diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc index 6919f7f24..fd44dbe5d 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc @@ -25,49 +25,47 @@ trustfence_sign() { [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign/encrypt the kernel images - if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then - for type in ${KERNEL_IMAGETYPES}; do - KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" - TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)" - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}" - mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}" - done + for type in ${KERNEL_IMAGETYPES}; do + KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" + if [ "${type}" = "Image.gz" ]; then + # Sign the uncompressed Image + KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image + fi - # Sign/encrypt the device tree blobs - for DTB in ${KERNEL_DEVICETREE}; do - DTB=`normalize_dtb "${DTB}"` - DTB_EXT=${DTB##*.} - DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` - DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" - TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)" - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}" - mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}" - done - elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then - # Sign the kernel images - for type in ${KERNEL_IMAGETYPES}; do - KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${WORKDIR}/build/arch/arm64/boot/Image a35 ${RAM_CONTAINER_LOC_BOOT} -out flash_os.bin - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "flash_os.bin" "${type}-${MACHINE}-signed.bin" - gzip ${type}-${MACHINE}-signed.bin - mv ${type}-${MACHINE}-signed.bin.gz "${KERNEL_IMAGE}" - done + if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then + mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${KERNEL_IMAGE} a35 ${RAM_CONTAINER_LOC_BOOT} -out ${KERNEL_IMAGE}-mkimg + mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}" + fi - # Sign/encrypt the device tree blobs - for DTB in ${KERNEL_DEVICETREE}; do - DTB=`normalize_dtb "${DTB}"` - DTB_EXT=${DTB##*.} - DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` - DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg-signed - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}-mkimg-signed" "${DTB_IMAGE}-signed" - mv "${DTB_IMAGE}-signed" "${DTB_IMAGE}" - rm -f ${DTB_IMAGE}-mkimg-signed - done - else - bberror "Unkown TRUSTFENCE_SIGN_MODE value" - exit 1 - fi + TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)" + trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}" + + if [ "${type}" = "Image.gz" ]; then + # Compress the signed Image and restore the original filename + gzip "${TMP_KERNEL_IMAGE_SIGNED}" + mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}" + KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" + fi + + mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}" + done + + # Sign/encrypt the device tree blobs + for DTB in ${KERNEL_DEVICETREE}; do + DTB=`normalize_dtb "${DTB}"` + DTB_EXT=${DTB##*.} + DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` + DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" + + if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then + mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg + mv "${DTB_IMAGE}-mkimg" "${DTB_IMAGE}" + fi + + TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)" + trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}" + mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}" + done } trustfence_sign[dirs] = "${DEPLOYDIR}"