diff --git a/meta-digi-arm/conf/machine/ccmp25-dvk.conf b/meta-digi-arm/conf/machine/ccmp25-dvk.conf
index df8c187c3..f2296abd4 100644
--- a/meta-digi-arm/conf/machine/ccmp25-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp25-dvk.conf
@@ -134,11 +134,15 @@ ST_USERFS = "0"
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
- ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
- 'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
+ ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+ oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
+ 'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \
+ 'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
 metadata-ccmp25-dvk.bin \
- ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
- 'fip-ccmp25-dvk-optee-emmc.bin')} \
+ ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+ oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
+ 'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \
+ 'fip-ccmp25-dvk-optee-emmc.bin')} \
 "
 # Per-machine DISTRO_FEATURES customization
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend
index e0746b47a..2d08cd9c7 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend
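Review bot: The new inner `oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', …)` in both the tf-a and fip entries treats every value other than the literal '0' as "encrypted", including an unset variable (None), while the bbclass python that actually turns encryption on (trustfence.bbclass @@ -208) only does so when the value is not in [None, "0"]; if TRUSTFENCE_DEK_PATH can be unset when BOOTABLE_ARTIFACTS is expanded, the installer ZIP would look for `…${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32` / `.bin` artifacts that were never built. Writing the test as `d.getVar('TRUSTFENCE_DEK_PATH') in [None, '0']` (with the two name branches swapped) keeps it in step with the class. I cannot see where ENCRYPT_SUFFIX is defined, so I assume it is provided by the same class; a short comment above BOOTABLE_ARTIFACTS naming the variables that drive the name selection would help the next reader.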
@@ -56,7 +56,9 @@ do_deploy() {
 unset k
 for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
 k=$(expr $k + 1)
- [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${FIP_SOC_MATCH})" -eq 1 ] ;then
+ encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ fi
 done
 fi
 fi
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
index ae6a906e7..a1d019075 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
@@ -203,7 +203,9 @@ do_compile() {
 unset k
 for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
 k=$(expr $k + 1)
- [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
+ encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ fi
 done
 fi
 if [ "$(file "${encrypt_key}" | sed 's#.*: \(.*\)$#\1#')" = "ASCII text" ]; then
@@ -247,7 +249,9 @@ do_compile() {
 unset k
 for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
 k=$(expr $k + 1)
- [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
+ encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
+ fi
 done
 fi
 # Set encryption options for signing tools
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
index 85d1bd9f6..201352ad0 100644
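Review bot: The new fallback test `grep -c ${FIP_SOC_MATCH}` does not depend on `${soc}`, so whenever `${dt}` matches FIP_SOC_MATCH the assignment fires on every iteration and `encrypt_key` ends up as the last entry of ENCRYPT_FIP_KEY_PATH_LIST regardless of which SoC that entry belongs to; if that is intended (single-entry list) a comment should say so, otherwise a `break` after the assignment or a test outside the loop is needed. When FIP_SOC_MATCH is empty the unquoted expansion leaves `grep -c` with no pattern, so the test compares an empty string with `-eq 1` and only reports a shell error; guarding with `[ -n "${FIP_SOC_MATCH}" ] &&` and quoting the expansions (`grep -c "${FIP_SOC_MATCH}"`, `echo "${dt}"`) keeps it quiet and stops word-splitting of `${dt}`. The same applies to both tf-a-stm32mp_2.10.bbappend hunks (@@ -203 with TF_A_SOC_MATCH and ENCRYPT_FIP_KEY_PATH_LIST, @@ -247 with ENCRYPT_FSBL_KEY_PATH_LIST). do_deploy and do_compile start before these hunks and continue after them.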
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
@@ -106,7 +106,11 @@ build_uboot_scripts() {
 sed -i -e 's,##SIGNED##,signed,g' ${TMP_INSTALL_SCR}
 fi
 else
- sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
+ if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+ sed -i -e 's,##SIGNED##,_Encrypted_Signed,g' ${TMP_INSTALL_SCR}
+ else
+ sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
+ fi
 fi
 else
 sed -i -e 's,-##SIGNED##,,g' -e 's,##SIGNED##,,g' ${TMP_INSTALL_SCR}
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
index 7dcccee17..0bb1d716e 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
@@ -101,3 +101,29 @@ else
 exit 1
 fi
 fi
+
+if [ -n "${CONFIG_DEK_PATH}" ]; then
+ [ -d "${CONFIG_DEK_PATH}" ] || mkdir "${CONFIG_DEK_PATH}"
+ # Generate random keys if they don't exist
+ if [ "${PLATFORM}" = "ccmp25" ]; then
+ if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" ]; then
+ echo "Generating random encryption key for FSBL"
+ if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"; then
+ echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
+ exit 1
+ fi
+ chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"
+ fi
+ if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fip.bin" ]; then
+ echo "Generating random encryption key for FIP"
+ if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"; then
+ echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+ exit 1
+ fi
+ chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"
+ fi
+ else
+ echo "[ERROR] Could not generate encryption keys. Platform not supported."
+ exit 1
+ fi
+fi
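Review bot: `[ "${TRUSTFENCE_DEK_PATH}" != "0" ]` labels the install script `_Encrypted_Signed` for any value other than the literal 0, including an empty or unset variable, whereas the bbclass python (trustfence.bbclass @@ -208) only enables encryption when the value is not in [None, "0"]; an unset value would therefore produce an "Encrypted" script for images that were not encrypted. Tightening it to `if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then` keeps the two in step. The identical test added in gen_pki_tree (trustfence.bbclass @@ -78) is harmless in that case because it only exports an empty CONFIG_DEK_PATH, which the generator script skips via its `-n` check. build_uboot_scripts starts before this hunk and continues after it.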
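Review bot: The freshly generated DEKs are left world-readable by the two `chmod 444` lines, and the directory that holds them is created with the caller's umask and without a failure check; for secret key material `chmod 400` is the appropriate mode, and `[ -d "${CONFIG_DEK_PATH}" ] || mkdir -m 700 "${CONFIG_DEK_PATH}" || exit 1` would both restrict the directory and stop the run early instead of letting STM32MP_KeyGen_CLI fail later on a missing path. If the signing keys generated earlier in this script (outside the hunk) deliberately use 444, a comment stating why the DEKs follow the same convention would be needed, since a leaked DEK defeats the firmware encryption this change introduces. The `[ERROR]` messages are written to stdout; `>&2` is the usual choice for diagnostics, assuming the rest of the script does the same. The block is appended after the closing `fi` of the preceding section and is not inside any function.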
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index b0761d066..2a57d7772 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -49,7 +49,6 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 TF_DEK_PATH = "default"
 TF_DEK_PATH:ccimx9 = "0"
 TF_DEK_PATH:ccmp1 = "0"
-TF_DEK_PATH:ccmp2 = "0"
 TF_FILE_BASED_ENCRYPT = "0"
 TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
 TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
@@ -78,6 +77,9 @@ gen_pki_tree() {
 trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
 elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+ if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+ export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
+ fi
 trustfence-gen-pki.sh -p ${DIGI_SOM}
 fi
 rm -rf ${GENPKI_LOCK_DIR}
@@ -174,6 +176,9 @@ python () {
 if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
 if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
 d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
+ elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
+ if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
+ d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"));
 if (d.getVar("TRUSTFENCE_SIGN") == "1"):
 # Set STM-specific variables for signing images
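Review bot: Nothing in the class documents that, with `TF_DEK_PATH:ccmp2 = "0"` dropped at @@ -49 and the new STM branch resolving "default" to TRUSTFENCE_SIGN_KEYS_PATH, ccmp2 builds appear to get firmware encryption on by default and the DEKs are generated in the same directory as the signing PKI (assuming TRUSTFENCE_DEK_PATH defaults to TF_DEK_PATH, which is outside the hunk). A comment above the new `elif`, e.g. `# STM: "default" places the DEKs next to the signing keys; set TRUSTFENCE_DEK_PATH = "0" to build unencrypted images`, would make the opt-out discoverable. The trailing `;` on the new `d.setVar(...)` line is copied from the NXP line above but is not Python style and can be dropped. The anonymous python function starts before this hunk and continues after it.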
@@ -208,7 +213,13 @@ python () {
 d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
 if d.getVar("TRUSTFENCE_SIGN_MODE"):
 d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
-
+ elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
+ if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
+ d.setVar("ENCRYPT_ENABLE", "1")
+ d.setVar("ENCRYPT_FSBL_KEY", '%s/encryption_key_fsbl.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
+ d.setVar("ENCRYPT_FSBL_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FSBL_KEY"))
+ d.setVar("ENCRYPT_FIP_KEY", '%s/encryption_key_fip.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
+ d.setVar("ENCRYPT_FIP_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FIP_KEY"))
 if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"):
 # FIT-related variables