From ae49a255fa114a1038a058807771bc8c79ffb49c Mon Sep 17 00:00:00 2001 From: Gonzalo Ruiz Date: Thu, 2 Apr 2020 10:41:21 +0200 Subject: [PATCH] imx-boot: fix sign conditions Do not evaluate TRUSTFENCE_SIGN_MODE on conditions where the sign mode is not relevant: 1) U-Boot binary file should be signed directly after building it when simple U-Boot images are used, but it should not be signed when imx-boot bundled images are used. For those, the signing process is performed later over the whole imx-boot bundled binary file on a different recipe. We use BOOTLOADER_IMAGE_RECIPE variable to evaluate this distinction. BOOTLOADER_IMAGE_RECIPE is set to "u-boot" by default and is set to "imx-boot" on ccimx8x and ccimx8mn machine configuration files. 2) For signing imx-boot images we should treat differently those images that include the RAM configuration in their name and those that don't, as we do for the rest of the tasks in the same recipe. We can ignore the sign mode method in this case. https://jira.digi.com/browse/DEL-7023 Signed-off-by: Gonzalo Ruiz --- .../recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend | 12 ++++++++---- meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc | 8 +++++--- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend index 5c184bc7a..6703090e0 100644 --- a/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend +++ b/meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend 
@@ -204,16 +204,20 @@ do_deploy () { } do_deploy_append () { - if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then + if [ "${TRUSTFENCE_SIGN}" = "1" ]; then export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign U-boot image - for ramc in ${RAM_CONFIGS}; do - trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin - done + if [ "${UBOOT_RAM_COMBINATIONS}" = "" ]; then + trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-signed.bin + else + for ramc in ${UBOOT_RAM_COMBINATIONS}; do + trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin + done + fi cp ${B}/SRK_efuses.bin ${DEPLOYDIR} fi diff --git a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc index 7780f1d98..1602110ca 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc @@ -28,6 +28,8 @@ SRC_URI_append = " \ ${@oe.utils.conditional('UBOOT_HAS_FASTBOOT', 'true', 'file://install_linux_fw_uuu.sh', '', d)} \ " +BOOTLOADER_IMAGE_RECIPE ?= "u-boot" + LOCALVERSION ?= "" inherit fsl-u-boot-localversion 
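Review bot: With the `TRUSTFENCE_SIGN_MODE` test dropped from the outer `if` in `do_deploy_append`, the signing branch now runs for any mode value, including an empty one, while `CONFIG_SIGN_MODE` is still exported only when the variable is non-empty. What `trustfence-sign-uboot.sh` does without `CONFIG_SIGN_MODE` is not visible in this patch, so unless a default is set elsewhere, a build with `TRUSTFENCE_SIGN = "1"` and no mode may sign under a default the integrator did not choose. Consider failing early inside the block, e.g. `[ -n "${TRUSTFENCE_SIGN_MODE}" ] || bbfatal "TRUSTFENCE_SIGN_MODE must be set when TRUSTFENCE_SIGN is 1"`. The body of `do_deploy_append` continues past the end of the hunk.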
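Review bot: `BOOTLOADER_IMAGE_RECIPE` is introduced in `digi-u-boot.inc` without a comment, although its value now decides whether this recipe produces signed U-Boot artifacts. A short comment above the assignment would help, such as `# Recipe that produces the final bootloader image: "u-boot" (signed in this recipe) or "imx-boot" (signed in the imx-boot recipe)`. The two values are the ones named in the commit message; any others should be listed if they exist.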
@@ -81,7 +83,7 @@ do_compile () { unset k # Secure boot artifacts - if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ] + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ] then cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} @@ -124,7 +126,7 @@ do_deploy_append() { cd ${DEPLOYDIR} rm -r ${UBOOT_BINARY}-${type} ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX} - if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then + if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin @@ -170,7 +172,7 @@ do_deploy_append() { [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign boot script - if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then + if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}" mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
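Review bot: The new test `[ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]` in `do_compile` is an exact string match, so any value other than `u-boot` (a typo in a machine file as much as `imx-boot`) skips the secure boot artifacts without a message even though `TRUSTFENCE_SIGN` is `1`. The same comparison is added in the hunks at -124 and -170 in `do_deploy_append`. Validating the variable once would turn a silently unsigned build into a build error, e.g. `case "${BOOTLOADER_IMAGE_RECIPE}" in u-boot|imx-boot) ;; *) bbfatal "Unsupported BOOTLOADER_IMAGE_RECIPE: ${BOOTLOADER_IMAGE_RECIPE}" ;; esac`. `do_compile` starts and ends outside the hunk.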
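Review bot: In the hunk at -170, `boot.scr` is now signed only when the mode is `HAB` and `BOOTLOADER_IMAGE_RECIPE` is `u-boot`, so a machine that builds imx-boot with `TRUSTFENCE_SIGN_MODE = "HAB"` (the first hunk suggests non-AHAB modes are used with imx-boot) had its boot script signed here before and no longer does. The commit message explains the move for the U-Boot binary but does not mention the boot script, and no other place that signs `boot.scr` is visible in this patch. If this is intended, a comment above the `if` such as `# boot.scr for imx-boot machines is signed in <recipe>` would record it. If it is not, the added `BOOTLOADER_IMAGE_RECIPE` test should be dropped from this condition. The surrounding `do_deploy_append` starts and ends outside the hunk.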