meta-digi: support SRK revocation mask when signing boot artifacts

The script to sign the boot artifacts lacked the support to configure the revocation mask. The at-the-moment supported platforms did not need it, but the ccimx93 does need it, so implement it in this commit. https://onedigi.atlassian.net/browse/DEL-8704 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
2024-03-08 15:09:37 +01:00 · 2024-03-08 15:09:37 +01:00 · f67d59d7b8
parent 15211c3133
commit f67d59d7b8
3 changed files with 15 additions and 2 deletions
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/encrypt_ahab
@ -14,7 +14,7 @@
    # Type of SRK set (NXP or OEM)
    Source set = OEM
    # bitmask of the revoked SRKs
-    Revocations = 0x0
+    Revocations = %srk_rvk_mask%

 [Authenticate Data]
    # Binary to be signed generated by mkimage
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/sign_ahab
@ -14,7 +14,7 @@
    # Type of SRK set (NXP or OEM)
    Source set = OEM
    # bitmask of the revoked SRKs
-    Revocations = 0x0
+    Revocations = %srk_rvk_mask%

 [Authenticate Data]
    # Binary to be signed generated by mkimage
--- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-nxp.sh
+++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-nxp.sh
@ -17,6 +17,7 @@
 #    The following environment variables define the script behaviour:
 #      CONFIG_SIGN_KEYS_PATH: (mandatory) path to the CST folder by NXP with keys generated.
 #      CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0.
+#      SRK_REVOKE_MASK: (optional) bitmask of the revoked SRKs.
 #      CONFIG_DEK_PATH: (optional) Path to keyfile. Define it to generate
 #			encrypted images
 #
@ -63,6 +64,10 @@ Supported platforms: ccimx6, ccimx6qp, ccimx6ul, ccimx8x, ccimx8mn, ccimx8mm
 EOF
 }

+to_hex() {
+	printf '0x%x' "${1}"
+}
+
 if [ "${#}" != "2" ]; then
 	usage
 	exit 1
@ -157,6 +162,12 @@ if [ "${CONFIG_SIGN_MODE}" = "HAB" ]; then
 	DEK_BLOB_OFFSET="0x100"
 fi

+[ -z "${SRK_REVOKE_MASK}" ] && SRK_REVOKE_MASK="0x0"
+if [ "$((SRK_REVOKE_MASK & 0x8))" != 0 ]; then
+	echo "Key 3 cannot be revoked. Removed from mask."
+	SRK_REVOKE_MASK="$((SRK_REVOKE_MASK - 8))"
+fi
+
 # Function to generate a PKI tree (with lock dir protection)
 GENPKI_LOCK_DIR="${CONFIG_SIGN_KEYS_PATH}/.genpki.lock"
 gen_pki_tree() {
@ -324,6 +335,7 @@ elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 		-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g"		   	\
 		-e "s,%kernel-img%,${KERNEL_NAME},g"		   	\
 		-e "s,%key_index%,${CONFIG_KEY_INDEX},g"	   	\
+		-e "s,%srk_rvk_mask%,$(to_hex "${SRK_REVOKE_MASK}"),g"	\
 		-e "s,%container_offset%,${container_header_offset},g" 	\
 		-e "s,%block_offset%,${signature_block_offset},g" 	\
 		-e "s,%dek_path%,${CONFIG_DEK_PATH},g"		   	\
@ -334,6 +346,7 @@ elif [ "${CONFIG_SIGN_MODE}" = "AHAB" ]; then
 		-e "s,%cert_img%,${SRK_CERT_KEY_IMG},g"		   	\
 		-e "s,%kernel-img%,${KERNEL_NAME},g"		   	\
 		-e "s,%key_index%,${CONFIG_KEY_INDEX},g"	   	\
+		-e "s,%srk_rvk_mask%,$(to_hex "${SRK_REVOKE_MASK}"),g"	\
 		-e "s,%container_offset%,${container_header_offset},g" 	\
 		-e "s,%block_offset%,${signature_block_offset},g" 	\
 		"${SCRIPT_PATH}/csf_templates/sign_ahab" > csf_descriptor