diff --git a/meta-digi-arm/classes/image_types_digi.bbclass b/meta-digi-arm/classes/image_types_digi.bbclass index 59b1e3029..2bcb1b5b4 100644 --- a/meta-digi-arm/classes/image_types_digi.bbclass +++ b/meta-digi-arm/classes/image_types_digi.bbclass @@ -230,10 +230,10 @@ trustence_sign_cpio() { # if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then # Set environment variables for trustfence configuration - export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" + export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}" - [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + [ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}" # Sign/encrypt the ramdisk trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf" else @@ -252,7 +252,7 @@ IMAGE_TYPES += "cpio.gz.u-boot.tf" do_image_squashfs[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'rootfs_sign', '', d)}" rootfs_sign() { # Set environment variables for trustfence configuration - export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" + export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}" [ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.squashfs" @@ -263,4 +263,4 @@ rootfs_sign() { } rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}" -do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX" +do_image_squashfs[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX" diff --git a/meta-digi-arm/conf/machine/ccmp25-dvk.conf b/meta-digi-arm/conf/machine/ccmp25-dvk.conf index 420da4a5e..8bdf6f5f1 100644 --- a/meta-digi-arm/conf/machine/ccmp25-dvk.conf 
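Review bot: In `rootfs_sign()` (second hunk of image_types_digi.bbclass) the key-index guard tests `${CONFIG_KEY_INDEX}` rather than `${TRUSTFENCE_KEY_INDEX}`, unlike `trustence_sign_cpio()` just above, and the commit leaves that context line as it was. Unless CONFIG_KEY_INDEX is already set when the function runs, the export is skipped and the squashfs is presumably signed with the signing script's default index instead of the configured one, which matters once the default key has been revoked. Since the neighbouring line is being touched anyway, change it to `[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"`.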
+++ b/meta-digi-arm/conf/machine/ccmp25-dvk.conf @@ -134,13 +134,13 @@ ST_USERFS = "0" # Boot artifacts to be copied from the deploy dir to the installer ZIP BOOTABLE_ARTIFACTS = " \ ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \ - oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \ - 'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \ + oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \ + 'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \ 'tf-a-ccmp25-dvk-optee-emmc.stm32')} \ metadata-ccmp25-dvk.bin \ ${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \ - oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \ - 'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \ + oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \ + 'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \ 'fip-ccmp25-dvk-optee-emmc.bin')} \ " diff --git a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend index c015cab1e..b132a77ce 100644 --- a/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend +++ b/meta-digi-arm/dynamic-layers/freescale-layer/recipes-bsp/imx-mkimage/imx-boot_1.0.bbappend @@ -59,7 +59,7 @@ compile_mx8m() { compile_mx8m:append:ccimx8m() { # Create dummy DEK blob to support building with encrypted u-boot - if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then dd if=/dev/zero of=${BOOT_STAGING}/dek_blob_fit_dummy.bin bs=96 count=1 oflag=sync fi } 
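Review bot: In `BOOTABLE_ARTIFACTS` the inner `oe.utils.ifelse` still asks `d.getVar('TRUSTFENCE_ENCRYPT') == '0'`, so any value other than "0" (unset, empty, a typo) selects the `${ENCRYPT_SUFFIX}` artifact names, while the shell and Python tests elsewhere in this commit encrypt only when the value is exactly "1". With such a value the installer would presumably list encrypted TF-A and FIP files that the build never produced. Test for `== '1'` and swap the branches, e.g. `oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '1', 'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32')`, and do the same for the FIP entry.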
@@ -200,7 +200,7 @@ do_deploy:ccimx8x () { do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign_imxboot', '', d)}" trustfence_sign_imxboot() { - TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_SIGN_KEYS_PATH}" + TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_KEYS_PATH}" TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_FIT_HAB_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-print_fit_hab.log" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}" 
@@ -216,21 +216,21 @@ trustfence_sign_imxboot() { fi TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${target}.log" env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-signed-${MACHINE}.bin-${target} - if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then - TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_DEK_PATH} ENABLE_ENCRYPTION=y" + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then + TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME} ENABLE_ENCRYPTION=y" env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-encrypted-${MACHINE}.bin-${target} fi done # Generate symlinks for trustfence artifacts. ln -sf imx-boot-signed-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-signed-${MACHINE}.bin - if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then ln -sf imx-boot-encrypted-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-encrypted-${MACHINE}.bin fi } trustfence_sign_imxboot:ccimx8x() { - TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_SIGN_KEYS_PATH}" + TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}" [ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && TF_SIGN_ENV="$TF_SIGN_ENV SRK_REVOKE_MASK=${TRUSTFENCE_SRK_REVOKE_MASK}" 
@@ -245,8 +245,8 @@ trustfence_sign_imxboot:ccimx8x() { for rev in ${SOC_REVISIONS}; do TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${rev}-${target}.log" env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-signed-${MACHINE}-${rev}.bin-${target} - if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then - TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_DEK_PATH} ENABLE_ENCRYPTION=y" + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then + TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME} ENABLE_ENCRYPTION=y" env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-encrypted-${MACHINE}-${rev}.bin-${target} fi done @@ -255,11 +255,11 @@ trustfence_sign_imxboot:ccimx8x() { # Generate symlinks for trustfence artifacts. for rev in ${SOC_REVISIONS}; do ln -sf ${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin - if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then ln -sf ${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin fi done } trustfence_sign_imxboot[dirs] = "${DEPLOYDIR}" -trustfence_sign_imxboot[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH TRUSTFENCE_SIGN_MODE TRUSTFENCE_SRK_REVOKE_MASK TRUSTFENCE_UNLOCK_KEY_REVOCATION" +trustfence_sign_imxboot[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_ENCRYPT TRUSTFENCE_SIGN_MODE TRUSTFENCE_SRK_REVOKE_MASK TRUSTFENCE_UNLOCK_KEY_REVOCATION" diff --git a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc index 8ba8c386d..c325cceb8 100644 --- a/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc 
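Review bot: `trustfence_sign_imxboot[vardeps]` gains `TRUSTFENCE_ENCRYPT` but not `TRUSTFENCE_DEK_ENCRYPT_KEYNAME`, although the function now builds `CONFIG_DEK_PATH` from both. The gap is wider in linux-trustfence.inc, where `do_deploy[vardeps]` drops `TRUSTFENCE_DEK_PATH` and adds neither variable even though `trustfence_sign()` reads both. If these lists are what ties the postfuncs' inputs to the task signature, toggling encryption or renaming the DEK would not re-run the tasks, and stale signed or encrypted artifacts could be reused from sstate. Add the two names to both lists, e.g. `do_deploy[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_ENCRYPT TRUSTFENCE_DEK_ENCRYPT_KEYNAME"`.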
+++ b/meta-digi-arm/recipes-bsp/u-boot/u-boot-dey.inc @@ -46,8 +46,8 @@ UUU_BOOTLOADER:mx9-generic-bsp = "" UBOOT_INITIAL_ENV = "" python __anonymous() { - if (d.getVar("TRUSTFENCE_DEK_PATH") not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN") != "1"): - bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_DEK_PATH = \"0\")") + if (d.getVar("TRUSTFENCE_ENCRYPT") == "1") and (d.getVar("TRUSTFENCE_SIGN") != "1"): + bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_ENCRYPT = \"0\")") } do_configure[prefuncs] += "${@oe.utils.ifelse(d.getVar('UBOOT_TF_CONF'), 'trustfence_config', '')}" @@ -102,13 +102,13 @@ build_uboot_scripts() { # Change the u-boot name when TrustFence is enabled if [ "${TRUSTFENCE_SIGN}" = "1" ]; then if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then - if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then sed -i -e 's,##SIGNED##,encrypted,g' ${TMP_INSTALL_SCR} else sed -i -e 's,##SIGNED##,signed,g' ${TMP_INSTALL_SCR} fi else - if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then sed -i -e 's,##SIGNED##,_Encrypted_Signed,g' ${TMP_INSTALL_SCR} else sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR} 
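Review bot: The anonymous Python guard in the first u-boot-dey.inc hunk only rejects `TRUSTFENCE_ENCRYPT == "1"` without signing and accepts every other value. Before this commit the shell tests were `!= "0"`, so an unexpected value meant "encrypt"; with the new `= "1"` tests in `build_uboot_scripts()` a value such as `"yes"` or an empty string silently yields signed-only images. Reject anything outside the supported values in the same function, keeping the unset case that the old check allowed: `if d.getVar("TRUSTFENCE_ENCRYPT") not in ("0", "1", None): bb.fatal("TRUSTFENCE_ENCRYPT must be \"0\" or \"1\"")`.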
@@ -133,10 +133,10 @@ build_uboot_scripts() { # Sign the boot script if not contained in a FIT image if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then - export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" + export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}" - [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + [ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}" # Sign boot script TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)" @@ -190,7 +190,7 @@ sign_uboot() { ln -sf ${UBOOT_BINARYNAME}-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-signed-${type}.${UBOOT_SUFFIX} cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-usb-signed.imx ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ln -sf ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-usb-signed-${type}.${UBOOT_SUFFIX} - if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-encrypted.imx ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ln -sf ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-encrypted-${type}.${UBOOT_SUFFIX} fi diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh index 65c734ed0..e6c6e1d19 100755 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-gen-pki-stm.sh 
@@ -14,6 +14,12 @@ # Description: # Script for generating PKI tree using STM tools # +# The following environment variables define the script behaviour: +# CONFIG_SIGN_KEYS_PATH: (mandatory) Path to the folder to hold the generated PKI tree keys. +# CONFIG_FIP_ENCRYPT_KEYNAME: (optional) Encryption key filename for FIP +# CONFIG_FSBL_ENCRYPT_KEYNAME: (optional) Encryption key filename for FSBL +# CONFIG_RPROC_ENCRYPT_KEYNAME: (optional) Encryption key filename for RPROC +# #=============================================================================== # Avoid parallel execution of this script 
@@ -137,33 +143,33 @@ if [ "${PLATFORM}" = "ccmp25" ]; then fi fi -if [ -n "${CONFIG_DEK_PATH}" ]; then - [ -d "${CONFIG_DEK_PATH}" ] || mkdir "${CONFIG_DEK_PATH}" +if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then + # Generate random keys if they don't exist if [ "${PLATFORM}" = "ccmp25" ]; then - if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" ]; then + if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then echo "Generating random encryption key for FSBL" - if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"; then + if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then echo "[ERROR] Failed to generate 16-byte FSBL encryption key" exit 1 fi - chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" + chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" fi - if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fip.bin" ]; then + if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then echo "Generating random encryption key for FIP" - if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"; then + if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then echo "[ERROR] Failed to generate 32-byte FIP encryption key" exit 1 fi - chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fip.bin" + chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" fi - if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_rproc.bin" ]; then + if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then echo "Generating random encryption keys for Cortex-M coprocessor" - if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_rproc.bin"; then + if ! 
STM32MP_KeyGen_CLI -rand 32 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"; then echo "[ERROR] Failed to generate 32-byte Cortex-M encryption key" exit 1 fi - chmod 444 "${CONFIG_DEK_PATH}/encryption_key_rproc.bin" + chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}" fi else echo "[ERROR] Could not generate encryption keys. Platform not supported." diff --git a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh index 4868cb7bd..73c1a04f0 100755 --- a/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh +++ b/meta-digi-arm/recipes-digi/trustfence/trustfence-sign-tools/trustfence-sign-artifact-stm.sh @@ -15,6 +15,8 @@ # Script for building signed and encrypted artifacts using STM sign tools. # # The following environment variables define the script behaviour: +# CONFIG_SIGN_KEYS_PATH: (mandatory) Path to the folder with the PKI tree keys generated. +# CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0. # #=============================================================================== diff --git a/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc index 556024e3c..7eeeb838b 100644 --- a/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc +++ b/meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc 
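Review bot: The FSBL, FIP and RPROC encryption keys are symmetric secrets, yet each one is left world-readable with `chmod 444`, and after this change they sit in `CONFIG_SIGN_KEYS_PATH` alongside the signing PKI. Restrict them to the owner, e.g. `chmod 400 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"` (likewise for FIP and RPROC), and consider a `umask 077` before the `STM32MP_KeyGen_CLI` calls so the files are never created with wider permissions. The new outer test also needs all three `CONFIG_*_ENCRYPT_KEYNAME` variables; when only some are set the whole key-generation step is skipped without a message, so a warning for that case would help. The enclosing `if` continues past the end of the hunk.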
@@ -5,10 +5,10 @@ DEPENDS += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence-sign-to do_deploy[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence_sign', '', d)}" trustfence_sign() { # Set environment variables for trustfence configuration - export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" + export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}" [ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}" [ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}" - [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + [ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}" # Sign/encrypt the kernel images for type in ${KERNEL_IMAGETYPES}; do @@ -52,5 +52,5 @@ trustfence_sign() { } trustfence_sign[dirs] = "${DEPLOYDIR}" -do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH" +do_deploy[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX" diff --git a/meta-digi-dey/classes/dey-image-installer.bbclass b/meta-digi-dey/classes/dey-image-installer.bbclass index 191a0b05a..e7f1defdd 100644 --- a/meta-digi-dey/classes/dey-image-installer.bbclass +++ b/meta-digi-dey/classes/dey-image-installer.bbclass @@ -41,7 +41,7 @@ curate_bootloader_artifacts() { if [ "${DEY_SOC_VENDOR}" = "NXP" ] && echo "${artifact}" | grep -q -e "##SIGNED##"; then if [ "${TRUSTFENCE_SIGN}" = "1" ]; then if [ "${DIGI_SOM}" = "ccimx6ul" ]; then - if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then # Encrypted bootloader curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},") CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" 
@@ -54,7 +54,7 @@ curate_bootloader_artifacts() { curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_USB_STRING},") CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" else - if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then # Encrypted bootloader curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},") CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}" diff --git a/meta-digi-dey/classes/dey-swupdate-common.bbclass b/meta-digi-dey/classes/dey-swupdate-common.bbclass index 671900fbd..32b7531f3 100644 --- a/meta-digi-dey/classes/dey-swupdate-common.bbclass +++ b/meta-digi-dey/classes/dey-swupdate-common.bbclass @@ -100,7 +100,7 @@ SWUPDATE_UBOOT_SCRIPT_NAME = "${@os.path.basename(d.getVar('SWUPDATE_UBOOT_SCRIP def get_uboot_prefix(d): prefix = d.getVar('UBOOT_PREFIX') if d.getVar('DEY_SOC_VENDOR') == "NXP" and d.getVar('TRUSTFENCE_ENABLED') == "1": - if d.getVar('TRUSTFENCE_DEK_PATH') and d.getVar('TRUSTFENCE_DEK_PATH') != "0": + if d.getVar('TRUSTFENCE_ENCRYPT') == "1": prefix = f"{prefix}-encrypted" else: prefix = f"{prefix}-signed" @@ -124,7 +124,7 @@ SWUPDATE_UBOOT_OFFSET ?= "${BOOTLOADER_SEEK_BOOTPART}" # Retrieve the correct encryption type. def get_swupdate_uboot_enc(d): - if d.getVar('TRUSTFENCE_DEK_PATH') and d.getVar('TRUSTFENCE_DEK_PATH') != "0" : + if d.getVar('TRUSTFENCE_ENCRYPT') == "1" : return "enc" return "normal" diff --git a/meta-digi-dey/classes/trustfence.bbclass b/meta-digi-dey/classes/trustfence.bbclass index 7ce380ef3..a86228ac3 100644 --- a/meta-digi-dey/classes/trustfence.bbclass +++ b/meta-digi-dey/classes/trustfence.bbclass 
@@ -16,8 +16,15 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0" # Default secure boot configuration TRUSTFENCE_SIGN ?= "1" -TRUSTFENCE_SIGN_KEYS_PATH ?= "default" -TRUSTFENCE_DEK_PATH ?= "${TF_DEK_PATH}" +TRUSTFENCE_ENCRYPT ?= "${TF_ENCRYPT}" +TRUSTFENCE_KEYS_PATH ?= "${TOPDIR}/trustfence" +# NXP keys +TRUSTFENCE_DEK_ENCRYPT_KEYNAME ?= "dek.bin" +# STM keys +TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "encryption_key_fip.bin" +TRUSTFENCE_FSBL_ENCRYPT_KEYNAME ?= "encryption_key_fsbl.bin" +TRUSTFENCE_RPROC_ENCRYPT_KEYNAME ?= "encryption_key_rproc.bin" + TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1" TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0" TRUSTFENCE_KEY_INDEX ?= "0" @@ -46,9 +53,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl # # Platform specific defaults -TF_DEK_PATH = "default" -TF_DEK_PATH:ccimx9 = "0" -TF_DEK_PATH:ccmp1 = "0" +TF_ENCRYPT = "1" +TF_ENCRYPT:ccimx9 = "0" +TF_ENCRYPT:ccmp1 = "0" TF_FILE_BASED_ENCRYPT = "0" TF_FILE_BASED_ENCRYPT:ccimx9 = "1" TF_FILE_BASED_ENCRYPT:ccmp1 = "1" 
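Review bot: `TRUSTFENCE_ENCRYPT` and `TRUSTFENCE_KEYS_PATH` are introduced in the first trustfence.bbclass hunk without a comment, although they replace two variables that had different semantics. I would document them where they are defined, for example `# "1" encrypts the boot artifacts, "0" only signs them` above `TRUSTFENCE_ENCRYPT` and `# Directory with the signing PKI tree and the encryption keys; defaults to the build directory, use a protected location for production keys` above `TRUSTFENCE_KEYS_PATH`. The default location matters because `check_gen_pki_tree()` generates a new tree when none is found there.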
@@ -70,15 +77,17 @@ TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg" TRUSTFENCE_FIT_IMG_SIGN_KEYNAME ?= "fitimg" # Function to generate a PKI tree (with lock dir protection) -GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock" +GENPKI_LOCK_DIR = "${TRUSTFENCE_KEYS_PATH}/.genpki.lock" gen_pki_tree() { if mkdir -p ${GENPKI_LOCK_DIR}; then if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then - trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH} + trustfence-gen-pki.sh ${TRUSTFENCE_KEYS_PATH} elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then - export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}" - if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then - export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}" + export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}" + if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then + export CONFIG_FIP_ENCRYPT_KEYNAME="${TRUSTFENCE_FIP_ENCRYPT_KEYNAME}" + export CONFIG_FSBL_ENCRYPT_KEYNAME="${TRUSTFENCE_FSBL_ENCRYPT_KEYNAME}" + export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}" fi trustfence-gen-pki.sh -p ${DIGI_SOM} fi @@ -91,7 +100,7 @@ gen_pki_tree() { # Function that generates a PKI tree if there isn't one check_gen_pki_tree() { if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then - SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" + SRK_KEYS="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)" n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)" if [ "${n_commas}" -eq 0 ]; then gen_pki_tree @@ -112,7 +121,7 @@ copy_public_key() { if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)" - PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub" + PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/crts/key${KEY_INDEX}.pub" # The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI # generation and leaves them in the crts/ folder. However, the PKI tree may # already exist, the PKI generation script not called, and then the public 
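Review bot: `gen_pki_tree()` takes its lock with `mkdir -p ${GENPKI_LOCK_DIR}`, and `mkdir -p` also succeeds when the directory already exists, so the `if` presumably never sees a held lock. The line is unchanged context, but this hunk moves the lock under `TRUSTFENCE_KEYS_PATH`, where the encryption keys are now generated as well. Create the parent first and take the lock without `-p`: `mkdir -p "${TRUSTFENCE_KEYS_PATH}" && mkdir "${GENPKI_LOCK_DIR}"`. The function continues past the end of the hunk, so the release path is not visible here.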
@@ -120,9 +129,9 @@ copy_public_key() { # selected public key. if [ ! -f "${PUBLIC_KEY}" ]; then if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then - CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)" + CERT_IMG="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)" elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then - CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)" + CERT_IMG="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)" else bberror "Unknown TRUSTFENCE_SIGN_MODE value" exit 1 @@ -132,9 +141,9 @@ copy_public_key() { fi elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then if [ "${DIGI_SOM}" = "ccmp15" ]; then - PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem" + PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/keys/publicKey.pem" else - PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem" + PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem" fi else echo "ERROR: Cannot determine the public key" @@ -152,6 +161,14 @@ python () { import hashlib import os + # Check backwards compatibility + if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"): + d.setVar("TRUSTFENCE_KEYS_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH")) + if d.getVar("TRUSTFENCE_DEK_PATH"): + DEK_PATH = os.path.dirname(d.getVar("TRUSTFENCE_DEK_PATH")) + if (d.getVar("TRUSTFENCE_KEYS_PATH") != DEK_PATH): + bb.fatal('[trustfence] TRUSTFENCE_DEK_PATH is deprecated; Set new variable TRUSTFENCE_KEYS_PATH to the directory containing both your sign and encryption keys.') + # Secure console configuration if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE") == "1"): d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_DISABLE=y ") 
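Review bot: The backwards-compatibility block added in the third hunk on this line (`python ()`, "Check backwards compatibility") mishandles several legacy values. `TRUSTFENCE_SIGN_KEYS_PATH = "default"` is now copied verbatim into `TRUSTFENCE_KEYS_PATH`, because the code that expanded "default" is removed further down. A legacy NXP `TRUSTFENCE_DEK_PATH` inside the keys directory passes the check but its file name is discarded, so the build silently switches to `TRUSTFENCE_DEK_ENCRYPT_KEYNAME`. The legacy "0", "default" and STM directory values all hit the `bb.fatal`, whose text does not mention `TRUSTFENCE_ENCRYPT`, and the paths are compared as raw strings, so a trailing slash is enough to fail. A possible rewrite follows.

```bitbake
    import os

    # Check backwards compatibility
    legacy_keys = d.getVar("TRUSTFENCE_SIGN_KEYS_PATH")
    if legacy_keys and legacy_keys != "default":
        d.setVar("TRUSTFENCE_KEYS_PATH", legacy_keys)
    legacy_dek = d.getVar("TRUSTFENCE_DEK_PATH")
    if legacy_dek in ("0", "default"):
        bb.fatal('[trustfence] TRUSTFENCE_DEK_PATH is deprecated; set TRUSTFENCE_ENCRYPT to "0" or "1" instead.')
    elif legacy_dek:
        if d.getVar("DEY_SOC_VENDOR") == "NXP":
            # Legacy NXP value was the DEK file itself
            dek_dir, dek_name = os.path.split(legacy_dek)
        else:
            # Legacy STM value was the directory holding the keys
            dek_dir, dek_name = legacy_dek, None
        if os.path.normpath(dek_dir) != os.path.normpath(d.getVar("TRUSTFENCE_KEYS_PATH")):
            bb.fatal('[trustfence] TRUSTFENCE_DEK_PATH is deprecated; Set new variable TRUSTFENCE_KEYS_PATH to the directory containing both your sign and encryption keys.')
        if dek_name:
            # Keep using the DEK file the legacy setting pointed at
            d.setVar("TRUSTFENCE_DEK_ENCRYPT_KEYNAME", dek_name)

    # … unchanged: secure console configuration …
```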
@@ -170,16 +187,6 @@ python () { d.appendVar("UBOOT_TF_CONF", '"# CONFIG_CONSOLE_ENABLE_GPIO_ACTIVE_LOW is not set" ') # Secure boot configuration - if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"): - d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence"); - - if (d.getVar("DEY_SOC_VENDOR") == "NXP"): - if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"): - d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin"); - elif (d.getVar("DEY_SOC_VENDOR") == "STM"): - if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"): - d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH")); - if (d.getVar("TRUSTFENCE_SIGN") == "1"): # Set STM-specific variables for signing images if (d.getVar("DEY_SOC_VENDOR") == "STM"): 
@@ -187,17 +194,17 @@ python () { d.setVar("EXTERNAL_KEY_CONF", "1") d.setVar("SIGN_TOOL", "STM32MP_SigningTool_CLI") if (d.getVar("DIGI_SOM") == "ccmp15" ): - d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey.pem"); - d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt") + d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/privateKey.pem"); + d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/key_pass.txt") else: - d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX")); - d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass0%s.txt" % d.getVar("TRUSTFENCE_KEY_INDEX")) + d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX")); + d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/key_pass0%s.txt" % d.getVar("TRUSTFENCE_KEY_INDEX")) if (d.getVar("SIGN_COPRO_ENABLE") == "1" ): - d.setVar("SIGN_COPRO_ECC_PRIVKEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/rproc-keys/privateKey.pem") + d.setVar("SIGN_COPRO_ECC_PRIVKEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/rproc-keys/privateKey.pem") d.setVar("SIGN_COPRO_ECC_PRIVKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_PRIVKEY")) - d.setVar("SIGN_COPRO_ECC_INFOKEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/rproc-keys/publicKey.der") + d.setVar("SIGN_COPRO_ECC_INFOKEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/rproc-keys/publicKey.der") d.setVar("SIGN_COPRO_ECC_INFOKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_INFOKEY")) - d.setVar("TRUSTFENCE_COPRO_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "rproc-keys/key_pass.txt") + d.setVar("TRUSTFENCE_COPRO_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "rproc-keys/key_pass.txt") d.setVar("SIGN_COPRO_ECC_PASS_%s" % 
(d.getVar("STM32MP_SOC_NAME").strip()), "UNDEFINED"); d.setVar("SIGN_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_KEY")); 
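Review bot: The `TRUSTFENCE_COPRO_PASSWORD_FILE` assignment concatenates `"rproc-keys/key_pass.txt"` without a leading slash, unlike the `SIGN_COPRO_ECC_PRIVKEY` and `SIGN_COPRO_ECC_INFOKEY` lines beside it, and the commit carries that over onto the new variable. With the new default the value becomes `${TOPDIR}/trustfencerproc-keys/key_pass.txt`, so the coprocessor key password file would not be looked up in the intended directory. Use `d.getVar("TRUSTFENCE_KEYS_PATH") + "/rproc-keys/key_pass.txt"`.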
@@ -209,26 +216,26 @@ python () { d.appendVar("UBOOT_TF_CONF", '"# CONFIG_LEGACY_IMAGE_FORMAT is not set" ') if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"): d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ") - if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"): - d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH")) + if d.getVar("TRUSTFENCE_KEYS_PATH"): + d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_KEYS_PATH")) if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION") == "1"): d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ") if d.getVar("TRUSTFENCE_KEY_INDEX"): d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX")) if (d.getVar("DEY_SOC_VENDOR") == "NXP"): - if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]): - d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH")) + if (d.getVar("TRUSTFENCE_ENCRYPT") == "1"): + d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s/%s" ' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_DEK_ENCRYPT_KEYNAME"))) if d.getVar("TRUSTFENCE_SIGN_MODE"): d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE")) elif (d.getVar("DEY_SOC_VENDOR") == "STM"): - if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]): + if (d.getVar("TRUSTFENCE_ENCRYPT") == "1"): d.setVar("ENCRYPT_ENABLE", "1") - d.setVar("ENCRYPT_FSBL_KEY", '%s/encryption_key_fsbl.bin' % d.getVar("TRUSTFENCE_DEK_PATH")) + d.setVar("ENCRYPT_FSBL_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_FSBL_ENCRYPT_KEYNAME"))) d.setVar("ENCRYPT_FSBL_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FSBL_KEY")) - d.setVar("ENCRYPT_FIP_KEY", '%s/encryption_key_fip.bin' % d.getVar("TRUSTFENCE_DEK_PATH")) + d.setVar("ENCRYPT_FIP_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_FIP_ENCRYPT_KEYNAME"))) 
d.setVar("ENCRYPT_FIP_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FIP_KEY")) if (d.getVar("ENCRYPT_COPRO_ENABLE") == "1"): - d.setVar("ENCRYPT_COPRO_KEY", '%s/encryption_key_rproc.bin' % d.getVar("TRUSTFENCE_DEK_PATH")) + d.setVar("ENCRYPT_COPRO_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_RPROC_ENCRYPT_KEYNAME"))) d.setVar("ENCRYPT_COPRO_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_COPRO_KEY")) if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"): @@ -244,7 +251,7 @@ python () { # Enable FIT signing support d.setVar("UBOOT_SIGN_ENABLE", d.getVar("TRUSTFENCE_SIGN")) # Set path to FIT signing keys - d.setVar("UBOOT_SIGN_KEYDIR", "%s/fit" % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH")) + d.setVar("UBOOT_SIGN_KEYDIR", "%s/fit" % d.getVar("TRUSTFENCE_KEYS_PATH")) else: # Disable signing artifacts if TRUSTFENCE_SIGN != 1 @@ -262,7 +269,7 @@ python () { d.setVar("SWUPDATE_SIGNING", "RSA") # Retrieve the keys path to use. - keys_path = d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + keys_path = d.getVar("TRUSTFENCE_KEYS_PATH") # Retrieve the key index to use. key_index = 0