From c8ec33129d75d6142b72595f8b3f2b995badf8f4 Mon Sep 17 00:00:00 2001
From: "Diaz de Grenu, Jose"
Date: Tue, 6 Sep 2016 17:24:10 +0200
Subject: [PATCH] meta-digi-arm: trustfence-sign-tools: add sign tools recipe

Add a recipe to include all signing and encryption tools for U-Boot and kernel images to the SDK. Move existing trustfence kernel scripts to this new recipe. This allows to use these scripts not only from the Yocto build system but also as standalone tools for image signing and encryption. https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose
---
 .../nativesdk-packagegroup-sdk-host.bbappend | 5 +++
 .../trustfence-sign-tools}/encrypt_uimage | 0
 .../trustfence-sign-tools}/sign_uimage | 0
 .../trustfence-sign-kernel.sh} | 6 ++--
 .../trustfence/trustfence-sign-tools_1.0.bb | 35 +++++++++++++++++++
 .../recipes-kernel/linux/linux-dey.inc | 3 +-
 6 files changed, 45 insertions(+), 4 deletions(-)
 create mode 100644 meta-digi-arm/recipes-core/packagegroup/nativesdk-packagegroup-sdk-host.bbappend
 rename meta-digi-arm/{scripts/templates => recipes-digi/trustfence/trustfence-sign-tools}/encrypt_uimage (100%)
 rename meta-digi-arm/{scripts/templates => recipes-digi/trustfence/trustfence-sign-tools}/sign_uimage (100%)
 rename meta-digi-arm/{scripts/trustfence-sign-uimage.sh => recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh} (98%)
 create mode 100644 meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_1.0.bb
diff --git a/meta-digi-arm/recipes-core/packagegroup/nativesdk-packagegroup-sdk-host.bbappend b/meta-digi-arm/recipes-core/packagegroup/nativesdk-packagegroup-sdk-host.bbappend
new file mode 100644
index 000000000..febf7cc7a
--- /dev/null
+++ b/meta-digi-arm/recipes-core/packagegroup/nativesdk-packagegroup-sdk-host.bbappend
@@ -0,0 +1,5 @@
+# Copyright (C) 2016 Digi International.
+
+RDEPENDS_${PN} += " \
+ nativesdk-trustfence-sign-tools \
+"
diff --git a/meta-digi-arm/scripts/templates/encrypt_uimage b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_uimage
similarity index 100%
rename from meta-digi-arm/scripts/templates/encrypt_uimage
rename to meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_uimage
diff --git a/meta-digi-arm/scripts/templates/sign_uimage b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_uimage
similarity index 100%
rename from meta-digi-arm/scripts/templates/sign_uimage
rename to meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_uimage
diff --git a/meta-digi-arm/scripts/trustfence-sign-uimage.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
similarity index 98%
rename from meta-digi-arm/scripts/trustfence-sign-uimage.sh
rename to meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
index c7832afc3..380cebaea 100755
--- a/meta-digi-arm/scripts/trustfence-sign-uimage.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-kernel.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #===============================================================================
 #
 # trustfence_sign_uimage.sh
@@ -144,7 +144,7 @@ if [ "${ENCRYPT}" = "true" ]; then
 -e "s,%r2_uimage_offset%,${r2_uimage_offset},g" \
 -e "s,%r2_ram_start%,${r2_ram_start},g" \
 -e "s,%r2_size%,${r2_size},g" \
- "${SCRIPT_BASEDIR}/templates/encrypt_uimage" > csf_descriptor
+ "${SCRIPT_BASEDIR}/csf_templates/encrypt_uimage" > csf_descriptor
 else
 sed -e "s,%ram_start%,${CONFIG_UIMAGE_LOADADDR},g" \
 -e "s,%srk_table%,${SRK_TABLE},g" \
@@ -154,7 +154,7 @@ else -e "s,%cert_img%,${CERT_IMG},g" \ -e "s,%uimage_path%,${TARGET},g" \ -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \ - "${SCRIPT_BASEDIR}/templates/sign_uimage" > csf_descriptor + "${SCRIPT_BASEDIR}/csf_templates/sign_uimage" > csf_descriptor fi # Generate SRK tables
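Review bot: Switching the interpreter to `#!/bin/sh` in the first hunk is only safe if the rest of the script has no bash-only constructs, and the diff shows just the header and the template-path lines, so that cannot be confirmed from here. On hosts where `/bin/sh` is dash a bashism fails at run time, and a signing script that fails part-way should stop rather than leave a partly generated `csf_descriptor` or output image behind. I would run `checkbashisms` on the file and, if it is not already set outside the hunk, add `set -e` directly under the header comment. The header comment still names the file `trustfence_sign_uimage.sh`; after the rename it should read `trustfence-sign-kernel.sh`.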
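Review bot: The `sed` calls that fill the CSF template (second hunk, and the same pattern in the third) use `,` as the delimiter and paste `${SRK_TABLE}`, `${CERT_IMG}` and `${TARGET}` in unescaped, so a path containing `,`, `&` or `\` produces a descriptor that differs from what the caller asked to sign. This mattered less while only the Yocto build called the script, but the commit ships it in the SDK as a standalone tool where these paths are user-supplied. A guard before the `sed`, such as `case "${TARGET}${SRK_TABLE}${CERT_IMG}" in *[,\&\\]*) echo "unsupported character in path" >&2; exit 1;; esac`, would reject such input. `csf_descriptor` is also written to the current directory under a fixed name; if no working directory is set up outside these hunks, a `mktemp -d` directory would suit standalone use better.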
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_1.0.bb b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_1.0.bb
new file mode 100644
index 000000000..98f8a7a01
--- /dev/null
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools_1.0.bb
@@ -0,0 +1,35 @@
+SUMMARY = "TrustFence signing and encryption scripts"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRCBRANCH = "v2015.04/master"
+SRCBRANCH_ccimx6ul = "v2015.04/master"
+SRCREV = "${AUTOREV}"
+
+S = "${WORKDIR}"
+
+# Select internal or Github U-Boot repo
+UBOOT_GIT_URI = "${@base_conditional('DIGI_INTERNAL_GIT', '1' , '${DIGI_GIT}u-boot-denx.git', '${DIGI_GITHUB_GIT}/u-boot.git', d)}"
+
+SRC_URI = " \
+ ${UBOOT_GIT_URI};branch=${SRCBRANCH} \
+ file://trustfence-sign-kernel.sh;name=kernel-script \
+ file://sign_uimage;name=kernel-sign \
+ file://encrypt_uimage;name=kernel-encrypt \
+"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install() {
+ install -d ${D}${bindir}/csf_templates
+ install -m 0755 trustfence-sign-kernel.sh ${D}${bindir}/
+ install -m 0755 sign_uimage ${D}${bindir}/csf_templates/
+ install -m 0755 encrypt_uimage ${D}${bindir}/csf_templates/
+ install -m 0755 git/scripts/sign.sh ${D}${bindir}/trustfence-sign-uboot.sh
+ install -m 0755 git/scripts/csf_templates/sign_uboot ${D}${bindir}/csf_templates
+ install -m 0755 git/scripts/csf_templates/encrypt_uboot ${D}${bindir}/csf_templates
+}
+
+FILES_${PN} = "${bindir}"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
index da30d219e..ec9ebbcb8 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc
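Review bot: `SRCREV = "${AUTOREV}"` in the new recipe makes every build install whatever `scripts/sign.sh` and `scripts/csf_templates/*` are at the head of `v2015.04/master` at fetch time. The tooling that runs with access to the signing keys can therefore change without any commit in this layer, and a signed image cannot be reproduced later. Pin it to a reviewed revision, `SRCREV = "<commit-sha-placeholder>"`, and bump it deliberately. `SRCBRANCH_ccimx6ul` repeats the default value and can be dropped until the branches actually differ. The four CSF templates are data read by `sed`, not programs, so `install -m 0644` fits them better than `0755`.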
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7" DEPENDS += "lzop-native bc-native" DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'trustfence-cst-native', '', d)}" +DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}" inherit kernel fsl-kernel-localversion
@@ -38,7 +39,7 @@ do_deploy_append() {
 export CONFIG_UIMAGE_LOADADDR="${UBOOT_CONFIG_LOADADDR}"
 [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
 [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
- "${THISDIR}/../../scripts/trustfence-sign-uimage.sh" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin"
+ "${STAGING_BINDIR_NATIVE}/trustfence-sign-kernel.sh" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin"
 mv "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}-signed.bin" "${DEPLOYDIR}/${KERNEL_IMAGE_BASE_NAME}.bin"
 fi
 (cd ${DEPLOYDIR} && ln -sf ${KERNEL_IMAGE_BASE_NAME}.bin ${KERNEL_IMAGE_SYMLINK_NAME})