From b4df14280514875770794eef5c21bfbe56a72d76 Mon Sep 17 00:00:00 2001 From: Javier Viguera Date: Tue, 12 Sep 2023 18:00:28 +0200 Subject: [PATCH] trustfence-cst: upgrade to version 3.3.2 This version supports i.MX8ULP and i.MX9x devices. NOTICE: changed the "srk_ca" parameter in ahab_pki_tree.sh from "yes" to "no". This script is shared between cc8x and ccimx93. The imx93 does not support that option at the moment (generation of subordinate SGK certs) and for the cc8x we were generating them but never used them to sign the artifacts. 
Signed-off-by: Javier Viguera --- ...1.bb => nativesdk-trustfence-cst_3.3.2.bb} | 0 ...cst-3.3.1.inc => trustfence-cst-3.3.2.inc} | 15 ++-- ...crypted_data-reuse-existing-DEK-file.patch | 12 +-- ...elper-use-dev-urandom-as-seed-source.patch | 4 +- ...ab4_pki_tree.sh-adapt-script-for-DEY.patch | 77 +++++----------- ...hab_pki_tree.sh-adapt-script-for-DEY.patch | 90 +++++++++---------- ....3.1.bb => trustfence-cst-native_3.3.2.bb} | 0 ....mk-weaken-specific-function-err_msg.patch | 32 ------- 8 files changed, 81 insertions(+), 149 deletions(-) rename meta-digi-arm/recipes-bsp/trustfence-cst/{nativesdk-trustfence-cst_3.3.1.bb => nativesdk-trustfence-cst_3.3.2.bb} (100%) rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-3.3.1.inc => trustfence-cst-3.3.2.inc} (78%) rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst => trustfence-cst-3.3.2}/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch (66%) rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst => trustfence-cst-3.3.2}/0002-openssl_helper-use-dev-urandom-as-seed-source.patch (90%) rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst => trustfence-cst-3.3.2}/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch (79%) rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst => trustfence-cst-3.3.2}/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch (74%) rename meta-digi-arm/recipes-bsp/trustfence-cst/{trustfence-cst-native_3.3.1.bb => trustfence-cst-native_3.3.2.bb} (100%) delete mode 100644 meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.3.1.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.3.2.bb similarity index 100% rename from meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.3.1.bb rename to meta-digi-arm/recipes-bsp/trustfence-cst/nativesdk-trustfence-cst_3.3.2.bb 
diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2.inc similarity index 78% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2.inc index 593a5f127..5406f6215 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.1.inc +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2.inc @@ -1,4 +1,4 @@ -# Copyright (C) 2017-2022 Digi International +# Copyright (C) 2017-2023 Digi International SUMMARY = "NXP Code signing Tool for the High Assurance Boot library" DESCRIPTION = "Provides software code signing support designed for use with \ @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=1fbcd66ae51447aa94da10cbf6271530" DEPENDS = "byacc-native flex-native" -OPENSSL1_VERSION = "1.1.1s" +OPENSSL1_VERSION = "1.1.1t" SRC_URI = " \ ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \ 
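Review bot: `OPENSSL1_VERSION = "1.1.1t"` pins the OpenSSL tree that the signing tool is built against to a release that is not the last one of the 1.1.1 series, and upstream no longer maintains that series. The cst binary is compiled against this tree (see `OPENSSL_PATH` in do_compile). It is worth confirming whether CST 3.3.2 needs exactly this version or also builds against the final 1.1.1 patch release. If the CST release dictates the pin, a comment above it such as `# OpenSSL version is dictated by the cst-${PV} release; do not bump independently` would record why it is not newer.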
@@ -18,20 +18,19 @@ SRC_URI = " \ file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \ file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \ file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \ - file://0005-rules.mk-weaken-specific-function-err_msg.patch \ " -SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794" -SRC_URI[cst.sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9" -SRC_URI[openssl.md5sum] = "077f69d357758c7d6ef686f813e16f30" -SRC_URI[openssl.sha256sum] = "c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa" +SRC_URI[cst.md5sum] = "4b9fccac381fa412cba8ba7028c154c7" +SRC_URI[cst.sha256sum] = "517b11dca181e8c438a6249f56f0a13a0eb251b30e690760be3bf6191ee06c68" +SRC_URI[openssl.md5sum] = "1cfee919e0eac6be62c88c5ae8bcd91e" +SRC_URI[openssl.sha256sum] = "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b" S = "${WORKDIR}/cst-${PV}" do_compile() { cd code/cst oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 openssl - oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 rel_bin + oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 os_bin } do_install() { diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch similarity index 66% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch index 709cae579..887f79e83 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch 
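Review bot: The commit message does not explain why `0005-rules.mk-weaken-specific-function-err_msg.patch` is dropped from SRC_URI. That patch worked around a binutils 2.38 `objcopy --weaken` bug that produced a malformed cst binary. If rules.mk in 3.3.2 still runs the global `--weaken`, builds on hosts with that binutils would regress, so the description should state that upstream no longer needs the workaround, or the patch should be rebased. The switch from `rel_bin` to `os_bin` in do_compile would also benefit from a short comment naming what the new target builds, e.g. `# cst 3.3.2: os_bin replaces rel_bin as the host binary target`, if that is indeed the case.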
+++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0001-gen_auth_encrypted_data-reuse-existing-DEK-file.patch @@ -12,14 +12,14 @@ https://jira.digi.com/browse/DUB-608 Signed-off-by: Diaz de Grenu, Jose --- - code/cst/code/back_end/src/adapt_layer_openssl.c | 1 + + code/cst/code/back_end-ssl/src/adapt_layer_openssl.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/code/cst/code/back_end/src/adapt_layer_openssl.c b/code/cst/code/back_end/src/adapt_layer_openssl.c -index 38b8bf5..f389e23 100755 ---- a/code/cst/code/back_end/src/adapt_layer_openssl.c -+++ b/code/cst/code/back_end/src/adapt_layer_openssl.c -@@ -1146,6 +1146,7 @@ int32_t gen_auth_encrypted_data(const char* in_file, +diff --git a/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c b/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c +index d8df54e..86e7e4f 100755 +--- a/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c ++++ b/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c +@@ -1231,6 +1231,7 @@ int32_t gen_auth_encrypted_data(const char* in_file, printf("\n"); #endif if (0 == key_init_done) { diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0002-openssl_helper-use-dev-urandom-as-seed-source.patch similarity index 90% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0002-openssl_helper-use-dev-urandom-as-seed-source.patch index 4aa674105..9035f62cb 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0002-openssl_helper-use-dev-urandom-as-seed-source.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0002-openssl_helper-use-dev-urandom-as-seed-source.patch @@ -10,10 +10,10 @@ 
Signed-off-by: Diaz de Grenu, Jose 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code/cst/code/common/src/openssl_helper.c b/code/cst/code/common/src/openssl_helper.c -index 871cf55..b62c8a8 100755 +index 1e1131b..918c82e 100755 --- a/code/cst/code/common/src/openssl_helper.c +++ b/code/cst/code/common/src/openssl_helper.c -@@ -414,7 +414,7 @@ void print_version(void) +@@ -404,7 +404,7 @@ void print_version(void) ---------------------------*/ uint32_t seed_prng(uint32_t bytes) { diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch similarity index 79% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch index 408bc1cd7..78bde2d42 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch @@ -11,15 +11,16 @@ Subject: [PATCH] hab4_pki_tree.sh: adapt script for DEY * extract public keys from certificates: the public key needs to be available on the rootfs so that signed SWU packages can be authenticated. +Co-Authored-By: Javier Viguera Co-Authored-By: Hector Palacios Co-Authored-By: Diaz de Grenu, Jose Signed-off-by: Arturo Buzarra --- - keys/hab4_pki_tree.sh | 88 ++++++++++++++++++++++++++++--------------- - 1 file changed, 58 insertions(+), 30 deletions(-) + keys/hab4_pki_tree.sh | 80 +++++++++++++++++++++++++++++-------------- + 1 file changed, 54 insertions(+), 26 deletions(-) diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh -index 944cc66..e76f22f 100755 +index 49834f0..de0c969 100755 --- a/keys/hab4_pki_tree.sh 
+++ b/keys/hab4_pki_tree.sh @@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" @@ -35,12 +36,12 @@ index 944cc66..e76f22f 100755 echo "$0" echo echo "Command Line Mode:" -- echo "$0 -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -duration -num-srk <1-4> -srk-ca " -+ echo "$0 [-csf-path] -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -duration -num-srk <1-4> -srk-ca " - echo "Options:" - echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521" - echo " : -use-ecc = n then Supported key lengths: 1024, 2048, 3072, 4096" -@@ -89,10 +91,18 @@ usage() +- echo "$0 -existing-ca [-ca-key -ca-cert ] -kt < rsa/rsa-pss/ecc> -kl -duration -num-srk <1-4> -srk-ca " ++ echo "$0 [-csf-path] -existing-ca [-ca-key -ca-cert ] -kt < rsa/rsa-pss/ecc> -kl -duration -num-srk <1-4> -srk-ca " + echo " Key Type Options:" + echo " -kl ecc : then Supported key lengths: p256, p384, p521" + echo " -kl rsa : then Supported key lengths: 1024, 2048, 3072, 4096" +@@ -90,10 +92,18 @@ usage() echo } @@ -52,7 +53,7 @@ index 944cc66..e76f22f 100755 +# Default values +existing_ca="n" -+use_ecc="n" ++kt="rsa" +kl=4096 +duration=10 +num_srk=4 @@ -61,7 +62,7 @@ index 944cc66..e76f22f 100755 if [ $interactive = "n" ] then # Validate command line parameters -@@ -111,6 +121,11 @@ then +@@ -112,6 +122,11 @@ then while [ $num_param -le $max_param ] && [ "$1" != "" ] do case $1 in @@ -73,7 +74,7 @@ index 944cc66..e76f22f 100755 -existing-ca) shift existing_ca=$1 -@@ -164,9 +179,8 @@ then +@@ -165,9 +180,8 @@ then shift ;; *) @@ -85,7 +86,7 @@ index 944cc66..e76f22f 100755 ;; esac num_param=$(( num_param + 2 )) -@@ -242,6 +256,16 @@ then +@@ -261,6 +275,16 @@ then read duration fi @@ -102,7 +103,7 @@ index 944cc66..e76f22f 100755 # Compute validity period val_period=$((duration*365)) -@@ -275,9 +299,9 @@ then +@@ -294,9 +318,9 @@ then script_name=$0 fi script_path=$(cd $(dirname "${script_name}") && pwd -P) 
@@ -115,7 +116,7 @@ index 944cc66..e76f22f 100755 if [ ! -d "${keys_dir}" ] then -@@ -291,11 +315,11 @@ then +@@ -310,11 +334,11 @@ then exit 1 fi @@ -132,7 +133,7 @@ index 944cc66..e76f22f 100755 # Switch current working directory to keys directory, if needed. if [ "${crt_dir}" != "${keys_dir}" ] -@@ -318,9 +342,10 @@ fi +@@ -337,9 +361,10 @@ fi # Check that the file "key_pass.txt" is present, if not create it with default user/pwd: if [ ! -f key_pass.txt ] then @@ -146,7 +147,7 @@ index 944cc66..e76f22f 100755 fi # The following is required otherwise OpenSSL complains -@@ -365,7 +390,7 @@ then +@@ -384,7 +409,7 @@ then -x509 -extensions v3_ca \ -keyout temp_ca.pem \ -out ${ca_cert}.pem \ @@ -155,16 +156,7 @@ index 944cc66..e76f22f 100755 # Generate CA key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -@@ -382,7 +407,7 @@ then - openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der - - # Cleanup -- \rm temp_ca.pem -+ rm temp_ca.pem - fi - - -@@ -432,10 +457,10 @@ then +@@ -452,10 +477,10 @@ then -in ./temp_srk_req.pem \ -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ @@ -177,16 +169,7 @@ index 944cc66..e76f22f 100755 # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -456,7 +481,7 @@ then - -out ${srk_key}.pem - - # Cleanup -- \rm ./temp_srk.pem ./temp_srk_req.pem -+ rm ./temp_srk.pem ./temp_srk_req.pem - i=$((i+1)) - done - else -@@ -505,10 +530,10 @@ do +@@ -526,10 +551,10 @@ do -in ./temp_srk_req.pem \ -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ @@ -199,7 +182,7 @@ index 944cc66..e76f22f 100755 # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -574,10 +599,10 @@ do +@@ -596,10 +621,10 @@ do -in ./temp_csf_req.pem \ -cert ${srk_crt_i} \ -keyfile ${srk_key_i} \ 
@@ -212,16 +195,7 @@ index 944cc66..e76f22f 100755 # Convert CSF Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -596,7 +621,7 @@ do - -out ${csf_key}.pem - - # Cleanup -- \rm ./temp_csf.pem ./temp_csf_req.pem -+ rm ./temp_csf.pem ./temp_csf_req.pem - - echo - echo ++++++++++++++++++++++++++++++++++++++++ -@@ -636,10 +661,10 @@ do +@@ -659,10 +684,10 @@ do -in ./temp_img_req.pem \ -cert ${srk_crt_i} \ -keyfile ${srk_key_i} \ @@ -234,7 +208,7 @@ index 944cc66..e76f22f 100755 # Convert IMG Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -657,8 +682,11 @@ do +@@ -680,6 +705,9 @@ do -in temp_img.pem \ -out ${img_key}.pem @@ -242,8 +216,5 @@ index 944cc66..e76f22f 100755 + openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub + # Cleanup -- \rm ./temp_img.pem ./temp_img_req.pem -+ rm ./temp_img.pem ./temp_img_req.pem + \rm ./temp_img.pem ./temp_img_req.pem - i=$((i+1)) - done diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch similarity index 74% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch index 55bcd3d77..11387df9d 100644 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch +++ b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-3.3.2/0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch 
@@ -11,15 +11,16 @@ Subject: [PATCH] ahab_pki_tree.sh: adapt script for DEY * extract public keys from certificates: the public key needs to be available on the rootfs so that signed SWU packages can be authenticated. +Co-Authored-By: Javier Viguera Co-Authored-By: Hector Palacios Co-Authored-By: Mike Engel Signed-off-by: Arturo Buzarra --- - keys/ahab_pki_tree.sh | 80 +++++++++++++++++++++++++++++-------------- - 1 file changed, 54 insertions(+), 26 deletions(-) + keys/ahab_pki_tree.sh | 79 ++++++++++++++++++++++++++++++------------- + 1 file changed, 55 insertions(+), 24 deletions(-) diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh -index f5ab36c..13843f9 100755 +index 0327f83..5c986b2 100755 --- a/keys/ahab_pki_tree.sh +++ b/keys/ahab_pki_tree.sh @@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" @@ -35,12 +36,12 @@ index f5ab36c..13843f9 100755 echo "$0" echo echo "Command Line Mode:" -- echo "$0 -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -da -duration -srk-ca " -+ echo "$0 [-csf-path] -existing-ca [-ca-key -ca-cert ] -use-ecc -kl -da -duration -srk-ca " +- echo "$0 -existing-ca [-ca-key -ca-cert ] -kt -kl -da -duration -srk-ca " ++ echo "$0 [-csf-path] -existing-ca [-ca-key -ca-cert ] -kt -kl -da -duration -srk-ca " echo "Options:" - echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521" - echo " : -use-ecc = n then Supported key lengths: 2048, 3072, 4096" -@@ -88,10 +90,18 @@ usage() + echo " -kt ecc : then Supported key lengths: p256, p384, p521" + echo " -kt rsa : then Supported key lengths: 2048, 3072, 4096" +@@ -89,10 +91,18 @@ usage() echo } 
@@ -52,16 +53,16 @@ index f5ab36c..13843f9 100755 +# Default values +existing_ca="n" -+use_ecc="y" ++kt="ecc" +kl=p521 +da=sha512 +duration=10 -+srk_ca="y" ++srk_ca="n" + if [ $interactive = "n" ] then # Validate command line parameters -@@ -110,6 +120,11 @@ then +@@ -111,6 +121,11 @@ then while [ $num_param -le $max_param ] && [ "$1" != "" ] do case $1 in @@ -73,7 +74,7 @@ index f5ab36c..13843f9 100755 -existing-ca) shift existing_ca=$1 -@@ -163,9 +178,8 @@ then +@@ -164,9 +179,8 @@ then shift ;; *) @@ -85,7 +86,7 @@ index f5ab36c..13843f9 100755 ;; esac num_param=$(( num_param + 2 )) -@@ -255,6 +269,16 @@ then +@@ -274,6 +288,16 @@ then read duration fi @@ -102,7 +103,7 @@ index f5ab36c..13843f9 100755 # Compute validity period val_period=$((duration*365)) -@@ -286,9 +310,9 @@ then +@@ -305,9 +329,9 @@ then script_name=$0 fi script_path=$(cd $(dirname "${script_name}") && pwd -P) @@ -115,14 +116,14 @@ index f5ab36c..13843f9 100755 if [ ! -d "${keys_dir}" ] then -@@ -302,11 +326,11 @@ then - exit 1 +@@ -321,11 +345,11 @@ then + exit 1 fi -if [ ! -d "${ca_dir}" ] -then - echo ERROR: "Openssl configuration directory ${ca_dir} is missing. Expecting /ca directory to hold openssl configuration files." -- exit 1 +- exit 1 -fi +# if [ ! -d "${ca_dir}" ] +# then @@ -132,7 +133,7 @@ index f5ab36c..13843f9 100755 # Switch current working directory to keys directory, if needed. if [ "${crt_dir}" != "${keys_dir}" ] -@@ -329,9 +353,10 @@ fi +@@ -348,9 +372,10 @@ fi # Check that the file "key_pass.txt" is present, if not create it with default user/pwd: if [ ! -f key_pass.txt ] then @@ -146,7 +147,7 @@ index f5ab36c..13843f9 100755 fi # The following is required otherwise OpenSSL complains -@@ -377,7 +402,7 @@ then +@@ -396,7 +421,7 @@ then -x509 -extensions v3_ca \ -keyout temp_ca.pem \ -out ${ca_cert}.pem \ 
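Review bot: The new default `srk_ca="n"` in the defaults block is explained only in the outer commit message, not in the 0004 patch that carries it, so whoever next rebases the patch will not see why the value was chosen. With this default no subordinate SGK certificates are generated, which presumably leaves the SRK keys as the ones that sign artifacts directly; that trade-off should be stated where the value is set. I would add a line above it in the patched script, `# srk_ca=n: ccimx93 does not support subordinate SGK certs yet; SRK keys sign directly`, and list the default change in the patch description. The defaults block is at script top level and the surrounding code continues outside the hunk.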
@@ -155,25 +156,30 @@ index f5ab36c..13843f9 100755 # Generate CA key in PKCS #8 format - both PEM and DER openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ -@@ -394,7 +419,7 @@ then - openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der +@@ -464,10 +489,10 @@ then + -in ./temp_srk_req.pem \ + -cert ${ca_cert}.pem \ + -keyfile ${ca_key}.pem \ +- -extfile ../ca/v3_usr.cnf \ ++ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \ + -out ${srk_crt}.pem \ + -days ${val_period} \ +- -config ../ca/openssl.cnf ++ -config "${SCRIPT_BASEDIR}/openssl.cnf" - # Cleanup -- \rm temp_ca.pem -+ rm temp_ca.pem - fi - - -@@ -468,7 +493,7 @@ then + # Convert SRK Certificate to DER format + openssl x509 -inform PEM -outform DER \ +@@ -487,6 +512,9 @@ then + -in temp_srk.pem \ -out ${srk_key}.pem ++ # Extract public key from the certificate ++ openssl x509 -pubkey -noout -in "${srk_crt}.pem" > ../crts/key${i}.pub ++ # Cleanup -- \rm ./temp_srk.pem ./temp_srk_req.pem -+ rm ./temp_srk.pem ./temp_srk_req.pem + \rm ./temp_srk.pem ./temp_srk_req.pem i=$((i+1)) - done - else -@@ -517,10 +542,10 @@ do +@@ -539,10 +567,10 @@ do -in ./temp_srk_req.pem \ -cert ${ca_cert}.pem \ -keyfile ${ca_key}.pem \ @@ -186,16 +192,7 @@ index f5ab36c..13843f9 100755 # Convert SRK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -541,7 +566,7 @@ do - -out ${srk_key}.pem - - # Cleanup -- \rm ./temp_srk.pem ./temp_srk_req.pem -+ rm ./temp_srk.pem ./temp_srk_req.pem - - echo - echo ++++++++++++++++++++++++++++++++++++++++ -@@ -586,10 +611,10 @@ do +@@ -609,10 +637,10 @@ do -in ./temp_sgk_req.pem \ -cert ${srk_crt_i} \ -keyfile ${srk_key_i} \ @@ -208,7 +205,7 @@ index f5ab36c..13843f9 100755 # Convert SGK Certificate to DER format openssl x509 -inform PEM -outform DER \ -@@ -607,8 +632,11 @@ do +@@ -630,6 +658,9 @@ do -in temp_sgk.pem \ -out ${sgk_key}.pem 
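Review bot: The added `openssl x509 -pubkey -noout -in "${srk_crt}.pem" > ../crts/key${i}.pub`, apparently in the branch taken when the SRKs are not CAs, has no check on its result, and the shell redirect creates the .pub file even when openssl fails. Per the patch description this public key is what the rootfs uses to authenticate signed SWU packages, so an empty or truncated key file should stop the script rather than be picked up later; whether the script already runs under `set -e` is not visible here. Appending `|| { echo "ERROR: cannot extract public key from ${srk_crt}.pem"; exit 1; }` would cover it. The same applies to the existing extraction lines in the SGK loop of this patch and in the IMG loop of 0003. The loop body starts and ends outside the hunk.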
@@ -216,8 +213,5 @@ index f5ab36c..13843f9 100755 + openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub + # Cleanup -- \rm ./temp_sgk.pem ./temp_sgk_req.pem -+ rm ./temp_sgk.pem ./temp_sgk_req.pem + \rm ./temp_sgk.pem ./temp_sgk_req.pem - i=$((i+1)) - done diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.3.1.bb b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.3.2.bb similarity index 100% rename from meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.3.1.bb rename to meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst-native_3.3.2.bb diff --git a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch b/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch deleted file mode 100644 index 1ba99780d..000000000 --- a/meta-digi-arm/recipes-bsp/trustfence-cst/trustfence-cst/0005-rules.mk-weaken-specific-function-err_msg.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From: Hector Palacios -Date: Mon, 30 Jan 2023 10:38:22 +0100 -Subject: [PATCH] rules.mk: weaken specific function err_msg() - -A bug in binutils 2.38 objcopy '--weaken' produces malformed -binaries. -For the cst, it looks like it's enough to weaken function err_msg() -which is otherwise redefined. -Change the global '--weaken' flag with '--weaken-symbol err_msg' -to have the build process generate a valid 'cst' binary. - -Signed-off-by: Hector Palacios - -https://onedigi.atlassian.net/browse/DEL-8332 -https://onedigi.atlassian.net/browse/DEL-8033 ---- - code/cst/code/build/make/rules.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/code/cst/code/build/make/rules.mk b/code/cst/code/build/make/rules.mk -index 1c0842b..032e18b 100755 ---- a/code/cst/code/build/make/rules.mk -+++ b/code/cst/code/build/make/rules.mk -@@ -27,7 +27,7 @@ LFLAGS := -t - $(AR) $(ARFLAGS) $@ $^ - ifneq ($(OSTYPE),mingw32) - ifneq ($(OSTYPE),osx) -- $(OBJCOPY) --weaken $@ -+ $(OBJCOPY) --weaken-symbol err_msg $@ - endif - endif -