Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

imx-boot: fix sign conditions 

Do not evaluate TRUSTFENCE_SIGN_MODE on conditions where the sign mode
is not relevant:

1) U-Boot binary file should be signed directly after building it when simple
U-Boot images are used, but it should not be signed when imx-boot bundled
images are used.
For those, the signing process is performed later over the whole imx-boot
bundled binary file on a different recipe.
We use BOOTLOADER_IMAGE_RECIPE variable to evaluate this distinction.
BOOTLOADER_IMAGE_RECIPE is set to "u-boot" by default and is set to "imx-boot"
on ccimx8x and ccimx8mn machine configuration files.

2) For signing imx-boot images we should treat differently those images that
include the RAM configuration in their name and those that don't, as we do
for the rest of the tasks in the same recipe. We can ignore the sign mode
method in this case.

https://jira.digi.com/browse/DEL-7023

Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit is contained in:
Gonzalo Ruiz 2020-04-02 10:41:21 +02:00
parent 38a5b79718
commit ae49a255fa
2 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
meta-digi-arm/recipes-bsp/imx-mkimage/imx-boot_0.2.bbappend
View File

@ -204,16 +204,20 @@ do_deploy () {
} }
do_deploy_append () { do_deploy_append () {
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign U-boot image # Sign U-boot image
for ramc in ${RAM_CONFIGS}; do if [ "${UBOOT_RAM_COMBINATIONS}" = "" ]; then
trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-signed.bin
done else
for ramc in ${UBOOT_RAM_COMBINATIONS}; do
trustfence-sign-uboot.sh ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}.bin ${DEPLOYDIR}/${UBOOT_PREFIX}-${MACHINE}-${ramc}-signed.bin
done
fi
cp ${B}/SRK_efuses.bin ${DEPLOYDIR} cp ${B}/SRK_efuses.bin ${DEPLOYDIR}
fi fi

8
meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc
View File

@ -28,6 +28,8 @@ SRC_URI_append = " \
${@oe.utils.conditional('UBOOT_HAS_FASTBOOT', 'true', 'file://install_linux_fw_uuu.sh', '', d)} \ ${@oe.utils.conditional('UBOOT_HAS_FASTBOOT', 'true', 'file://install_linux_fw_uuu.sh', '', d)} \
" "
BOOTLOADER_IMAGE_RECIPE ?= "u-boot"
LOCALVERSION ?= "" LOCALVERSION ?= ""
inherit fsl-u-boot-localversion inherit fsl-u-boot-localversion
@ -81,7 +83,7 @@ do_compile () {
unset k unset k
# Secure boot artifacts # Secure boot artifacts
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ] if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]
then then
cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX} cp ${B}/${config}/u-boot-dtb-signed.imx ${B}/${config}/u-boot-dtb-signed-${type}.${UBOOT_SUFFIX}
cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX} cp ${B}/${config}/u-boot-dtb-usb-signed.imx ${B}/${config}/u-boot-dtb-usb-signed-${type}.${UBOOT_SUFFIX}
@ -124,7 +126,7 @@ do_deploy_append() {
cd ${DEPLOYDIR} cd ${DEPLOYDIR}
rm -r ${UBOOT_BINARY}-${type} rm -r ${UBOOT_BINARY}-${type}
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX} ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then
install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin install ${B}/${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
@ -170,7 +172,7 @@ do_deploy_append() {
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign boot script # Sign boot script
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ] && [ "${BOOTLOADER_IMAGE_RECIPE}" = "u-boot" ]; then
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}" trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr" mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"