meta-digi: trustfence: support signing a FIT boot artifact
And enable it for the ccimx93. https://onedigi.atlassian.net/browse/DEL-8704 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera
parent
1d0631ef96
commit
e6b67b6bf8
|
|
@ -221,10 +221,11 @@ trustence_sign_cpio() {
|
||||||
# Image generation code for image type 'cpio.gz.u-boot.tf'
|
# Image generation code for image type 'cpio.gz.u-boot.tf'
|
||||||
# (signed/encrypted ramdisk)
|
# (signed/encrypted ramdisk)
|
||||||
#
|
#
|
||||||
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
|
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "0" ]; then
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
|
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
# Sign/encrypt the ramdisk
|
# Sign/encrypt the ramdisk
|
||||||
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
|
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
|
||||||
|
|
|
||||||
|
|
@ -15,8 +15,10 @@ UBOOT_ENV = "boot"
|
||||||
UBOOT_PREFIX = "imx-boot"
|
UBOOT_PREFIX = "imx-boot"
|
||||||
UBOOT_SUFFIX = "bin"
|
UBOOT_SUFFIX = "bin"
|
||||||
|
|
||||||
# Platform kernel settings
|
# Platform kernel settings (keep the override as otherwise KERNEL_IMAGETYPE
|
||||||
|
# from imx-digi-base.inc takes precedence)
|
||||||
KERNEL_CLASSES = "kernel-fitimage"
|
KERNEL_CLASSES = "kernel-fitimage"
|
||||||
|
KERNEL_IMAGETYPE:ccimx93 = "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'fitImage', 'Image.gz', d)}"
|
||||||
|
|
||||||
# The bootloader image that gets flashed consists of U-Boot and several fw binaries
|
# The bootloader image that gets flashed consists of U-Boot and several fw binaries
|
||||||
EXTRA_IMAGEDEPENDS += "imx-boot"
|
EXTRA_IMAGEDEPENDS += "imx-boot"
|
||||||
|
|
|
||||||
|
|
@ -117,10 +117,11 @@ build_uboot_scripts() {
|
||||||
mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
|
mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
|
||||||
rm -f ${TMP_BOOTSCR}
|
rm -f ${TMP_BOOTSCR}
|
||||||
|
|
||||||
# Sign the boot script
|
# Sign the boot script if not contained in a FIT image
|
||||||
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
|
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "0" ]; then
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
|
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
|
|
||||||
# Sign boot script
|
# Sign boot script
|
||||||
|
|
|
||||||
|
|
@ -7,8 +7,8 @@ trustfence_sign() {
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
|
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
|
|
||||||
|
|
||||||
# Sign/encrypt the kernel images
|
# Sign/encrypt the kernel images
|
||||||
for type in ${KERNEL_IMAGETYPES}; do
|
for type in ${KERNEL_IMAGETYPES}; do
|
||||||
|
|
@ -31,6 +31,9 @@ trustfence_sign() {
|
||||||
mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
|
mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# For FIT images there is no need to sign the rest of artifacts
|
||||||
|
[ "${TRUSTFENCE_SIGN_FIT_ARTIFACT}" = "1" ] && return 0
|
||||||
|
|
||||||
# Sign/encrypt the device tree blobs
|
# Sign/encrypt the device tree blobs
|
||||||
for DTB in ${KERNEL_DEVICETREE}; do
|
for DTB in ${KERNEL_DEVICETREE}; do
|
||||||
DTB=`normalize_dtb "${DTB}"`
|
DTB=`normalize_dtb "${DTB}"`
|
||||||
|
|
|
||||||
|
|
@ -30,6 +30,8 @@ TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
|
||||||
TRUSTFENCE_ENCRYPT_ENVIRONMENT:ccimx93 ?= "0"
|
TRUSTFENCE_ENCRYPT_ENVIRONMENT:ccimx93 ?= "0"
|
||||||
TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
|
TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
|
||||||
TRUSTFENCE_KEY_INDEX ?= "0"
|
TRUSTFENCE_KEY_INDEX ?= "0"
|
||||||
|
TRUSTFENCE_SIGN_ARTIFACTS = "1"
|
||||||
|
TRUSTFENCE_SIGN_ARTIFACTS:ccmp1 = "0"
|
||||||
TRUSTFENCE_FIT_IMG:ccmp1 ?= "1"
|
TRUSTFENCE_FIT_IMG:ccmp1 ?= "1"
|
||||||
|
|
||||||
# Partition encryption configuration
|
# Partition encryption configuration
|
||||||
|
|
@ -45,10 +47,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
|
||||||
# NOTHING TO CUSTOMIZE BELOW THIS LINE
|
# NOTHING TO CUSTOMIZE BELOW THIS LINE
|
||||||
#
|
#
|
||||||
|
|
||||||
# TrustFence sign artifacts is not supported on all platforms
|
# NXP-based sign a FIT-format boot artifact
|
||||||
TRUSTFENCE_SIGN_ARTIFACTS = "1"
|
TRUSTFENCE_SIGN_FIT_ARTIFACT = "0"
|
||||||
TRUSTFENCE_SIGN_ARTIFACTS:ccmp1 = "0"
|
TRUSTFENCE_SIGN_FIT_ARTIFACT:ccimx93 = "${TRUSTFENCE_SIGN_ARTIFACTS}"
|
||||||
TRUSTFENCE_SIGN_ARTIFACTS:ccimx93 = "0"
|
|
||||||
|
|
||||||
IMAGE_FEATURES += "dey-trustfence"
|
IMAGE_FEATURES += "dey-trustfence"
|
||||||
|
|
||||||
|
|
@ -184,6 +185,9 @@ python () {
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
|
||||||
if (d.getVar("TRUSTFENCE_SIGN_ARTIFACTS") == "1"):
|
if (d.getVar("TRUSTFENCE_SIGN_ARTIFACTS") == "1"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
|
||||||
|
if (d.getVar("TRUSTFENCE_SIGN_FIT_ARTIFACT") == "1"):
|
||||||
|
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_CMD_BOOTI is not set" ')
|
||||||
|
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_LEGACY_IMAGE_FORMAT is not set" ')
|
||||||
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
|
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
|
||||||
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue