linux-dey: simplify trustfence signing process
Signing with AHAB mode only requires an additional prior step, so reuse as much code as possible. Also, for Image.gz images, sign the uncompressed Image and later compress the result. https://jira.digi.com/browse/DEL-7047 Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
This commit is contained in:
Gonzalo Ruiz
parent
ce979e9323
commit
ae98d49748
|
|
@ -25,11 +25,28 @@ trustfence_sign() {
|
|||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
|
||||
|
||||
# Sign/encrypt the kernel images
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||
for type in ${KERNEL_IMAGETYPES}; do
|
||||
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
||||
if [ "${type}" = "Image.gz" ]; then
|
||||
# Sign the uncompressed Image
|
||||
KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
|
||||
fi
|
||||
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${KERNEL_IMAGE} a35 ${RAM_CONTAINER_LOC_BOOT} -out ${KERNEL_IMAGE}-mkimg
|
||||
mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}"
|
||||
fi
|
||||
|
||||
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
|
||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
|
||||
|
||||
if [ "${type}" = "Image.gz" ]; then
|
||||
# Compress the signed Image and restore the original filename
|
||||
gzip "${TMP_KERNEL_IMAGE_SIGNED}"
|
||||
mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}"
|
||||
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
||||
fi
|
||||
|
||||
mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
|
||||
done
|
||||
|
||||
|
|
@ -39,35 +56,16 @@ trustfence_sign() {
|
|||
DTB_EXT=${DTB##*.}
|
||||
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
|
||||
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
|
||||
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg
|
||||
mv "${DTB_IMAGE}-mkimg" "${DTB_IMAGE}"
|
||||
fi
|
||||
|
||||
TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
|
||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
|
||||
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
|
||||
done
|
||||
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
# Sign the kernel images
|
||||
for type in ${KERNEL_IMAGETYPES}; do
|
||||
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${WORKDIR}/build/arch/arm64/boot/Image a35 ${RAM_CONTAINER_LOC_BOOT} -out flash_os.bin
|
||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -l "flash_os.bin" "${type}-${MACHINE}-signed.bin"
|
||||
gzip ${type}-${MACHINE}-signed.bin
|
||||
mv ${type}-${MACHINE}-signed.bin.gz "${KERNEL_IMAGE}"
|
||||
done
|
||||
|
||||
# Sign/encrypt the device tree blobs
|
||||
for DTB in ${KERNEL_DEVICETREE}; do
|
||||
DTB=`normalize_dtb "${DTB}"`
|
||||
DTB_EXT=${DTB##*.}
|
||||
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
|
||||
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg-signed
|
||||
trustfence-sign-kernel.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}-mkimg-signed" "${DTB_IMAGE}-signed"
|
||||
mv "${DTB_IMAGE}-signed" "${DTB_IMAGE}"
|
||||
rm -f ${DTB_IMAGE}-mkimg-signed
|
||||
done
|
||||
else
|
||||
bberror "Unkown TRUSTFENCE_SIGN_MODE value"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
trustfence_sign[dirs] = "${DEPLOYDIR}"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue