From c8757b7bf3e19df44cd07c61e4544a3136eb4ac9 Mon Sep 17 00:00:00 2001
From: Arturo Buzarra
Date: Tue, 30 Sep 2025 14:16:42 +0200
Subject: [PATCH] trustfence: add encrypted boot artifact support for STM platforms

This commit updates the secure boot support for STM platforms based on the STM32 MPU Ecosystem v6.1.0. It introduces support for encrypted boot artifacts, including TF-A and FIP, and enables this functionality for the ConnectCore MP2 platform. This enhancement allows secure boot deployments with both authentication and encryption for improved protection of critical boot components.

Signed-off-by: Arturo Buzarra
---
 meta-digi-arm/conf/machine/ccmp25-dvk.conf | 12 ++++++---
 .../fip-stm32mp/fip-stm32mp.bbappend | 4 ++-
 .../tf-a-stm32mp_2.10.bbappend | 8 ++++--
 .../recipes-bsp/u-boot/u-boot-dey.inc | 6 ++++-
 .../trustfence-gen-pki-stm.sh | 26 +++++++++++++++++++
 meta-digi-dey/classes/trustfence.bbclass | 15 +++++++++--
 6 files changed, 61 insertions(+), 10 deletions(-)

diff --git a/meta-digi-arm/conf/machine/ccmp25-dvk.conf b/meta-digi-arm/conf/machine/ccmp25-dvk.conf
index df8c187c3..f2296abd4 100644
--- a/meta-digi-arm/conf/machine/ccmp25-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp25-dvk.conf
@@ -134,11 +134,15 @@ ST_USERFS = "0"
 
 # Boot artifacts to be copied from the deploy dir to the installer ZIP
 BOOTABLE_ARTIFACTS = " \
- ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
- 'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
+ ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+ oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
+ 'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \
+ 'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
 metadata-ccmp25-dvk.bin \
- ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
- 'fip-ccmp25-dvk-optee-emmc.bin')} \
+ ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
+ oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
+ 'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \
+ 'fip-ccmp25-dvk-optee-emmc.bin')} \
 "
 
 # Per-machine DISTRO_FEATURES customization
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend
index e0746b47a..2d08cd9c7 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/fip-stm32mp/fip-stm32mp.bbappend
@@ -56,7 +56,9 @@ do_deploy() {
 unset k
 for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
 k=$(expr $k + 1)
- [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${FIP_SOC_MATCH})" -eq 1 ] ;then
+ encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ fi
 done
 fi
 fi
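Review bot: The new nested ifelse treats only the literal string '0' as "encryption off", so an unset or empty TRUSTFENCE_DEK_PATH on a signed build selects the `${ENCRYPT_SUFFIX}${SIGN_SUFFIX}` artifact names, while the check that actually enables encryption in trustfence.bbclass (`not in [None, "0"]`) leaves ENCRYPT_ENABLE off in that same None case, so the installer would reference artifacts that are never produced. If TRUSTFENCE_DEK_PATH can ever be unset or empty for an STM machine, the two conditions should agree, e.g. `oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') in (None, '', '0'), ...` here. The shell tests `[ "${TRUSTFENCE_DEK_PATH}" != "0" ]` added in build_uboot_scripts (u-boot-dey.inc) and in gen_pki_tree (trustfence.bbclass) have the same gap and would want `[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]`. A one-line comment above BOOTABLE_ARTIFACTS naming the three cases (unsigned, signed, encrypted+signed) would make the doubly nested ifelse much easier to read.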
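Review bot: The new `|| [ "$(echo ${dt} | grep -c ${FIP_SOC_MATCH})" -eq 1 ]` alternative does not depend on `$soc`, so whenever the device tree name matches FIP_SOC_MATCH the assignment runs on every iteration of `for soc in ${STM32MP_ENCRYPT_SOC_NAME}` and `encrypt_key` silently ends up as the last entry of ENCRYPT_FIP_KEY_PATH_LIST rather than the key of the matched SoC; with a one-entry list this is invisible, with several it picks the wrong key. If the intent is a generic fallback when no SoC-specific name matches, evaluate it once after the loop, e.g. `[ -n "${encrypt_key}" ] || encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f1)` with a comment stating which list entry is the default (field 1 here is only an illustration). An empty FIP_SOC_MATCH also leaves `grep -c` with no pattern, which prints a usage error and makes `[ "" -eq 1 ]` complain about a non-integer, so guard the alternative with `[ -n "${FIP_SOC_MATCH}" ]` first. The same construct appears twice in the tf-a-stm32mp_2.10.bbappend do_compile hunks with TF_A_SOC_MATCH, and in all three `] ;then` should be `]; then` to match the `]; then` used in the surrounding code. The enclosing do_deploy function continues outside this hunk.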
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
index ae6a906e7..a1d019075 100644
--- a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.10.bbappend
@@ -203,7 +203,9 @@ do_compile() {
 unset k
 for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
 k=$(expr $k + 1)
- [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
+ encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k})
+ fi
 done
 fi
 if [ "$(file "${encrypt_key}" | sed 's#.*: \(.*\)$#\1#')" = "ASCII text" ]; then
@@ -247,7 +249,9 @@ do_compile() {
 unset k
 for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do
 k=$(expr $k + 1)
- [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
+ if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] || [ "$(echo ${dt} | grep -c ${TF_A_SOC_MATCH})" -eq 1 ] ;then
+ encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k})
+ fi
 done
 fi
 # Set encryption options for signing tools
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
index 85d1bd9f6..201352ad0 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
@@ -106,7 +106,11 @@ build_uboot_scripts() {
 sed -i -e 's,##SIGNED##,signed,g' ${TMP_INSTALL_SCR}
 fi
 else
- sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
+ if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+ sed -i -e 's,##SIGNED##,_Encrypted_Signed,g' ${TMP_INSTALL_SCR}
+ else
+ sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
+ fi
 fi
 else
 sed -i -e 's,-##SIGNED##,,g' -e 's,##SIGNED##,,g' ${TMP_INSTALL_SCR}
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
index 7dcccee17..0bb1d716e 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh
@@ -101,3 +101,29 @@ else
 exit 1
 fi
 fi
+
+if [ -n "${CONFIG_DEK_PATH}" ]; then
+ [ -d "${CONFIG_DEK_PATH}" ] || mkdir "${CONFIG_DEK_PATH}"
+ # Generate random keys if they don't exist
+ if [ "${PLATFORM}" = "ccmp25" ]; then
+ if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" ]; then
+ echo "Generating random encryption key for FSBL"
+ if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"; then
+ echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
+ exit 1
+ fi
+ chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"
+ fi
+ if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fip.bin" ]; then
+ echo "Generating random encryption key for FIP"
+ if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"; then
+ echo "[ERROR] Failed to generate 32-byte FIP encryption key"
+ exit 1
+ fi
+ chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"
+ fi
+ else
+ echo "[ERROR] Could not generate encryption keys. Platform not supported."
+ exit 1
+ fi
+fi
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index b0761d066..2a57d7772 100644
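Review bot: `chmod 444` leaves both symmetric boot-encryption keys world-readable, and `mkdir "${CONFIG_DEK_PATH}"` creates the key directory with whatever the caller's umask allows, so on a shared build host any local account can read the FSBL and FIP keys; key material should be owner-only, `mkdir -m 700 -- "${CONFIG_DEK_PATH}"` and `chmod 400` on each generated file (the build reads them as the same user). The `if ! STM32MP_KeyGen_CLI ...` branches exit without removing the output path, so if the tool ever leaves a partial file behind, the `[ ! -f ... ]` checks skip generation on the next run and a truncated key is used — delete the path before `exit 1`. The `[ -d ... ] || mkdir` line also ignores a mkdir failure unless the script runs under `set -e`, which is set (or not) above this hunk and I cannot see; an explicit `|| exit 1` removes the doubt. The rewritten FSBL block is below; the FIP block gets the identical treatment with `-rand 32`.
```sh
if [ -n "${CONFIG_DEK_PATH}" ]; then
    # Key directory is created owner-only regardless of the caller's umask
    [ -d "${CONFIG_DEK_PATH}" ] || mkdir -m 700 -- "${CONFIG_DEK_PATH}" || exit 1
    # … unchanged: platform check …
        if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" ]; then
            echo "Generating random encryption key for FSBL"
            if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"; then
                # Never leave a partial key behind: the '! -f' check above would accept it next run
                rm -f -- "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"
                echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
                exit 1
            fi
            # Symmetric boot-encryption key: readable by the owner only
            chmod 400 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"
        fi
        # … unchanged: FIP key block, same rm -f / chmod 400 changes with -rand 32 …
```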
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -49,7 +49,6 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 TF_DEK_PATH = "default"
 TF_DEK_PATH:ccimx9 = "0"
 TF_DEK_PATH:ccmp1 = "0"
-TF_DEK_PATH:ccmp2 = "0"
 TF_FILE_BASED_ENCRYPT = "0"
 TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
 TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
@@ -78,6 +77,9 @@ gen_pki_tree() {
 trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
 elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
 export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+ if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
+ export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
+ fi
 trustfence-gen-pki.sh -p ${DIGI_SOM}
 fi
 rm -rf ${GENPKI_LOCK_DIR}
@@ -174,6 +176,9 @@ python () {
 if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
 if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
 d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
+ elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
+ if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
+ d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"));
 
 if (d.getVar("TRUSTFENCE_SIGN") == "1"):
 # Set STM-specific variables for signing images
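Review bot: The new STM `elif` in the anonymous python gives TRUSTFENCE_DEK_PATH a different meaning from the NXP branch directly above it — on NXP the variable is a file (`.../dek.bin`), on STM it becomes the directory that the later hunks expect to contain `encryption_key_fsbl.bin` and `encryption_key_fip.bin` — and nothing in the class says so. Add a comment on the new branch: `# STM: TRUSTFENCE_DEK_PATH is a directory holding encryption_key_fsbl.bin / encryption_key_fip.bin (generated by trustfence-gen-pki-stm.sh), not a single DEK file`. Defaulting that directory to TRUSTFENCE_SIGN_KEYS_PATH also co-locates the symmetric boot-encryption keys with the signing PKI, which is worth stating in the variable's documentation so users know what to protect and back up together. The `python ()` block this hunk sits in continues outside it.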
@@ -208,7 +213,13 @@ python () {
 d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
 if d.getVar("TRUSTFENCE_SIGN_MODE"):
 d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
-
+ elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
+ if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
+ d.setVar("ENCRYPT_ENABLE", "1")
+ d.setVar("ENCRYPT_FSBL_KEY", '%s/encryption_key_fsbl.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
+ d.setVar("ENCRYPT_FSBL_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FSBL_KEY"))
+ d.setVar("ENCRYPT_FIP_KEY", '%s/encryption_key_fip.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
+ d.setVar("ENCRYPT_FIP_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FIP_KEY"))
 
 if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"):
 # FIT-related variables
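Review bot: `d.getVar("STM32MP_SOC_NAME").strip()` raises AttributeError when STM32MP_SOC_NAME is unset, and because this runs in the class's anonymous python that becomes a parse failure for every recipe inheriting trustfence on an STM machine whose BSP layer does not set the variable; `(d.getVar("STM32MP_SOC_NAME") or "").strip()` followed by a `bb.fatal` with a clear message is better than a traceback. The expression is also spliced into a variable name, so it assumes exactly one SoC name; if the ST layer can list several there (the bbappends do iterate STM32MP_ENCRYPT_SOC_NAME as a list), the generated name would contain a space — worth asserting a single word or iterating. The `elif` attaches to an `if` whose head is above this hunk, and the enclosing `python ()` block continues outside it.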