Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence: simplify TRUSTFENCE_ configuration macros 

Adapt the U-Boot recipe to the last U-Boot Kconfig entries changes.

Simplify the name of some TRUSTFENCE_ configuration macros. These were
used to configure U-Boot, but they will also configure the uImage signature
and encryption processes.

https://jira.digi.com/browse/DUB-602
https://jira.digi.com/browse/DUB-618
https://jira.digi.com/browse/DUB-534

Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This commit is contained in:
Diaz de Grenu, Jose 2016-07-07 11:11:35 +02:00
parent 37eb7db2dc
commit f23d8c6abb
2 changed files with 21 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey_2015.04.bb
View File

@ -34,13 +34,11 @@ EXTRA_OEMAKE_append = " KCFLAGS=-fgnu89-inline"
UBOOT_EXTRA_CONF ?= "" UBOOT_EXTRA_CONF ?= ""
python __anonymous() { python __anonymous() {
if (d.getVar("TRUSTFENCE_UBOOT_SIGN", True) == "1") and not d.getVar("TRUSTFENCE_CST_PATH", True): if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN", True) != "1"):
bb.fatal("NXP's CST tool needs to be installed and a PKI tree generated. Please download it from the NXP website at http://www.nxp.com/pages/i.mx-design-tools:IMX_DESIGN?fsrch=1&sr=1&pageNum=1") bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN=1) or remove encryption (TRUSTFENCE_ENCRYPT = 0)")
if (d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True) == "1") and (d.getVar("TRUSTFENCE_UBOOT_SIGN", True) != "1"):
bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_UBOOT_SIGN=1) or remove encryption (TRUSTFENCE_UBOOT_ENCRYPT=0)")
if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]): if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
if (d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True) != "1"): if (d.getVar("TRUSTFENCE_DEK_PATH", True) in [None, "0"]):
bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encrpytion. Consider defining TRUSTFENCE_UBOOT_ENCRYPT=1") bb.warn("It is strongly recommended to encrypt the U-Boot image when using environment encryption. Consider removing TRUSTFENCE_DEK_PATH = 0")
if (len(d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True)) != 32): if (len(d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True)) != 32):
bb.fatal("Invalid TRUSTFENCE_UBOOT_ENV_DEK length. Define a string formed by 32 hexadecimal characters") bb.fatal("Invalid TRUSTFENCE_UBOOT_ENV_DEK length. Define a string formed by 32 hexadecimal characters")
} }
@ -77,7 +75,7 @@ do_compile () {
cp ${S}/build_${config}/${UBOOT_BINARY} ${S}/build_${config}/u-boot-${type}.${UBOOT_SUFFIX} cp ${S}/build_${config}/${UBOOT_BINARY} ${S}/build_${config}/u-boot-${type}.${UBOOT_SUFFIX}
# Secure boot artifacts # Secure boot artifacts
if [ "${TRUSTFENCE_UBOOT_SIGN}" = "1" ] if [ "${TRUSTFENCE_SIGN}" = "1" ]
then then
cp ${S}/build_${config}/u-boot-signed.imx ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} cp ${S}/build_${config}/u-boot-signed.imx ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX}
fi fi
@ -119,19 +117,15 @@ do_deploy_append() {
cd ${DEPLOYDIR} cd ${DEPLOYDIR}
rm -r ${UBOOT_BINARY}-${type} ${UBOOT_SYMLINK}-${type} rm -r ${UBOOT_BINARY}-${type} ${UBOOT_SYMLINK}-${type}
ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX} ln -sf u-boot-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-${type}.${UBOOT_SUFFIX}
if [ "${TRUSTFENCE_UBOOT_SIGN}" = "1" ] if [ "${TRUSTFENCE_SIGN}" = "1" ]
then then
install ${S}/build_${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin install ${S}/build_${config}/SRK_efuses.bin SRK_efuses-${PV}-${PR}.bin
ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin ln -sf SRK_efuses-${PV}-${PR}.bin SRK_efuses.bin
if [ "${TRUSTFENCE_UBOOT_ENCRYPT}" = "1" ] if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]
then then
install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
ln -sf u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-encrypted-${type}.${UBOOT_SUFFIX} ln -sf u-boot-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-encrypted-${type}.${UBOOT_SUFFIX}
# Move the data encryption key in plain text directly to the deployment directory.
# Do not leave any other copies in the machine.
mv ${S}/build_${config}/dek.bin ${DEPLOYDIR}/dek-${type}.bin
else else
install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} install ${S}/build_${config}/u-boot-signed-${type}.${UBOOT_SUFFIX} u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX} ln -sf u-boot-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} u-boot-signed-${type}.${UBOOT_SUFFIX}

28
meta-digi-dey/classes/trustfence.bbclass
View File

@ -19,9 +19,9 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "1"
#TRUSTFENCE_CONSOLE_GPIO_ENABLE = "4" #TRUSTFENCE_CONSOLE_GPIO_ENABLE = "4"
# Default secure boot configuration # Default secure boot configuration
TRUSTFENCE_CHECK_KERNEL ?= "1" TRUSTFENCE_SIGN ?= "1"
TRUSTFENCE_UBOOT_SIGN ?= "1" TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
TRUSTFENCE_UBOOT_ENCRYPT ?= "1" TRUSTFENCE_DEK_PATH ?= "default"
TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random" TRUSTFENCE_UBOOT_ENV_DEK ?= "gen_random"
# Trustfence initramfs image recipe # Trustfence initramfs image recipe
@ -49,20 +49,20 @@ python () {
if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK") == "gen_random"): if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK") == "gen_random"):
d.setVar("TRUSTFENCE_UBOOT_ENV_DEK", str(binascii.hexlify(os.urandom(16)).decode())) d.setVar("TRUSTFENCE_UBOOT_ENV_DEK", str(binascii.hexlify(os.urandom(16)).decode()))
if (d.getVar("TRUSTFENCE_CHECK_KERNEL", True) == "1"): if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SECURE_BOOT=y ") d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
if (d.getVar("TRUSTFENCE_UBOOT_SIGN", True) == "1"):
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
if (d.getVar("TRUSTFENCE_SIGN", True) == "1"):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ") d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_SIGN_IMAGE=y ")
if d.getVar("TRUSTFENCE_CST_PATH", True): if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH", True):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_CST_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_CST_PATH")) d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_SIGN_KEYS_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
if d.getVar("TRUSTFENCE_CSF_SIZE", True):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_CSF_SIZE=%s " % d.getVar("TRUSTFENCE_CSF_SIZE"))
if d.getVar("TRUSTFENCE_KEY_INDEX", True): if d.getVar("TRUSTFENCE_KEY_INDEX", True):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX")) d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
if (d.getVar("TRUSTFENCE_UBOOT_ENCRYPT", True) == "1"): if (d.getVar("TRUSTFENCE_DEK_PATH", True) not in [None, "0"]):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_ENCRYPT_IMAGE=y ") d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_DEK_PATH=\\"%s\\" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
if d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE", True):
d.appendVar("UBOOT_EXTRA_CONF", "CONFIG_DEK_SIZE=%s CONFIG_DEK_SIZE_%s=y" % (d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE"),d.getVar("TRUSTFENCE_UBOOT_DEK_SIZE")))
if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]): if (d.getVar("TRUSTFENCE_UBOOT_ENV_DEK", True) not in [None, "0"]):
d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK")) d.appendVar("UBOOT_EXTRA_CONF", 'CONFIG_ENV_AES=y CONFIG_ENV_AES_KEY=\\"%s\\"' % d.getVar("TRUSTFENCE_UBOOT_ENV_DEK"))
} }