 	b) BOOTCOUNT=true ;;
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
+	k) DEK_BLOB_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
+	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -243,7 +262,7 @@ fi
 uuu fb: ucmd setenv forced_update 1
 
 # Update U-Boot
-part_update "bootloader" "${INSTALL_UBOOT_FILENAME}"
+part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_FILE}"
 
 # Set MMC to boot from BOOT1 partition
 uuu fb: ucmd mmc partconf 0 1 1 1

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6sbc/install_linux_fw_uuu.sh

@@ -39,7 +39,10 @@ show_usage()
 	echo "   -i <dey-image-name>    Image name that prefixes the image filenames, such as 'dey-image-qt', "
 	echo "                          'dey-image-webkit', 'core-image-base'..."
 	echo "                          Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
+	echo "   -k <dek-blob-file>     Update includes dek blob file."
+	echo "                          (requires -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
+	echo "   -t                     Install Trustfence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -49,6 +52,7 @@ show_usage()
 #   Params:
 #	1. partition
 #	2. file
+#	3. dek blob file when updating an encrypted bootloader
 part_update()
 {
 	echo "\033[36m"
@@ -57,10 +61,23 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${1}" = "bootloader" ]; then
-		uuu fb: flash "${1}" "${2}"
+	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
+		uuu fb: download -f "${2}"
+		if [ -n "${DEK_BLOB_FILE}" ]; then
+			uuu fb: ucmd setenv uboot_size $filesize
+			uuu fb: ucmd setenv fastboot_buffer $initrd_addr
+			uuu fb: download -f "${3}"
+			uuu fb: ucmd setenv dek_size $filesize
+			uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+		else
+			uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes}
+		fi
 	else
-		uuu fb: flash -raw2sparse "${1}" "${2}"
+		if [ "${1}" = "bootloader" ]; then
+			uuu fb: flash "${1}" "${2}"
+		else
+			uuu fb: flash -raw2sparse "${1}" "${2}"
+		fi
 	fi
 }
 
@@ -73,14 +90,17 @@ echo "############################################################"
 # -b, -d, -n (booleans)
 # -i <image-name>
 # -u <u-boot-filename>
-while getopts 'bdhi:nu:' c
+# -k <dek-blob-name>
+while getopts 'bdhi:k:ntu:' c
 do
 	case $c in
 	b) BOOTCOUNT=true ;;
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
+	k) DEK_BLOB_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
+	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -262,7 +282,7 @@ fi
 uuu fb: ucmd setenv forced_update 1
 
 # Update U-Boot
-part_update "bootloader" "${INSTALL_UBOOT_FILENAME}"
+part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_FILE}"
 
 # Set MMC to boot from BOOT1 partition
 uuu fb: ucmd mmc partconf 0 1 1 1

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx6ul/install_linux_fw_uuu.sh

@@ -39,7 +39,10 @@ show_usage()
 	echo "   -i <dey-image-name>    Image name that prefixes the image filenames, such as 'dey-image-qt', "
 	echo "                          'dey-image-webkit', 'core-image-base'..."
 	echo "                          Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
+	echo "   -k <dek-blob-file>     Update includes dek blob file."
+	echo "                          (requires -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
+	echo "   -t                     Install Trustfence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -53,6 +56,7 @@ show_usage()
 #   Description:
 #	- downloads image to RAM
 #	- runs 'update' command from RAM
+#	4. dek blob file when updating an encrypted u-boot
 part_update()
 {
 	echo "\033[36m"
@@ -70,7 +74,19 @@ part_update()
 		ERASE="-e"
 	fi
 	uuu fb: download -f "${2}"
-	uuu "fb[-t ${3}]:" ucmd update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} ${ERASE}
+	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "uboot" ]; then
+		if [ -n "${DEK_BLOB_FILE}" ]; then
+			uuu fb: ucmd setenv uboot_size $filesize
+			uuu fb: ucmd setenv fastboot_buffer $initrd_addr
+			uuu fb: download -f "${4}"
+			uuu fb: ucmd setenv dek_size $filesize
+			uuu "fb[-t ${3}]:" ucmd trustfence update ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+		else
+			uuu "fb[-t ${3}]:" ucmd trustfence update ram \${fastboot_buffer} \${fastboot_bytes}
+		fi
+	else
+		uuu "fb[-t ${3}]:" ucmd update "${1}" ram \${fastboot_buffer} \${fastboot_bytes} ${ERASE}
+	fi
 }
 
 clear
@@ -82,14 +98,17 @@ echo "############################################################"
 # -b, -d, -n (booleans)
 # -i <image-name>
 # -u <u-boot-filename>
-while getopts 'bdhi:nu:' c
+# -k <dek-blob-name>
+while getopts 'bdhi:k:ntu:' c
 do
 	case $c in
 	b) BOOTCOUNT=true ;;
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
+	k) DEK_BLOB_FILE=${OPTARG} ;;
 	n) NOWAIT=true ;;
+	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -119,7 +138,7 @@ if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
 	if [ -n "$module_variant" ]; then
 		if [ "$module_variant" = "0x08" ] || \
 		   [ "$module_variant" = "0x0a" ]; then
-			INSTALL_UBOOT_FILENAME="u-boot-##MACHINE##512MB.imx"
+			INSTALL_UBOOT_FILENAME="u-boot-##SIGNED##-##MACHINE##512MB.imx"
 		elif [ "$module_variant" = "0x04" ] || \
 		     [ "$module_variant" = "0x05" ] || \
 		     [ "$module_variant" = "0x07" ]; then
@@ -260,7 +279,7 @@ uuu fb: ucmd setenv fastboot_buffer \${loadaddr}
 uuu fb: ucmd setenv forced_update 1
 
 # Update U-Boot
-part_update "uboot" "${INSTALL_UBOOT_FILENAME}" 5000
+part_update "uboot" "${INSTALL_UBOOT_FILENAME}" 5000 "${DEK_BLOB_FILE}"
 
 # Set 'bootcmd' for the second part of the script that will
 #  - Reset environment to defaults

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8m/install_linux_fw_uuu.sh

@@ -39,7 +39,10 @@ show_usage()
 	echo "   -i <dey-image-name>    Image name that prefixes the image filenames, such as 'dey-image-qt', "
 	echo "                          'dey-image-webkit', 'core-image-base'..."
 	echo "                          Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
+	echo "   -k <dek-blob-file>     Update includes dek blob file."
+	echo "                          (requires -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
+	echo "   -t                     Install Trustfence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -49,6 +52,7 @@ show_usage()
 #   Params:
 #	1. partition
 #	2. file
+#	3. dek blob file when updating an encrypted bootloader
 part_update()
 {
 	echo "\033[36m"
@@ -57,10 +61,24 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${1}" = "bootloader" ]; then
-		uuu fb: flash "${1}" "${2}"
+	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
+		uuu fb: download -f "${2}"
+		if [ -n "${DEK_BLOB_KEY}" ]; then
+				uuu fb: ucmd setenv uboot_size $filesize
+				uuu fb: ucmd setenv fastboot_buffer $initrd_addr
+				uuu fb: download -f "${3}"
+				uuu fb: ucmd setenv dek_size $filesize
+				uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+			else
+				uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes}
+			fi
+		fi
 	else
-		uuu fb: flash -raw2sparse "${1}" "${2}"
+		if [ "${1}" = "bootloader" ]; then
+			uuu fb: flash "${1}" "${2}"
+		else
+			uuu fb: flash -raw2sparse "${1}" "${2}"
+		fi
 	fi
 }
 
@@ -73,14 +91,17 @@ echo "############################################################"
 # -b, -d, -n (booleans)
 # -i <image-name>
 # -u <u-boot-filename>
-while getopts 'bdhi:nu:' c
+# -k <dek-blob-name>
+while getopts 'bdhi:k:ntu:' c
 do
 	case $c in
 	b) BOOTCOUNT=true ;;
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
+	k) DEK_BLOB_KEY=${OPTARG} ;;
 	n) NOWAIT=true ;;
+	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -102,7 +123,7 @@ echo "Determining image files to use..."
 
 # Determine U-Boot file to program basing on SOM's SOC type (linked to bus width)
 if [ -z "${INSTALL_UBOOT_FILENAME}" ]; then
-	INSTALL_UBOOT_FILENAME="imx-boot-##MACHINE##.bin"
+	INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##.bin"
 fi
 
 # Determine linux, recovery, and rootfs image filenames to update
@@ -214,7 +235,7 @@ uuu fb: ucmd setenv fastboot_buffer \${loadaddr}
 uuu fb: ucmd setenv forced_update 1
 
 # Update U-Boot
-part_update "bootloader" "${INSTALL_UBOOT_FILENAME}"
+part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_KEY}"
 
 # Set MMC to boot from BOOT1 partition
 uuu fb: ucmd mmc partconf 0 1 1 1

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccimx8x/install_linux_fw_uuu.sh

@@ -39,7 +39,10 @@ show_usage()
 	echo "   -i <dey-image-name>    Image name that prefixes the image filenames, such as 'dey-image-qt', "
 	echo "                          'dey-image-webkit', 'core-image-base'..."
 	echo "                          Defaults to '##DEFAULT_IMAGE_NAME##' if not provided."
+	echo "   -k <dek-blob-file>     Update includes dek blob file."
+	echo "                          (requires -t)."
 	echo "   -n                     No wait. Skips 10 seconds delay to stop script."
+	echo "   -t                     Install Trustfence artifacts."
 	echo "   -u <u-boot-filename>   U-Boot filename."
 	echo "                          Auto-determined by variant if not provided."
 	exit 2
@@ -49,6 +52,7 @@ show_usage()
 #   Params:
 #	1. partition
 #	2. file
+#	3. dek blob file when updating an encrypted bootloader
 part_update()
 {
 	echo "\033[36m"
@@ -57,10 +61,23 @@ part_update()
 	echo "====================================================================================="
 	echo "\033[0m"
 
-	if [ "${1}" = "bootloader" ]; then
-		uuu fb: flash "${1}" "${2}"
+	if [ "${TRUSTFENCE}" = "true" ] && [ "${1}" = "bootloader" ]; then
+		uuu fb: download -f "${2}"
+		if [ -n "${DEK_BLOB_KEY}" ]; then
+			uuu fb: ucmd setenv uboot_size $filesize
+			uuu fb: ucmd setenv fastboot_buffer $initrd_addr
+			uuu fb: download -f "${3}"
+			uuu fb: ucmd setenv dek_size $filesize
+			uuu fb: ucmd trustfence update "${1}" ram \${loadaddr} \${uboot_size} \${initrd_addr} \${dek_size}
+		else
+			uuu fb: ucmd trustfence update "${1}" ram \${fastboot_buffer} \${fastboot_bytes}
+		fi
 	else
-		uuu fb: flash -raw2sparse "${1}" "${2}"
+		if [ "${1}" = "bootloader" ]; then
+			uuu fb: flash "${1}" "${2}"
+		else
+			uuu fb: flash -raw2sparse "${1}" "${2}"
+		fi
 	fi
 }
 
@@ -73,14 +90,17 @@ echo "############################################################"
 # -b, -d, -n (booleans)
 # -i <image-name>
 # -u <u-boot-filename>
-while getopts 'bdhi:nu:' c
+# -k <dek-blob-name>
+while getopts 'bdhi:k:ntu:' c
 do
 	case $c in
 	b) BOOTCOUNT=true ;;
 	d) INSTALL_DUALBOOT=true && BOOTCOUNT=true ;;
 	h) show_usage ;;
 	i) IMAGE_NAME=${OPTARG} ;;
+	k) DEK_BLOB_KEY=${OPTARG} ;;
 	n) NOWAIT=true ;;
+	t) TRUSTFENCE=true ;;
 	u) INSTALL_UBOOT_FILENAME=${OPTARG} ;;
 	esac
 done
@@ -106,7 +126,7 @@ if [ -z ${INSTALL_UBOOT_FILENAME} ]; then
 		soc_rev="B0"
 	fi
 
-	INSTALL_UBOOT_FILENAME="imx-boot-##MACHINE##-${soc_rev}.bin"
+	INSTALL_UBOOT_FILENAME="imx-boot-##SIGNED##-##MACHINE##-${soc_rev}.bin"
 fi
 
 # remove redirect
@@ -214,11 +234,14 @@ if [ "${NOWAIT}" != true ]; then
 	printf " Starting update process\n"
 fi
 
+# Set fastboot buffer address to $loadaddr, just in case
+uuu fb: ucmd setenv fastboot_buffer \${loadaddr}
+
 # Skip user confirmation for U-Boot update
 uuu fb: ucmd setenv forced_update 1
 
 # Update U-Boot
-part_update "bootloader" "${INSTALL_UBOOT_FILENAME}"
+part_update "bootloader" "${INSTALL_UBOOT_FILENAME}" "${DEK_BLOB_KEY}"
 
 # Set MMC to boot from BOOT1 partition
 uuu fb: ucmd mmc partconf 0 1 1 1

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/install_linux_fw_uuu.sh

@@ -120,12 +120,12 @@ echo "Determining image files to use..."
 
 # Determine ATF file to program
 if [ -z "${INSTALL_ATF_FILENAME}" ]; then
-	INSTALL_ATF_FILENAME="tf-a-##MACHINE##-nand.stm32"
+	INSTALL_ATF_FILENAME="tf-a-##MACHINE##-nand##SIGNED_TFA##.stm32"
 fi
 
 # Determine FIP file to program
 if [ -z "${INSTALL_FIP_FILENAME}" ]; then
-	INSTALL_FIP_FILENAME="fip-##MACHINE##-optee.bin"
+	INSTALL_FIP_FILENAME="fip-##MACHINE##-optee##SIGNED##.bin"
 fi
 
 # Determine linux, recovery, and rootfs image filenames to update