From d78d6018410fb462b47b14801fd171d707094925 Mon Sep 17 00:00:00 2001
From: Mike Engel
Date: Mon, 14 Feb 2022 13:11:53 +0100
Subject: [PATCH] linux: move Trustfence signing into include file to be used by different kernel versions
Signed-off-by: Mike Engel
---
 .../recipes-kernel/linux/linux-dey-src.inc | 1 -
 .../recipes-kernel/linux/linux-dey_5.4.bb | 51 +----------------
 .../recipes-kernel/linux/linux-trustfence.inc | 56 +++++++++++++++++++
 3 files changed, 57 insertions(+), 51 deletions(-)
 create mode 100644 meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey-src.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey-src.inc
index 7f314a1da..b25063898 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey-src.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey-src.inc
@@ -3,7 +3,6 @@ LICENSE = "GPLv2"
 LOCALVERSION = "-dey"
-SRCREV = "${AUTOREV}"
 # Select internal or Github Linux repo
 DIGI_LOG_REPO = "linux-2.6.git"
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb
index 9c0f03d76..6cd20adac 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb
@@ -5,66 +5,17 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 DEPENDS += "lzop-native bc-native"
-DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
 inherit kernel fsl-kernel-localversion
 SRCBRANCH = "v5.4.70/master"
 require recipes-kernel/linux/linux-dey-src.inc
 require ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'linux-virtualization.inc', '', d)}
+require recipes-kernel/linux/linux-trustfence.inc
 # Use custom provided 'defconfig' if variable KERNEL_DEFCONFIG is cleared
 SRC_URI += "${@oe.utils.conditional('KERNEL_DEFCONFIG', '', 'file://defconfig', '', d)}"
-do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
-
-trustfence_sign() {
- # Set environment variables for trustfence configuration
- export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
- [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
- [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
-
- # Sign/encrypt the kernel images
- for type in ${KERNEL_IMAGETYPES}; do
- KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
- if [ "${type}" = "Image.gz" ]; then
- # Sign the uncompressed Image
- KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
- fi
-
- TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
- trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
-
- if [ "${type}" = "Image.gz" ]; then
- # Compress the signed Image and restore the original filename
- gzip "${TMP_KERNEL_IMAGE_SIGNED}"
- mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}"
- KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
- fi
-
- mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
- done
-
- # Sign/encrypt the device tree blobs
- for DTB in ${KERNEL_DEVICETREE}; do
- DTB=`normalize_dtb "${DTB}"`
- DTB_EXT=${DTB##*.}
- DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
- DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
-
- TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
- if [ "${DTB_EXT}" = "dtbo" ]; then
- trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -o "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
- else
- trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
- fi
- mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
- done
-}
-trustfence_sign[dirs] = "${DEPLOYDIR}"
-
-do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
-
 FILES_${KERNEL_PACKAGE_NAME}-image += "/boot/config-${KERNEL_VERSION}"
 # Don't include kernels in standard images
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
new file mode 100644
index 000000000..a1a3c887a
--- /dev/null
+++ b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
@@ -0,0 +1,56 @@
+# Copyright (C) 2022 Digi International
+
+LICENSE = "GPLv2"
+
+DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
+
+do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
+
+trustfence_sign() {
+ # Set environment variables for trustfence configuration
+ export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
+ [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+ [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
+ [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
+
+ # Sign/encrypt the kernel images
+ for type in ${KERNEL_IMAGETYPES}; do
+ KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
+ if [ "${type}" = "Image.gz" ]; then
+ # Sign the uncompressed Image
+ KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
+ fi
+
+ TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
+ trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
+
+ if [ "${type}" = "Image.gz" ]; then
+ # Compress the signed Image and restore the original filename
+ gzip "${TMP_KERNEL_IMAGE_SIGNED}"
+ mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}"
+ KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
+ fi
+
+ mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
+ done
+
+ # Sign/encrypt the device tree blobs
+ for DTB in ${KERNEL_DEVICETREE}; do
+ DTB=`normalize_dtb "${DTB}"`
+ DTB_EXT=${DTB##*.}
+ DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
+ DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
+
+ TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
+ if [ "${DTB_EXT}" = "dtbo" ]; then
+ trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -o "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
+ else
+ trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
+ fi
+ mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
+ done
+}
+trustfence_sign[dirs] = "${DEPLOYDIR}"
+
+do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
+
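Review bot: The `do_deploy[vardeps]` line at the end of the new include still lists only TRUSTFENCE_SIGN_KEYS_PATH, TRUSTFENCE_KEY_INDEX and TRUSTFENCE_DEK_PATH, but trustfence_sign now also exports `CONFIG_SIGN_MODE` from TRUSTFENCE_SIGN_MODE (a line the removed copy in linux-dey_5.4.bb did not have, so this is not a pure move), so changing the signing mode will not change the do_deploy signature and a previously signed kernel/DTB set can be reused from sstate instead of being re-signed; extend it to `do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH TRUSTFENCE_SIGN_MODE"`. The include also assigns `LICENSE = "GPLv2"` unconditionally, which overwrites whatever the requiring recipe set before its `require` line; a shared include should leave LICENSE to the recipe. A short header comment listing the variables the include consumes (TRUSTFENCE_SIGN, TRUSTFENCE_SIGN_KEYS_PATH, TRUSTFENCE_KEY_INDEX, TRUSTFENCE_DEK_PATH, TRUSTFENCE_SIGN_MODE) and stating that a TRUSTFENCE_DEK_PATH of `0` means CONFIG_DEK_PATH is not exported would make the `!= "0"` sentinel self-explanatory. Minor style point: the two backtick substitutions for normalize_dtb and basename could use `$(...)` like the mktemp lines in the same function.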