From f67d59d7b8e8fbf0cf646def9075d528cb452ca2 Mon Sep 17 00:00:00 2001
From: Javier Viguera
Date: Fri, 8 Mar 2024 15:09:37 +0100
Subject: [PATCH] meta-digi: support SRK revocation mask when signing boot artifacts
The script to sign the boot artifacts lacked the support to configure the revocation mask. The at-the-moment supported platforms did not need it, but the ccimx93 does need it, so implement it in this commit.
https://onedigi.atlassian.net/browse/DEL-8704
Signed-off-by: Javier Viguera
---
 .../trustfence/trustfence-sign-tools/encrypt_ahab | 2 +-
 .../trustfence/trustfence-sign-tools/sign_ahab | 2 +-
 .../trustfence-sign-artifact-nxp.sh | 13 +++++++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
index f7df7b86c..8705ff5b4 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
@@ -14,7 +14,7 @@
 # Type of SRK set (NXP or OEM)
 Source set = OEM
 # bitmask of the revoked SRKs
- Revocations = 0x0
+ Revocations = %srk_rvk_mask%
 [Authenticate Data]
 # Binary to be signed generated by mkimage
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
index 0d43a64b3..c25212976 100644
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
@@ -14,7 +14,7 @@
 # Type of SRK set (NXP or OEM)
 Source set = OEM
 # bitmask of the revoked SRKs
- Revocations = 0x0
+ Revocations = %srk_rvk_mask%
 [Authenticate Data]
 # Binary to be signed generated by mkimage
diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-nxp.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-nxp.sh
index 4a6e222e9..3413d0121 100755
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-nxp.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-nxp.sh
@@ -17,6 +17,7 @@
 # The following environment variables define the script behaviour:
 # CONFIG_SIGN_KEYS_PATH: (mandatory) path to the CST folder by NXP with keys generated.
 # CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0.
+# SRK_REVOKE_MASK: (optional) bitmask of the revoked SRKs.
 # CONFIG_DEK_PATH: (optional) Path to keyfile. Define it to generate
 # encrypted images
 #
@@ -63,6 +64,10 @@ Supported platforms: ccimx6, ccimx6qp, ccimx6ul, ccimx8x, ccimx8mn, ccimx8mm
 EOF
 }
+to_hex() {
+ printf '0x%x' "${1}"
+}
+
 if [ "${#}" != "2" ]; then
 usage
 exit 1
@@ -157,6 +162,12 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 DEK_BLOB_OFFSET="0x100"
 fi
+[ -z "${SRK_REVOKE_MASK}" ] && SRK_REVOKE_MASK="0x0"
+if [ "$((SRK_REVOKE_MASK & 0x8))" != 0 ]; then
+ echo "Key 3 cannot be revoked. Removed from mask."
+ SRK_REVOKE_MASK="$((SRK_REVOKE_MASK - 8))"
+fi
+
 # Function to generate a PKI tree (with lock dir protection)
 GENPKI_LOCK_DIR="${CONFIG_SIGN_KEYS_PATH}/.genpki.lock"
 gen_pki_tree() {
@@ -324,6 +335,7 @@ elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 -e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
 -e "s,%kernel-img%,${KERNEL_NAME},g" \
 -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
+ -e "s,%srk_rvk_mask%,$(to_hex "${SRK_REVOKE_MASK}"),g" \
 -e "s,%container_offset%,${container_header_offset},g" \
 -e "s,%block_offset%,${signature_block_offset},g" \
 -e "s,%dek_path%,${CONFIG_DEK_PATH},g" \
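Review bot: The new `SRK_REVOKE_MASK` entry in the header comment (hunk `@@ -17,6 +17,7 @@`) does not tell the operator what the script does with the value; the default and the handling of bit 3 only show up in the code added further down. I would state both where the variable is documented, for example `# SRK_REVOKE_MASK: (optional) bitmask of the revoked SRKs (hex or decimal). Default is 0x0; bit 3 (0x8) is dropped because key 3 cannot be revoked.` Among the entries visible in this hunk it is also the only variable without the `CONFIG_` prefix, which deserves a word if that is deliberate.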
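Review bot: `SRK_REVOKE_MASK` comes from the environment and is used in `$(( ))` and in `to_hex` with no validation (block added at `@@ -157,6 +162,12 @@`, helper at `@@ -63,6 +64,10 @@`, consumed by the two `sed` calls in the AHAB branch). Depending on the shell, arithmetic expansion evaluates the value as an expression rather than parsing a number, bits above 0x8 pass unchanged into the CSF, and `printf '0x%x'` on a non-numeric argument typically emits `0x0` with an error status that the command substitution ignores, so a mistyped mask can end up signed as "no revocations". Because this value decides which keys a signed container revokes, I would reject anything that is not a 4-bit number and stop with an error on stderr instead of rewriting the mask and continuing with a message on stdout. It may also be worth refusing a mask whose bit for `CONFIG_KEY_INDEX` is set, assuming (not visible here) that the image would otherwise be signed with a key it marks as revoked. The block sits outside the `HAB`/`AHAB` conditionals, whose bodies are only partly visible in these hunks.

```shell
[ -z "${SRK_REVOKE_MASK}" ] && SRK_REVOKE_MASK="0x0"
# Accept only a 4-bit mask written as hex or decimal; anything else is an error.
case "${SRK_REVOKE_MASK}" in
	0[xX][0-9a-fA-F]|[0-9]|1[0-5]) ;;
	*)
		echo "Invalid SRK_REVOKE_MASK '${SRK_REVOKE_MASK}'" >&2
		exit 1
		;;
esac
if [ "$((SRK_REVOKE_MASK & 0x8))" != 0 ]; then
	# Fail instead of silently signing with a different mask than requested.
	echo "Key 3 cannot be revoked." >&2
	exit 1
fi
# … unchanged: gen_pki_tree and the rest of the script …
```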
@@ -334,6 +346,7 @@ elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 -e "s,%cert_img%,${SRK_CERT_KEY_IMG},g" \
 -e "s,%kernel-img%,${KERNEL_NAME},g" \
 -e "s,%key_index%,${CONFIG_KEY_INDEX},g" \
+ -e "s,%srk_rvk_mask%,$(to_hex "${SRK_REVOKE_MASK}"),g" \
 -e "s,%container_offset%,${container_header_offset},g" \
 -e "s,%block_offset%,${signature_block_offset},g" \
 "${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor