From e6b67b6bf82403da697ded818b30a059b65e815a Mon Sep 17 00:00:00 2001
From: Javier Viguera <javier.viguera@digi.com>
Date: Fri, 8 Mar 2024 15:10:07 +0100
Subject: [PATCH] meta-digi: trustfence: support signing a FIT boot artifact

And enable it for the ccimx93.

https://onedigi.atlassian.net/browse/DEL-8704

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
---
 meta-digi-arm/classes/image_types_digi.bbclass       |  3 ++-
 meta-digi-arm/conf/machine/include/ccimx93.inc       |  4 +++-
 meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc      |  5 +++--
 .../recipes-kernel/linux/linux-trustfence.inc        |  5 ++++-
 meta-digi-dey/classes/trustfence.bbclass             | 12 ++++++++----
 5 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass
index 0b677fe44..d5fded013 100644
--- a/meta-digi-arm/classes/image_types_digi.bbclass
+++ b/meta-digi-arm/classes/image_types_digi.bbclass
@@ -221,10 +221,11 @@ trustence_sign_cpio() {
 	# Image generation code for image type 'cpio.gz.u-boot.tf'
 	# (signed/encrypted ramdisk)
 	#
-	if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
+	if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "0" ]; then
 		# Set environment variables for trustfence configuration
 		export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+		[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 		# Sign/encrypt the ramdisk
 		trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
diff --git a/meta-digi-arm/conf/machine/include/ccimx93.inc b/meta-digi-arm/conf/machine/include/ccimx93.inc
index 768ff8ce1..278911589 100644
--- a/meta-digi-arm/conf/machine/include/ccimx93.inc
+++ b/meta-digi-arm/conf/machine/include/ccimx93.inc
@@ -15,8 +15,10 @@ UBOOT_ENV = "boot"
 UBOOT_PREFIX = "imx-boot"
 UBOOT_SUFFIX = "bin"
 
-# Platform kernel settings
+# Platform kernel settings (keep the override as otherwise KERNEL_IMAGETYPE
+# from imx-digi-base.inc takes precedence)
 KERNEL_CLASSES = "kernel-fitimage"
+KERNEL_IMAGETYPE:ccimx93 = "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'fitImage', 'Image.gz', d)}"
 
 # The bootloader image that gets flashed consists of U-Boot and several fw binaries
 EXTRA_IMAGEDEPENDS += "imx-boot"
diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
index c36d8f3da..30b6c55b3 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
@@ -117,10 +117,11 @@ build_uboot_scripts() {
 	mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
 	rm -f ${TMP_BOOTSCR}
 
-	# Sign the boot script
-	if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
+	# Sign the boot script if not contained in a FIT image
+	if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "0" ]; then
 		export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 		[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+		[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
 		[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
 
 		# Sign boot script
diff --git a/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
index 6d2b06ee3..4fca51f2c 100644
--- a/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
+++ b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
@@ -7,8 +7,8 @@ trustfence_sign() {
 	# Set environment variables for trustfence configuration
 	export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
 	[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
+	[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
 	[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
-	[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
 
 	# Sign/encrypt the kernel images
 	for type in ${KERNEL_IMAGETYPES}; do
@@ -31,6 +31,9 @@ trustfence_sign() {
 		mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
 	done
 
+	# For FIT images there is no need to sign the rest of artifacts
+	[ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "1" ] && return 0
+
 	# Sign/encrypt the device tree blobs
 	for DTB in ${KERNEL_DEVICETREE}; do
 		DTB=`normalize_dtb "${DTB}"`
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 0db6afa1d..6d10ec992 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -30,6 +30,8 @@ TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
 TRUSTFENCE_ENCRYPT_ENVIRONMENT:ccimx93 ?= "0"
 TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
 TRUSTFENCE_KEY_INDEX ?= "0"
+TRUSTFENCE_SIGN_ARTIFACTS = "1"
+TRUSTFENCE_SIGN_ARTIFACTS:ccmp1 = "0"
 TRUSTFENCE_FIT_IMG:ccmp1 ?= "1"
 
 # Partition encryption configuration
@@ -45,10 +47,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
 # NOTHING TO CUSTOMIZE BELOW THIS LINE
 #
 
-# TrustFence sign artifacts is not supported on all platforms
-TRUSTFENCE_SIGN_ARTIFACTS = "1"
-TRUSTFENCE_SIGN_ARTIFACTS:ccmp1 = "0"
-TRUSTFENCE_SIGN_ARTIFACTS:ccimx93 = "0"
+# NXP-based sign a FIT-format boot artifact
+TRUSTFENCE_SIGN_FIT_ARTIFACT = "0"
+TRUSTFENCE_SIGN_FIT_ARTIFACT:ccimx93 = "${TRUSTFENCE_SIGN_ARTIFACTS}"
 
 IMAGE_FEATURES += "dey-trustfence"
 
@@ -184,6 +185,9 @@ python () {
         d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
         if (d.getVar("TRUSTFENCE_SIGN_ARTIFACTS") == "1"):
             d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
+            if (d.getVar("TRUSTFENCE_SIGN_FIT_ARTIFACT") == "1"):
+                d.appendVar("UBOOT_TF_CONF", '"# CONFIG_CMD_BOOTI is not set" ')
+                d.appendVar("UBOOT_TF_CONF", '"# CONFIG_LEGACY_IMAGE_FORMAT is not set" ')
         if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
             d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
         if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):