From e3ce215f679b499298836f4c2f3299961d0f2aa4 Mon Sep 17 00:00:00 2001
From: David Escalona <david.escalona@digi.com>
Date: Tue, 14 Mar 2017 09:23:34 +0100
Subject: [PATCH] recovery-initramfs: do not generate TrustFence keys in this
 recipe

- Instead of trying to generate the TrustFence keys in this recipe
  when they are not present, depend on the 'virtual/kernel' to
  ensure they are already generated. This solves a concurrency problem
  when two recipes try to generate TrustFence keys at the same time.

https://jira.digi.com/browse/DEL-3913

Signed-off-by: David Escalona <david.escalona@digi.com>
---
 .../recovery/recovery-initramfs.bb            | 25 ++++++-------------
 1 file changed, 7 insertions(+), 18 deletions(-)

diff --git a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
index cfa99088c..c6eea48e3 100644
--- a/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
+++ b/meta-digi-dey/recipes-core/recovery/recovery-initramfs.bb
@@ -4,7 +4,11 @@ SUMMARY = "Recovery initramfs files"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
 
-DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'trustfence-cst-native openssl-native', '', d)}"
+# When building a TrustFence enabled recovery initramfs, we need the TrustFence PKI tree to
+# be already generated in order to copy the public key. Forcing a dependence against 
+# 'virtual/kernel' ensures that the keys are already generated as they are needed to sign the
+# kernel artifacts.
+DEPENDS += "${@base_conditional('TRUSTFENCE_SIGN', '1', 'virtual/kernel openssl-native', '', d)}"
 
 SRC_URI = " \
     file://recovery-initramfs-init \
@@ -28,25 +32,10 @@ do_install() {
 		fi
 		KEY_INDEX_1=$(expr ${KEY_INDEX} + 1)
 
-		# Check if keys are already generated or not. If keys do not exist, generate them.
-		SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
-		CERT_CSF="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/CSF${KEY_INDEX_1}*crt.pem)"
+		# Find the certificate to use.
 		CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
-		n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
-		if [ "${n_commas}" -eq 3 ] && [ -f "${CERT_CSF}" ] && [ -f "${CERT_IMG}" ]; then
-			# PKI tree already exists. Do nothing
-			echo "Using existing PKI tree for recovery."
-		elif [ "${n_commas}" -eq 0 ] || [ ! -f "${CERT_CSF}" ] || [ ! -f "${CERT_IMG}" ]; then
-			# Generate PKI
-			mkdir -p "${TRUSTFENCE_SIGN_KEYS_PATH}"
-			trustfence-gen-pki.sh "${TRUSTFENCE_SIGN_KEYS_PATH}"
-			CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX_1}*crt.pem)"
-		else
-			echo "Inconsistent CST folder."
-			exit 1
-		fi
 
-		# Extract the public key.
+		# Extract the public key from the certificate.
 		install -d ${D}${sysconfdir}/ssl/certs
 		openssl x509 -pubkey -noout -in "${CERT_IMG}" > ${D}${sysconfdir}/ssl/certs/key.pub
 	fi