diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass index 48d29b906..03dfd64e7 100644 --- a/meta-digi-arm/classes/image_types_digi.bbclass +++ b/meta-digi-arm/classes/image_types_digi.bbclass @@ -75,6 +75,7 @@ IMAGE_DEPENDS_boot.ubifs = " \ mtd-utils-native:do_populate_sysroot \ u-boot:do_deploy \ virtual/kernel:do_deploy \ + ${@TRUSTFENCE_BOOTIMAGE_DEPENDS(d)} \ " IMAGE_CMD_boot.ubifs() { @@ -90,6 +91,11 @@ IMAGE_CMD_boot.ubifs() { done fi + # Add Trustfence initramfs if enabled + if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then + BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${TRUSTFENCE_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf" + fi + # Create temporary folder TMP_BOOTDIR="$(mktemp -d ${DEPLOY_DIR_IMAGE}/boot.XXXXXX)" diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb index 9759e9abc..25e32c53e 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb +++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb @@ -98,6 +98,7 @@ do_compile () { TF_BOOTSCRIPT_SEDFILTER = "" TF_BOOTSCRIPT_SEDFILTER_ccimx6 = "${@tf_bootscript_sedfilter(d)}" +TF_BOOTSCRIPT_SEDFILTER_ccimx6ul = "${@tf_bootscript_sedfilter(d)}" def tf_bootscript_sedfilter(d): tf_initramfs = d.getVar('TRUSTFENCE_INITRAMFS_IMAGE',True) or "" diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb index 7fb2bdc45..278301b5d 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs.bb 
@@ -24,9 +24,17 @@ FILES_${PN} = "/" # Runtime packages used in 'trustfence-initramfs-init' RDEPENDS_${PN} = " \ - cryptsetup \ - rng-tools \ trustfence-tool \ util-linux-findfs \ wipe \ + u-boot-fw-utils \ +" + +RDEPENDS_${PN}_append_ccimx6sbc = " \ + cryptsetup \ + rng-tools \ +" + +RDEPENDS_${PN}_append_ccimx6ul = " \ + mtd-utils-ubifs \ " diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-initramfs-init similarity index 100% rename from meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-initramfs-init rename to meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-initramfs-init diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-install.sh similarity index 100% rename from meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/trustfence-install.sh rename to meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6sbc/trustfence-install.sh diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init new file mode 100644 index 000000000..86fa165e3 --- /dev/null +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-initramfs-init 
@@ -0,0 +1,98 @@
+#!/bin/sh
+#===============================================================================
+#
+# trustfence-initramfs-init
+#
+# Copyright (C) 2016 by Digi International Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 as published by
+# the Free Software Foundation.
+#
+#
+# !Description: Init script for Trustfence initramfs
+#
+#===============================================================================
+
+export PATH=/bin:/sbin:/usr/bin:/usr/sbin
+
+mkdir -p /proc /sys /dev
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+mount -t devtmpfs devtmpfs /dev
+
+# Set kernel console loglevel
+LOGLEVEL="$(sysctl -n kernel.printk)"
+sysctl -q -w kernel.printk=4
+
+for arg in $(cat /proc/cmdline); do
+ case "${arg}" in
+ init=*|rescue=1|root=*|trustfence_install=*) eval ${arg};;
+ trustfence_fskey*)
+ tf_fskey_bool=true;
+ eval ${arg};;
+ esac
+done
+
+# Translate "PARTUUID=..."
to real device
+root="/dev/$(findfs ${root})"
+
+rescue_shell () {
+ # Expand console and respawn if exited
+ while true; do
+ setsid cttyhack sh -l
+ sleep 1
+ done
+}
+
+# Jump to a rescue shell if requested
+if [ -n "${rescue}" ]; then
+ rescue_shell
+fi
+
+if [ -n "${tf_fskey_bool}" ]; then
+ # Program key if trustfence_fskey kernel parameter exists
+ if [ -n "${trustfence_fskey}" ]; then
+ # trustfence_fskey not empty - use provided key
+ printf "\nUsing provided key\n"
+ trustfence-tool --newkey=${trustfence_fskey}
+ if [ "${?}" != "0" ]; then
+ error "trustfence-tool: key generation"
+ fi
+ else
+ # trustfence_fskey empty - use random key
+ printf "\nGenerating new random key\n"
+ trustfence-tool --newkey
+ if [ "${?}" != "0" ]; then
+ error "trustfence-tool: key generation"
+ fi
+ fi
+ echo "\nFile system encryption key changed.\n"
+ echo "A system reboot is needed for the kernel to use it.\n"
+ rescue_shell
+fi
+
+# Run install script if "trustfence_install" kernel parameter exists
+if [ -n "${trustfence_install}" ]; then
+ trustfence-install.sh ${trustfence_install}
+ sleep 1
+ echo ">> Rebooting the system"
+ sleep 1
+ sync && reboot -f
+fi
+
+# Mount device
+mkdir -p /newroot
+mount -t "ubifs" ${root} /newroot
+
+#
+# Clean-up and do the switch_root to the final rootfs
+#
+# - restore previous kernel console loglevel
+# - umount virtual filesystems
+#
+[ -n "${LOGLEVEL}" ] && sysctl -q -w kernel.printk="${LOGLEVEL}"
+mount --move /dev /newroot/dev
+umount /sys /proc
+exec switch_root /newroot ${init:-/sbin/init}
diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh
new file mode 100644
index 000000000..e87f01e6c
--- /dev/null
+++ b/meta-digi-dey/recipes-core/trustfence/trustfence-initramfs/ccimx6ul/trustfence-install.sh
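Review bot: `eval ${arg}` in the `/proc/cmdline` loop runs every matching boot argument as shell code, so shell metacharacters in the value of `init=`, `root=`, `trustfence_install=` or anything starting with `trustfence_fskey` are executed as root inside the initramfs; how exposed that is depends on how the kernel command line is protected on this platform, which the diff does not show. Plain assignment with parameter expansion, as in the fence below, removes the evaluation (if the bootloader passes surrounding quotes they would then need stripping explicitly). Separately, both key-programming branches call `error`, which this file never defines, so a failed `trustfence-tool --newkey` only yields a command-not-found message and the script still prints "File system encryption key changed"; define `error` in this file or stop on the non-zero status directly. A key supplied through `trustfence_fskey=` also remains readable in `/proc/cmdline` afterwards, which deserves a comment at that branch.

```shell
# … unchanged: PATH export, virtual filesystem mounts, console loglevel …

for arg in $(cat /proc/cmdline); do
	case "${arg}" in
		init=*)   init="${arg#init=}";;
		rescue=1) rescue=1;;
		root=*)   root="${arg#root=}";;
		trustfence_install=*)
			trustfence_install="${arg#trustfence_install=}";;
		trustfence_fskey=*)
			tf_fskey_bool=true
			trustfence_fskey="${arg#trustfence_fskey=}";;
		trustfence_fskey)
			tf_fskey_bool=true;;
	esac
done

# … unchanged: root lookup, rescue shell, key programming, install, switch_root …
```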
@@ -0,0 +1,94 @@
+#!/bin/sh
+#===============================================================================
+#
+# trustfence-install.sh
+#
+# Copyright (C) 2016 by Digi International Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 as published by
+# the Free Software Foundation.
+#
+#
+# !Description: Wrapper script for initial deployment of encrypted filesystems
+#
+# The script gathers the needed information from the 'trustfence_install'
+# kernel command line parameter with following syntax:
+#
+# trustfence_install="source:serverip:filename:partname"
+# source -> 'tftp' |
+# serverip -> | '' (serverip or empty if local)
+# filename -> (path relative to 'source')
+# partname -> (should match an entry on the
+# partition table)
+#
+# For 'tftp' mode the kernel IP autoconfig may be used to bring the network
+# interface up, with 'ip' kernel parameter. Examples:
+#
+# ip=:::::eth0:off
+# ip=dhcp
+#
+# This script is meant for testing purposes. It's NOT a stable API and may
+# be subject to change.
+#
+#===============================================================================
+
+set -o pipefail
+
+TF_INSTALL_INFO="${1}"
+
+error() {
+ [ "${#}" != "0" ] && printf "\n[ERROR]: %s\n\n" "${1}"
+ exit 1
+}
+
+# Parse trustfence_install kernel parameter
+IFS=":" read SOURCE SERVERIP FILENAME PARTNAME <<_EOF_
+${TF_INSTALL_INFO}
+_EOF_
+
+# Validate command line arguments
+if [ -z "${SOURCE}" ] || [ -z "${FILENAME}" ] || [ -z "${PARTNAME}" ] || { [ "${SOURCE}" = "tftp" ] && [ -z "${SERVERIP}" ]; }; then
+ error "wrong 'trustfence_install' parameter: ${TF_INSTALL_INFO}"
+fi
+
+# Format partition
+mtdindex="$(sed -ne "/\"${PARTNAME}\"$/s,^mtd\([0-9]\):.*,\1,g;T;p" /proc/mtd)"
+ubidetach -p /dev/mtd${mtdindex} >/dev/null 2>&1
+ubiformat -y /dev/mtd${mtdindex}
+UBI_DEVICE="$(ubiattach -p /dev/mtd${mtdindex} | sed -ne 's,.*device number \([0-9]\).*,\1,g;T;p')"
+ubimkvol /dev/ubi${UBI_DEVICE} -N "${PARTNAME}" -m
+
+# Install image to the encrypted mapped device
+if [ "${SOURCE}" = "tftp" ]; then
+ printf "\nInstalling ${FILENAME} from TFTP\n\n"
+ FILE=$(basename "$FILENAME")
+ tftp -g -l - -r "${FILENAME}" "${SERVERIP}" > ${FILE} || { error "tftp failed"; }
+ FILESIZE=$(stat -c%s "$FILE")
+ pv -tprebW ${FILE} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null
+ rm -f ${FILE}
+ if [ "${?}" != "0" ]; then
+ error "write ${FILENAME}"
+ fi
+elif [ -b "${SOURCE}" ]; then
+ printf "\nInstalling ${FILENAME} from local media\n\n"
+ MOUNTPOINT="/media/$(basename ${SOURCE})"
+ FSTYPE="$(blkid ${SOURCE} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')"
+ mkdir -p ${MOUNTPOINT}
+ mount -r ${FSTYPE:+-t ${FSTYPE}} ${SOURCE} ${MOUNTPOINT}
+ FILESIZE=$(stat -c%s "${MOUNTPOINT}/${FILENAME}")
+ pv -tprebW ${MOUNTPOINT}/${FILENAME} | ubiupdatevol /dev/ubi${UBI_DEVICE}_0 -s ${FILESIZE} - 2>/dev/null
+ if [ "${?}" != "0" ]; then
+ error "write ${FILENAME}"
+ fi
+ umount ${SOURCE}
+else
+ error "${SOURCE} is neither a block device nor 'tftp'"
+fi
+
+echo ""
+echo
"#######################" +echo "# Install completed #" +echo "#######################" +echo "" diff --git a/meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb b/meta-digi-dey/recipes-core/trustfence/trustfence-tool_2.0.bb similarity index 57% rename from meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb rename to meta-digi-dey/recipes-core/trustfence/trustfence-tool_2.0.bb index 7d42d034e..6786d116c 100644 --- a/meta-digi-dey/recipes-core/trustfence/trustfence-tool_1.0.bb +++ b/meta-digi-dey/recipes-core/trustfence/trustfence-tool_2.0.bb @@ -6,7 +6,7 @@ LICENSE = "CLOSED" SRC_URI = "${DIGI_PKG_SRC}/${BP}.tar.gz" -SRC_URI[md5sum] = "eea4efe8b8e7527a0ffeea16fd238ba3" -SRC_URI[sha256sum] = "aefeb08f2db59c891cf1162488499448bf9d80d64b2778d4fda11343793373e7" +SRC_URI[md5sum] = "413084cc2045d345883189cd0d68ca76" +SRC_URI[sha256sum] = "dff702f2838a7802103469c1ba07daead206652774e02a0a855b08d94aafe5fe" inherit bin_package
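Review bot: In the `tftp` branch of trustfence-install.sh the `if [ "${?}" != "0" ]` test comes after `rm -f ${FILE}`, so it checks the exit status of `rm` and a failed `pv | ubiupdatevol` write is still reported as a completed install; save the status first with `rc=$?` directly after the pipeline, then `rm -f "${FILE}"` and `if [ "${rc}" != "0" ]`. The `mtdindex` lookup captures a single digit (`\([0-9]\)`) and is never checked for emptiness, so an unknown `partname`, or an MTD index of 10 or more, hands a bare `/dev/mtd` to `ubiformat -y`; a guard such as `[ -n "${mtdindex}" ] || error "partition ${PARTNAME} not found"` before the format step would make that failure explicit. The image fetched over TFTP is written to the volume without any integrity or authenticity check; the header's "testing purposes" caveat covers that only if the script is kept off production images, so a comment stating that assumption next to the `tftp` call would help.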