From ae327e8dae5a90023a5a7472c3efc5df453a6a36 Mon Sep 17 00:00:00 2001 From: Hector Palacios Date: Tue, 11 Jul 2023 06:50:26 +0200 Subject: [PATCH] trustfence: stm: move generation of PKI out of sign script Create a new script for the generation of PKI tree for STM platforms and leave the trustfence-sign-artifact script exclusively for signing. The new gen-pki script only requires the platform as an argument and the path to where to save the tree (if it doesn't exist) in CONFIG_SIGN_KEYS_PATH. This commit also reverts commit 13c136dbc5ee by getting rid of the trustfence-genpki-native.bb recipe and moving back the PKI generation functions into trustfence.bbclass. This recipe didn't quite guarantee that the PKI was generated on time for the recipes that required the keys to exist, anyway. Instead, the PKI generation function must be called right after do_compile() of recipe tf-a-stm32mp to be ready for do_deploy() where the key is used. Signed-off-by: Hector Palacios --- .../tf-a-stm32mp_%.bbappend | 11 ++- .../trustfence/trustfence-genpki-native.bb | 62 -------------- .../trustfence/trustfence-sign-tools.inc | 2 + .../trustfence-gen-pki-stm.sh | 85 +++++++++++++++++++ .../trustfence-sign-artifact-stm.sh | 51 +++-------- meta-digi-dey/classes/trustfence.bbclass | 33 +++++++ 6 files changed, 144 insertions(+), 100 deletions(-) delete mode 100644 meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb create mode 100755 meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend index c2c4762dd..e70fb808a 100644 --- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend +++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend 
@@ -18,7 +18,7 @@ TF_A_CONFIG = "${DEY_TF_A_CONFIG}" TF_A_CONFIG[nand] = "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''} STM32MP_USB_PROGRAMMER=1" DEPENDS += " \ - ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native trustfence-genpki-native', '', d)} \ + ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)} \ " # This dependency is required so that the PKI generation completes before @@ -29,6 +29,15 @@ do_install[depends] = " \ openssl-native:do_populate_sysroot \ " +# Generate PKI tree if it doesn't exist. +# This is an append to do_compile because in this recipe, the do_deploy +# task comes right after do_compile, and the keys must be ready before that. +do_compile:append() { + if ${@oe.utils.conditional('TRUSTFENCE_SIGN','1','true','false',d)}; then + check_gen_pki_tree + fi +} + # Obtain password to use in FIP generation # Get password from file using the given key index do_deploy[prefuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'set_fip_sign_key', '', d)}" diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb deleted file mode 100644 index b1167f55c..000000000 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-genpki-native.bb +++ /dev/null 
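Review bot: `do_compile:append` moves key generation into do_compile, but the only openssl-native dependency visible in this file is still attached to `do_install[depends]`, under a comment that says it exists so PKI generation completes in time. If openssl-native is not otherwise in the recipe sysroot before do_compile, the `openssl rand` calls in trustfence-gen-pki.sh can fail, and because that script does not check their result, keys could end up generated with an empty passphrase. Consider putting the tool in the conditional DEPENDS, `'trustfence-sign-tools-native openssl-native'`, and updating the stale comment. The rest of the recipe is outside these hunks, so this may already be covered elsewhere.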
@@ -1,62 +0,0 @@ -# Copyright (C) 2023, Digi International Inc. - -SUMMARY = "TrustFence generation of Public Key Infrastructure (PKI)" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" - -inherit native - -RDEPENDS:${PN} = " \ - trustfence-sign-tools-native \ - openssl-native \ -" - -S = "${WORKDIR}" - -do_fetch[noexec] = "1" -do_configure[noexec] = "1" -do_compile[noexec] = "1" - -# Function to generate a PKI tree (with lock dir protection) -GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock" -gen_pki_tree() { - if mkdir -p ${GENPKI_LOCK_DIR}; then - if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then - trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH} - elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then - # Call sign script with no artifact arguments to just - # generate the keys - export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" - export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" - trustfence-sign-artifact.sh -p ${DIGI_SOM} - fi - rm -rf ${GENPKI_LOCK_DIR} - else - bbfatal "Could not get lock to generate PKI tree" - fi -} - -# Function that generates a PKI tree if there isn't one -check_gen_pki_tree() { - if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then - SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" - n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)" - if [ "${n_commas}" -eq 0 ]; then - gen_pki_tree - elif [ "${n_commas}" -ne 3 ]; then - bbfatal "Inconsistent PKI tree" - fi - elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then - # The script that generates the PKI tree already checks if - # there isn't one, so there's nothing to do here but calling it. - gen_pki_tree - fi -} - -do_install[depends] = "trustfence-sign-tools-native:do_populate_sysroot \ - openssl-native:do_populate_sysroot" -do_install() { - check_gen_pki_tree -} - -FILES:${PN} = "${bindir}" 
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc index 39342d489..084fd4d3f 100644 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools.inc @@ -18,6 +18,7 @@ SRC_URI = " \ ${UBOOT_GIT_URI};branch=${SRCBRANCH} \ file://trustfence-sign-artifact-nxp.sh \ file://trustfence-sign-artifact-stm.sh \ + file://trustfence-gen-pki-stm.sh \ file://sign_hab;name=artifact-hab-sign \ file://encrypt_hab;name=artifact-hab-encrypt \ file://sign_ahab;name=artifact-ahab-sign \ @@ -57,6 +58,7 @@ do_install() { elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then install -d ${D}${bindir} install -m 0755 trustfence-sign-artifact-stm.sh ${D}${bindir}/trustfence-sign-artifact.sh + install -m 0755 trustfence-gen-pki-stm.sh ${D}${bindir}/trustfence-gen-pki.sh fi } diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh new file mode 100755 index 000000000..fed978035 --- /dev/null +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh 
@@ -0,0 +1,85 @@ +#!/bin/sh +#=============================================================================== +# +# trustfence-gen-pki-stm.sh +# +# Copyright (C) 2023 by Digi International Inc. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 as published by +# the Free Software Foundation. +# +# +# Description: +# Script for generating PKI tree using STM tools +# +#=============================================================================== + +# Avoid parallel execution of this script +SINGLE_PROCESS_LOCK="/tmp/gen_pki_script.lock.d" +trap 'rm -rf "${SINGLE_PROCESS_LOCK}"' INT TERM EXIT +while ! mkdir "${SINGLE_PROCESS_LOCK}" > /dev/null 2>&1; do + sleep 1 +done + +SCRIPT_NAME="$(basename "${0}")" +SUPPORTED_PLATFORMS="ccmp15, ccmp13" + +while getopts "p:" c; do + case "${c}" in + p) PLATFORM="${OPTARG}";; + esac +done +shift "$((OPTIND - 1))" + +usage() { + cat < + + Options: + -p platform + +Supported platforms: ${SUPPORTED_PLATFORMS} + +EOF +} + +if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then + echo "Undefined CONFIG_SIGN_KEYS_PATH"; + exit 1 +fi +[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}" + +# Default values +KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt" + +# Generate random keys if they don't exist +N_PUBK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/publicKey0* 2>/dev/null | wc -l)" +N_PRVK="$(ls -l "${CONFIG_SIGN_KEYS_PATH}"/keys/privateKey0* 2>/dev/null | wc -l)" +if [ "${PLATFORM}" = "ccmp15" ]; then + if [ "${N_PUBK}" != "1" ] && [ "${N_PRVK}" != 1 ] && [ ! 
-f "${KEY_PASS_FILE}" ]; then + install -d "${CONFIG_SIGN_KEYS_PATH}/keys/" + # Random password + password="$(openssl rand -base64 32)" + echo "Generating random key" + STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd "${password}" -n 1 + echo "${password}" > "${KEY_PASS_FILE}" + fi +elif [ "${PLATFORM}" = "ccmp13" ]; then + if [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != 8 ] && [ ! -f "${KEY_PASS_FILE}" ]; then + install -d "${CONFIG_SIGN_KEYS_PATH}/keys/" + # 8 random passwords (separated by whitespaces) + passwords="$(openssl rand -base64 32)" + for i in $(seq 1 7); do + passwords="${passwords} $(openssl rand -base64 32)" + done + echo "Generating random keys" + STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd "${passwords}" -n 8 + echo "${passwords}" > "${KEY_PASS_FILE}" + fi +else + echo "Undefined platform" + exit 1 +fi diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh index ddf2d1c86..35fd33728 100755 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh 
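Review bot: The cleanup trap is installed before the lock is acquired, so an instance still waiting in the `mkdir` loop that exits or receives INT/TERM removes `/tmp/gen_pki_script.lock.d` while another instance holds it, and two key generations can then run against the same tree. Install the trap only after `mkdir` succeeds. The script also never sets a umask, so `key_pass.txt` and the private keys get whatever permissions the caller's umask allows; `umask 077` before anything is created keeps the passphrases private to the build user. The exit status of `STM32MP_KeyGen_CLI` is not checked either, so a failed run still writes `key_pass.txt`, and its presence then suppresses regeneration on every later run. That matters more for ccmp13, where `-pwd "${passwords}"` is now one quoted word while the removed code passed it unquoted; if the tool expects eight separate arguments, generation would fail silently. The same status check applies to the ccmp13 branch.

```sh
# Avoid parallel execution of this script
SINGLE_PROCESS_LOCK="/tmp/gen_pki_script.lock.d"
while ! mkdir "${SINGLE_PROCESS_LOCK}" > /dev/null 2>&1; do
	sleep 1
done
# Only the process that owns the lock may remove it
trap 'rm -rf "${SINGLE_PROCESS_LOCK}"' INT TERM EXIT

# Keys and passphrase file must not be readable by other users
umask 077

# … unchanged: option parsing, usage, CONFIG_SIGN_KEYS_PATH check, key counting …

		if ! STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd "${password}" -n 1; then
			echo "Key generation failed" >&2
			exit 1
		fi
		echo "${password}" > "${KEY_PASS_FILE}"
```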
@@ -47,59 +47,36 @@ Usage: ${SCRIPT_NAME} [ ] Supported platforms: ${SUPPORTED_PLATFORMS} -When called without filename parameters, it generates random keys if they -do not exist. - EOF } +if [ "${#}" != "2" ]; then + usage + exit 1 +fi + if [ -z "${CONFIG_SIGN_KEYS_PATH}" ]; then echo "Undefined CONFIG_SIGN_KEYS_PATH"; exit 1 fi -[ -d "${CONFIG_SIGN_KEYS_PATH}" ] || mkdir "${CONFIG_SIGN_KEYS_PATH}" # Default values [ -z "${CONFIG_KEY_INDEX}" ] && CONFIG_KEY_INDEX="0" KEY_PASS_FILE="${CONFIG_SIGN_KEYS_PATH}/keys/key_pass.txt" # Generate random keys if they don't exist -if [ "${PLATFORM}" = "ccmp15" ]; then - PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey00.pem" - PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey00.pem" - if [ ! -f "${PRIVATE_KEY}" ] && [ ! -f "${PUBLIC_KEY}" ] && [ ! -f "${KEY_PASS_FILE}" ]; then - install -d "${CONFIG_SIGN_KEYS_PATH}/keys/" - # Random password - password="$(openssl rand -base64 32)" - echo "Generating random key" - STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${password} -n 1 - echo "${password}" > "${KEY_PASS_FILE}" - fi -elif [ "${PLATFORM}" = "ccmp13" ]; then - N_PUBK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0* 2>/dev/null | wc -l)" - N_PRVK="$(ls -l ${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0* 2>/dev/null | wc -l)" - PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem" - PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem" - if [ "${N_PUBK}" != "8" ] && [ "${N_PRVK}" != 8 ] && [ ! -f "${KEY_PASS_FILE}" ]; then - install -d "${CONFIG_SIGN_KEYS_PATH}/keys/" - # 8 random passwords (separated by whitespaces) - passwords="$(openssl rand -base64 32)" - for i in $(seq 1 7); do - passwords="${passwords} $(openssl rand -base64 32)" - done - echo "Generating random keys" - STM32MP_KeyGen_CLI -abs "${CONFIG_SIGN_KEYS_PATH}/keys/" -pwd ${passwords} -n 8 - echo "${passwords}" > "${KEY_PASS_FILE}" - fi -else - echo "Undefined platform" +if ! 
trustfence-gen-pki.sh -p ${PLATFORM}; then exit 1 fi -if [ "${#}" = "0" ]; then - exit 0 -elif [ "${#}" != "2" ]; then - usage +if [ "${PLATFORM}" = "ccmp15" ]; then + PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey00.pem" + PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey00.pem" +elif [ "${PLATFORM}" = "ccmp13" ]; then + PUBLIC_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/publicKey0*.pem" + PRIVATE_KEY="${CONFIG_SIGN_KEYS_PATH}/keys/privateKey0${CONFIG_KEY_INDEX}.pem" +else + echo "Undefined platform" exit 1 fi diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index 202ddcd28..6ea35e306 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass 
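Review bot: The sign script still calls `trustfence-gen-pki.sh` before every signing operation, so a mistyped `CONFIG_SIGN_KEYS_PATH` produces an artifact signed with freshly generated random keys instead of an error. That also contradicts the commit's stated goal of leaving this script exclusively for signing. Consider dropping the call and failing when the expected key is absent, for example `[ -f "${PRIVATE_KEY}" ] || { echo "Missing signing key" >&2; exit 1; }` after the platform block. If the call stays, quote the argument: `if ! trustfence-gen-pki.sh -p "${PLATFORM}"; then`. The rest of the script continues outside this hunk.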
@@ -36,6 +36,39 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl IMAGE_FEATURES += "dey-trustfence" +# Function to generate a PKI tree (with lock dir protection) +GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock" +gen_pki_tree() { + if mkdir -p ${GENPKI_LOCK_DIR}; then + if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then + trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH} + elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then + export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" + trustfence-gen-pki.sh -p ${DIGI_SOM} + fi + rm -rf ${GENPKI_LOCK_DIR} + else + bbfatal "Could not get lock to generate PKI tree" + fi +} + +# Function that generates a PKI tree if there isn't one +check_gen_pki_tree() { + if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then + SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" + n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)" + if [ "${n_commas}" -eq 0 ]; then + gen_pki_tree + elif [ "${n_commas}" -ne 3 ]; then + bbfatal "Inconsistent PKI tree" + fi + elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then + # The script that generates the PKI tree already checks if + # there isn't one, so there's nothing to do here but calling it. + gen_pki_tree + fi +} + python () { import binascii import hashlib
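Review bot: `mkdir -p ${GENPKI_LOCK_DIR}` in `gen_pki_tree` does not act as a lock, because `mkdir -p` also succeeds when the directory already exists. Two tasks can therefore both enter the critical section, and the first to finish removes the directory under the other. Create the parent separately and take the lock with a plain mkdir, e.g. `mkdir -p "${TRUSTFENCE_SIGN_KEYS_PATH}"` followed by `if mkdir "${GENPKI_LOCK_DIR}"; then`. Once the lock is real, the `bbfatal` branch will fire on ordinary contention if more than one recipe calls `check_gen_pki_tree`, so it should probably wait and retry rather than abort. I would also document above `GENPKI_LOCK_DIR` that a failed generation can leave the directory behind and that it then needs manual removal.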