From ea2ffcfee86bc96a31c758dbed37c2a2d375a26e Mon Sep 17 00:00:00 2001 From: Gonzalo Ruiz Date: Thu, 4 Jun 2020 11:41:03 +0200 Subject: [PATCH] trustfence: introduce AHAB container creation into script https://jira.digi.com/browse/DEL-7024 Signed-off-by: Gonzalo Ruiz --- .../classes/image_types_digi.bbclass | 4 -- .../conf/machine/include/ccimx8x.inc | 8 --- .../recipes-bsp/u-boot/digi-u-boot.inc | 5 -- .../trustfence-sign-artifact.sh | 60 +++++++++++-------- .../recipes-kernel/linux/linux-dey.inc | 10 ---- 5 files changed, 35 insertions(+), 52 deletions(-) diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass index c0c205986..b982091ec 100644 --- a/meta-digi-arm/classes/image_types_digi.bbclass +++ b/meta-digi-arm/classes/image_types_digi.bbclass @@ -207,10 +207,6 @@ trustence_sign_cpio() { [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" - if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg - mv "${1}-mkimg" "${1}" - fi # Sign/encrypt the ramdisk trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf" else diff --git a/meta-digi-arm/conf/machine/include/ccimx8x.inc b/meta-digi-arm/conf/machine/include/ccimx8x.inc index 35587f451..b4f79cf6f 100644 --- a/meta-digi-arm/conf/machine/include/ccimx8x.inc +++ b/meta-digi-arm/conf/machine/include/ccimx8x.inc 
@@ -68,18 +68,10 @@ KERNEL_IMAGETYPE = "Image.gz" VIRTUAL-RUNTIME_init_manager ?= "systemd" VIRTUAL-RUNTIME_initscripts ?= "initscripts" -# For i.MX 8 silicon chip revision -MX8_CHIP_REV ?= "B0" -MX8_SOC_VAR ?= "QX" - # TrustFence TRUSTFENCE_SIGN_MODE = "AHAB" # TODO: not yet supported TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0" -# For Trustfence container header RAM locations -RAM_CONTAINER_LOC_BOOT = "0x80280000" -RAM_CONTAINER_LOC_DTB = "0x82000000" -RAM_CONTAINER_LOC_TF = "0x82100000" # Adding 'wayland' along with 'x11' enables the xwayland backend # Vulkan is necessary for wayland to build diff --git a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc index ab5f70ee9..922d34d2d 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc +++ b/meta-digi-arm/recipes-bsp/u-boot/digi-u-boot.inc @@ -171,11 +171,6 @@ do_deploy_append() { [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" # Sign boot script - if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DEPLOYDIR}/boot.scr a35 ${RAM_CONTAINER_LOC_BOOT} -out boot.scr-mkimg - mv "boot.scr-mkimg" "${DEPLOYDIR}/boot.scr" - fi - TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}" mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr" diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh index 1c9822bbe..8502b34ab 100755 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact.sh 
@@ -88,6 +88,36 @@ if [ -z "${CONFIG_SIGN_MODE}" ]; then exit 1 fi +# Get RAM_START address +if [ "${PLATFORM}" = "ccimx6" ]; then + CONFIG_FDT_LOADADDR="0x18000000" + CONFIG_RAMDISK_LOADADDR="0x19000000" + CONFIG_KERNEL_LOADADDR="0x12000000" +elif [ "${PLATFORM}" = "ccimx6ul" ]; then + CONFIG_FDT_LOADADDR="0x83000000" + CONFIG_RAMDISK_LOADADDR="0x83800000" + CONFIG_KERNEL_LOADADDR="0x80800000" +elif [ "${PLATFORM}" = "ccimx8x" ]; then + CONFIG_FDT_LOADADDR="0x82000000" + CONFIG_RAMDISK_LOADADDR="0x82100000" + CONFIG_KERNEL_LOADADDR="0x80280000" +else + echo "Invalid platform: ${PLATFORM}" + echo "Supported platforms: ccimx6, ccimx6ul, ccimx8x" + exit 1 +fi + +[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}" +[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}" +[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" +# bootscripts are loaded to $loadaddr, just like the kernel +[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" + +if [ -z "${CONFIG_RAM_START}" ]; then + echo "Specify the type of image to process (-b, -i, -d, or -l)" + exit 1 +fi + if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then if [ -n "${CONFIG_DEK_PATH}" ]; then if [ ! -f "${CONFIG_DEK_PATH}" ]; then 
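Review bot: Hoisting the platform check out of the HAB branch means `ccimx8x` is now accepted when `CONFIG_SIGN_MODE` is `HAB`, a combination the removed HAB-only check (which listed just ccimx6 and ccimx6ul) rejected. Likewise nothing visible here stops ccimx6 or ccimx6ul from reaching the non-HAB path, where a later hunk calls `mkimage_imx8 -soc "QX"`. Unless the platform/mode pairing is validated outside these hunks, I would tie them together right after the platform chain, for example `if [ "${PLATFORM}" = "ccimx8x" ] && [ "${CONFIG_SIGN_MODE}" != "AHAB" ]; then echo "ccimx8x requires AHAB" >&2; exit 1; fi`, plus the mirror-image check for the two HAB platforms. The `ARTIFACT_*` chain also lets the last flag win silently when more than one of -b, -i, -d, -l is passed, and that address now goes into the container that is then signed, so rejecting multiple type flags would be safer. The script starts and ends outside this hunk.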
@@ -102,31 +132,6 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then fi ENCRYPT="true" fi - - if [ "${PLATFORM}" = "ccimx6" ]; then - CONFIG_FDT_LOADADDR="0x18000000" - CONFIG_RAMDISK_LOADADDR="0x19000000" - CONFIG_KERNEL_LOADADDR="0x12000000" - elif [ "${PLATFORM}" = "ccimx6ul" ]; then - CONFIG_FDT_LOADADDR="0x83000000" - CONFIG_RAMDISK_LOADADDR="0x83800000" - CONFIG_KERNEL_LOADADDR="0x80800000" - else - echo "Invalid platform: ${PLATFORM}" - echo "Supported platforms: ccimx6, ccimx6ul" - exit 1 - fi - - [ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}" - [ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}" - [ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" - # bootscripts are loaded to $loadaddr, just like the kernel - [ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}" - - if [ -z "${CONFIG_RAM_START}" ]; then - echo "Specify the type of image to process (-b, -i, -d, or -l)" - exit 1 - fi fi # Default values @@ -314,6 +319,11 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}" else + # Prepare the image container + mkimage_imx8 -soc "QX" -rev "B0" -c -ap ${UIMAGE_PATH} a35 ${CONFIG_RAM_START} -out temp-mkimg + mv temp-mkimg "${UIMAGE_PATH}" + + # Sign the image CURRENT_PATH="$(pwd)" cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null if [ $? -ne 0 ]; then diff --git a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc index 8805527d6..7dd6dbc43 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-dey.inc +++ b/meta-digi-arm/recipes-kernel/linux/linux-dey.inc 
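Review bot: The `mkimage_imx8` call added in the `else` branch of the last hunk is not checked for failure and writes to the fixed name `temp-mkimg` in the current directory. Unless the script runs under `set -e` (not visible here), a failed run lets `mv` pick up a stale `temp-mkimg` from an earlier or parallel invocation, and the `cst` step then presumably signs that content as `${UIMAGE_PATH}`. I would write the container to a `mktemp` file next to the artifact, quote `${UIMAGE_PATH}` and `${CONFIG_RAM_START}`, and exit on a non-zero status before the `mv`, as sketched below. The literals `"QX"` and `"B0"` also replace the overridable `MX8_SOC_VAR`/`MX8_CHIP_REV` that this commit deletes from ccimx8x.inc, so another SoC variant or silicon revision can no longer be selected without editing the script. The `else` branch continues past the end of the hunk.

```shell
	# Prepare the image container
	TMP_CONTAINER="$(mktemp "${UIMAGE_PATH}-mkimg.XXXXXX")"
	if ! mkimage_imx8 -soc "QX" -rev "B0" -c -ap "${UIMAGE_PATH}" a35 "${CONFIG_RAM_START}" -out "${TMP_CONTAINER}"; then
		echo "Could not generate the image container for ${UIMAGE_PATH}" >&2
		rm -f "${TMP_CONTAINER}"
		exit 1
	fi
	mv "${TMP_CONTAINER}" "${UIMAGE_PATH}"

	# … unchanged: cst signing step …
```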
@@ -32,11 +32,6 @@ trustfence_sign() { KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image fi - if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${KERNEL_IMAGE} a35 ${RAM_CONTAINER_LOC_BOOT} -out ${KERNEL_IMAGE}-mkimg - mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}" - fi - TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)" trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}" @@ -57,11 +52,6 @@ trustfence_sign() { DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" - if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then - mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg - mv "${DTB_IMAGE}-mkimg" "${DTB_IMAGE}" - fi - TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)" trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}" mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"