trustfence: add TRUSTFENCE_ENCRYPT variable
Add a variable analogous to TRUSTFENCE_SIGN to enable/disable artifact encryption. Deprecate TRUSTFENCE_DEK_PATH in favor of TRUSTFENCE_KEYS_PATH to use a more generic name and avoid overloading it as an on/off flag. Add per-key variables for encryption key filenames to avoid hardcoded names and allow platform overrides. Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit is contained in:
Arturo Buzarra
parent
e9ad0abb48
commit
fc1d3c5f75
|
|
@ -230,10 +230,10 @@ trustence_sign_cpio() {
|
|||
#
|
||||
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
|
||||
# Set environment variables for trustfence configuration
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||
[ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}"
|
||||
# Sign/encrypt the ramdisk
|
||||
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
|
||||
else
|
||||
|
|
@ -252,7 +252,7 @@ IMAGE_TYPES += "cpio.gz.u-boot.tf"
|
|||
do_image_squashfs[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'rootfs_sign', '', d)}"
|
||||
rootfs_sign() {
|
||||
# Set environment variables for trustfence configuration
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||
[ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||
|
||||
ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.squashfs"
|
||||
|
|
@ -263,4 +263,4 @@ rootfs_sign() {
|
|||
}
|
||||
rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}"
|
||||
|
||||
do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
||||
do_image_squashfs[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
||||
|
|
|
|||
|
|
@ -134,13 +134,13 @@ ST_USERFS = "0"
|
|||
# Boot artifacts to be copied from the deploy dir to the installer ZIP
|
||||
BOOTABLE_ARTIFACTS = " \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
|
||||
'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
|
||||
'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \
|
||||
'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
|
||||
metadata-ccmp25-dvk.bin \
|
||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
|
||||
'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \
|
||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
|
||||
'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \
|
||||
'fip-ccmp25-dvk-optee-emmc.bin')} \
|
||||
"
|
||||
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ compile_mx8m() {
|
|||
|
||||
compile_mx8m:append:ccimx8m() {
|
||||
# Create dummy DEK blob to support building with encrypted u-boot
|
||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
dd if=/dev/zero of=${BOOT_STAGING}/dek_blob_fit_dummy.bin bs=96 count=1 oflag=sync
|
||||
fi
|
||||
}
|
||||
|
|
@ -200,7 +200,7 @@ do_deploy:ccimx8x () {
|
|||
|
||||
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign_imxboot', '', d)}"
|
||||
trustfence_sign_imxboot() {
|
||||
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_KEYS_PATH}"
|
||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_FIT_HAB_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-print_fit_hab.log"
|
||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}"
|
||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}"
|
||||
|
|
@ -216,21 +216,21 @@ trustfence_sign_imxboot() {
|
|||
fi
|
||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${target}.log"
|
||||
env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-signed-${MACHINE}.bin-${target}
|
||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_DEK_PATH} ENABLE_ENCRYPTION=y"
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME} ENABLE_ENCRYPTION=y"
|
||||
env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-encrypted-${MACHINE}.bin-${target}
|
||||
fi
|
||||
done
|
||||
|
||||
# Generate symlinks for trustfence artifacts.
|
||||
ln -sf imx-boot-signed-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-signed-${MACHINE}.bin
|
||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
ln -sf imx-boot-encrypted-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-encrypted-${MACHINE}.bin
|
||||
fi
|
||||
}
|
||||
|
||||
trustfence_sign_imxboot:ccimx8x() {
|
||||
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_KEYS_PATH}"
|
||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}"
|
||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}"
|
||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && TF_SIGN_ENV="$TF_SIGN_ENV SRK_REVOKE_MASK=${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||
|
|
@ -245,8 +245,8 @@ trustfence_sign_imxboot:ccimx8x() {
|
|||
for rev in ${SOC_REVISIONS}; do
|
||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${rev}-${target}.log"
|
||||
env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-signed-${MACHINE}-${rev}.bin-${target}
|
||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_DEK_PATH} ENABLE_ENCRYPTION=y"
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME} ENABLE_ENCRYPTION=y"
|
||||
env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-encrypted-${MACHINE}-${rev}.bin-${target}
|
||||
fi
|
||||
done
|
||||
|
|
@ -255,11 +255,11 @@ trustfence_sign_imxboot:ccimx8x() {
|
|||
# Generate symlinks for trustfence artifacts.
|
||||
for rev in ${SOC_REVISIONS}; do
|
||||
ln -sf ${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin
|
||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
ln -sf ${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
trustfence_sign_imxboot[dirs] = "${DEPLOYDIR}"
|
||||
trustfence_sign_imxboot[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH TRUSTFENCE_SIGN_MODE TRUSTFENCE_SRK_REVOKE_MASK TRUSTFENCE_UNLOCK_KEY_REVOCATION"
|
||||
trustfence_sign_imxboot[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_ENCRYPT TRUSTFENCE_SIGN_MODE TRUSTFENCE_SRK_REVOKE_MASK TRUSTFENCE_UNLOCK_KEY_REVOCATION"
|
||||
|
|
|
|||
|
|
@ -46,8 +46,8 @@ UUU_BOOTLOADER:mx9-generic-bsp = ""
|
|||
UBOOT_INITIAL_ENV = ""
|
||||
|
||||
python __anonymous() {
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN") != "1"):
|
||||
bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_DEK_PATH = \"0\")")
|
||||
if (d.getVar("TRUSTFENCE_ENCRYPT") == "1") and (d.getVar("TRUSTFENCE_SIGN") != "1"):
|
||||
bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_ENCRYPT = \"0\")")
|
||||
}
|
||||
|
||||
do_configure[prefuncs] += "${@oe.utils.ifelse(d.getVar('UBOOT_TF_CONF'), 'trustfence_config', '')}"
|
||||
|
|
@ -102,13 +102,13 @@ build_uboot_scripts() {
|
|||
# Change the u-boot name when TrustFence is enabled
|
||||
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
sed -i -e 's,##SIGNED##,encrypted,g' ${TMP_INSTALL_SCR}
|
||||
else
|
||||
sed -i -e 's,##SIGNED##,signed,g' ${TMP_INSTALL_SCR}
|
||||
fi
|
||||
else
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
sed -i -e 's,##SIGNED##,_Encrypted_Signed,g' ${TMP_INSTALL_SCR}
|
||||
else
|
||||
sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
|
||||
|
|
@ -133,10 +133,10 @@ build_uboot_scripts() {
|
|||
|
||||
# Sign the boot script if not contained in a FIT image
|
||||
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||
[ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}"
|
||||
|
||||
# Sign boot script
|
||||
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
||||
|
|
@ -190,7 +190,7 @@ sign_uboot() {
|
|||
ln -sf ${UBOOT_BINARYNAME}-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-signed-${type}.${UBOOT_SUFFIX}
|
||||
cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-usb-signed.imx ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
|
||||
ln -sf ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-usb-signed-${type}.${UBOOT_SUFFIX}
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-encrypted.imx ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
|
||||
ln -sf ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-encrypted-${type}.${UBOOT_SUFFIX}
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -14,6 +14,12 @@
|
|||
# Description:
|
||||
# Script for generating PKI tree using STM tools
|
||||
#
|
||||
# The following environment variables define the script behaviour:
|
||||
# CONFIG_SIGN_KEYS_PATH: (mandatory) Path to the folder to hold the generated PKI tree keys.
|
||||
# CONFIG_FIP_ENCRYPT_KEYNAME: (optional) Encryption key filename for FIP
|
||||
# CONFIG_FSBL_ENCRYPT_KEYNAME: (optional) Encryption key filename for FSBL
|
||||
# CONFIG_RPROC_ENCRYPT_KEYNAME: (optional) Encryption key filename for RPROC
|
||||
#
|
||||
#===============================================================================
|
||||
|
||||
# Avoid parallel execution of this script
|
||||
|
|
@ -137,33 +143,33 @@ if [ "${PLATFORM}" = "ccmp25" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
if [ -n "${CONFIG_DEK_PATH}" ]; then
|
||||
[ -d "${CONFIG_DEK_PATH}" ] || mkdir "${CONFIG_DEK_PATH}"
|
||||
if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
|
||||
|
||||
# Generate random keys if they don't exist
|
||||
if [ "${PLATFORM}" = "ccmp25" ]; then
|
||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" ]; then
|
||||
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
|
||||
echo "Generating random encryption key for FSBL"
|
||||
if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"; then
|
||||
if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
|
||||
echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
|
||||
exit 1
|
||||
fi
|
||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"
|
||||
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fip.bin" ]; then
|
||||
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
|
||||
echo "Generating random encryption key for FIP"
|
||||
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"; then
|
||||
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
|
||||
echo "[ERROR] Failed to generate 32-byte FIP encryption key"
|
||||
exit 1
|
||||
fi
|
||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"
|
||||
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_rproc.bin" ]; then
|
||||
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
|
||||
echo "Generating random encryption keys for Cortex-M coprocessor"
|
||||
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_rproc.bin"; then
|
||||
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"; then
|
||||
echo "[ERROR] Failed to generate 32-byte Cortex-M encryption key"
|
||||
exit 1
|
||||
fi
|
||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_rproc.bin"
|
||||
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
else
|
||||
echo "[ERROR] Could not generate encryption keys. Platform not supported."
|
||||
|
|
|
|||
|
|
@ -15,6 +15,8 @@
|
|||
# Script for building signed and encrypted artifacts using STM sign tools.
|
||||
#
|
||||
# The following environment variables define the script behaviour:
|
||||
# CONFIG_SIGN_KEYS_PATH: (mandatory) Path to the folder with the PKI tree keys generated.
|
||||
# CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0.
|
||||
#
|
||||
#===============================================================================
|
||||
|
||||
|
|
|
|||
|
|
@ -5,10 +5,10 @@ DEPENDS += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence-sign-to
|
|||
do_deploy[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence_sign', '', d)}"
|
||||
trustfence_sign() {
|
||||
# Set environment variables for trustfence configuration
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||
[ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}"
|
||||
|
||||
# Sign/encrypt the kernel images
|
||||
for type in ${KERNEL_IMAGETYPES}; do
|
||||
|
|
@ -52,5 +52,5 @@ trustfence_sign() {
|
|||
}
|
||||
trustfence_sign[dirs] = "${DEPLOYDIR}"
|
||||
|
||||
do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
|
||||
do_deploy[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
||||
|
||||
|
|
|
|||
|
|
@ -41,7 +41,7 @@ curate_bootloader_artifacts() {
|
|||
if [ "${DEY_SOC_VENDOR}" = "NXP" ] && echo "${artifact}" | grep -q -e "##SIGNED##"; then
|
||||
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
||||
if [ "${DIGI_SOM}" = "ccimx6ul" ]; then
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
# Encrypted bootloader
|
||||
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
|
||||
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
||||
|
|
@ -54,7 +54,7 @@ curate_bootloader_artifacts() {
|
|||
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_USB_STRING},")
|
||||
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
||||
else
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
# Encrypted bootloader
|
||||
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
|
||||
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
||||
|
|
|
|||
|
|
@ -100,7 +100,7 @@ SWUPDATE_UBOOT_SCRIPT_NAME = "${@os.path.basename(d.getVar('SWUPDATE_UBOOT_SCRIP
|
|||
def get_uboot_prefix(d):
|
||||
prefix = d.getVar('UBOOT_PREFIX')
|
||||
if d.getVar('DEY_SOC_VENDOR') == "NXP" and d.getVar('TRUSTFENCE_ENABLED') == "1":
|
||||
if d.getVar('TRUSTFENCE_DEK_PATH') and d.getVar('TRUSTFENCE_DEK_PATH') != "0":
|
||||
if d.getVar('TRUSTFENCE_ENCRYPT') == "1":
|
||||
prefix = f"{prefix}-encrypted"
|
||||
else:
|
||||
prefix = f"{prefix}-signed"
|
||||
|
|
@ -124,7 +124,7 @@ SWUPDATE_UBOOT_OFFSET ?= "${BOOTLOADER_SEEK_BOOTPART}"
|
|||
|
||||
# Retrieve the correct encryption type.
|
||||
def get_swupdate_uboot_enc(d):
|
||||
if d.getVar('TRUSTFENCE_DEK_PATH') and d.getVar('TRUSTFENCE_DEK_PATH') != "0" :
|
||||
if d.getVar('TRUSTFENCE_ENCRYPT') == "1" :
|
||||
return "enc"
|
||||
return "normal"
|
||||
|
||||
|
|
|
|||
|
|
@ -16,8 +16,15 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
|
|||
|
||||
# Default secure boot configuration
|
||||
TRUSTFENCE_SIGN ?= "1"
|
||||
TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
|
||||
TRUSTFENCE_DEK_PATH ?= "${TF_DEK_PATH}"
|
||||
TRUSTFENCE_ENCRYPT ?= "${TF_ENCRYPT}"
|
||||
TRUSTFENCE_KEYS_PATH ?= "${TOPDIR}/trustfence"
|
||||
# NXP keys
|
||||
TRUSTFENCE_DEK_ENCRYPT_KEYNAME ?= "dek.bin"
|
||||
# STM keys
|
||||
TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "encryption_key_fip.bin"
|
||||
TRUSTFENCE_FSBL_ENCRYPT_KEYNAME ?= "encryption_key_fsbl.bin"
|
||||
TRUSTFENCE_RPROC_ENCRYPT_KEYNAME ?= "encryption_key_rproc.bin"
|
||||
|
||||
TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
|
||||
TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
|
||||
TRUSTFENCE_KEY_INDEX ?= "0"
|
||||
|
|
@ -46,9 +53,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
|
|||
#
|
||||
|
||||
# Platform specific defaults
|
||||
TF_DEK_PATH = "default"
|
||||
TF_DEK_PATH:ccimx9 = "0"
|
||||
TF_DEK_PATH:ccmp1 = "0"
|
||||
TF_ENCRYPT = "1"
|
||||
TF_ENCRYPT:ccimx9 = "0"
|
||||
TF_ENCRYPT:ccmp1 = "0"
|
||||
TF_FILE_BASED_ENCRYPT = "0"
|
||||
TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
|
||||
TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
|
||||
|
|
@ -70,15 +77,17 @@ TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg"
|
|||
TRUSTFENCE_FIT_IMG_SIGN_KEYNAME ?= "fitimg"
|
||||
|
||||
# Function to generate a PKI tree (with lock dir protection)
|
||||
GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
|
||||
GENPKI_LOCK_DIR = "${TRUSTFENCE_KEYS_PATH}/.genpki.lock"
|
||||
gen_pki_tree() {
|
||||
if mkdir -p ${GENPKI_LOCK_DIR}; then
|
||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||
trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
|
||||
trustfence-gen-pki.sh ${TRUSTFENCE_KEYS_PATH}
|
||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
||||
export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||
export CONFIG_FIP_ENCRYPT_KEYNAME="${TRUSTFENCE_FIP_ENCRYPT_KEYNAME}"
|
||||
export CONFIG_FSBL_ENCRYPT_KEYNAME="${TRUSTFENCE_FSBL_ENCRYPT_KEYNAME}"
|
||||
export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
|
||||
fi
|
||||
trustfence-gen-pki.sh -p ${DIGI_SOM}
|
||||
fi
|
||||
|
|
@ -91,7 +100,7 @@ gen_pki_tree() {
|
|||
# Function that generates a PKI tree if there isn't one
|
||||
check_gen_pki_tree() {
|
||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||
SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
|
||||
SRK_KEYS="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
|
||||
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
|
||||
if [ "${n_commas}" -eq 0 ]; then
|
||||
gen_pki_tree
|
||||
|
|
@ -112,7 +121,7 @@ copy_public_key() {
|
|||
|
||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||
KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
|
||||
PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
|
||||
# The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
|
||||
# generation and leaves them in the crts/ folder. However, the PKI tree may
|
||||
# already exist, the PKI generation script not called, and then the public
|
||||
|
|
@ -120,9 +129,9 @@ copy_public_key() {
|
|||
# selected public key.
|
||||
if [ ! -f "${PUBLIC_KEY}" ]; then
|
||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
|
||||
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
|
||||
CERT_IMG="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
|
||||
else
|
||||
bberror "Unknown TRUSTFENCE_SIGN_MODE value"
|
||||
exit 1
|
||||
|
|
@ -132,9 +141,9 @@ copy_public_key() {
|
|||
fi
|
||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
||||
if [ "${DIGI_SOM}" = "ccmp15" ]; then
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem"
|
||||
PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/keys/publicKey.pem"
|
||||
else
|
||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
|
||||
PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
|
||||
fi
|
||||
else
|
||||
echo "ERROR: Cannot determine the public key"
|
||||
|
|
@ -152,6 +161,14 @@ python () {
|
|||
import hashlib
|
||||
import os
|
||||
|
||||
# Check backwards compatibility
|
||||
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
||||
d.setVar("TRUSTFENCE_KEYS_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
|
||||
if d.getVar("TRUSTFENCE_DEK_PATH"):
|
||||
DEK_PATH = os.path.dirname(d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
if (d.getVar("TRUSTFENCE_KEYS_PATH") != DEK_PATH):
|
||||
bb.fatal('[trustfence] TRUSTFENCE_DEK_PATH is deprecated; Set new variable TRUSTFENCE_KEYS_PATH to the directory containing both your sign and encryption keys.')
|
||||
|
||||
# Secure console configuration
|
||||
if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE") == "1"):
|
||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_DISABLE=y ")
|
||||
|
|
@ -170,16 +187,6 @@ python () {
|
|||
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_CONSOLE_ENABLE_GPIO_ACTIVE_LOW is not set" ')
|
||||
|
||||
# Secure boot configuration
|
||||
if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
|
||||
d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
|
||||
|
||||
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
|
||||
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
|
||||
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
|
||||
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"));
|
||||
|
||||
if (d.getVar("TRUSTFENCE_SIGN") == "1"):
|
||||
# Set STM-specific variables for signing images
|
||||
if (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
||||
|
|
@ -187,17 +194,17 @@ python () {
|
|||
d.setVar("EXTERNAL_KEY_CONF", "1")
|
||||
d.setVar("SIGN_TOOL", "STM32MP_SigningTool_CLI")
|
||||
if (d.getVar("DIGI_SOM") == "ccmp15" ):
|
||||
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey.pem");
|
||||
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt")
|
||||
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/privateKey.pem");
|
||||
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/key_pass.txt")
|
||||
else:
|
||||
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX"));
|
||||
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass0%s.txt" % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
||||
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX"));
|
||||
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/key_pass0%s.txt" % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
||||
if (d.getVar("SIGN_COPRO_ENABLE") == "1" ):
|
||||
d.setVar("SIGN_COPRO_ECC_PRIVKEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/rproc-keys/privateKey.pem")
|
||||
d.setVar("SIGN_COPRO_ECC_PRIVKEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/rproc-keys/privateKey.pem")
|
||||
d.setVar("SIGN_COPRO_ECC_PRIVKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_PRIVKEY"))
|
||||
d.setVar("SIGN_COPRO_ECC_INFOKEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/rproc-keys/publicKey.der")
|
||||
d.setVar("SIGN_COPRO_ECC_INFOKEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/rproc-keys/publicKey.der")
|
||||
d.setVar("SIGN_COPRO_ECC_INFOKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_INFOKEY"))
|
||||
d.setVar("TRUSTFENCE_COPRO_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "rproc-keys/key_pass.txt")
|
||||
d.setVar("TRUSTFENCE_COPRO_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "rproc-keys/key_pass.txt")
|
||||
d.setVar("SIGN_COPRO_ECC_PASS_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), "UNDEFINED");
|
||||
d.setVar("SIGN_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_KEY"));
|
||||
|
||||
|
|
@ -209,26 +216,26 @@ python () {
|
|||
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_LEGACY_IMAGE_FORMAT is not set" ')
|
||||
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
|
||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
|
||||
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
|
||||
if d.getVar("TRUSTFENCE_KEYS_PATH"):
|
||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_KEYS_PATH"))
|
||||
if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION") == "1"):
|
||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
|
||||
if d.getVar("TRUSTFENCE_KEY_INDEX"):
|
||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
||||
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
|
||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
if (d.getVar("TRUSTFENCE_ENCRYPT") == "1"):
|
||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s/%s" ' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_DEK_ENCRYPT_KEYNAME")))
|
||||
if d.getVar("TRUSTFENCE_SIGN_MODE"):
|
||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
|
||||
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
|
||||
if (d.getVar("TRUSTFENCE_ENCRYPT") == "1"):
|
||||
d.setVar("ENCRYPT_ENABLE", "1")
|
||||
d.setVar("ENCRYPT_FSBL_KEY", '%s/encryption_key_fsbl.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
d.setVar("ENCRYPT_FSBL_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_FSBL_ENCRYPT_KEYNAME")))
|
||||
d.setVar("ENCRYPT_FSBL_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FSBL_KEY"))
|
||||
d.setVar("ENCRYPT_FIP_KEY", '%s/encryption_key_fip.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
d.setVar("ENCRYPT_FIP_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_FIP_ENCRYPT_KEYNAME")))
|
||||
d.setVar("ENCRYPT_FIP_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FIP_KEY"))
|
||||
if (d.getVar("ENCRYPT_COPRO_ENABLE") == "1"):
|
||||
d.setVar("ENCRYPT_COPRO_KEY", '%s/encryption_key_rproc.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||
d.setVar("ENCRYPT_COPRO_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_RPROC_ENCRYPT_KEYNAME")))
|
||||
d.setVar("ENCRYPT_COPRO_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_COPRO_KEY"))
|
||||
|
||||
if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"):
|
||||
|
|
@ -244,7 +251,7 @@ python () {
|
|||
# Enable FIT signing support
|
||||
d.setVar("UBOOT_SIGN_ENABLE", d.getVar("TRUSTFENCE_SIGN"))
|
||||
# Set path to FIT signing keys
|
||||
d.setVar("UBOOT_SIGN_KEYDIR", "%s/fit" % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
|
||||
d.setVar("UBOOT_SIGN_KEYDIR", "%s/fit" % d.getVar("TRUSTFENCE_KEYS_PATH"))
|
||||
|
||||
else:
|
||||
# Disable signing artifacts if TRUSTFENCE_SIGN != 1
|
||||
|
|
@ -262,7 +269,7 @@ python () {
|
|||
d.setVar("SWUPDATE_SIGNING", "RSA")
|
||||
|
||||
# Retrieve the keys path to use.
|
||||
keys_path = d.getVar("TRUSTFENCE_SIGN_KEYS_PATH")
|
||||
keys_path = d.getVar("TRUSTFENCE_KEYS_PATH")
|
||||
|
||||
# Retrieve the key index to use.
|
||||
key_index = 0
|
||||
|
|
|
|||
Loading…
Reference in New Issue