trustfence-cst: upgrade to version 3.3.2

This version supports i.MX8ULP and i.MX9x devices.

NOTICE: changed the "srk_ca" parameter in ahab_pki_tree.sh from "yes" to
"no". This script is shared between cc8x and ccimx93. The imx93 does not
support that option at the moment (generation of subordinate SGK certs),
and on the cc8x we were generating them but never using them to sign
the artifacts.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Javier Viguera 2023-09-12 18:00:28 +02:00
parent d7692af7a4
commit b4df142805
8 changed files with 81 additions and 149 deletions


@ -1,4 +1,4 @@
# Copyright (C) 2017-2022 Digi International # Copyright (C) 2017-2023 Digi International
SUMMARY = "NXP Code signing Tool for the High Assurance Boot library" SUMMARY = "NXP Code signing Tool for the High Assurance Boot library"
DESCRIPTION = "Provides software code signing support designed for use with \ DESCRIPTION = "Provides software code signing support designed for use with \
@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.bsd3;md5=1fbcd66ae51447aa94da10cbf6271530"
DEPENDS = "byacc-native flex-native" DEPENDS = "byacc-native flex-native"
OPENSSL1_VERSION = "1.1.1s" OPENSSL1_VERSION = "1.1.1t"
SRC_URI = " \ SRC_URI = " \
${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \ ${DIGI_PKG_SRC}/cst-${PV}.tgz;name=cst \
@ -18,20 +18,19 @@ SRC_URI = " \
file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \ file://0002-openssl_helper-use-dev-urandom-as-seed-source.patch \
file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \ file://0003-hab4_pki_tree.sh-adapt-script-for-DEY.patch \
file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \ file://0004-ahab_pki_tree.sh-adapt-script-for-DEY.patch \
file://0005-rules.mk-weaken-specific-function-err_msg.patch \
" "
SRC_URI[cst.md5sum] = "27ba9c8bc0b8a7f14d23185775c53794" SRC_URI[cst.md5sum] = "4b9fccac381fa412cba8ba7028c154c7"
SRC_URI[cst.sha256sum] = "8b7e44e3e126f814f5caf8a634646fe64021405302ca59ff02f5c8f3b9a5abb9" SRC_URI[cst.sha256sum] = "517b11dca181e8c438a6249f56f0a13a0eb251b30e690760be3bf6191ee06c68"
SRC_URI[openssl.md5sum] = "077f69d357758c7d6ef686f813e16f30" SRC_URI[openssl.md5sum] = "1cfee919e0eac6be62c88c5ae8bcd91e"
SRC_URI[openssl.sha256sum] = "c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa" SRC_URI[openssl.sha256sum] = "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b"
S = "${WORKDIR}/cst-${PV}" S = "${WORKDIR}/cst-${PV}"
do_compile() { do_compile() {
cd code/cst cd code/cst
oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 openssl oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 openssl
oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 rel_bin oe_runmake OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION} OSTYPE=linux64 os_bin
} }
do_install() { do_install() {
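Review bot: The OpenSSL bump on the new side of the SRC_URI hunk stops at 1.1.1t, which is not the final release of the 1.1.1 series, and that series reached end of life in September 2023, the month of this commit; because cst is linked against this bundled copy (`OPENSSL_PATH=${WORKDIR}/openssl-${OPENSSL1_VERSION}`), the signing tool inherits whatever the later 1.1.1 releases fixed, so the recipe should pin the last 1.1.1 release, or a newer branch if CST 3.3.2 supports one. The removal of `file://0005-rules.mk-weaken-specific-function-err_msg.patch` is not mentioned in the commit message; a line in the message such as `Drop 0005: cst 3.3.2 no longer needs the objcopy --weaken workaround for binutils 2.38` would record why the workaround is safe to drop, which presumably means upstream changed rules.mk, something the page does not show. The `rel_bin` to `os_bin` target change in do_compile is likewise unexplained; if it is an upstream Makefile rename, saying so would help the next upgrade. do_install's body continues outside the hunk.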


@ -12,14 +12,14 @@ https://jira.digi.com/browse/DUB-608
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com> Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
--- ---
code/cst/code/back_end/src/adapt_layer_openssl.c | 1 + code/cst/code/back_end-ssl/src/adapt_layer_openssl.c | 1 +
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/code/cst/code/back_end/src/adapt_layer_openssl.c b/code/cst/code/back_end/src/adapt_layer_openssl.c diff --git a/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c b/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c
index 38b8bf5..f389e23 100755 index d8df54e..86e7e4f 100755
--- a/code/cst/code/back_end/src/adapt_layer_openssl.c --- a/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c
+++ b/code/cst/code/back_end/src/adapt_layer_openssl.c +++ b/code/cst/code/back_end-ssl/src/adapt_layer_openssl.c
@@ -1146,6 +1146,7 @@ int32_t gen_auth_encrypted_data(const char* in_file, @@ -1231,6 +1231,7 @@ int32_t gen_auth_encrypted_data(const char* in_file,
printf("\n"); printf("\n");
#endif #endif
if (0 == key_init_done) { if (0 == key_init_done) {


@ -10,10 +10,10 @@ Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/cst/code/common/src/openssl_helper.c b/code/cst/code/common/src/openssl_helper.c diff --git a/code/cst/code/common/src/openssl_helper.c b/code/cst/code/common/src/openssl_helper.c
index 871cf55..b62c8a8 100755 index 1e1131b..918c82e 100755
--- a/code/cst/code/common/src/openssl_helper.c --- a/code/cst/code/common/src/openssl_helper.c
+++ b/code/cst/code/common/src/openssl_helper.c +++ b/code/cst/code/common/src/openssl_helper.c
@@ -414,7 +414,7 @@ void print_version(void) @@ -404,7 +404,7 @@ void print_version(void)
---------------------------*/ ---------------------------*/
uint32_t seed_prng(uint32_t bytes) uint32_t seed_prng(uint32_t bytes)
{ {


@ -11,15 +11,16 @@ Subject: [PATCH] hab4_pki_tree.sh: adapt script for DEY
* extract public keys from certificates: the public key needs to be * extract public keys from certificates: the public key needs to be
available on the rootfs so that signed SWU packages can be authenticated. available on the rootfs so that signed SWU packages can be authenticated.
Co-Authored-By: Javier Viguera <javier.viguera@digi.com>
Co-Authored-By: Hector Palacios <hector.palacios@digi.com> Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
Co-Authored-By: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com> Co-Authored-By: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com> Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
--- ---
keys/hab4_pki_tree.sh | 88 ++++++++++++++++++++++++++++--------------- keys/hab4_pki_tree.sh | 80 +++++++++++++++++++++++++++++--------------
1 file changed, 58 insertions(+), 30 deletions(-) 1 file changed, 54 insertions(+), 26 deletions(-)
diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh diff --git a/keys/hab4_pki_tree.sh b/keys/hab4_pki_tree.sh
index 944cc66..e76f22f 100755 index 49834f0..de0c969 100755
--- a/keys/hab4_pki_tree.sh --- a/keys/hab4_pki_tree.sh
+++ b/keys/hab4_pki_tree.sh +++ b/keys/hab4_pki_tree.sh
@@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" @@ -66,6 +66,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
@ -35,12 +36,12 @@ index 944cc66..e76f22f 100755
echo "$0" echo "$0"
echo echo
echo "Command Line Mode:" echo "Command Line Mode:"
- echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -duration <years> -num-srk <1-4> -srk-ca <y/n>" - echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -kt < rsa/rsa-pss/ecc> -kl <ECC Curve/RSA Key Length> -duration <years> -num-srk <1-4> -srk-ca <y/n>"
+ echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -duration <years> -num-srk <1-4> -srk-ca <y/n>" + echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -kt < rsa/rsa-pss/ecc> -kl <ECC Curve/RSA Key Length> -duration <years> -num-srk <1-4> -srk-ca <y/n>"
echo "Options:" echo " Key Type Options:"
echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521" echo " -kl ecc : then Supported key lengths: p256, p384, p521"
echo " : -use-ecc = n then Supported key lengths: 1024, 2048, 3072, 4096" echo " -kl rsa : then Supported key lengths: 1024, 2048, 3072, 4096"
@@ -89,10 +91,18 @@ usage() @@ -90,10 +92,18 @@ usage()
echo echo
} }
@ -52,7 +53,7 @@ index 944cc66..e76f22f 100755
+# Default values +# Default values
+existing_ca="n" +existing_ca="n"
+use_ecc="n" +kt="rsa"
+kl=4096 +kl=4096
+duration=10 +duration=10
+num_srk=4 +num_srk=4
@ -61,7 +62,7 @@ index 944cc66..e76f22f 100755
if [ $interactive = "n" ] if [ $interactive = "n" ]
then then
# Validate command line parameters # Validate command line parameters
@@ -111,6 +121,11 @@ then @@ -112,6 +122,11 @@ then
while [ $num_param -le $max_param ] && [ "$1" != "" ] while [ $num_param -le $max_param ] && [ "$1" != "" ]
do do
case $1 in case $1 in
@ -73,7 +74,7 @@ index 944cc66..e76f22f 100755
-existing-ca) -existing-ca)
shift shift
existing_ca=$1 existing_ca=$1
@@ -164,9 +179,8 @@ then @@ -165,9 +180,8 @@ then
shift shift
;; ;;
*) *)
@ -85,7 +86,7 @@ index 944cc66..e76f22f 100755
;; ;;
esac esac
num_param=$(( num_param + 2 )) num_param=$(( num_param + 2 ))
@@ -242,6 +256,16 @@ then @@ -261,6 +275,16 @@ then
read duration read duration
fi fi
@ -102,7 +103,7 @@ index 944cc66..e76f22f 100755
# Compute validity period # Compute validity period
val_period=$((duration*365)) val_period=$((duration*365))
@@ -275,9 +299,9 @@ then @@ -294,9 +318,9 @@ then
script_name=$0 script_name=$0
fi fi
script_path=$(cd $(dirname "${script_name}") && pwd -P) script_path=$(cd $(dirname "${script_name}") && pwd -P)
@ -115,7 +116,7 @@ index 944cc66..e76f22f 100755
if [ ! -d "${keys_dir}" ] if [ ! -d "${keys_dir}" ]
then then
@@ -291,11 +315,11 @@ then @@ -310,11 +334,11 @@ then
exit 1 exit 1
fi fi
@ -132,7 +133,7 @@ index 944cc66..e76f22f 100755
# Switch current working directory to keys directory, if needed. # Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ] if [ "${crt_dir}" != "${keys_dir}" ]
@@ -318,9 +342,10 @@ fi @@ -337,9 +361,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd: # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ] if [ ! -f key_pass.txt ]
then then
@ -146,7 +147,7 @@ index 944cc66..e76f22f 100755
fi fi
# The following is required otherwise OpenSSL complains # The following is required otherwise OpenSSL complains
@@ -365,7 +390,7 @@ then @@ -384,7 +409,7 @@ then
-x509 -extensions v3_ca \ -x509 -extensions v3_ca \
-keyout temp_ca.pem \ -keyout temp_ca.pem \
-out ${ca_cert}.pem \ -out ${ca_cert}.pem \
@ -155,16 +156,7 @@ index 944cc66..e76f22f 100755
# Generate CA key in PKCS #8 format - both PEM and DER # Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -382,7 +407,7 @@ then @@ -452,10 +477,10 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der
# Cleanup
- \rm temp_ca.pem
+ rm temp_ca.pem
fi
@@ -432,10 +457,10 @@ then
-in ./temp_srk_req.pem \ -in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \ -cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \ -keyfile ${ca_key}.pem \
@ -177,16 +169,7 @@ index 944cc66..e76f22f 100755
# Convert SRK Certificate to DER format # Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -456,7 +481,7 @@ then @@ -526,10 +551,10 @@ do
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1))
done
else
@@ -505,10 +530,10 @@ do
-in ./temp_srk_req.pem \ -in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \ -cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \ -keyfile ${ca_key}.pem \
@ -199,7 +182,7 @@ index 944cc66..e76f22f 100755
# Convert SRK Certificate to DER format # Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -574,10 +599,10 @@ do @@ -596,10 +621,10 @@ do
-in ./temp_csf_req.pem \ -in ./temp_csf_req.pem \
-cert ${srk_crt_i} \ -cert ${srk_crt_i} \
-keyfile ${srk_key_i} \ -keyfile ${srk_key_i} \
@ -212,16 +195,7 @@ index 944cc66..e76f22f 100755
# Convert CSF Certificate to DER format # Convert CSF Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -596,7 +621,7 @@ do @@ -659,10 +684,10 @@ do
-out ${csf_key}.pem
# Cleanup
- \rm ./temp_csf.pem ./temp_csf_req.pem
+ rm ./temp_csf.pem ./temp_csf_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -636,10 +661,10 @@ do
-in ./temp_img_req.pem \ -in ./temp_img_req.pem \
-cert ${srk_crt_i} \ -cert ${srk_crt_i} \
-keyfile ${srk_key_i} \ -keyfile ${srk_key_i} \
@ -234,7 +208,7 @@ index 944cc66..e76f22f 100755
# Convert IMG Certificate to DER format # Convert IMG Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -657,8 +682,11 @@ do @@ -680,6 +705,9 @@ do
-in temp_img.pem \ -in temp_img.pem \
-out ${img_key}.pem -out ${img_key}.pem
@ -242,8 +216,5 @@ index 944cc66..e76f22f 100755
+ openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub + openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub
+ +
# Cleanup # Cleanup
- \rm ./temp_img.pem ./temp_img_req.pem \rm ./temp_img.pem ./temp_img_req.pem
+ rm ./temp_img.pem ./temp_img_req.pem
i=$((i+1))
done
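Review bot: The usage line the patch rewrites on the new side keeps a stray space in `-kt < rsa/rsa-pss/ecc>`, and the option help that follows only lists key lengths for `ecc` and `rsa`, so a reader cannot tell what `-kl` expects for `rsa-pss`; since the patch already replaces that echo to add `[-csf-path] <CSF Path>`, it could emit `-kt <rsa/rsa-pss/ecc>` and add a help line for rsa-pss lengths if the script accepts them (not visible in the hunk). The retained public-key export `openssl x509 -pubkey -noout -in "${img_crt}.pem" > ../crts/key${i}.pub` relies on the earlier cd into the keys directory and on `../crts` existing; if the directory is missing the redirect fails and, unless the script runs with `set -e` (not visible here), the loop continues and the rootfs ends up without a verification key, so a check such as `[ -d ../crts ] || { echo "missing ../crts"; exit 1; }` before the loop would make the failure loud. The enclosing loop starts outside the hunk.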


@ -11,15 +11,16 @@ Subject: [PATCH] ahab_pki_tree.sh: adapt script for DEY
* extract public keys from certificates: the public key needs to be * extract public keys from certificates: the public key needs to be
available on the rootfs so that signed SWU packages can be authenticated. available on the rootfs so that signed SWU packages can be authenticated.
Co-Authored-By: Javier Viguera <javier.viguera@digi.com>
Co-Authored-By: Hector Palacios <hector.palacios@digi.com> Co-Authored-By: Hector Palacios <hector.palacios@digi.com>
Co-Authored-By: Mike Engel <Mike.Engel@digi.com> Co-Authored-By: Mike Engel <Mike.Engel@digi.com>
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com> Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
--- ---
keys/ahab_pki_tree.sh | 80 +++++++++++++++++++++++++++++-------------- keys/ahab_pki_tree.sh | 79 ++++++++++++++++++++++++++++++-------------
1 file changed, 54 insertions(+), 26 deletions(-) 1 file changed, 55 insertions(+), 24 deletions(-)
diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh diff --git a/keys/ahab_pki_tree.sh b/keys/ahab_pki_tree.sh
index f5ab36c..13843f9 100755 index 0327f83..5c986b2 100755
--- a/keys/ahab_pki_tree.sh --- a/keys/ahab_pki_tree.sh
+++ b/keys/ahab_pki_tree.sh +++ b/keys/ahab_pki_tree.sh
@@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n" @@ -64,6 +64,8 @@ printf " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
@ -35,12 +36,12 @@ index f5ab36c..13843f9 100755
echo "$0" echo "$0"
echo echo
echo "Command Line Mode:" echo "Command Line Mode:"
- echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>" - echo "$0 -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -kt <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
+ echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -use-ecc <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>" + echo "$0 [-csf-path] <CSF Path> -existing-ca <y/n> [-ca-key <CA key name> -ca-cert <CA cert name>] -kt <y/n> -kl <ECC/RSA Key Length> -da <digest algorithm> -duration <years> -srk-ca <y/n>"
echo "Options:" echo "Options:"
echo " -kl: -use-ecc = y then Supported key lengths: p256, p384, p521" echo " -kt ecc : then Supported key lengths: p256, p384, p521"
echo " : -use-ecc = n then Supported key lengths: 2048, 3072, 4096" echo " -kt rsa : then Supported key lengths: 2048, 3072, 4096"
@@ -88,10 +90,18 @@ usage() @@ -89,10 +91,18 @@ usage()
echo echo
} }
@ -52,16 +53,16 @@ index f5ab36c..13843f9 100755
+# Default values +# Default values
+existing_ca="n" +existing_ca="n"
+use_ecc="y" +kt="ecc"
+kl=p521 +kl=p521
+da=sha512 +da=sha512
+duration=10 +duration=10
+srk_ca="y" +srk_ca="n"
+ +
if [ $interactive = "n" ] if [ $interactive = "n" ]
then then
# Validate command line parameters # Validate command line parameters
@@ -110,6 +120,11 @@ then @@ -111,6 +121,11 @@ then
while [ $num_param -le $max_param ] && [ "$1" != "" ] while [ $num_param -le $max_param ] && [ "$1" != "" ]
do do
case $1 in case $1 in
@ -73,7 +74,7 @@ index f5ab36c..13843f9 100755
-existing-ca) -existing-ca)
shift shift
existing_ca=$1 existing_ca=$1
@@ -163,9 +178,8 @@ then @@ -164,9 +179,8 @@ then
shift shift
;; ;;
*) *)
@ -85,7 +86,7 @@ index f5ab36c..13843f9 100755
;; ;;
esac esac
num_param=$(( num_param + 2 )) num_param=$(( num_param + 2 ))
@@ -255,6 +269,16 @@ then @@ -274,6 +288,16 @@ then
read duration read duration
fi fi
@ -102,7 +103,7 @@ index f5ab36c..13843f9 100755
# Compute validity period # Compute validity period
val_period=$((duration*365)) val_period=$((duration*365))
@@ -286,9 +310,9 @@ then @@ -305,9 +329,9 @@ then
script_name=$0 script_name=$0
fi fi
script_path=$(cd $(dirname "${script_name}") && pwd -P) script_path=$(cd $(dirname "${script_name}") && pwd -P)
@ -115,7 +116,7 @@ index f5ab36c..13843f9 100755
if [ ! -d "${keys_dir}" ] if [ ! -d "${keys_dir}" ]
then then
@@ -302,11 +326,11 @@ then @@ -321,11 +345,11 @@ then
exit 1 exit 1
fi fi
@ -132,7 +133,7 @@ index f5ab36c..13843f9 100755
# Switch current working directory to keys directory, if needed. # Switch current working directory to keys directory, if needed.
if [ "${crt_dir}" != "${keys_dir}" ] if [ "${crt_dir}" != "${keys_dir}" ]
@@ -329,9 +353,10 @@ fi @@ -348,9 +372,10 @@ fi
# Check that the file "key_pass.txt" is present, if not create it with default user/pwd: # Check that the file "key_pass.txt" is present, if not create it with default user/pwd:
if [ ! -f key_pass.txt ] if [ ! -f key_pass.txt ]
then then
@ -146,7 +147,7 @@ index f5ab36c..13843f9 100755
fi fi
# The following is required otherwise OpenSSL complains # The following is required otherwise OpenSSL complains
@@ -377,7 +402,7 @@ then @@ -396,7 +421,7 @@ then
-x509 -extensions v3_ca \ -x509 -extensions v3_ca \
-keyout temp_ca.pem \ -keyout temp_ca.pem \
-out ${ca_cert}.pem \ -out ${ca_cert}.pem \
@ -155,25 +156,30 @@ index f5ab36c..13843f9 100755
# Generate CA key in PKCS #8 format - both PEM and DER # Generate CA key in PKCS #8 format - both PEM and DER
openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \ openssl pkcs8 -passin file:./key_pass.txt -passout file:./key_pass.txt \
@@ -394,7 +419,7 @@ then @@ -464,10 +489,10 @@ then
openssl x509 -inform PEM -outform DER -in ${ca_cert}.pem -out ${ca_cert}.der -in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \
- -extfile ../ca/v3_usr.cnf \
+ -extfile "${SCRIPT_BASEDIR}/v3_usr.cnf" \
-out ${srk_crt}.pem \
-days ${val_period} \
- -config ../ca/openssl.cnf
+ -config "${SCRIPT_BASEDIR}/openssl.cnf"
# Cleanup # Convert SRK Certificate to DER format
- \rm temp_ca.pem openssl x509 -inform PEM -outform DER \
+ rm temp_ca.pem @@ -487,6 +512,9 @@ then
fi -in temp_srk.pem \
@@ -468,7 +493,7 @@ then
-out ${srk_key}.pem -out ${srk_key}.pem
+ # Extract public key from the certificate
+ openssl x509 -pubkey -noout -in "${srk_crt}.pem" > ../crts/key${i}.pub
+
# Cleanup # Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
i=$((i+1)) i=$((i+1))
done @@ -539,10 +567,10 @@ do
else
@@ -517,10 +542,10 @@ do
-in ./temp_srk_req.pem \ -in ./temp_srk_req.pem \
-cert ${ca_cert}.pem \ -cert ${ca_cert}.pem \
-keyfile ${ca_key}.pem \ -keyfile ${ca_key}.pem \
@ -186,16 +192,7 @@ index f5ab36c..13843f9 100755
# Convert SRK Certificate to DER format # Convert SRK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -541,7 +566,7 @@ do @@ -609,10 +637,10 @@ do
-out ${srk_key}.pem
# Cleanup
- \rm ./temp_srk.pem ./temp_srk_req.pem
+ rm ./temp_srk.pem ./temp_srk_req.pem
echo
echo ++++++++++++++++++++++++++++++++++++++++
@@ -586,10 +611,10 @@ do
-in ./temp_sgk_req.pem \ -in ./temp_sgk_req.pem \
-cert ${srk_crt_i} \ -cert ${srk_crt_i} \
-keyfile ${srk_key_i} \ -keyfile ${srk_key_i} \
@ -208,7 +205,7 @@ index f5ab36c..13843f9 100755
# Convert SGK Certificate to DER format # Convert SGK Certificate to DER format
openssl x509 -inform PEM -outform DER \ openssl x509 -inform PEM -outform DER \
@@ -607,8 +632,11 @@ do @@ -630,6 +658,9 @@ do
-in temp_sgk.pem \ -in temp_sgk.pem \
-out ${sgk_key}.pem -out ${sgk_key}.pem
@ -216,8 +213,5 @@ index f5ab36c..13843f9 100755
+ openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub + openssl x509 -pubkey -noout -in "${srk_crt_i}" > ../crts/key${i}.pub
+ +
# Cleanup # Cleanup
- \rm ./temp_sgk.pem ./temp_sgk_req.pem \rm ./temp_sgk.pem ./temp_sgk_req.pem
+ rm ./temp_sgk.pem ./temp_sgk_req.pem
i=$((i+1))
done
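Review bot: The usage line rewritten on the new side still advertises `-kt <y/n>` although the option help two lines below documents the values as `ecc` and `rsa`, a leftover from the old `-use-ecc <y/n>` flag; since the patch already replaces this echo to add `[-csf-path] <CSF Path>`, it should also correct it to `-kt <rsa/ecc>`. Flipping the default to `srk_ca="n"` means a cc8x user who omits `-srk-ca` now gets a tree in which the SRK keys sign artifacts directly instead of through subordinate SGKs; the commit message explains the imx93 constraint, but a comment next to the default, e.g. `# "n": SRK signs artifacts directly (imx93 has no SGK support; cc8x never used its SGKs)`, would stop a future reader from flipping it back. In the SGK loop the exported key is taken from `${srk_crt_i}` rather than the SGK certificate, which matches the message's statement that SGKs were never used for signing, but deserves a one-line comment for the same reason. The surrounding loops start outside the hunks.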


@ -1,32 +0,0 @@
From: Hector Palacios <hector.palacios@digi.com>
Date: Mon, 30 Jan 2023 10:38:22 +0100
Subject: [PATCH] rules.mk: weaken specific function err_msg()
A bug in binutils 2.38 objcopy '--weaken' produces malformed
binaries.
For the cst, it looks like it's enough to weaken function err_msg()
which is otherwise redefined.
Change the global '--weaken' flag with '--weaken-symbol err_msg'
to have the build process generate a valid 'cst' binary.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8332
https://onedigi.atlassian.net/browse/DEL-8033
---
code/cst/code/build/make/rules.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/code/cst/code/build/make/rules.mk b/code/cst/code/build/make/rules.mk
index 1c0842b..032e18b 100755
--- a/code/cst/code/build/make/rules.mk
+++ b/code/cst/code/build/make/rules.mk
@@ -27,7 +27,7 @@ LFLAGS := -t
$(AR) $(ARFLAGS) $@ $^
ifneq ($(OSTYPE),mingw32)
ifneq ($(OSTYPE),osx)
- $(OBJCOPY) --weaken $@
+ $(OBJCOPY) --weaken-symbol err_msg $@
endif
endif