From acd2ee22c13ca8fb45b74448f8b78f35f825b897 Mon Sep 17 00:00:00 2001
From: Arturo Buzarra <arturo.buzarra@digi.com>
Date: Wed, 30 Aug 2023 08:52:49 +0200
Subject: [PATCH] trustfence: stm: rework PKI tree generation for CCMP15
 platforms

PKI tree generation for the STM32MP15 cpu provides the undesired file
"publicKeysHashHashes.bin", which is only required by STM32MP13. This commit
generates the PKI tree according to the KeyGen tool documentation to avoid
generate this extra file and avoid confusing the end user.

Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
---
 .../trustfence-sign-tools/trustfence-gen-pki-stm.sh   |  6 +++---
 .../trustfence-sign-artifact-stm.sh                   |  4 ++--
 meta-digi-dey/classes/trustfence.bbclass              | 11 +++++++++--
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
index f9b543284..ad0c4548d 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
@@ -56,15 +56,15 @@ fi
 KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt"
 
 # Generate random keys if they don't exist
-N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey0* 2>/dev/null | wc -l)"
-N_PRVK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/privateKey0* 2>/dev/null | wc -l)"
+N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey*.pem 2>/dev/null | wc -l)"
+N_PRVK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/privateKey*.pem 2>/dev/null | wc -l)"
 if [ "${PLATFORM}" = "ccmp15" ]; then
 	if [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ ! -f "${KEY_PASS_FILE}" ]; then
 		install -d "${CONFIG_SIGN_KEYS_PATH}/keys/"
 		# Random password
 		password="$(openssl rand -base64 32)"
 		echo "Generating random key"
-		if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${password} -n 1; then
+		if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${password}; then
 			echo "[ERROR] Could not generate PKI tree"
 			exit 1
 		fi
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
index 35fd33728..236033d95 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh
@@ -70,8 +70,8 @@ if ! trustfence-gen-pki.sh -p ${PLATFORM}; then
 fi
 
 if [ "${PLATFORM}" = "ccmp15" ]; then
-	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey00.pem"
-	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey00.pem"
+	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey.pem"
+	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey.pem"
 elif [ "${PLATFORM}" = "ccmp13" ]; then
 	PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem"
 	PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem"
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 427775939..35597ecd8 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -91,7 +91,14 @@ copy_public_key() {
 			openssl x509 -pubkey -noout -in "${CERT_IMG}" > "${PUBLIC_KEY}"
 		fi
 	elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
-		PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
+		if [ "${DIGI_SOM}" = "ccmp15" ]; then
+			PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem"
+		elif [ "${DIGI_SOM}" = "ccmp13" ]; then
+			PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
+		else
+			bberror "Unknown DIGI_SOM"
+			exit 1
+		fi
 	else
 		echo "ERROR: Cannot determine the public key"
 		exit 1
@@ -142,7 +149,7 @@ python () {
             d.setVar("FIP_SIGN_ENABLE", "1")
             d.setVar("FIP_SIGN_KEY_EXTERNAL", "1")
             if (d.getVar("DIGI_SOM") == "ccmp15" ):
-                d.setVar("FIP_SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey00.pem");
+                d.setVar("FIP_SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey.pem");
             elif (d.getVar("DIGI_SOM") == "ccmp13" ):
                 d.setVar("FIP_SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX"));
             d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt")