From ae98d4974863e68316151ae536b5902b156db585 Mon Sep 17 00:00:00 2001 From: Gonzalo Ruiz Date: Thu, 28 May 2020 16:00:05 +0200 Subject: [PATCH] linux-dey: simplify trustfence signing process Signing with AHAB mode only requires an additional prior step, so reuse as much code as possible. Also, for Image.gz images, sign the uncompressed Image and later compress the result. https://jira.digi.com/browse/DEL-7047 Signed-off-by: Gonzalo Ruiz --- .../recipes-kernel/linux/linux-dey.inc | 80 +++++++++---------- 1 file changed, 39 insertions(+), 41 deletions(-) diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc index 6919f7f24..fd44dbe5d 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc 
@@ -25,49 +25,47 @@ trustfence_sign() { [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign/encrypt the kernel images - if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then - for type in ${KERNEL_IMAGETYPES}; do - KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" - TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)" - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}" - mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}" - done + for type in ${KERNEL_IMAGETYPES}; do + KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" + if [ "${type}" = "Image.gz" ]; then + # Sign the uncompressed Image + KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image + fi - # Sign/encrypt the device tree blobs - for DTB in ${KERNEL_DEVICETREE}; do - DTB=`normalize_dtb "${DTB}"` - DTB_EXT=${DTB##*.} - DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` - DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" - TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)" - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}" - mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}" - done - elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then - # Sign the kernel images - for type in ${KERNEL_IMAGETYPES}; do - KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${WORKDIR}/build/arch/arm64/boot/Image a35 ${RAM_CONTAINER_LOC_BOOT} -out flash_os.bin - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "flash_os.bin" "${type}-${MACHINE}-signed.bin" - gzip ${type}-${MACHINE}-signed.bin - mv ${type}-${MACHINE}-signed.bin.gz "${KERNEL_IMAGE}" - done + if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then + mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${KERNEL_IMAGE} a35 ${RAM_CONTAINER_LOC_BOOT} -out ${KERNEL_IMAGE}-mkimg + mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}" + fi - # Sign/encrypt the device tree blobs - for DTB in 
${KERNEL_DEVICETREE}; do - DTB=`normalize_dtb "${DTB}"` - DTB_EXT=${DTB##*.} - DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` - DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg-signed - trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}-mkimg-signed" "${DTB_IMAGE}-signed" - mv "${DTB_IMAGE}-signed" "${DTB_IMAGE}" - rm -f ${DTB_IMAGE}-mkimg-signed - done - else - bberror "Unkown TRUSTFENCE_SIGN_MODE value" - exit 1 - fi + TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)" + trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}" + + if [ "${type}" = "Image.gz" ]; then + # Compress the signed Image and restore the original filename + gzip "${TMP_KERNEL_IMAGE_SIGNED}" + mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}" + KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin" + fi + + mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}" + done + + # Sign/encrypt the device tree blobs + for DTB in ${KERNEL_DEVICETREE}; do + DTB=`normalize_dtb "${DTB}"` + DTB_EXT=${DTB##*.} + DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` + DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" + + if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then + mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg + mv "${DTB_IMAGE}-mkimg" "${DTB_IMAGE}" + fi + + TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)" + trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}" + mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}" + done } trustfence_sign[dirs] = "${DEPLOYDIR}"
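Review bot: The rewrite drops the `else` branch that rejected an unknown or empty `TRUSTFENCE_SIGN_MODE` with `bberror` and `exit 1`, so any value other than `AHAB` (including an unset variable, for which `CONFIG_SIGN_MODE` is not even exported) now silently takes the HAB path and is passed on to trustfence-sign-kernel.sh rather than failing the task here. Restore the check before the image loop, e.g. `case "${TRUSTFENCE_SIGN_MODE}" in HAB|AHAB) ;; *) bberror "Unknown TRUSTFENCE_SIGN_MODE value"; exit 1 ;; esac`. A second point: for `Image.gz` in AHAB mode, `mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}"` overwrites the kernel build tree's `arch/arm64/boot/Image` with the container, whereas the old code wrote to a scratch `flash_os.bin`; re-running the task or listing the type twice would presumably wrap an already-wrapped image, so it is safer to keep the container in the `-mkimg` file, sign that and remove it afterwards, as the old DTB branch did. The `${KERNEL_IMAGE}`/`${DTB_IMAGE}` arguments to mkimage_imx8 and the mktemp templates are also left unquoted, unlike the rest of the block. trustfence_sign's opening line sits in the hunk header context, not in the hunk body.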