ccmp1: add signed FIT image support

This commit adds signed FIT image support for the CCMP1
platforms when using Trustfence.

https://onedigi.atlassian.net/browse/DEL-8591

Signed-off-by: Mike Engel <Mike.Engel@digi.com>

meta-digi-arm/classes/image_types_digi.bbclass

@@ -21,6 +21,8 @@ do_image_boot_vfat[depends] += " \
 IMAGE_CMD:boot.vfat() {
 	BOOTIMG_FILES="$(readlink -e ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin)"
 	BOOTIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin"
+	# Exclude DTB and DTBO from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
 		if [ -n "${KERNEL_DEVICETREE}" ]; then
 			for DTB in ${KERNEL_DEVICETREE}; do
 				# Remove potential sub-folders
@@ -31,6 +33,7 @@ IMAGE_CMD:boot.vfat() {
 				fi
 			done
 		fi
+	fi
 
 	# Add Trustfence initramfs if enabled
 	if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
@@ -57,12 +60,15 @@ IMAGE_CMD:boot.vfat() {
 	mkfs.vfat -n "Boot DEY" -S 512 -C ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${BOOTIMG_BLOCKS}
 	mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${BOOTIMG_FILES_SYMLINK} ::/
 
+	# Exclude boot scripts from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
 		# Copy boot scripts into the VFAT image
 		for item in ${BOOT_SCRIPTS}; do
 			src=`echo $item | awk -F':' '{ print $1 }'`
 			dst=`echo $item | awk -F':' '{ print $2 }'`
 			mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat -s ${DEPLOY_DIR_IMAGE}/$src ::/$dst
 		done
+	fi
 
 	# Truncate the image to speed up the downloading/writing to the EMMC
 	if [ -n "${BOARD_BOOTIMAGE_PARTITION_SIZE}" ]; then
@@ -83,6 +89,8 @@ do_image_boot_ubifs[depends] += " \
 
 IMAGE_CMD:boot.ubifs() {
 	BOOTIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin"
+	# Exclude DTB and DTBO from UBIFS image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
 		if [ -n "${KERNEL_DEVICETREE}" ]; then
 			for DTB in ${KERNEL_DEVICETREE}; do
 				# Remove potential sub-folders
@@ -92,6 +100,7 @@ IMAGE_CMD:boot.ubifs() {
 				fi
 			done
 		fi
+	fi
 
 	# Add Trustfence initramfs if enabled
 	if [ -n "${TRUSTFENCE_INITRAMFS_IMAGE}" ]; then
@@ -107,12 +116,15 @@ IMAGE_CMD:boot.ubifs() {
 		ln ${orig} ${TMP_BOOTDIR}/$(basename ${item})
 	done
 
+	# Exclude boot scripts from UBIFS image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
 		# Hard-link boot scripts into the temporary folder
 		for item in ${BOOT_SCRIPTS}; do
 			src="$(echo ${item} | awk -F':' '{ print $1 }')"
 			dst="$(echo ${item} | awk -F':' '{ print $2 }')"
 			ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_BOOTDIR}/${dst}
 		done
+	fi
 
 	# Build UBIFS boot image out of temp folder
 	mkfs.ubifs -r ${TMP_BOOTDIR} -o ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.ubifs ${MKUBIFS_BOOT_ARGS}
@@ -135,8 +147,11 @@ IMAGE_CMD:recovery.vfat() {
 	# Use 'boot.vfat' image as base
 	cp --remove-destination ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat
 
+	# Exclude initRAMFS from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
 		# Copy the recovery initramfs into the VFAT image
 		mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat -s ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ::/uramdisk-recovery.img
+	fi
 }
 
 # Remove the default ".rootfs." suffix for 'recovery.vfat' images
@@ -153,6 +168,8 @@ do_image_recovery_ubifs[depends] += " \
 
 IMAGE_CMD:recovery.ubifs() {
 	RECOVERYIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin"
+	# Exclude DTB and DTBO from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
 		if [ -n "${KERNEL_DEVICETREE}" ]; then
 			for DTB in ${KERNEL_DEVICETREE}; do
 				# Remove potential sub-folders
@@ -162,6 +179,7 @@ IMAGE_CMD:recovery.ubifs() {
 				fi
 			done
 		fi
+	fi
 
 	# Create temporary folder
 	TMP_RECOVERYDIR="$(mktemp -d ${IMGDEPLOYDIR}/recovery.XXXXXX)"
@@ -172,6 +190,8 @@ IMAGE_CMD:recovery.ubifs() {
 		ln ${orig} ${TMP_RECOVERYDIR}/$(basename ${item})
 	done
 
+	# Exclude bootscript from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
 		# Hard-link boot scripts into the temporary folder
 		for item in ${BOOT_SCRIPTS}; do
 			src="$(echo ${item} | awk -F':' '{ print $1 }')"
@@ -181,6 +201,7 @@ IMAGE_CMD:recovery.ubifs() {
 
 		# Copy the recovery initramfs into the temporary folder
 		cp ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ${TMP_RECOVERYDIR}/uramdisk-recovery.img
+	fi
 
 	# Build UBIFS recovery image out of temp folder
 	mkfs.ubifs -r ${TMP_RECOVERYDIR} -o ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.ubifs ${MKUBIFS_BOOT_ARGS}

meta-digi-arm/conf/machine/ccmp13-dvk.conf

@@ -47,6 +47,8 @@ STM32MP_KERNEL_DEVICETREE:ccmp13-dvk += " \
     _ov_som_bt_test_ccmp13.dtbo \
     _ov_som_wifi_ccmp13.dtbo \
 "
+# Set DTB load address to U-Boot fdt_addr_r
+UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"
 
 # =========================================================================
 # Machine features
@@ -106,7 +108,8 @@ OPTEE_CONF = "ccmp13-dvk"
 # =========================================================================
 # Kernel
 # =========================================================================
-KERNEL_IMAGETYPE = "zImage"
+KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
+KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
 KERNEL_ALT_IMAGETYPE = "Image uImage vmlinux"
 KERNEL_DEFCONFIG ?= "ccmp1_defconfig"
 KERNEL_EXTERNAL_DEFCONFIG ?= "defconfig"

meta-digi-arm/conf/machine/ccmp15-dvk.conf

@@ -54,6 +54,8 @@ STM32MP_KERNEL_DEVICETREE:ccmp15-dvk += " \
     _ov_som_mca_ccmp15.dtbo \
     _ov_som_wifi_ccmp15.dtbo \
 "
+# Set DTB load address to U-Boot fdt_addr_r
+UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"
 
 # =========================================================================
 # Machine features
@@ -114,7 +116,8 @@ OPTEE_CONF = "ccmp15-dvk"
 # =========================================================================
 # Kernel
 # =========================================================================
-KERNEL_IMAGETYPE = "zImage"
+KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
+KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
 KERNEL_ALT_IMAGETYPE = "Image uImage vmlinux"
 KERNEL_DEFCONFIG ?= "ccmp1_defconfig"
 KERNEL_EXTERNAL_DEFCONFIG ?= "defconfig"

meta-digi-arm/conf/machine/include/ccmp1.inc

@@ -72,3 +72,6 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
 
 # Disable the generation of flashlayout files
 do_create_flashlayout_config[noexec] = "1"
+
+# Include boot script into the FIT image
+UBOOT_ENV = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'boot', '', d)}"

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc

@@ -198,6 +198,18 @@ do_deploy:append:ccmp1() {
 	# Deploy u-boot-nodtb.bin and ccmp1x-dvk.dtb, to be packaged in fip binary by tf-a
 	install -d ${DEPLOYDIR}/${BOOT_TOOLS}
 	install -m 0777 ${B}/${config}/arch/arm/dts/${UBOOT_DTB_NAME} ${DEPLOYDIR}/${BOOT_TOOLS}/${FIP_UBOOT_DTB}-${FIP_UBOOT_HEADER}.dtb
-
 	install -m 0777 ${B}/${config}/u-boot-nodtb.bin  ${DEPLOYDIR}/${BOOT_TOOLS}/u-boot-nodtb.bin
+
+	# Append signature to u-boot DT
+	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
+		# get name of u-boot devicetree without signature
+		ubootdevicetree="${DEPLOYDIR}/${BOOT_TOOLS}/u-boot-${UBOOT_DTB_NAME}"
+		namewithoutsignature=`echo $ubootdevicetree | sed "s/\.dtb/-without-signature.dtb/g"`
+		namewithsignature=`echo $ubootdevicetree | sed "s/\.dtb/-with-signature.dtb/g"`
+		mv $ubootdevicetree $namewithoutsignature
+		# get name of U-Boot device tree from DEPLOY_DIR
+		nameonkernel="${DEPLOY_DIR_IMAGE}/u-boot-${MACHINE}*.dtb"
+		cp $nameonkernel $namewithsignature
+		cp $nameonkernel $ubootdevicetree
+	fi
 }

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_legacy.cfg

@@ -0,0 +1 @@
+CONFIG_LEGACY_IMAGE_FORMAT=y

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_signature.cfg

@@ -0,0 +1,4 @@
+CONFIG_FIT_SIGNATURE=y
+CONFIG_RSA=y
+CONFIG_ECDSA=y
+CONFIG_ECDSA_VERIFY=y

meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb

@@ -1,4 +1,4 @@
-# Copyright (C) 2022 Digi International
+# Copyright (C) 2022,2023 Digi International
 
 require u-boot-dey.inc
 LIC_FILES_CHKSUM = "file://Licenses/README;md5=5a7450c57ffe5ae63fd732446b988025"
@@ -9,4 +9,31 @@ DEPENDS += "python3-setuptools-native"
 SRCBRANCH = "v2021.10/master"
 SRCREV = "${AUTOREV}"
 
+UBOOT_FIT_CFG_FRAGMENTS = " \
+    file://fit_legacy.cfg \
+    file://fit_signature.cfg \
+"
+
+SRC_URI += " \
+    ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \
+"
+# Install UBOOT_ENV_BINARY to datadir, so that kernel can use it
+# to include it into the FIT image.
+install_helper_bootscr() {
+	if [ -f "${D}/boot/${UBOOT_ENV_BINARY}" ]; then
+		# Install UBOOT_ENV_BINARY into datadir to share it with the kernel
+		install -Dm 0644 ${D}/boot/${UBOOT_ENV_BINARY} ${D}${datadir}/${UBOOT_ENV_IMAGE}
+		ln -sf ${UBOOT_ENV_IMAGE} ${D}${datadir}/${UBOOT_ENV_BINARY}
+	else
+		bbwarn "${D}/boot/${UBOOT_ENV_BINARY} not found"
+	fi
+}
+
+do_install:append() {
+	# Copy boot script, so kernel can include it when creating the FIT image 
+	if [ "${TRUSTFENCE_FIT_IMG}" = "1" ] && [ -n "${UBOOT_ENV_BINARY}" ]; then
+		install_helper_bootscr
+	fi
+}
+
 COMPATIBLE_MACHINE = "(ccmp1)"

meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb

@@ -7,4 +7,10 @@ SRCBRANCH:stm32mpcommon = "v5.15.118/stm/master"
 SRCREV = "${AUTOREV}"
 SRCREV:stm32mpcommon = "${AUTOREV}"
 
+do_assemble_fitimage:prepend:ccmp1() {
+	# Deploy u-boot script to be included into the FIT image
+	install -d ${STAGING_DIR_HOST}/boot
+	install -m 0644 ${RECIPE_SYSROOT}/${datadir}/${UBOOT_ENV_BINARY} ${STAGING_DIR_HOST}/boot/
+}
+
 COMPATIBLE_MACHINE = "(ccimx6|ccimx6ul|ccimx8m|ccimx8x|ccmp1)"

meta-digi-dey/classes/trustfence.bbclass

@@ -26,6 +26,7 @@ TRUSTFENCE_DEK_PATH:ccmp1 ?= "0"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 TRUSTFENCE_KEY_INDEX ?= "0"
+TRUSTFENCE_FIT_IMG:ccmp1 ?= "1"
 
 # Partition encryption configuration
 TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
@@ -45,6 +46,24 @@ TRUSTFENCE_SIGN_ARTIFACTS:ccimx93 = "0"
 
 IMAGE_FEATURES += "dey-trustfence"
 
+# ---------------------------------
+#  Usage of FIT Image signed
+# ---------------------------------
+
+# Enable FIT image build when Trustfence is enabled
+MACHINE_FEATURES += "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fit', '', d)}"
+# keys name in keydir (eg. "ubootfit.crt", "ubootfit.key")
+TRUSTFENCE_SIGN_KEYNAME ?= ""
+# Set variables required by poky to sign FIT image
+UBOOT_SIGN_KEYNAME ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${TRUSTFENCE_SIGN_KEYNAME}', '', d)}"
+UBOOT_MKIMAGE_DTCOPTS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '-I dts -O dtb -p 2000', '', d)}"
+# Enable FIT signing support
+UBOOT_SIGN_ENABLE ?= "${TRUSTFENCE_SIGN}"
+# Set path to FIT signing keys
+UBOOT_SIGN_KEYDIR ?= "${TRUSTFENCE_SIGN_KEYS_PATH}"
+# Create keys if not defined
+FIT_GENERATE_KEYS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN_KEYNAME', '', '1', '', d)}"
+
 # Function to generate a PKI tree (with lock dir protection)
 GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
 gen_pki_tree() {