ccmp1: add signed FIT image support

This commit adds signed FIT image support for the CCMP1 platforms when using Trustfence. https://onedigi.atlassian.net/browse/DEL-8591 Signed-off-by: Mike Engel <Mike.Engel@digi.com>
2023-09-26 14:29:49 +02:00 · 2023-09-26 14:29:49 +02:00 · df9b1cf329
parent 4c8bde2bc3
commit df9b1cf329
10 changed files with 150 additions and 51 deletions
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@ -21,15 +21,18 @@ do_image_boot_vfat[depends] += " \
 IMAGE_CMD:boot.vfat() {
 	BOOTIMG_FILES="$(readlink -e ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin)"
 	BOOTIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin"
-	if [ -n "${KERNEL_DEVICETREE}" ]; then
-		for DTB in ${KERNEL_DEVICETREE}; do
-			# Remove potential sub-folders
-			DTB="$(basename ${DTB})"
-			if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then
-				BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${DTB})"
-				BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}"
-			fi
-		done
+	# Exclude DTB and DTBO from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
+		if [ -n "${KERNEL_DEVICETREE}" ]; then
+			for DTB in ${KERNEL_DEVICETREE}; do
+				# Remove potential sub-folders
+				DTB="$(basename ${DTB})"
+				if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then
+					BOOTIMG_FILES="${BOOTIMG_FILES} $(readlink -e ${DEPLOY_DIR_IMAGE}/${DTB})"
+					BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}"
+				fi
+			done
+		fi
 	fi

 	# Add Trustfence initramfs if enabled
@ -57,12 +60,15 @@ IMAGE_CMD:boot.vfat() {
 	mkfs.vfat -n "Boot DEY" -S 512 -C ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${BOOTIMG_BLOCKS}
 	mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${BOOTIMG_FILES_SYMLINK} ::/

-	# Copy boot scripts into the VFAT image
-	for item in ${BOOT_SCRIPTS}; do
-		src=`echo $item | awk -F':' '{ print $1 }'`
-		dst=`echo $item | awk -F':' '{ print $2 }'`
-		mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat -s ${DEPLOY_DIR_IMAGE}/$src ::/$dst
-	done
+	# Exclude boot scripts from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
+		# Copy boot scripts into the VFAT image
+		for item in ${BOOT_SCRIPTS}; do
+			src=`echo $item | awk -F':' '{ print $1 }'`
+			dst=`echo $item | awk -F':' '{ print $2 }'`
+			mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat -s ${DEPLOY_DIR_IMAGE}/$src ::/$dst
+		done
+	fi

 	# Truncate the image to speed up the downloading/writing to the EMMC
 	if [ -n "${BOARD_BOOTIMAGE_PARTITION_SIZE}" ]; then
@ -83,14 +89,17 @@ do_image_boot_ubifs[depends] += " \

 IMAGE_CMD:boot.ubifs() {
 	BOOTIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin"
-	if [ -n "${KERNEL_DEVICETREE}" ]; then
-		for DTB in ${KERNEL_DEVICETREE}; do
-			# Remove potential sub-folders
-			DTB="$(basename ${DTB})"
-			if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then
-				BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}"
-			fi
-		done
+	# Exclude DTB and DTBO from UBIFS image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
+		if [ -n "${KERNEL_DEVICETREE}" ]; then
+			for DTB in ${KERNEL_DEVICETREE}; do
+				# Remove potential sub-folders
+				DTB="$(basename ${DTB})"
+				if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then
+					BOOTIMG_FILES_SYMLINK="${BOOTIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}"
+				fi
+			done
+		fi
 	fi

 	# Add Trustfence initramfs if enabled
@ -107,12 +116,15 @@ IMAGE_CMD:boot.ubifs() {
 		ln ${orig} ${TMP_BOOTDIR}/$(basename ${item})
 	done

-	# Hard-link boot scripts into the temporary folder
-	for item in ${BOOT_SCRIPTS}; do
-		src="$(echo ${item} | awk -F':' '{ print $1 }')"
-		dst="$(echo ${item} | awk -F':' '{ print $2 }')"
-		ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_BOOTDIR}/${dst}
-	done
+	# Exclude boot scripts from UBIFS image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
+		# Hard-link boot scripts into the temporary folder
+		for item in ${BOOT_SCRIPTS}; do
+			src="$(echo ${item} | awk -F':' '{ print $1 }')"
+			dst="$(echo ${item} | awk -F':' '{ print $2 }')"
+			ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_BOOTDIR}/${dst}
+		done
+	fi

 	# Build UBIFS boot image out of temp folder
 	mkfs.ubifs -r ${TMP_BOOTDIR} -o ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.ubifs ${MKUBIFS_BOOT_ARGS}
@ -135,8 +147,11 @@ IMAGE_CMD:recovery.vfat() {
 	# Use 'boot.vfat' image as base
 	cp --remove-destination ${IMGDEPLOYDIR}/${IMAGE_NAME}.boot.vfat ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat

-	# Copy the recovery initramfs into the VFAT image
-	mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat -s ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ::/uramdisk-recovery.img
+	# Exclude initRAMFS from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
+		# Copy the recovery initramfs into the VFAT image
+		mcopy -i ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.vfat -s ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ::/uramdisk-recovery.img
+	fi
 }

 # Remove the default ".rootfs." suffix for 'recovery.vfat' images
@ -153,14 +168,17 @@ do_image_recovery_ubifs[depends] += " \

 IMAGE_CMD:recovery.ubifs() {
 	RECOVERYIMG_FILES_SYMLINK="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${MACHINE}.bin"
-	if [ -n "${KERNEL_DEVICETREE}" ]; then
-		for DTB in ${KERNEL_DEVICETREE}; do
-			# Remove potential sub-folders
-			DTB="$(basename ${DTB})"
-			if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then
-				RECOVERYIMG_FILES_SYMLINK="${RECOVERYIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}"
-			fi
-		done
+	# Exclude DTB and DTBO from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
+		if [ -n "${KERNEL_DEVICETREE}" ]; then
+			for DTB in ${KERNEL_DEVICETREE}; do
+				# Remove potential sub-folders
+				DTB="$(basename ${DTB})"
+				if [ -e "${DEPLOY_DIR_IMAGE}/${DTB}" ]; then
+					RECOVERYIMG_FILES_SYMLINK="${RECOVERYIMG_FILES_SYMLINK} ${DEPLOY_DIR_IMAGE}/${DTB}"
+				fi
+			done
+		fi
 	fi

 	# Create temporary folder
@ -172,15 +190,18 @@ IMAGE_CMD:recovery.ubifs() {
 		ln ${orig} ${TMP_RECOVERYDIR}/$(basename ${item})
 	done

-	# Hard-link boot scripts into the temporary folder
-	for item in ${BOOT_SCRIPTS}; do
-		src="$(echo ${item} | awk -F':' '{ print $1 }')"
-		dst="$(echo ${item} | awk -F':' '{ print $2 }')"
-		ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_RECOVERYDIR}/${dst}
-	done
+	# Exclude bootscript from VFAT image when creating a FIT image
+	if [ "${TRUSTFENCE_FIT_IMG}" != "1" ]; then
+		# Hard-link boot scripts into the temporary folder
+		for item in ${BOOT_SCRIPTS}; do
+			src="$(echo ${item} | awk -F':' '{ print $1 }')"
+			dst="$(echo ${item} | awk -F':' '{ print $2 }')"
+			ln ${DEPLOY_DIR_IMAGE}/${src} ${TMP_RECOVERYDIR}/${dst}
+		done

-	# Copy the recovery initramfs into the temporary folder
-	cp ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ${TMP_RECOVERYDIR}/uramdisk-recovery.img
+		# Copy the recovery initramfs into the temporary folder
+		cp ${DEPLOY_DIR_IMAGE}/${RECOVERY_INITRAMFS_IMAGE}-${MACHINE}.cpio.gz.u-boot.tf ${TMP_RECOVERYDIR}/uramdisk-recovery.img
+	fi

 	# Build UBIFS recovery image out of temp folder
 	mkfs.ubifs -r ${TMP_RECOVERYDIR} -o ${IMGDEPLOYDIR}/${IMAGE_NAME}.recovery.ubifs ${MKUBIFS_BOOT_ARGS}
--- a/meta-digi-arm/conf/machine/ccmp13-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp13-dvk.conf
@ -47,6 +47,8 @@ STM32MP_KERNEL_DEVICETREE:ccmp13-dvk += " \
    _ov_som_bt_test_ccmp13.dtbo \
    _ov_som_wifi_ccmp13.dtbo \
 "
+# Set DTB load address to U-Boot fdt_addr_r
+UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"

 # =========================================================================
 # Machine features
@ -106,7 +108,8 @@ OPTEE_CONF = "ccmp13-dvk"
 # =========================================================================
 # Kernel
 # =========================================================================
-KERNEL_IMAGETYPE = "zImage"
+KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
+KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
 KERNEL_ALT_IMAGETYPE = "Image uImage vmlinux"
 KERNEL_DEFCONFIG ?= "ccmp1_defconfig"
 KERNEL_EXTERNAL_DEFCONFIG ?= "defconfig"
--- a/meta-digi-arm/conf/machine/ccmp15-dvk.conf
+++ b/meta-digi-arm/conf/machine/ccmp15-dvk.conf
@ -54,6 +54,8 @@ STM32MP_KERNEL_DEVICETREE:ccmp15-dvk += " \
    _ov_som_mca_ccmp15.dtbo \
    _ov_som_wifi_ccmp15.dtbo \
 "
+# Set DTB load address to U-Boot fdt_addr_r
+UBOOT_DTB_LOADADDRESS = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', '0xc4000000', '', d)}"

 # =========================================================================
 # Machine features
@ -114,7 +116,8 @@ OPTEE_CONF = "ccmp15-dvk"
 # =========================================================================
 # Kernel
 # =========================================================================
-KERNEL_IMAGETYPE = "zImage"
+KERNEL_IMAGETYPE = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'fitImage', 'zImage', d)}"
+KERNEL_CLASSES = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'kernel-fitimage', 'kernel-uimage', d)}"
 KERNEL_ALT_IMAGETYPE = "Image uImage vmlinux"
 KERNEL_DEFCONFIG ?= "ccmp1_defconfig"
 KERNEL_EXTERNAL_DEFCONFIG ?= "defconfig"
--- a/meta-digi-arm/conf/machine/include/ccmp1.inc
+++ b/meta-digi-arm/conf/machine/include/ccmp1.inc
@ -72,3 +72,6 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"

 # Disable the generation of flashlayout files
 do_create_flashlayout_config[noexec] = "1"
+
+# Include boot script into the FIT image
+UBOOT_ENV = "${@bb.utils.contains('TRUSTFENCE_FIT_IMG', '1', 'boot', '', d)}"
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
@ -198,6 +198,18 @@ do_deploy:append:ccmp1() {
 	# Deploy u-boot-nodtb.bin and ccmp1x-dvk.dtb, to be packaged in fip binary by tf-a
 	install -d ${DEPLOYDIR}/${BOOT_TOOLS}
 	install -m 0777 ${B}/${config}/arch/arm/dts/${UBOOT_DTB_NAME} ${DEPLOYDIR}/${BOOT_TOOLS}/${FIP_UBOOT_DTB}-${FIP_UBOOT_HEADER}.dtb
-
 	install -m 0777 ${B}/${config}/u-boot-nodtb.bin  ${DEPLOYDIR}/${BOOT_TOOLS}/u-boot-nodtb.bin
+
+	# Append signature to u-boot DT
+	if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ] ; then
+		# get name of u-boot devicetree without signature
+		ubootdevicetree="${DEPLOYDIR}/${BOOT_TOOLS}/u-boot-${UBOOT_DTB_NAME}"
+		namewithoutsignature=`echo $ubootdevicetree | sed "s/\.dtb/-without-signature.dtb/g"`
+		namewithsignature=`echo $ubootdevicetree | sed "s/\.dtb/-with-signature.dtb/g"`
+		mv $ubootdevicetree $namewithoutsignature
+		# get name of U-Boot device tree from DEPLOY_DIR
+		nameonkernel="${DEPLOY_DIR_IMAGE}/u-boot-${MACHINE}*.dtb"
+		cp $nameonkernel $namewithsignature
+		cp $nameonkernel $ubootdevicetree
+	fi
 }
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_legacy.cfg
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_legacy.cfg
@ -0,0 +1 @@
+CONFIG_LEGACY_IMAGE_FORMAT=y
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_signature.cfg
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey/ccmp1/fit_signature.cfg
@ -0,0 +1,4 @@
+CONFIG_FIT_SIGNATURE=y
+CONFIG_RSA=y
+CONFIG_ECDSA=y
+CONFIG_ECDSA_VERIFY=y
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2021.10.bb
@ -1,4 +1,4 @@
-# Copyright (C) 2022 Digi International
+# Copyright (C) 2022,2023 Digi International

 require u-boot-dey.inc
 LIC_FILES_CHKSUM = "file://Licenses/README;md5=5a7450c57ffe5ae63fd732446b988025"
@ -9,4 +9,31 @@ DEPENDS += "python3-setuptools-native"
 SRCBRANCH = "v2021.10/master"
 SRCREV = "${AUTOREV}"

+UBOOT_FIT_CFG_FRAGMENTS = " \
+    file://fit_legacy.cfg \
+    file://fit_signature.cfg \
+"
+
+SRC_URI += " \
+    ${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${UBOOT_FIT_CFG_FRAGMENTS}', '', d)} \
+"
+# Install UBOOT_ENV_BINARY to datadir, so that kernel can use it
+# to include it into the FIT image.
+install_helper_bootscr() {
+	if [ -f "${D}/boot/${UBOOT_ENV_BINARY}" ]; then
+		# Install UBOOT_ENV_BINARY into datadir to share it with the kernel
+		install -Dm 0644 ${D}/boot/${UBOOT_ENV_BINARY} ${D}${datadir}/${UBOOT_ENV_IMAGE}
+		ln -sf ${UBOOT_ENV_IMAGE} ${D}${datadir}/${UBOOT_ENV_BINARY}
+	else
+		bbwarn "${D}/boot/${UBOOT_ENV_BINARY} not found"
+	fi
+}
+
+do_install:append() {
+	# Copy boot script, so kernel can include it when creating the FIT image 
+	if [ "${TRUSTFENCE_FIT_IMG}" = "1" ] && [ -n "${UBOOT_ENV_BINARY}" ]; then
+		install_helper_bootscr
+	fi
+}
+
 COMPATIBLE_MACHINE = "(ccmp1)"
--- a/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb
+++ b/meta-digi-arm/recipes-kernel/linux/linux-dey_5.15.bb
@ -7,4 +7,10 @@ SRCBRANCH:stm32mpcommon = "v5.15.118/stm/master"
 SRCREV = "${AUTOREV}"
 SRCREV:stm32mpcommon = "${AUTOREV}"

+do_assemble_fitimage:prepend:ccmp1() {
+	# Deploy u-boot script to be included into the FIT image
+	install -d ${STAGING_DIR_HOST}/boot
+	install -m 0644 ${RECIPE_SYSROOT}/${datadir}/${UBOOT_ENV_BINARY} ${STAGING_DIR_HOST}/boot/
+}
+
 COMPATIBLE_MACHINE = "(ccimx6|ccimx6ul|ccimx8m|ccimx8x|ccmp1)"
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@ -26,6 +26,7 @@ TRUSTFENCE_DEK_PATH:ccmp1 ?= "0"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 TRUSTFENCE_KEY_INDEX ?= "0"
+TRUSTFENCE_FIT_IMG:ccmp1 ?= "1"

 # Partition encryption configuration
 TRUSTFENCE_ENCRYPT_PARTITIONS ?= "1"
@ -45,6 +46,24 @@ TRUSTFENCE_SIGN_ARTIFACTS:ccimx93 = "0"

 IMAGE_FEATURES += "dey-trustfence"

+# ---------------------------------
+#  Usage of FIT Image signed
+# ---------------------------------
+
+# Enable FIT image build when Trustfence is enabled
+MACHINE_FEATURES += "${@oe.utils.conditional('TRUSTFENCE_FIT_IMG', '1', 'fit', '', d)}"
+# keys name in keydir (eg. "ubootfit.crt", "ubootfit.key")
+TRUSTFENCE_SIGN_KEYNAME ?= ""
+# Set variables required by poky to sign FIT image
+UBOOT_SIGN_KEYNAME ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '${TRUSTFENCE_SIGN_KEYNAME}', '', d)}"
+UBOOT_MKIMAGE_DTCOPTS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', '-I dts -O dtb -p 2000', '', d)}"
+# Enable FIT signing support
+UBOOT_SIGN_ENABLE ?= "${TRUSTFENCE_SIGN}"
+# Set path to FIT signing keys
+UBOOT_SIGN_KEYDIR ?= "${TRUSTFENCE_SIGN_KEYS_PATH}"
+# Create keys if not defined
+FIT_GENERATE_KEYS ?= "${@oe.utils.conditional('TRUSTFENCE_SIGN_KEYNAME', '', '1', '', d)}"
+
 # Function to generate a PKI tree (with lock dir protection)
 GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
 gen_pki_tree() {