trustfence: introduce AHAB container creation into script
https://jira.digi.com/browse/DEL-7024 Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
parent
02646996b9
commit
ea2ffcfee8
|
|
@ -207,10 +207,6 @@ trustence_sign_cpio() {
|
|||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
|
||||
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
|
||||
mv "${1}-mkimg" "${1}"
|
||||
fi
|
||||
# Sign/encrypt the ramdisk
|
||||
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf"
|
||||
else
|
||||
|
|
|
|||
|
|
@ -68,18 +68,10 @@ KERNEL_IMAGETYPE = "Image.gz"
|
|||
VIRTUAL-RUNTIME_init_manager ?= "systemd"
|
||||
VIRTUAL-RUNTIME_initscripts ?= "initscripts"
|
||||
|
||||
# For i.MX 8 silicon chip revision
|
||||
MX8_CHIP_REV ?= "B0"
|
||||
MX8_SOC_VAR ?= "QX"
|
||||
|
||||
# TrustFence
|
||||
TRUSTFENCE_SIGN_MODE = "AHAB"
|
||||
# TODO: not yet supported
|
||||
TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
|
||||
# For Trustfence container header RAM locations
|
||||
RAM_CONTAINER_LOC_BOOT = "0x80280000"
|
||||
RAM_CONTAINER_LOC_DTB = "0x82000000"
|
||||
RAM_CONTAINER_LOC_TF = "0x82100000"
|
||||
|
||||
# Adding 'wayland' along with 'x11' enables the xwayland backend
|
||||
# Vulkan is necessary for wayland to build
|
||||
|
|
|
|||
|
|
@ -171,11 +171,6 @@ do_deploy_append() {
|
|||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
|
||||
|
||||
# Sign boot script
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DEPLOYDIR}/boot.scr a35 ${RAM_CONTAINER_LOC_BOOT} -out boot.scr-mkimg
|
||||
mv "boot.scr-mkimg" "${DEPLOYDIR}/boot.scr"
|
||||
fi
|
||||
|
||||
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
||||
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
|
||||
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"
|
||||
|
|
|
|||
|
|
@ -88,6 +88,36 @@ if [ -z "${CONFIG_SIGN_MODE}" ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# Get RAM_START address
|
||||
if [ "${PLATFORM}" = "ccimx6" ]; then
|
||||
CONFIG_FDT_LOADADDR="0x18000000"
|
||||
CONFIG_RAMDISK_LOADADDR="0x19000000"
|
||||
CONFIG_KERNEL_LOADADDR="0x12000000"
|
||||
elif [ "${PLATFORM}" = "ccimx6ul" ]; then
|
||||
CONFIG_FDT_LOADADDR="0x83000000"
|
||||
CONFIG_RAMDISK_LOADADDR="0x83800000"
|
||||
CONFIG_KERNEL_LOADADDR="0x80800000"
|
||||
elif [ "${PLATFORM}" = "ccimx8x" ]; then
|
||||
CONFIG_FDT_LOADADDR="0x82000000"
|
||||
CONFIG_RAMDISK_LOADADDR="0x82100000"
|
||||
CONFIG_KERNEL_LOADADDR="0x80280000"
|
||||
else
|
||||
echo "Invalid platform: ${PLATFORM}"
|
||||
echo "Supported platforms: ccimx6, ccimx6ul, ccimx8x"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
|
||||
[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
|
||||
[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
|
||||
# bootscripts are loaded to $loadaddr, just like the kernel
|
||||
[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
|
||||
|
||||
if [ -z "${CONFIG_RAM_START}" ]; then
|
||||
echo "Specify the type of image to process (-b, -i, -d, or -l)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
||||
if [ -n "${CONFIG_DEK_PATH}" ]; then
|
||||
if [ ! -f "${CONFIG_DEK_PATH}" ]; then
|
||||
|
|
@ -102,31 +132,6 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
|||
fi
|
||||
ENCRYPT="true"
|
||||
fi
|
||||
|
||||
if [ "${PLATFORM}" = "ccimx6" ]; then
|
||||
CONFIG_FDT_LOADADDR="0x18000000"
|
||||
CONFIG_RAMDISK_LOADADDR="0x19000000"
|
||||
CONFIG_KERNEL_LOADADDR="0x12000000"
|
||||
elif [ "${PLATFORM}" = "ccimx6ul" ]; then
|
||||
CONFIG_FDT_LOADADDR="0x83000000"
|
||||
CONFIG_RAMDISK_LOADADDR="0x83800000"
|
||||
CONFIG_KERNEL_LOADADDR="0x80800000"
|
||||
else
|
||||
echo "Invalid platform: ${PLATFORM}"
|
||||
echo "Supported platforms: ccimx6, ccimx6ul"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
|
||||
[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
|
||||
[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
|
||||
# bootscripts are loaded to $loadaddr, just like the kernel
|
||||
[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
|
||||
|
||||
if [ -z "${CONFIG_RAM_START}" ]; then
|
||||
echo "Specify the type of image to process (-b, -i, -d, or -l)"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Default values
|
||||
|
|
@ -314,6 +319,11 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
|
|||
|
||||
objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
|
||||
else
|
||||
# Prepare the image container
|
||||
mkimage_imx8 -soc "QX" -rev "B0" -c -ap ${UIMAGE_PATH} a35 ${CONFIG_RAM_START} -out temp-mkimg
|
||||
mv temp-mkimg "${UIMAGE_PATH}"
|
||||
|
||||
# Sign the image
|
||||
CURRENT_PATH="$(pwd)"
|
||||
cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
|
||||
if [ $? -ne 0 ]; then
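Review bot: The `mkimage_imx8` call added in the `else` branch is never checked for failure and writes to the fixed name `temp-mkimg` in the current directory. If it fails, the following `mv` can promote a stale `temp-mkimg` left by an earlier run, and `cst` then signs that file as if it were the requested artifact. The container step should fail closed like the `cst` call below it, write to a `mktemp` path, and quote `${UIMAGE_PATH}` and `${CONFIG_RAM_START}`. The `-soc "QX" -rev "B0"` literals also replace what the recipe-side calls on this page passed as `${MX8_SOC_VAR}` and `${MX8_CHIP_REV}`, so another SoC revision would apparently need a script edit; worth a comment or an environment override. The enclosing `if`/`else` on `CONFIG_SIGN_MODE` starts outside this hunk and its body continues past it.

```shell
	# Prepare the image container; abort rather than sign a stale or partial file
	MKIMG_TMP="$(mktemp "${UIMAGE_PATH}-mkimg.XXXXXX")" || exit 1
	if ! mkimage_imx8 -soc "QX" -rev "B0" -c -ap "${UIMAGE_PATH}" a35 "${CONFIG_RAM_START}" -out "${MKIMG_TMP}"; then
		echo "Could not create the image container for ${UIMAGE_PATH}"
		rm -f "${MKIMG_TMP}"
		exit 1
	fi
	mv "${MKIMG_TMP}" "${UIMAGE_PATH}"

	# … unchanged: cst signing and its exit-status check …
```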
|
||||
|
|
|
|||
|
|
@ -32,11 +32,6 @@ trustfence_sign() {
|
|||
KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
|
||||
fi
|
||||
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${KERNEL_IMAGE} a35 ${RAM_CONTAINER_LOC_BOOT} -out ${KERNEL_IMAGE}-mkimg
|
||||
mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}"
|
||||
fi
|
||||
|
||||
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
|
||||
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
|
||||
|
||||
|
|
@ -57,11 +52,6 @@ trustfence_sign() {
|
|||
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
|
||||
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
|
||||
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg
|
||||
mv "${DTB_IMAGE}-mkimg" "${DTB_IMAGE}"
|
||||
fi
|
||||
|
||||
TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
|
||||
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
|
||||
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
|
||||
|
|
|
|||