Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence: decouple signing external artifacts 

Some platforms do not support signing external artifacts (kernel, dtb,
etc.) yet, so we need to decouple the signing of the bootloader from the
signing of the external artifacts.

This commit generalizes the code, so instead of having platform exceptions
scattered along the recipes, we create a new variable used conditionally
to sign or not the external artifacts.

Signed-off-by: Javier Viguera <javier.viguera@digi.com>
This commit is contained in:
Javier Viguera 2023-09-14 18:46:54 +02:00
parent c014e211a4
commit f1bdbe74c8
4 changed files with 28 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
meta-digi-arm/classes/image_types_digi.bbclass
View File

@ -200,21 +200,13 @@ trustence_sign_cpio() {
# Image generation code for image type 'cpio.gz.u-boot.tf' # Image generation code for image type 'cpio.gz.u-boot.tf'
# (signed/encrypted ramdisk) # (signed/encrypted ramdisk)
# #
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
# Set environment variables for trustfence configuration # Set environment variables for trustfence configuration
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
# Sign/encrypt the ramdisk # Sign/encrypt the ramdisk
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
# TODO: sign the ramdisk for ST platforms
# (fall-back) Copy the image with no changes
cp "${1}" "${1}.tf"
fi
else else
# Copy the image with no changes # Copy the image with no changes
cp "${1}" "${1}.tf" cp "${1}" "${1}.tf"
@ -228,22 +220,18 @@ IMAGE_TYPES += "cpio.gz.u-boot.tf"
# #
# Sign read-only rootfs # Sign read-only rootfs
# #
do_image_squashfs[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'rootfs_sign', '', d)}" do_image_squashfs[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'rootfs_sign', '', d)}"
rootfs_sign() { rootfs_sign() {
# Set environment variables for trustfence configuration # Set environment variables for trustfence configuration
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.rootfs.squashfs"
ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.rootfs.squashfs" TMP_ROOTFS_IMAGE_SIGNED="$(mktemp ${ROOTFS_IMAGE}-signed.XXXXXX)"
TMP_ROOTFS_IMAGE_SIGNED="$(mktemp ${ROOTFS_IMAGE}-signed.XXXXXX)" # Sign rootfs read-only image
# Sign rootfs read-only image trustfence-sign-artifact.sh -p "${DIGI_SOM}" -r "${ROOTFS_IMAGE}" "${TMP_ROOTFS_IMAGE_SIGNED}"
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -r "${ROOTFS_IMAGE}" "${TMP_ROOTFS_IMAGE_SIGNED}" mv "${TMP_ROOTFS_IMAGE_SIGNED}" "${ROOTFS_IMAGE}"
mv "${TMP_ROOTFS_IMAGE_SIGNED}" "${ROOTFS_IMAGE}"
fi
} }
rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}" rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}"
do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX" do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX"

4
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
View File

@ -95,8 +95,8 @@ build_uboot_scripts() {
mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr mkimage -T script -n bootscript -C none -d ${TMP_BOOTSCR} ${DEPLOYDIR}/boot.scr
rm -f ${TMP_BOOTSCR} rm -f ${TMP_BOOTSCR}
# Sign the scripts (TODO signing of artifacts for STM-based platforms) # Sign the boot script
if [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${DEY_SOC_VENDOR}" != "STM" ]; then if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ]; then
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"

10
meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
View File

@ -1,13 +1,9 @@
# Copyright (C) 2022 Digi International # Copyright (C) 2022-2023 Digi International
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}" DEPENDS += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence-sign-tools-native', '', d)}"
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
do_deploy[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence_sign', '', d)}"
trustfence_sign() { trustfence_sign() {
# TODO: signing of artifacts for STM-based platforms
[ "${DEY_SOC_VENDOR}" = "STM" ] && return
# Set environment variables for trustfence configuration # Set environment variables for trustfence configuration
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"

16
meta-digi-dey/classes/trustfence.bbclass
View File

@ -34,6 +34,15 @@ TRUSTFENCE_ENCRYPT_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-
# Read-only rootfs # Read-only rootfs
TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}" TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "1", "0", d)}"
#
# NOTHING TO CUSTOMIZE BELOW THIS LINE
#
# TrustFence sign artifacts is not supported on all platforms
TRUSTFENCE_SIGN_ARTIFACTS = "1"
TRUSTFENCE_SIGN_ARTIFACTS:ccmp1 = "0"
TRUSTFENCE_SIGN_ARTIFACTS:ccimx93 = "0"
IMAGE_FEATURES += "dey-trustfence" IMAGE_FEATURES += "dey-trustfence"
# Function to generate a PKI tree (with lock dir protection) # Function to generate a PKI tree (with lock dir protection)
@ -155,6 +164,8 @@ python () {
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt") d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt")
d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
if (d.getVar("TRUSTFENCE_SIGN_ARTIFACTS") == "1"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"): if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"): if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
@ -164,11 +175,14 @@ python () {
if d.getVar("TRUSTFENCE_KEY_INDEX"): if d.getVar("TRUSTFENCE_KEY_INDEX"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX")) d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
if (d.getVar("DEY_SOC_VENDOR") == "NXP"): if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]): if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH")) d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
if d.getVar("TRUSTFENCE_SIGN_MODE"): if d.getVar("TRUSTFENCE_SIGN_MODE"):
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE")) d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
else:
# Disable signing artifacts if TRUSTFENCE_SIGN != 1
d.setVar("TRUSTFENCE_SIGN_ARTIFACTS", "0")
if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"): if (d.getVar("TRUSTFENCE_ENCRYPT_ENVIRONMENT") == "1"):
if (d.getVar("DEY_SOC_VENDOR") == "NXP"): if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_ENV_AES=y CONFIG_ENV_AES_CAAM_KEY=y ")