From f23d8c6abb03deeed6c72a679c63fb575ce35a3e Mon Sep 17 00:00:00 2001
From: "Diaz de Grenu, Jose" <Jose.DiazdeGrenu@digi.com>
Date: Thu, 7 Jul 2016 11:11:35 +0200
Subject: [PATCH] trustfence: simplify TRUSTFENCE_ configuration macros

Adapt the U-Boot recipe to the last U-Boot Kconfig entries changes.

Simplify the name of some TRUSTFENCE_ configuration macros. These were
used to configure U-Boot, but they will also configure the uImage signature
and encryption processes.

https://jira.digi.com/browse/DUB-602
https://jira.digi.com/browse/DUB-618
https://jira.digi.com/browse/DUB-534

Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
---
 .../recipes-bsp/u-boot/u-boot-dey_2015.04.bb  | 20 +++++--------
 meta-digi-dey/classes/trustfence.bbclass      | 28 +++++++++----------
 2 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
index 68738aade..4f0a3051a 100644
--- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
@@ -34,13 +34,11 @@ EXTRA_OEMAKE_append = " KCFLAGS=-fgnu89-inline"
 UBOOT_EXTRA_CONF ?= ""
 
 python __anonymous() {
-    if (d.getVar("TRUSTFENCE_UBOOT_SIGN", True) == "1") and not d.getVar("TRUSTFENCE_CST_PATH", True):
-         bb.fatal("NXP's CST tool needs to be installed and a PKI tree generated. Please download it from the NXP website at http://www.nxp.com/pages/i.mx-design-tools:IMX_DESIGN?fsrch=1&sr=1&pageNum=1")
-    if (d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True) == "1") and (d.getVar("TRUSTFENCE_UBOOT_SIGN", True) != "1"):
-         bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_UBOOT_SIGN=1) or remove encryption (TRUSTFENCE_UBOOT_ENCRYPT=0)")
+    if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"):
+         bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN=1) or remove encryption (TRUSTFENCE_ENCRYPT = 0)")
     if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
-        if (d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True) != "1"):
-            bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encrpytion. Consider defining TRUSTFENCE_UBOOT_ENCRYPT=1")
+        if (d.getVar("TRUSTFENCE_DEK_PATH", True) in [None, "0"]):
+            bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encryption. Consider removing TRUSTFENCE_DEK_PATH = 0")
         if (len(d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True)) != 32):
             bb.fatal("Invalid TRUSTFENCE_UBOOT_ENV_DEK length. Define a string formed by 32 hexadecimal characters")
 }
@@ -77,7 +75,7 @@ do_compile () {
                     cp  ${S}/build_${config}/${UBOOT_BINARY}  ${S}/build_${config}/u-boot-${type}.${UBOOT_SUFFIX}
 
                     # Secure boot artifacts
-                    if [ "${TRUSTFENCE_UBOOT_SIGN}" = "1" ]
+                    if [ "${TRUSTFENCE_SIGN}" = "1" ]
                     then
                         cp ${S}/build_${config}/u-boot-signed.imx ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX}
                     fi
@@ -119,19 +117,15 @@ do_deploy_append() {
 					cd ${DEPLOYDIR}
 					rm -r ${UBOOT_BINARY}-${type} ${UBOOT_SYMLINK}-${type}
 					ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
-					if [ "${TRUSTFENCE_UBOOT_SIGN}" = "1" ]
+					if [ "${TRUSTFENCE_SIGN}" = "1" ]
 					then
 						install ${S}/build_${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
 						ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
 
-						if [ "${TRUSTFENCE_UBOOT_ENCRYPT}" = "1" ]
+						if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
 						then
 							install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
 							ln -sf u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-encrypted-${type}.${UBOOT_SUFFIX}
-
-							# Move the data encryption key in plain text directly to the deployment directory.
-							# Do not leave any other copies in the machine.
-							mv ${S}/build_${config}/dek.bin ${DEPLOYDIR}/dek-${type}.bin
 						else
 							install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
 							ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX}
diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass
index 1844a3fea..6530f01ef 100644
--- a/meta-digi-dey/classes/trustfence.bbclass
+++ b/meta-digi-dey/classes/trustfence.bbclass
@@ -19,9 +19,9 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "1"
 #TRUSTFENCE_CONSOLE_GPIO_ENABLE = "4"
 
 # Default secure boot configuration
-TRUSTFENCE_CHECK_KERNEL ?= "1"
-TRUSTFENCE_UBOOT_SIGN ?= "1"
-TRUSTFENCE_UBOOT_ENCRYPT ?= "1"
+TRUSTFENCE_SIGN ?= "1"
+TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
+TRUSTFENCE_DEK_PATH ?= "default"
 TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"
 
 # Trustfence initramfs image recipe
@@ -49,20 +49,20 @@ python () {
     if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK") == "gen_random"):
         d.setVar("TRUSTFENCE_UBOOT_ENV_DEK", str(binascii.hexlify(os.urandom(16)).decode()))
 
-    if (d.getVar("TRUSTFENCE_CHECK_KERNEL", True) == "1"):
-        d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SECURE_BOOT=y ")
-    if (d.getVar("TRUSTFENCE_UBOOT_SIGN", True) == "1"):
+    if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
+        d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
+
+    if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
+        d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
+    
+    if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
         d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
-        if d.getVar("TRUSTFENCE_CST_PATH", True):
-            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CST_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_CST_PATH"))
-        if d.getVar("TRUSTFENCE_CSF_SIZE", True):
-            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_CSF_SIZE=%s " % d.getVar("TRUSTFENCE_CSF_SIZE"))
+        if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True):
+            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_KEYS_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
         if d.getVar("TRUSTFENCE_KEY_INDEX", True):
             d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
-        if (d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True) == "1"):
-            d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_ENCRYPT_IMAGE=y ")
-            if d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE", True):
-                d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_DEK_SIZE=%s CONFIG_DEK_SIZE_%s=y" % (d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE"),d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE")))
+        if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
+            d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
     if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
         d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
 }