trustfence: decouple signing external artifacts
Some platforms do not support signing external artifacts (kernel, dtb, etc.) yet, so we need to decouple the signing of the bootloader from the signing of the external artifacts. This commit generalizes the code, so instead of having platform exceptions scattered along the recipes, we create a new variable used conditionally to sign or not the external artifacts. Signed-off-by: Javier Viguera <javier.viguera@digi.com>
parent
c014e211a4
commit
f1bdbe74c8
|
|
@ -200,21 +200,13 @@ trustence_sign_cpio() {
|
||||||
# Image generation code for image type 'cpio.gz.u-boot.tf'
|
# Image generation code for image type 'cpio.gz.u-boot.tf'
|
||||||
# (signed/encrypted ramdisk)
|
# (signed/encrypted ramdisk)
|
||||||
#
|
#
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
|
|
||||||
# Sign/encrypt the ramdisk
|
# Sign/encrypt the ramdisk
|
||||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
|
||||||
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
|
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
|
||||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
|
||||||
# TODO: sign the ramdisk for ST platforms
|
|
||||||
|
|
||||||
# (fall-back) Copy the image with no changes
|
|
||||||
cp "${1}" "${1}.tf"
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
# Copy the image with no changes
|
# Copy the image with no changes
|
||||||
cp "${1}" "${1}.tf"
|
cp "${1}" "${1}.tf"
|
||||||
|
|
@ -228,22 +220,18 @@ IMAGE_TYPES += "cpio.gz.u-boot.tf"
|
||||||
#
|
#
|
||||||
# Sign read-only rootfs
|
# Sign read-only rootfs
|
||||||
#
|
#
|
||||||
do_image_squashfs[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'rootfs_sign', '', d)}"
|
do_image_squashfs[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'rootfs_sign', '', d)}"
|
||||||
|
|
||||||
rootfs_sign() {
|
rootfs_sign() {
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
|
|
||||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
|
||||||
ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.rootfs.squashfs"
|
ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.rootfs.squashfs"
|
||||||
TMP_ROOTFS_IMAGE_SIGNED="$(mktemp ${ROOTFS_IMAGE}-signed.XXXXXX)"
|
TMP_ROOTFS_IMAGE_SIGNED="$(mktemp ${ROOTFS_IMAGE}-signed.XXXXXX)"
|
||||||
# Sign rootfs read-only image
|
# Sign rootfs read-only image
|
||||||
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -r "${ROOTFS_IMAGE}" "${TMP_ROOTFS_IMAGE_SIGNED}"
|
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -r "${ROOTFS_IMAGE}" "${TMP_ROOTFS_IMAGE_SIGNED}"
|
||||||
mv "${TMP_ROOTFS_IMAGE_SIGNED}" "${ROOTFS_IMAGE}"
|
mv "${TMP_ROOTFS_IMAGE_SIGNED}" "${ROOTFS_IMAGE}"
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}"
|
rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}"
|
||||||
|
|
||||||
do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
||||||
|
|
|
||||||
|
|
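Review bot: In `rootfs_sign` the key-index guard tests `${CONFIG_KEY_INDEX}` instead of `${TRUSTFENCE_KEY_INDEX}`, unlike the ramdisk block in the first hunk of this section, and the commit carries the line over unchanged. If `CONFIG_KEY_INDEX` is not already set in the task environment, the export is skipped, so the squashfs image would presumably be signed with the signing script's default key index and not the configured one. That mismatch would surface as an authentication failure on the target, not as a build error. The guard should read `[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"`.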
@ -95,8 +95,8 @@ build_uboot_scripts() {
|
||||||
mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
|
mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
|
||||||
rm -f ${TMP_BOOTSCR}
|
rm -f ${TMP_BOOTSCR}
|
||||||
|
|
||||||
# Sign the scripts (TODO signing of artifacts for STM-based platforms)
|
# Sign the boot script
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${DEY_SOC_VENDOR}" != "STM" ]; then
|
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||||
|
|
|
||||||
|
|
@ -1,13 +1,9 @@
|
||||||
# Copyright (C) 2022 Digi International
|
# Copyright (C) 2022-2023 Digi International
|
||||||
|
|
||||||
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
|
DEPENDS += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence-sign-tools-native', '', d)}"
|
||||||
|
|
||||||
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
|
|
||||||
|
|
||||||
|
do_deploy[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence_sign', '', d)}"
|
||||||
trustfence_sign() {
|
trustfence_sign() {
|
||||||
# TODO: signing of artifacts for STM-based platforms
|
|
||||||
[ "${DEY_SOC_VENDOR}" = "STM" ] && return
|
|
||||||
|
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
|
|
|
||||||
|
|
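Review bot: The `DEPENDS` and `do_deploy[postfuncs]` lines gate on `oe.utils.vartrue`, which accepts any BitBake boolean spelling, while the shell tests and the anonymous Python in the other sections compare `TRUSTFENCE_SIGN_ARTIFACTS` with the literal `"1"`. The variable is hard-assigned today, but if it is ever set to a value such as `"yes"`, this recipe would pull in the signing tools and register `trustfence_sign` while the U-Boot configuration omits `CONFIG_AUTH_ARTIFACTS=y` and the ramdisk and boot-script checks skip signing. Keeping a single form avoids that split, e.g. `oe.utils.conditional('TRUSTFENCE_SIGN_ARTIFACTS', '1', 'trustfence_sign', '', d)`. The same applies to the `do_image_squashfs[postfuncs]` line in the squashfs section. The body of `trustfence_sign` continues past the end of this hunk.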
@ -34,6 +34,15 @@ TRUSTFENCE_ENCRYPT_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-
|
||||||
# Read-only rootfs
|
# Read-only rootfs
|
||||||
TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
|
TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# NOTHING TO CUSTOMIZE BELOW THIS LINE
|
||||||
|
#
|
||||||
|
|
||||||
|
# TrustFence sign artifacts is not supported on all platforms
|
||||||
|
TRUSTFENCE_SIGN_ARTIFACTS = "1"
|
||||||
|
TRUSTFENCE_SIGN_ARTIFACTS:ccmp1 = "0"
|
||||||
|
TRUSTFENCE_SIGN_ARTIFACTS:ccimx93 = "0"
|
||||||
|
|
||||||
IMAGE_FEATURES += "dey-trustfence"
|
IMAGE_FEATURES += "dey-trustfence"
|
||||||
|
|
||||||
# Function to generate a PKI tree (with lock dir protection)
|
# Function to generate a PKI tree (with lock dir protection)
|
||||||
|
|
@ -155,6 +164,8 @@ python () {
|
||||||
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt")
|
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt")
|
||||||
|
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
|
||||||
|
if (d.getVar("TRUSTFENCE_SIGN_ARTIFACTS") == "1"):
|
||||||
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
|
||||||
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
|
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
|
||||||
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
||||||
|
|
@ -164,11 +175,14 @@ python () {
|
||||||
if d.getVar("TRUSTFENCE_KEY_INDEX"):
|
if d.getVar("TRUSTFENCE_KEY_INDEX"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
||||||
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
|
|
||||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
|
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
|
||||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||||
if d.getVar("TRUSTFENCE_SIGN_MODE"):
|
if d.getVar("TRUSTFENCE_SIGN_MODE"):
|
||||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
|
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
|
||||||
|
else:
|
||||||
|
# Disable signing artifacts if TRUSTFENCE_SIGN != 1
|
||||||
|
d.setVar("TRUSTFENCE_SIGN_ARTIFACTS", "0")
|
||||||
|
|
||||||
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"):
|
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"):
|
||||||
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")
|
||||||
|
|
|
||||||
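Review bot: `CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y` is still appended whenever `TRUSTFENCE_READ_ONLY_ROOTFS` is "1", but the `rootfs_sign` postfunc in the squashfs section now runs only when `TRUSTFENCE_SIGN_ARTIFACTS` is true. On ccimx93, which was previously signed through the NXP branch, a read-only rootfs build therefore appears to configure U-Boot to authenticate an image that is no longer signed. The page has lost its indentation, so the nesting is inferred; if the check sits beside the new one, gating it the same way keeps both sides consistent: `if d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1" and d.getVar("TRUSTFENCE_SIGN_ARTIFACTS") == "1":`. Separately, the build is silent when `TRUSTFENCE_SIGN` is "1" but artifact signing is off for the platform, and a `bb.warn("TrustFence: external artifacts are not signed on this platform")` in that case would tell the user that only the bootloader is authenticated. The `python ()` body starts and ends outside these hunks.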