trustfence: introduce AHAB container creation into script

https://jira.digi.com/browse/DEL-7024

Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Gonzalo Ruiz 2020-06-04 11:41:03 +02:00
parent 02646996b9
commit ea2ffcfee8
5 changed files with 35 additions and 52 deletions


@ -207,10 +207,6 @@ trustence_sign_cpio() {
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${1} a35 ${RAM_CONTAINER_LOC_TF} -out ${1}-mkimg
mv "${1}-mkimg" "${1}"
fi
# Sign/encrypt the ramdisk # Sign/encrypt the ramdisk
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf" trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -i "${1}" "${1}.tf"
else else


@ -68,18 +68,10 @@ KERNEL_IMAGETYPE = "Image.gz"
VIRTUAL-RUNTIME_init_manager ?= "systemd" VIRTUAL-RUNTIME_init_manager ?= "systemd"
VIRTUAL-RUNTIME_initscripts ?= "initscripts" VIRTUAL-RUNTIME_initscripts ?= "initscripts"
# For i.MX 8 silicon chip revision
MX8_CHIP_REV ?= "B0"
MX8_SOC_VAR ?= "QX"
# TrustFence # TrustFence
TRUSTFENCE_SIGN_MODE = "AHAB" TRUSTFENCE_SIGN_MODE = "AHAB"
# TODO: not yet supported # TODO: not yet supported
TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0" TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
# For Trustfence container header RAM locations
RAM_CONTAINER_LOC_BOOT = "0x80280000"
RAM_CONTAINER_LOC_DTB = "0x82000000"
RAM_CONTAINER_LOC_TF = "0x82100000"
# Adding 'wayland' along with 'x11' enables the xwayland backend # Adding 'wayland' along with 'x11' enables the xwayland backend
# Vulkan is necessary for wayland to build # Vulkan is necessary for wayland to build


@ -171,11 +171,6 @@ do_deploy_append() {
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign boot script # Sign boot script
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DEPLOYDIR}/boot.scr a35 ${RAM_CONTAINER_LOC_BOOT} -out boot.scr-mkimg
mv "boot.scr-mkimg" "${DEPLOYDIR}/boot.scr"
fi
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}" trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -b "${DEPLOYDIR}/boot.scr" "${TMP_SIGNED_BOOTSCR}"
mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr" mv "${TMP_SIGNED_BOOTSCR}" "${DEPLOYDIR}/boot.scr"


@ -88,6 +88,36 @@ if [ -z "${CONFIG_SIGN_MODE}" ]; then
exit 1 exit 1
fi fi
# Get RAM_START address
if [ "${PLATFORM}" = "ccimx6" ]; then
CONFIG_FDT_LOADADDR="0x18000000"
CONFIG_RAMDISK_LOADADDR="0x19000000"
CONFIG_KERNEL_LOADADDR="0x12000000"
elif [ "${PLATFORM}" = "ccimx6ul" ]; then
CONFIG_FDT_LOADADDR="0x83000000"
CONFIG_RAMDISK_LOADADDR="0x83800000"
CONFIG_KERNEL_LOADADDR="0x80800000"
elif [ "${PLATFORM}" = "ccimx8x" ]; then
CONFIG_FDT_LOADADDR="0x82000000"
CONFIG_RAMDISK_LOADADDR="0x82100000"
CONFIG_KERNEL_LOADADDR="0x80280000"
else
echo "Invalid platform: ${PLATFORM}"
echo "Supported platforms: ccimx6, ccimx6ul, ccimx8x"
exit 1
fi
[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
# bootscripts are loaded to $loadaddr, just like the kernel
[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
if [ -z "${CONFIG_RAM_START}" ]; then
echo "Specify the type of image to process (-b, -i, -d, or -l)"
exit 1
fi
if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
if [ -n "${CONFIG_DEK_PATH}" ]; then if [ -n "${CONFIG_DEK_PATH}" ]; then
if [ ! -f "${CONFIG_DEK_PATH}" ]; then if [ ! -f "${CONFIG_DEK_PATH}" ]; then
@ -102,31 +132,6 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
fi fi
ENCRYPT="true" ENCRYPT="true"
fi fi
if [ "${PLATFORM}" = "ccimx6" ]; then
CONFIG_FDT_LOADADDR="0x18000000"
CONFIG_RAMDISK_LOADADDR="0x19000000"
CONFIG_KERNEL_LOADADDR="0x12000000"
elif [ "${PLATFORM}" = "ccimx6ul" ]; then
CONFIG_FDT_LOADADDR="0x83000000"
CONFIG_RAMDISK_LOADADDR="0x83800000"
CONFIG_KERNEL_LOADADDR="0x80800000"
else
echo "Invalid platform: ${PLATFORM}"
echo "Supported platforms: ccimx6, ccimx6ul"
exit 1
fi
[ "${ARTIFACT_DTB}" = "y" ] && CONFIG_RAM_START="${CONFIG_FDT_LOADADDR}"
[ "${ARTIFACT_INITRAMFS}" = "y" ] && CONFIG_RAM_START="${CONFIG_RAMDISK_LOADADDR}"
[ "${ARTIFACT_KERNEL}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
# bootscripts are loaded to $loadaddr, just like the kernel
[ "${ARTIFACT_BOOTSCRIPT}" = "y" ] && CONFIG_RAM_START="${CONFIG_KERNEL_LOADADDR}"
if [ -z "${CONFIG_RAM_START}" ]; then
echo "Specify the type of image to process (-b, -i, -d, or -l)"
exit 1
fi
fi fi
# Default values # Default values
@ -314,6 +319,11 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}" objcopy -I binary -O binary --pad-to "${sig_len}" --gap-fill="${GAP_FILLER}" "${TARGET}"
else else
# Prepare the image container
mkimage_imx8 -soc "QX" -rev "B0" -c -ap ${UIMAGE_PATH} a35 ${CONFIG_RAM_START} -out temp-mkimg
mv temp-mkimg "${UIMAGE_PATH}"
# Sign the image
CURRENT_PATH="$(pwd)" CURRENT_PATH="$(pwd)"
cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null cst -o "${TARGET}" -i "${CURRENT_PATH}/csf_descriptor" >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
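Review bot: The container step added in the last hunk (`mkimage_imx8 … -out temp-mkimg` then `mv temp-mkimg "${UIMAGE_PATH}"`) does not check the exit status of mkimage_imx8 and writes to a fixed file name in the current directory. Unless the script runs under `set -e` (not visible here), a failed run or a leftover `temp-mkimg` from another invocation in the same directory could be moved over the image and then signed by `cst`. I would build into a `mktemp` file, abort on failure, and quote `${UIMAGE_PATH}` and `${CONFIG_RAM_START}`. The literal `"QX"` and `"B0"` also replace the `MX8_SOC_VAR`/`MX8_CHIP_REV` settings this commit removes from the machine configuration, so any other SoC variant or silicon revision would get a QX/B0 container without warning; taking them from the environment with those values as defaults would keep that configurable. The enclosing `if`/`else` begins and ends outside the hunk.

```shell
# Prepare the image container
TMP_CONTAINER="$(mktemp "${UIMAGE_PATH}.mkimg.XXXXXX")" || exit 1
if ! mkimage_imx8 -soc "QX" -rev "B0" -c -ap "${UIMAGE_PATH}" a35 "${CONFIG_RAM_START}" -out "${TMP_CONTAINER}"; then
	echo "mkimage_imx8 failed to build the image container"
	rm -f "${TMP_CONTAINER}"
	exit 1
fi
mv "${TMP_CONTAINER}" "${UIMAGE_PATH}"
# … unchanged: cst signing step …
```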

View File

@ -32,11 +32,6 @@ trustfence_sign() {
KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
fi fi
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${KERNEL_IMAGE} a35 ${RAM_CONTAINER_LOC_BOOT} -out ${KERNEL_IMAGE}-mkimg
mv "${KERNEL_IMAGE}-mkimg" "${KERNEL_IMAGE}"
fi
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)" TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}" trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
@ -57,11 +52,6 @@ trustfence_sign() {
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"` DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}" DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
if [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
mkimage_imx8 -soc ${MX8_SOC_VAR} -rev ${MX8_CHIP_REV} -c -ap ${DTB_IMAGE} a35 ${RAM_CONTAINER_LOC_DTB} -out ${DTB_IMAGE}-mkimg
mv "${DTB_IMAGE}-mkimg" "${DTB_IMAGE}"
fi
TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)" TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}" trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}" mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"