trustfence: add encrypted boot artifact support for STM platforms
This commit updates the secure boot support for STM platforms based on the STM32 MPU Ecosystem v6.1.0. It introduces support for encrypted boot artifacts, including TF-A and FIP, and enables this functionality for the ConnectCore MP2 platform. This enhancement allows secure boot deployments with both authentication and encryption for improved protection of critical boot components. Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
parent
aabffdd138
commit
c8757b7bf3
|
|
@ -134,11 +134,15 @@ ST_USERFS = "0"
|
|||
|
||||
# Boot artifacts to be copied from the deploy dir to the installer ZIP
|
||||
BOOTABLE_ARTIFACTS = " \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
|
||||
'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
|
||||
'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \
|
||||
'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
|
||||
metadata-ccmp25-dvk.bin \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
|
||||
'fip-ccmp25-dvk-optee-emmc.bin')} \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
|
||||
'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \
|
||||
'fip-ccmp25-dvk-optee-emmc.bin')} \
|
||||
"
|
||||
|
||||
# Per-machine DISTRO_FEATURES customization
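Review bot: The inner `oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', ...)` added for both the tf-a and the fip entries picks the `${ENCRYPT_SUFFIX}` name for any value other than the literal '0', including an unset variable, whereas the class hunk at `@ -208` only sets ENCRYPT_ENABLE when the value is `not in [None, "0"]`; the shell checks `[ "${TRUSTFENCE_DEK_PATH}" != "0" ]` added in build_uboot_scripts (`@ -106`) and gen_pki_tree (`@ -78`) have the same gap for an empty string. If the class's substitution of "default" by TRUSTFENCE_SIGN_KEYS_PATH guarantees the variable is always set on STM builds this stays theoretical, but otherwise the artifact list and the installer script would name encrypted images the build never produced. Aligning on one predicate, `d.getVar('TRUSTFENCE_DEK_PATH') in [None, '0']` here and `[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]` in the two shell functions, keeps all four places in step. The nested ifelse is also duplicated verbatim for tf-a and fip; computing the suffix once into a helper variable would stop the two entries drifting apart.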
|
||||
|
|
|
|||
|
|
@ -56,7 +56,9 @@ do_deploy() {
|
|||
unset k
|
||||
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
|
||||
k=$(expr $k + 1)
|
||||
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
|
||||
if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${FIP_SOC_MATCH})" -eq 1 ] ;then
|
||||
encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
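Review bot: The new `|| [ "$(echo ${dt} | grep -c ${FIP_SOC_MATCH})" -eq 1 ]` alternative does not depend on `${soc}`, so when it matches, `encrypt_key` is reassigned on every pass of the `for soc in ${STM32MP_ENCRYPT_SOC_NAME}` loop and the entry at the last index wins; with a one-entry list this is harmless, but for a multi-SoC list it may select a key that belongs to a different SoC without any diagnostic. The same construction is added in both do_compile hunks (`@ -203` with ENCRYPT_FIP_KEY_PATH_LIST and `@ -247` with ENCRYPT_FSBL_KEY_PATH_LIST, matching against TF_A_SOC_MATCH). An empty `${FIP_SOC_MATCH}` additionally leaves `grep -c` with no pattern, so the test errors rather than evaluating to false; `[ -n "${FIP_SOC_MATCH}" ] && [ "$(echo "${dt}" | grep -c -- "${FIP_SOC_MATCH}")" -eq 1 ]` covers both. The enclosing `if` blocks and do_deploy itself start before this hunk, so where `dt` and the `k` counter are initialised is not visible here.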
|
||||
|
|
|
|||
|
|
@ -203,7 +203,9 @@ do_compile() {
|
|||
unset k
|
||||
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
|
||||
k=$(expr $k + 1)
|
||||
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
|
||||
if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
|
||||
encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
|
||||
fi
|
||||
done
|
||||
fi
|
||||
if [ "$(file "${encrypt_key}" | sed 's#.*: \(.*\)$#\1#')" = "ASCII text" ]; then
|
||||
|
|
@ -247,7 +249,9 @@ do_compile() {
|
|||
unset k
|
||||
for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
|
||||
k=$(expr $k + 1)
|
||||
[ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
|
||||
if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
|
||||
encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
|
||||
fi
|
||||
done
|
||||
fi
|
||||
# Set encryption options for signing tools
|
||||
|
|
|
|||
|
|
@ -106,7 +106,11 @@ build_uboot_scripts() {
|
|||
sed -i -e 's,##SIGNED##,signed,g' ${TMP_INSTALL_SCR}
|
||||
fi
|
||||
else
|
||||
sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
sed -i -e 's,##SIGNED##,_Encrypted_Signed,g' ${TMP_INSTALL_SCR}
|
||||
else
|
||||
sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
|
||||
fi
|
||||
fi
|
||||
else
|
||||
sed -i -e 's,-##SIGNED##,,g' -e 's,##SIGNED##,,g' ${TMP_INSTALL_SCR}
|
||||
|
|
|
|||
|
|
@ -101,3 +101,29 @@ else
|
|||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "${CONFIG_DEK_PATH}" ]; then
|
||||
[ -d "${CONFIG_DEK_PATH}" ] || mkdir "${CONFIG_DEK_PATH}"
|
||||
# Generate random keys if they don't exist
|
||||
if [ "${PLATFORM}" = "ccmp25" ]; then
|
||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" ]; then
|
||||
echo "Generating random encryption key for FSBL"
|
||||
if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"; then
|
||||
echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
|
||||
exit 1
|
||||
fi
|
||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"
|
||||
fi
|
||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fip.bin" ]; then
|
||||
echo "Generating random encryption key for FIP"
|
||||
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"; then
|
||||
echo "[ERROR] Failed to generate 32-byte FIP encryption key"
|
||||
exit 1
|
||||
fi
|
||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"
|
||||
fi
|
||||
else
|
||||
echo "[ERROR] Could not generate encryption keys. Platform not supported."
|
||||
exit 1
|
||||
fi
|
||||
fi
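Review bot: The generated DEKs `encryption_key_fsbl.bin` and `encryption_key_fip.bin` are written with the build user's default umask and then fixed at `chmod 444`, which leaves both data encryption keys readable by every account on the build host for their whole lifetime; the only reader is the owner, so `chmod 400 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"` (and the same for the FIP key) is the right mode. The directory is created on the `[ -d "${CONFIG_DEK_PATH}" ] || mkdir "${CONFIG_DEK_PATH}"` line without a mode and without checking the result; `[ -d "${CONFIG_DEK_PATH}" ] || mkdir -m 700 "${CONFIG_DEK_PATH}" || exit 1` closes the window before the chmod and surfaces a failed mkdir, since whether the script runs under `set -e` is not visible in this hunk. The key generation is skipped when the files already exist, so an already-present 444 key is not tightened by this change either.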
|
||||
|
|
|
|||
|
|
@ -49,7 +49,6 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
|
|||
TF_DEK_PATH = "default"
|
||||
TF_DEK_PATH:ccimx9 = "0"
|
||||
TF_DEK_PATH:ccmp1 = "0"
|
||||
TF_DEK_PATH:ccmp2 = "0"
|
||||
TF_FILE_BASED_ENCRYPT = "0"
|
||||
TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
|
||||
TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
|
||||
|
|
@ -78,6 +77,9 @@ gen_pki_tree() {
|
|||
trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
|
||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||
fi
|
||||
trustfence-gen-pki.sh -p ${DIGI_SOM}
|
||||
fi
|
||||
rm -rf ${GENPKI_LOCK_DIR}
|
||||
|
|
@ -174,6 +176,9 @@ python () {
|
|||
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
|
||||
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
|
||||
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
|
||||
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"));
|
||||
|
||||
if (d.getVar("TRUSTFENCE_SIGN") == "1"):
|
||||
# Set STM-specific variables for signing images
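Review bot: The new STM branch assigns the bare `TRUSTFENCE_SIGN_KEYS_PATH` to `TRUSTFENCE_DEK_PATH`, while the NXP branch directly above appends `/dek.bin`, so the same variable is a file for one vendor and a directory for the other and a reader will assume the STM value is a file too. A comment above the new `d.setVar` line such as `# STM: TRUSTFENCE_DEK_PATH is a directory; encryption_key_fsbl.bin and encryption_key_fip.bin are looked up inside it` would document this, matching the per-file lookups added in the `@ -208` hunk of this class. The trailing `;` on the new setVar line copies the style of the NXP line but is not idiomatic Python and can be dropped.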
|
||||
|
|
@ -208,7 +213,13 @@ python () {
|
|||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
if d.getVar("TRUSTFENCE_SIGN_MODE"):
|
||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
|
||||
|
||||
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
|
||||
d.setVar("ENCRYPT_ENABLE", "1")
|
||||
d.setVar("ENCRYPT_FSBL_KEY", '%s/encryption_key_fsbl.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
d.setVar("ENCRYPT_FSBL_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FSBL_KEY"))
|
||||
d.setVar("ENCRYPT_FIP_KEY", '%s/encryption_key_fip.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
d.setVar("ENCRYPT_FIP_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FIP_KEY"))
|
||||
|
||||
if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"):
|
||||
# FIT-related variables
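Review bot: `d.getVar("STM32MP_SOC_NAME").strip()` on the two new `ENCRYPT_FSBL_KEY_%s` / `ENCRYPT_FIP_KEY_%s` lines raises AttributeError on None when the variable is not set for a machine, which shows up as a parse-time traceback rather than a message naming the missing variable. Reading it once and failing explicitly, `soc = d.getVar("STM32MP_SOC_NAME") or bb.fatal("STM32MP_SOC_NAME must be set when TRUSTFENCE_DEK_PATH is enabled")`, then `d.setVar("ENCRYPT_FSBL_KEY_%s" % soc.strip(), d.getVar("ENCRYPT_FSBL_KEY"))`, keeps the behaviour for well-formed machines. The per-SoC variables are keyed by STM32MP_SOC_NAME while the bbappend loops (`@ -56`, `@ -203`, `@ -247`) walk STM32MP_ENCRYPT_SOC_NAME and pick the key by list index; whether those two lists always agree cannot be confirmed from this page, so a short comment stating that assumption next to these setVar lines would help the next maintainer.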
|
||||
|
|
|
|||