Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

trustfence: image_types: do not sign artifacts for STM platforms 

For the moment, do not sign aditional artifacts, such as the ramdisk,
the kernel or the boot scripts for STM platforms.

In the specific case of the ramdisk, simply copy it over with the
expected filename extension.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit is contained in:
Hector Palacios 2023-04-25 12:43:30 +02:00
parent 13c136dbc5
commit fa1c877758
4 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
meta-digi-arm/classes/image_types_digi.bbclass
View File

@ -207,7 +207,14 @@ trustence_sign_cpio() {
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
# Sign/encrypt the ramdisk # Sign/encrypt the ramdisk
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf" trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
# TODO: sign the ramdisk for ST platforms
# (fall-back) Copy the image with no changes
cp "${1}" "${1}.tf"
fi
else else
# Copy the image with no changes # Copy the image with no changes
cp "${1}" "${1}.tf" cp "${1}" "${1}.tf"

4
meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc
View File

@ -99,8 +99,8 @@ build_uboot_scripts() {
# Alternate boot script for dualboot # Alternate boot script for dualboot
mkimage -T script -n "Alternate bootscript" -C none -d ${WORKDIR}/altboot.txt ${DEPLOYDIR}/altboot.scr mkimage -T script -n "Alternate bootscript" -C none -d ${WORKDIR}/altboot.txt ${DEPLOYDIR}/altboot.scr
# Sign the scripts # Sign the scripts (TODO signing of artifacts for STM-based platforms)
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then if [ [ "${TRUSTFENCE_SIGN}" = "1" ] && [ "${DEY_SOC_VENDOR}" != "STM" ] ]; then
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"

3
meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc
View File

@ -5,6 +5,9 @@ DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-too
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}" do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
trustfence_sign() { trustfence_sign() {
# TODO: signing of artifacts for STM-based platforms
[ "${DEY_SOC_VENDOR}" = "STM" ] && return
# Set environment variables for trustfence configuration # Set environment variables for trustfence configuration
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"

3
meta-digi-dey/classes/trustfence.bbclass
View File

@ -70,7 +70,7 @@ python () {
d.setVar("FIP_SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX")); d.setVar("FIP_SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX"));
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt") d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt")
d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y CONFIG_AUTH_ARTIFACTS=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_SIGN_IMAGE=y ")
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"): if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ") d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"): if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
@ -80,6 +80,7 @@ python () {
if d.getVar("TRUSTFENCE_KEY_INDEX"): if d.getVar("TRUSTFENCE_KEY_INDEX"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX")) d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
if (d.getVar("DEY_SOC_VENDOR") == "NXP"): if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTH_ARTIFACTS=y ")
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]): if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH")) d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
if d.getVar("TRUSTFENCE_SIGN_MODE"): if d.getVar("TRUSTFENCE_SIGN_MODE"):