linux-dey: simplify trustfence signing process
Signing with AHAB mode only requires an additional prior step, so reuse as much code as possible. Also, for Image.gz images, sign the uncompressed Image and later compress the result. https://jira.digi.com/browse/DEL-7047 Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
parent
ce979e9323
commit
ae98d49748
@ -25,49 +25,47 @@ trustfence_sign() {
|
||||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
|
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
|
||||||
|
|
||||||
# Sign/encrypt the kernel images
|
# Sign/encrypt the kernel images
|
||||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
for type in ${KERNEL_IMAGETYPES}; do
|
||||||
for type in ${KERNEL_IMAGETYPES}; do
|
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
||||||
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
if [ "${type}" = "Image.gz" ]; then
|
||||||
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
|
# Sign the uncompressed Image
|
||||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
|
KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
|
||||||
mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
|
fi
|
||||||
done
|
|
||||||
|
|
||||||
# Sign/encrypt the device tree blobs
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
for DTB in ${KERNEL_DEVICETREE}; do
|
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${KERNEL_IMAGE} a35 ${RAM_CONTAINER_LOC_BOOT} -out ${KERNEL_IMAGE}-mkimg
|
||||||
DTB=`normalize_dtb "${DTB}"`
|
mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}"
|
||||||
DTB_EXT=${DTB##*.}
|
fi
|
||||||
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
|
|
||||||
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
|
|
||||||
TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
|
|
||||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
|
|
||||||
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
|
|
||||||
done
|
|
||||||
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
|
||||||
# Sign the kernel images
|
|
||||||
for type in ${KERNEL_IMAGETYPES}; do
|
|
||||||
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
|
||||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${WORKDIR}/build/arch/arm64/boot/Image a35 ${RAM_CONTAINER_LOC_BOOT} -out flash_os.bin
|
|
||||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "flash_os.bin" "${type}-${MACHINE}-signed.bin"
|
|
||||||
gzip ${type}-${MACHINE}-signed.bin
|
|
||||||
mv ${type}-${MACHINE}-signed.bin.gz "${KERNEL_IMAGE}"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Sign/encrypt the device tree blobs
|
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
|
||||||
for DTB in ${KERNEL_DEVICETREE}; do
|
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
|
||||||
DTB=`normalize_dtb "${DTB}"`
|
|
||||||
DTB_EXT=${DTB##*.}
|
if [ "${type}" = "Image.gz" ]; then
|
||||||
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
|
# Compress the signed Image and restore the original filename
|
||||||
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
|
gzip "${TMP_KERNEL_IMAGE_SIGNED}"
|
||||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg-signed
|
mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}"
|
||||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}-mkimg-signed" "${DTB_IMAGE}-signed"
|
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
||||||
mv "${DTB_IMAGE}-signed" "${DTB_IMAGE}"
|
fi
|
||||||
rm -f ${DTB_IMAGE}-mkimg-signed
|
|
||||||
done
|
mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
|
||||||
else
|
done
|
||||||
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
|
|
||||||
exit 1
|
# Sign/encrypt the device tree blobs
|
||||||
fi
|
for DTB in ${KERNEL_DEVICETREE}; do
|
||||||
|
DTB=`normalize_dtb "${DTB}"`
|
||||||
|
DTB_EXT=${DTB##*.}
|
||||||
|
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
|
||||||
|
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
|
||||||
|
|
||||||
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
|
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg
|
||||||
|
mv "${DTB_IMAGE}-mkimg" "${DTB_IMAGE}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
|
||||||
|
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
|
||||||
|
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
|
||||||
|
done
|
||||||
}
|
}
|
||||||
trustfence_sign[dirs] = "${DEPLOYDIR}"
|
trustfence_sign[dirs] = "${DEPLOYDIR}"
|
||||||
|
|
||||||
|
|
|
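Review bot: The rewritten kernel loop no longer rejects an unrecognised TRUSTFENCE_SIGN_MODE: the old `else` branch that called `bberror` and `exit 1` is gone, so any value other than "AHAB" now takes the plain signing path and the task succeeds. A secure-boot signing step should fail closed, so unless the mode is validated elsewhere (not visible here), keep a guard ahead of the `for type in ${KERNEL_IMAGETYPES}` loop, e.g. `case "${TRUSTFENCE_SIGN_MODE}" in HAB|AHAB) ;; *) bberror "Unknown TRUSTFENCE_SIGN_MODE value"; exit 1 ;; esac`. Separately, for Image.gz in AHAB mode, `mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}"` now replaces `${WORKDIR}/build/arch/arm64/boot/Image` in the build tree, so a re-run of the task would presumably wrap an already-wrapped image. Writing the container to a temporary file and signing that would leave the build output untouched. trustfence_sign() starts above the hunk.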