trustfence: add TRUSTFENCE_ENCRYPT variable
Add a variable analogous to TRUSTFENCE_SIGN to enable/disable artifact encryption. Deprecate TRUSTFENCE_DEK_PATH in favor of TRUSTFENCE_KEYS_PATH to use a more generic name and avoid overloading it as an on/off flag. Add per-key variables for encryption key filenames to avoid hardcoded names and allow platform overrides. Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
parent
e9ad0abb48
commit
fc1d3c5f75
|
|
@ -230,10 +230,10 @@ trustence_sign_cpio() {
|
||||||
#
|
#
|
||||||
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
|
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}"
|
||||||
# Sign/encrypt the ramdisk
|
# Sign/encrypt the ramdisk
|
||||||
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
|
trustfence-sign-artifact.sh -p "${DIGI_SOM}" -i "${1}" "${1}.tf"
|
||||||
else
|
else
|
||||||
|
|
@ -252,7 +252,7 @@ IMAGE_TYPES += "cpio.gz.u-boot.tf"
|
||||||
do_image_squashfs[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'rootfs_sign', '', d)}"
|
do_image_squashfs[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'rootfs_sign', '', d)}"
|
||||||
rootfs_sign() {
|
rootfs_sign() {
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||||
[ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${CONFIG_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
|
|
||||||
ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.squashfs"
|
ROOTFS_IMAGE="${IMGDEPLOYDIR}/${IMAGE_NAME}.squashfs"
|
||||||
|
|
@ -263,4 +263,4 @@ rootfs_sign() {
|
||||||
}
|
}
|
||||||
rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}"
|
rootfs_sign[dirs] = "${DEPLOY_DIR_IMAGE}"
|
||||||
|
|
||||||
do_image_squashfs[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
do_image_squashfs[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
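Review bot: In `rootfs_sign`, the guard on the line after the changed `CONFIG_SIGN_KEYS_PATH` export tests `CONFIG_KEY_INDEX` rather than `TRUSTFENCE_KEY_INDEX`, so the configured key index is only exported when `CONFIG_KEY_INDEX` already happens to be set. `trustence_sign_cpio` earlier in this file tests `TRUSTFENCE_KEY_INDEX`, which looks like the intended form: `[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"`. As written, the squashfs is presumably signed with whatever index the signing script defaults to instead of the selected one, which matters once a key has been revoked. The line is unchanged context here, and the body of `rootfs_sign` continues outside the visible hunks.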
||||||
|
|
|
||||||
|
|
@ -134,13 +134,13 @@ ST_USERFS = "0"
|
||||||
# Boot artifacts to be copied from the deploy dir to the installer ZIP
|
# Boot artifacts to be copied from the deploy dir to the installer ZIP
|
||||||
BOOTABLE_ARTIFACTS = " \
|
BOOTABLE_ARTIFACTS = " \
|
||||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
|
oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'tf-a-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.stm32', \
|
||||||
'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \
|
'tf-a-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.stm32'), \
|
||||||
'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
|
'tf-a-ccmp25-dvk-optee-emmc.stm32')} \
|
||||||
metadata-ccmp25-dvk.bin \
|
metadata-ccmp25-dvk.bin \
|
||||||
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
${@oe.utils.ifelse(d.getVar('TRUSTFENCE_SIGN') == '1', \
|
||||||
oe.utils.ifelse(d.getVar('TRUSTFENCE_DEK_PATH') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
|
oe.utils.ifelse(d.getVar('TRUSTFENCE_ENCRYPT') == '0', 'fip-ccmp25-dvk-optee-emmc${SIGN_SUFFIX}.bin', \
|
||||||
'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \
|
'fip-ccmp25-dvk-optee-emmc${ENCRYPT_SUFFIX}${SIGN_SUFFIX}.bin'), \
|
||||||
'fip-ccmp25-dvk-optee-emmc.bin')} \
|
'fip-ccmp25-dvk-optee-emmc.bin')} \
|
||||||
"
|
"
|
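Review bot: Both nested `oe.utils.ifelse` calls in `BOOTABLE_ARTIFACTS` still test `d.getVar('TRUSTFENCE_ENCRYPT') == '0'`, so any value other than `0` (including unset) selects the `${ENCRYPT_SUFFIX}` file names, while every shell and Python check elsewhere in this commit treats only `1` as enabled. With the variable unset or mistyped, the installer list would name encrypted TF-A/FIP artifacts that the build did not produce. Testing `d.getVar('TRUSTFENCE_ENCRYPT') == '1'` and swapping the two result strings would keep this list in step with the other checks.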
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -59,7 +59,7 @@ compile_mx8m() {
|
||||||
|
|
||||||
compile_mx8m:append:ccimx8m() {
|
compile_mx8m:append:ccimx8m() {
|
||||||
# Create dummy DEK blob to support building with encrypted u-boot
|
# Create dummy DEK blob to support building with encrypted u-boot
|
||||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
dd if=/dev/zero of=${BOOT_STAGING}/dek_blob_fit_dummy.bin bs=96 count=1 oflag=sync
|
dd if=/dev/zero of=${BOOT_STAGING}/dek_blob_fit_dummy.bin bs=96 count=1 oflag=sync
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
@ -200,7 +200,7 @@ do_deploy:ccimx8x () {
|
||||||
|
|
||||||
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign_imxboot', '', d)}"
|
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign_imxboot', '', d)}"
|
||||||
trustfence_sign_imxboot() {
|
trustfence_sign_imxboot() {
|
||||||
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_SIGN_KEYS_PATH}"
|
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_KEYS_PATH}"
|
||||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_FIT_HAB_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-print_fit_hab.log"
|
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_FIT_HAB_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-print_fit_hab.log"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}"
|
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}"
|
||||||
|
|
@ -216,21 +216,21 @@ trustfence_sign_imxboot() {
|
||||||
fi
|
fi
|
||||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${target}.log"
|
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${target}.log"
|
||||||
env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-signed-${MACHINE}.bin-${target}
|
env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-signed-${MACHINE}.bin-${target}
|
||||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_DEK_PATH} ENABLE_ENCRYPTION=y"
|
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME} ENABLE_ENCRYPTION=y"
|
||||||
env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-encrypted-${MACHINE}.bin-${target}
|
env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}.bin-${target} imx-boot-encrypted-${MACHINE}.bin-${target}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
# Generate symlinks for trustfence artifacts.
|
# Generate symlinks for trustfence artifacts.
|
||||||
ln -sf imx-boot-signed-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-signed-${MACHINE}.bin
|
ln -sf imx-boot-signed-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-signed-${MACHINE}.bin
|
||||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
ln -sf imx-boot-encrypted-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-encrypted-${MACHINE}.bin
|
ln -sf imx-boot-encrypted-${MACHINE}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/imx-boot-encrypted-${MACHINE}.bin
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
trustfence_sign_imxboot:ccimx8x() {
|
trustfence_sign_imxboot:ccimx8x() {
|
||||||
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_SIGN_KEYS_PATH}"
|
TF_SIGN_ENV="CONFIG_SIGN_KEYS_PATH=${TRUSTFENCE_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_KEY_INDEX=${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}"
|
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_SIGN_MODE=${TRUSTFENCE_SIGN_MODE}"
|
||||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && TF_SIGN_ENV="$TF_SIGN_ENV SRK_REVOKE_MASK=${TRUSTFENCE_SRK_REVOKE_MASK}"
|
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && TF_SIGN_ENV="$TF_SIGN_ENV SRK_REVOKE_MASK=${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||||
|
|
@ -245,8 +245,8 @@ trustfence_sign_imxboot:ccimx8x() {
|
||||||
for rev in ${SOC_REVISIONS}; do
|
for rev in ${SOC_REVISIONS}; do
|
||||||
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${rev}-${target}.log"
|
TF_SIGN_ENV="$TF_SIGN_ENV CONFIG_MKIMAGE_LOG_PATH=${DEPLOYDIR}/${BOOT_TOOLS}/mkimage-${rev}-${target}.log"
|
||||||
env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-signed-${MACHINE}-${rev}.bin-${target}
|
env $TF_SIGN_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-signed-${MACHINE}-${rev}.bin-${target}
|
||||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_DEK_PATH} ENABLE_ENCRYPTION=y"
|
TF_ENC_ENV="CONFIG_DEK_PATH=${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME} ENABLE_ENCRYPTION=y"
|
||||||
env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-encrypted-${MACHINE}-${rev}.bin-${target}
|
env $TF_SIGN_ENV $TF_ENC_ENV trustfence-sign-uboot.sh imx-boot-${MACHINE}-${rev}.bin-${target} imx-boot-encrypted-${MACHINE}-${rev}.bin-${target}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
@ -255,11 +255,11 @@ trustfence_sign_imxboot:ccimx8x() {
|
||||||
# Generate symlinks for trustfence artifacts.
|
# Generate symlinks for trustfence artifacts.
|
||||||
for rev in ${SOC_REVISIONS}; do
|
for rev in ${SOC_REVISIONS}; do
|
||||||
ln -sf ${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin
|
ln -sf ${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-signed-${MACHINE}-${rev}.bin
|
||||||
if [ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
ln -sf ${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin
|
ln -sf ${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin-${IMAGE_IMXBOOT_TARGET} ${DEPLOYDIR}/${UBOOT_PREFIX}-encrypted-${MACHINE}-${rev}.bin
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
trustfence_sign_imxboot[dirs] = "${DEPLOYDIR}"
|
trustfence_sign_imxboot[dirs] = "${DEPLOYDIR}"
|
||||||
trustfence_sign_imxboot[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH TRUSTFENCE_SIGN_MODE TRUSTFENCE_SRK_REVOKE_MASK TRUSTFENCE_UNLOCK_KEY_REVOCATION"
|
trustfence_sign_imxboot[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_ENCRYPT TRUSTFENCE_SIGN_MODE TRUSTFENCE_SRK_REVOKE_MASK TRUSTFENCE_UNLOCK_KEY_REVOCATION"
|
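Review bot: The updated `trustfence_sign_imxboot[vardeps]` lists `TRUSTFENCE_ENCRYPT` but not `TRUSTFENCE_DEK_ENCRYPT_KEYNAME`, which both `trustfence_sign_imxboot` variants now expand into `CONFIG_DEK_PATH`. The kernel signing change in this commit goes further: `do_deploy[vardeps]` drops `TRUSTFENCE_DEK_PATH` and adds neither new variable, although `trustfence_sign` reads both. If these lists are what ties the postfuncs to the task signature, toggling encryption or pointing at a different DEK file would not re-run the task, and previously built (possibly unencrypted) artifacts could be reused. Suggested: append `TRUSTFENCE_DEK_ENCRYPT_KEYNAME` here, and `TRUSTFENCE_ENCRYPT TRUSTFENCE_DEK_ENCRYPT_KEYNAME` to the kernel `do_deploy[vardeps]`.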
||||||
|
|
|
||||||
|
|
@ -46,8 +46,8 @@ UUU_BOOTLOADER:mx9-generic-bsp = ""
|
||||||
UBOOT_INITIAL_ENV = ""
|
UBOOT_INITIAL_ENV = ""
|
||||||
|
|
||||||
python __anonymous() {
|
python __anonymous() {
|
||||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in ["0", None]) and (d.getVar("TRUSTFENCE_SIGN") != "1"):
|
if (d.getVar("TRUSTFENCE_ENCRYPT") == "1") and (d.getVar("TRUSTFENCE_SIGN") != "1"):
|
||||||
bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_DEK_PATH = \"0\")")
|
bb.fatal("Only signed U-Boot images can be encrypted. Generate signed images (TRUSTFENCE_SIGN = \"1\") or remove encryption (TRUSTFENCE_ENCRYPT = \"0\")")
|
||||||
}
|
}
|
||||||
|
|
||||||
do_configure[prefuncs] += "${@oe.utils.ifelse(d.getVar('UBOOT_TF_CONF'), 'trustfence_config', '')}"
|
do_configure[prefuncs] += "${@oe.utils.ifelse(d.getVar('UBOOT_TF_CONF'), 'trustfence_config', '')}"
|
||||||
|
|
@ -102,13 +102,13 @@ build_uboot_scripts() {
|
||||||
# Change the u-boot name when TrustFence is enabled
|
# Change the u-boot name when TrustFence is enabled
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
||||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
sed -i -e 's,##SIGNED##,encrypted,g' ${TMP_INSTALL_SCR}
|
sed -i -e 's,##SIGNED##,encrypted,g' ${TMP_INSTALL_SCR}
|
||||||
else
|
else
|
||||||
sed -i -e 's,##SIGNED##,signed,g' ${TMP_INSTALL_SCR}
|
sed -i -e 's,##SIGNED##,signed,g' ${TMP_INSTALL_SCR}
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
sed -i -e 's,##SIGNED##,_Encrypted_Signed,g' ${TMP_INSTALL_SCR}
|
sed -i -e 's,##SIGNED##,_Encrypted_Signed,g' ${TMP_INSTALL_SCR}
|
||||||
else
|
else
|
||||||
sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
|
sed -i -e 's,##SIGNED##,_Signed,g' ${TMP_INSTALL_SCR}
|
||||||
|
|
@ -133,10 +133,10 @@ build_uboot_scripts() {
|
||||||
|
|
||||||
# Sign the boot script if not contained in a FIT image
|
# Sign the boot script if not contained in a FIT image
|
||||||
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
|
if [ "${TRUSTFENCE_SIGN_ARTIFACTS}" = "1" ] && [ "${TRUSTFENCE_SIGN_FIT_NXP}" = "0" ]; then
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}"
|
||||||
|
|
||||||
# Sign boot script
|
# Sign boot script
|
||||||
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
TMP_SIGNED_BOOTSCR="$(mktemp ${WORKDIR}/bootscr-signed.XXXXXX)"
|
||||||
|
|
@ -190,7 +190,7 @@ sign_uboot() {
|
||||||
ln -sf ${UBOOT_BINARYNAME}-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-signed-${type}.${UBOOT_SUFFIX}
|
ln -sf ${UBOOT_BINARYNAME}-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-signed-${type}.${UBOOT_SUFFIX}
|
||||||
cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-usb-signed.imx ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
|
cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-usb-signed.imx ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
|
||||||
ln -sf ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-usb-signed-${type}.${UBOOT_SUFFIX}
|
ln -sf ${UBOOT_BINARYNAME}-usb-signed-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-usb-signed-${type}.${UBOOT_SUFFIX}
|
||||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-encrypted.imx ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
|
cp -fp ${B}/${config}/${UBOOT_BINARYNAME}-dtb-encrypted.imx ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX}
|
||||||
ln -sf ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-encrypted-${type}.${UBOOT_SUFFIX}
|
ln -sf ${UBOOT_BINARYNAME}-encrypted-${type}-${PV}-${PR}.${UBOOT_SUFFIX} ${UBOOT_BINARYNAME}-encrypted-${type}.${UBOOT_SUFFIX}
|
||||||
fi
|
fi
|
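Review bot: The parse-time check in `python __anonymous()` only rejects encryption without signing; it does not reject an unexpected `TRUSTFENCE_ENCRYPT` value, and every consumer in this commit compares against the exact string `1`. A setting such as `"yes"` or `"true"` would therefore silently produce signed-only artifacts, which is the unsafe direction for a security switch. Consider failing early here, e.g. `if d.getVar("TRUSTFENCE_ENCRYPT") not in ("0", "1"): bb.fatal("TRUSTFENCE_ENCRYPT must be \"0\" or \"1\"")`, assuming the variable is always defined wherever this recipe is parsed.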
||||||
|
|
|
||||||
|
|
@ -14,6 +14,12 @@
|
||||||
# Description:
|
# Description:
|
||||||
# Script for generating PKI tree using STM tools
|
# Script for generating PKI tree using STM tools
|
||||||
#
|
#
|
||||||
|
# The following environment variables define the script behaviour:
|
||||||
|
# CONFIG_SIGN_KEYS_PATH: (mandatory) Path to the folder to hold the generated PKI tree keys.
|
||||||
|
# CONFIG_FIP_ENCRYPT_KEYNAME: (optional) Encryption key filename for FIP
|
||||||
|
# CONFIG_FSBL_ENCRYPT_KEYNAME: (optional) Encryption key filename for FSBL
|
||||||
|
# CONFIG_RPROC_ENCRYPT_KEYNAME: (optional) Encryption key filename for RPROC
|
||||||
|
#
|
||||||
#===============================================================================
|
#===============================================================================
|
||||||
|
|
||||||
# Avoid parallel execution of this script
|
# Avoid parallel execution of this script
|
||||||
|
|
@ -137,33 +143,33 @@ if [ "${PLATFORM}" = "ccmp25" ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "${CONFIG_DEK_PATH}" ]; then
|
if [ -n "${CONFIG_FSBL_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_FIP_ENCRYPT_KEYNAME}" ] && [ -n "${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
|
||||||
[ -d "${CONFIG_DEK_PATH}" ] || mkdir "${CONFIG_DEK_PATH}"
|
|
||||||
# Generate random keys if they don't exist
|
# Generate random keys if they don't exist
|
||||||
if [ "${PLATFORM}" = "ccmp25" ]; then
|
if [ "${PLATFORM}" = "ccmp25" ]; then
|
||||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin" ]; then
|
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}" ]; then
|
||||||
echo "Generating random encryption key for FSBL"
|
echo "Generating random encryption key for FSBL"
|
||||||
if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"; then
|
if ! STM32MP_KeyGen_CLI -rand 16 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"; then
|
||||||
echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
|
echo "[ERROR] Failed to generate 16-byte FSBL encryption key"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fsbl.bin"
|
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"
|
||||||
fi
|
fi
|
||||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_fip.bin" ]; then
|
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}" ]; then
|
||||||
echo "Generating random encryption key for FIP"
|
echo "Generating random encryption key for FIP"
|
||||||
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"; then
|
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"; then
|
||||||
echo "[ERROR] Failed to generate 32-byte FIP encryption key"
|
echo "[ERROR] Failed to generate 32-byte FIP encryption key"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_fip.bin"
|
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FIP_ENCRYPT_KEYNAME}"
|
||||||
fi
|
fi
|
||||||
if [ ! -f "${CONFIG_DEK_PATH}/encryption_key_rproc.bin" ]; then
|
if [ ! -f "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}" ]; then
|
||||||
echo "Generating random encryption keys for Cortex-M coprocessor"
|
echo "Generating random encryption keys for Cortex-M coprocessor"
|
||||||
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_DEK_PATH}/encryption_key_rproc.bin"; then
|
if ! STM32MP_KeyGen_CLI -rand 32 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"; then
|
||||||
echo "[ERROR] Failed to generate 32-byte Cortex-M encryption key"
|
echo "[ERROR] Failed to generate 32-byte Cortex-M encryption key"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
chmod 444 "${CONFIG_DEK_PATH}/encryption_key_rproc.bin"
|
chmod 444 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_RPROC_ENCRYPT_KEYNAME}"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "[ERROR] Could not generate encryption keys. Platform not supported."
|
echo "[ERROR] Could not generate encryption keys. Platform not supported."
|
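Review bot: The three generated symmetric encryption keys are still made world-readable with `chmod 444`, and after this change they are written into `CONFIG_SIGN_KEYS_PATH` alongside the PKI tree keys. Any local account on the build host that can traverse that directory can read the FSBL, FIP and RPROC keys; `chmod 400 "${CONFIG_SIGN_KEYS_PATH}/${CONFIG_FSBL_ENCRYPT_KEYNAME}"` (and likewise for the FIP and RPROC files) keeps them read-only without exposing them. The directory's own permissions are not visible in this hunk, so this may already be mitigated there. The enclosing `if` block continues past the end of the hunk.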
||||||
|
|
|
||||||
|
|
@ -15,6 +15,8 @@
|
||||||
# Script for building signed and encrypted artifacts using STM sign tools.
|
# Script for building signed and encrypted artifacts using STM sign tools.
|
||||||
#
|
#
|
||||||
# The following environment variables define the script behaviour:
|
# The following environment variables define the script behaviour:
|
||||||
|
# CONFIG_SIGN_KEYS_PATH: (mandatory) Path to the folder with the PKI tree keys generated.
|
||||||
|
# CONFIG_KEY_INDEX: (optional) key index to use for signing. Default is 0.
|
||||||
#
|
#
|
||||||
#===============================================================================
|
#===============================================================================
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,10 +5,10 @@ DEPENDS += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence-sign-to
|
||||||
do_deploy[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence_sign', '', d)}"
|
do_deploy[postfuncs] += "${@oe.utils.vartrue('TRUSTFENCE_SIGN_ARTIFACTS', 'trustfence_sign', '', d)}"
|
||||||
trustfence_sign() {
|
trustfence_sign() {
|
||||||
# Set environment variables for trustfence configuration
|
# Set environment variables for trustfence configuration
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||||
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
|
||||||
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
[ -n "${TRUSTFENCE_SRK_REVOKE_MASK}" ] && export SRK_REVOKE_MASK="${TRUSTFENCE_SRK_REVOKE_MASK}"
|
||||||
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
[ "${TRUSTFENCE_ENCRYPT}" = "1" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_KEYS_PATH}/${TRUSTFENCE_DEK_ENCRYPT_KEYNAME}"
|
||||||
|
|
||||||
# Sign/encrypt the kernel images
|
# Sign/encrypt the kernel images
|
||||||
for type in ${KERNEL_IMAGETYPES}; do
|
for type in ${KERNEL_IMAGETYPES}; do
|
||||||
|
|
@ -52,5 +52,5 @@ trustfence_sign() {
|
||||||
}
|
}
|
||||||
trustfence_sign[dirs] = "${DEPLOYDIR}"
|
trustfence_sign[dirs] = "${DEPLOYDIR}"
|
||||||
|
|
||||||
do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
|
do_deploy[vardeps] += "TRUSTFENCE_KEYS_PATH TRUSTFENCE_KEY_INDEX"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -41,7 +41,7 @@ curate_bootloader_artifacts() {
|
||||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ] && echo "${artifact}" | grep -q -e "##SIGNED##"; then
|
if [ "${DEY_SOC_VENDOR}" = "NXP" ] && echo "${artifact}" | grep -q -e "##SIGNED##"; then
|
||||||
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
if [ "${TRUSTFENCE_SIGN}" = "1" ]; then
|
||||||
if [ "${DIGI_SOM}" = "ccimx6ul" ]; then
|
if [ "${DIGI_SOM}" = "ccimx6ul" ]; then
|
||||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
# Encrypted bootloader
|
# Encrypted bootloader
|
||||||
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
|
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
|
||||||
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
||||||
|
|
@ -54,7 +54,7 @@ curate_bootloader_artifacts() {
|
||||||
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_USB_STRING},")
|
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_SIGNED_USB_STRING},")
|
||||||
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
||||||
else
|
else
|
||||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
# Encrypted bootloader
|
# Encrypted bootloader
|
||||||
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
|
curated_artifact=$(echo "${artifact}" | sed "s,##SIGNED##,${BOOTLOADER_ENCRYPTED_STRING},")
|
||||||
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
CURATED_BOOTABLE_ARTIFACTS="${CURATED_BOOTABLE_ARTIFACTS} ${curated_artifact}"
|
||||||
|
|
|
||||||
|
|
@ -100,7 +100,7 @@ SWUPDATE_UBOOT_SCRIPT_NAME = "${@os.path.basename(d.getVar('SWUPDATE_UBOOT_SCRIP
|
||||||
def get_uboot_prefix(d):
|
def get_uboot_prefix(d):
|
||||||
prefix = d.getVar('UBOOT_PREFIX')
|
prefix = d.getVar('UBOOT_PREFIX')
|
||||||
if d.getVar('DEY_SOC_VENDOR') == "NXP" and d.getVar('TRUSTFENCE_ENABLED') == "1":
|
if d.getVar('DEY_SOC_VENDOR') == "NXP" and d.getVar('TRUSTFENCE_ENABLED') == "1":
|
||||||
if d.getVar('TRUSTFENCE_DEK_PATH') and d.getVar('TRUSTFENCE_DEK_PATH') != "0":
|
if d.getVar('TRUSTFENCE_ENCRYPT') == "1":
|
||||||
prefix = f"{prefix}-encrypted"
|
prefix = f"{prefix}-encrypted"
|
||||||
else:
|
else:
|
||||||
prefix = f"{prefix}-signed"
|
prefix = f"{prefix}-signed"
|
||||||
|
|
@ -124,7 +124,7 @@ SWUPDATE_UBOOT_OFFSET ?= "${BOOTLOADER_SEEK_BOOTPART}"
|
||||||
|
|
||||||
# Retrieve the correct encryption type.
|
# Retrieve the correct encryption type.
|
||||||
def get_swupdate_uboot_enc(d):
|
def get_swupdate_uboot_enc(d):
|
||||||
if d.getVar('TRUSTFENCE_DEK_PATH') and d.getVar('TRUSTFENCE_DEK_PATH') != "0" :
|
if d.getVar('TRUSTFENCE_ENCRYPT') == "1" :
|
||||||
return "enc"
|
return "enc"
|
||||||
return "normal"
|
return "normal"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,8 +16,15 @@ TRUSTFENCE_CONSOLE_DISABLE ?= "0"
|
||||||
|
|
||||||
# Default secure boot configuration
|
# Default secure boot configuration
|
||||||
TRUSTFENCE_SIGN ?= "1"
|
TRUSTFENCE_SIGN ?= "1"
|
||||||
TRUSTFENCE_SIGN_KEYS_PATH ?= "default"
|
TRUSTFENCE_ENCRYPT ?= "${TF_ENCRYPT}"
|
||||||
TRUSTFENCE_DEK_PATH ?= "${TF_DEK_PATH}"
|
TRUSTFENCE_KEYS_PATH ?= "${TOPDIR}/trustfence"
|
||||||
|
# NXP keys
|
||||||
|
TRUSTFENCE_DEK_ENCRYPT_KEYNAME ?= "dek.bin"
|
||||||
|
# STM keys
|
||||||
|
TRUSTFENCE_FIP_ENCRYPT_KEYNAME ?= "encryption_key_fip.bin"
|
||||||
|
TRUSTFENCE_FSBL_ENCRYPT_KEYNAME ?= "encryption_key_fsbl.bin"
|
||||||
|
TRUSTFENCE_RPROC_ENCRYPT_KEYNAME ?= "encryption_key_rproc.bin"
|
||||||
|
|
||||||
TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
|
TRUSTFENCE_ENCRYPT_ENVIRONMENT ?= "1"
|
||||||
TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
|
TRUSTFENCE_SRK_REVOKE_MASK ?= "0x0"
|
||||||
TRUSTFENCE_KEY_INDEX ?= "0"
|
TRUSTFENCE_KEY_INDEX ?= "0"
|
||||||
|
|
@ -46,9 +53,9 @@ TRUSTFENCE_READ_ONLY_ROOTFS ?= "${@bb.utils.contains("IMAGE_FEATURES", "read-onl
|
||||||
#
|
#
|
||||||
|
|
||||||
# Platform specific defaults
|
# Platform specific defaults
|
||||||
TF_DEK_PATH = "default"
|
TF_ENCRYPT = "1"
|
||||||
TF_DEK_PATH:ccimx9 = "0"
|
TF_ENCRYPT:ccimx9 = "0"
|
||||||
TF_DEK_PATH:ccmp1 = "0"
|
TF_ENCRYPT:ccmp1 = "0"
|
||||||
TF_FILE_BASED_ENCRYPT = "0"
|
TF_FILE_BASED_ENCRYPT = "0"
|
||||||
TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
|
TF_FILE_BASED_ENCRYPT:ccimx9 = "1"
|
||||||
TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
|
TF_FILE_BASED_ENCRYPT:ccmp1 = "1"
|
||||||
|
|
@ -70,15 +77,17 @@ TRUSTFENCE_FIT_CFG_SIGN_KEYNAME ?= "fitcfg"
|
||||||
TRUSTFENCE_FIT_IMG_SIGN_KEYNAME ?= "fitimg"
|
TRUSTFENCE_FIT_IMG_SIGN_KEYNAME ?= "fitimg"
|
||||||
|
|
||||||
# Function to generate a PKI tree (with lock dir protection)
|
# Function to generate a PKI tree (with lock dir protection)
|
||||||
GENPKI_LOCK_DIR = "${TRUSTFENCE_SIGN_KEYS_PATH}/.genpki.lock"
|
GENPKI_LOCK_DIR = "${TRUSTFENCE_KEYS_PATH}/.genpki.lock"
|
||||||
gen_pki_tree() {
|
gen_pki_tree() {
|
||||||
if mkdir -p ${GENPKI_LOCK_DIR}; then
|
if mkdir -p ${GENPKI_LOCK_DIR}; then
|
||||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||||
trustfence-gen-pki.sh ${TRUSTFENCE_SIGN_KEYS_PATH}
|
trustfence-gen-pki.sh ${TRUSTFENCE_KEYS_PATH}
|
||||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
||||||
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
|
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_KEYS_PATH}"
|
||||||
if [ "${TRUSTFENCE_DEK_PATH}" != "0" ]; then
|
if [ "${TRUSTFENCE_ENCRYPT}" = "1" ]; then
|
||||||
export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
|
export CONFIG_FIP_ENCRYPT_KEYNAME="${TRUSTFENCE_FIP_ENCRYPT_KEYNAME}"
|
||||||
|
export CONFIG_FSBL_ENCRYPT_KEYNAME="${TRUSTFENCE_FSBL_ENCRYPT_KEYNAME}"
|
||||||
|
export CONFIG_RPROC_ENCRYPT_KEYNAME="${TRUSTFENCE_RPROC_ENCRYPT_KEYNAME}"
|
||||||
fi
|
fi
|
||||||
trustfence-gen-pki.sh -p ${DIGI_SOM}
|
trustfence-gen-pki.sh -p ${DIGI_SOM}
|
||||||
fi
|
fi
|
||||||
|
|
@ -91,7 +100,7 @@ gen_pki_tree() {
|
||||||
# Function that generates a PKI tree if there isn't one
|
# Function that generates a PKI tree if there isn't one
|
||||||
check_gen_pki_tree() {
|
check_gen_pki_tree() {
|
||||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||||
SRK_KEYS="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
|
SRK_KEYS="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/SRK*crt.pem | sed s/\ /\,/g)"
|
||||||
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
|
n_commas="$(echo ${SRK_KEYS} | grep -o "," | wc -l)"
|
||||||
if [ "${n_commas}" -eq 0 ]; then
|
if [ "${n_commas}" -eq 0 ]; then
|
||||||
gen_pki_tree
|
gen_pki_tree
|
||||||
|
|
@ -112,7 +121,7 @@ copy_public_key() {
|
||||||
|
|
||||||
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
if [ "${DEY_SOC_VENDOR}" = "NXP" ]; then
|
||||||
KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
|
KEY_INDEX="$(expr ${TRUSTFENCE_KEY_INDEX} + 1)"
|
||||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
|
PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/crts/key${KEY_INDEX}.pub"
|
||||||
# The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
|
# The new hab/ahab_pki_tree.sh script extracts the public keys after the PKI
|
||||||
# generation and leaves them in the crts/ folder. However, the PKI tree may
|
# generation and leaves them in the crts/ folder. However, the PKI tree may
|
||||||
# already exist, the PKI generation script not called, and then the public
|
# already exist, the PKI generation script not called, and then the public
|
||||||
|
|
@ -120,9 +129,9 @@ copy_public_key() {
|
||||||
# selected public key.
|
# selected public key.
|
||||||
if [ ! -f "${PUBLIC_KEY}" ]; then
|
if [ ! -f "${PUBLIC_KEY}" ]; then
|
||||||
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
if [ "${TRUSTFENCE_SIGN_MODE}" = "HAB" ]; then
|
||||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
|
CERT_IMG="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/IMG${KEY_INDEX}*crt.pem)"
|
||||||
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
elif [ "${TRUSTFENCE_SIGN_MODE}" = "AHAB" ]; then
|
||||||
CERT_IMG="$(echo ${TRUSTFENCE_SIGN_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
|
CERT_IMG="$(echo ${TRUSTFENCE_KEYS_PATH}/crts/SRK${KEY_INDEX}*crt.pem)"
|
||||||
else
|
else
|
||||||
bberror "Unknown TRUSTFENCE_SIGN_MODE value"
|
bberror "Unknown TRUSTFENCE_SIGN_MODE value"
|
||||||
exit 1
|
exit 1
|
||||||
|
|
@ -132,9 +141,9 @@ copy_public_key() {
|
||||||
fi
|
fi
|
||||||
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
elif [ "${DEY_SOC_VENDOR}" = "STM" ]; then
|
||||||
if [ "${DIGI_SOM}" = "ccmp15" ]; then
|
if [ "${DIGI_SOM}" = "ccmp15" ]; then
|
||||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey.pem"
|
PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/keys/publicKey.pem"
|
||||||
else
|
else
|
||||||
PUBLIC_KEY="${TRUSTFENCE_SIGN_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
|
PUBLIC_KEY="${TRUSTFENCE_KEYS_PATH}/keys/publicKey0${TRUSTFENCE_KEY_INDEX}.pem"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "ERROR: Cannot determine the public key"
|
echo "ERROR: Cannot determine the public key"
|
||||||
|
|
@ -152,6 +161,14 @@ python () {
|
||||||
import hashlib
|
import hashlib
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
# Check backwards compatibility
|
||||||
|
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
||||||
|
d.setVar("TRUSTFENCE_KEYS_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
|
||||||
|
if d.getVar("TRUSTFENCE_DEK_PATH"):
|
||||||
|
DEK_PATH = os.path.dirname(d.getVar("TRUSTFENCE_DEK_PATH"))
|
||||||
|
if (d.getVar("TRUSTFENCE_KEYS_PATH") != DEK_PATH):
|
||||||
|
bb.fatal('[trustfence] TRUSTFENCE_DEK_PATH is deprecated; Set new variable TRUSTFENCE_KEYS_PATH to the directory containing both your sign and encryption keys.')
|
||||||
|
|
||||||
# Secure console configuration
|
# Secure console configuration
|
||||||
if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE") == "1"):
|
if (d.getVar("TRUSTFENCE_CONSOLE_DISABLE") == "1"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_DISABLE=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_CONSOLE_DISABLE=y ")
|
||||||
|
|
@ -170,16 +187,6 @@ python () {
|
||||||
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_CONSOLE_ENABLE_GPIO_ACTIVE_LOW is not set" ')
|
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_CONSOLE_ENABLE_GPIO_ACTIVE_LOW is not set" ')
|
||||||
|
|
||||||
# Secure boot configuration
|
# Secure boot configuration
|
||||||
if (d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") == "default"):
|
|
||||||
d.setVar("TRUSTFENCE_SIGN_KEYS_PATH", d.getVar("TOPDIR") + "/trustfence");
|
|
||||||
|
|
||||||
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
|
||||||
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
|
|
||||||
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/dek.bin");
|
|
||||||
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
|
||||||
if (d.getVar("TRUSTFENCE_DEK_PATH") == "default"):
|
|
||||||
d.setVar("TRUSTFENCE_DEK_PATH", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"));
|
|
||||||
|
|
||||||
if (d.getVar("TRUSTFENCE_SIGN") == "1"):
|
if (d.getVar("TRUSTFENCE_SIGN") == "1"):
|
||||||
# Set STM-specific variables for signing images
|
# Set STM-specific variables for signing images
|
||||||
if (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
if (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
||||||
|
|
@ -187,17 +194,17 @@ python () {
|
||||||
d.setVar("EXTERNAL_KEY_CONF", "1")
|
d.setVar("EXTERNAL_KEY_CONF", "1")
|
||||||
d.setVar("SIGN_TOOL", "STM32MP_SigningTool_CLI")
|
d.setVar("SIGN_TOOL", "STM32MP_SigningTool_CLI")
|
||||||
if (d.getVar("DIGI_SOM") == "ccmp15" ):
|
if (d.getVar("DIGI_SOM") == "ccmp15" ):
|
||||||
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey.pem");
|
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/privateKey.pem");
|
||||||
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass.txt")
|
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/key_pass.txt")
|
||||||
else:
|
else:
|
||||||
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX"));
|
d.setVar("SIGN_KEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/privateKey0%s.pem" % d.getVar("TRUSTFENCE_KEY_INDEX"));
|
||||||
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/keys/key_pass0%s.txt" % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
d.setVar("TRUSTFENCE_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "/keys/key_pass0%s.txt" % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
||||||
if (d.getVar("SIGN_COPRO_ENABLE") == "1" ):
|
if (d.getVar("SIGN_COPRO_ENABLE") == "1" ):
|
||||||
d.setVar("SIGN_COPRO_ECC_PRIVKEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/rproc-keys/privateKey.pem")
|
d.setVar("SIGN_COPRO_ECC_PRIVKEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/rproc-keys/privateKey.pem")
|
||||||
d.setVar("SIGN_COPRO_ECC_PRIVKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_PRIVKEY"))
|
d.setVar("SIGN_COPRO_ECC_PRIVKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_PRIVKEY"))
|
||||||
d.setVar("SIGN_COPRO_ECC_INFOKEY", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "/rproc-keys/publicKey.der")
|
d.setVar("SIGN_COPRO_ECC_INFOKEY", d.getVar("TRUSTFENCE_KEYS_PATH") + "/rproc-keys/publicKey.der")
|
||||||
d.setVar("SIGN_COPRO_ECC_INFOKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_INFOKEY"))
|
d.setVar("SIGN_COPRO_ECC_INFOKEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_COPRO_ECC_INFOKEY"))
|
||||||
d.setVar("TRUSTFENCE_COPRO_PASSWORD_FILE", d.getVar("TRUSTFENCE_SIGN_KEYS_PATH") + "rproc-keys/key_pass.txt")
|
d.setVar("TRUSTFENCE_COPRO_PASSWORD_FILE", d.getVar("TRUSTFENCE_KEYS_PATH") + "rproc-keys/key_pass.txt")
|
||||||
d.setVar("SIGN_COPRO_ECC_PASS_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), "UNDEFINED");
|
d.setVar("SIGN_COPRO_ECC_PASS_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), "UNDEFINED");
|
||||||
d.setVar("SIGN_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_KEY"));
|
d.setVar("SIGN_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("SIGN_KEY"));
|
||||||
|
|
||||||
|
|
@ -209,26 +216,26 @@ python () {
|
||||||
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_LEGACY_IMAGE_FORMAT is not set" ')
|
d.appendVar("UBOOT_TF_CONF", '"# CONFIG_LEGACY_IMAGE_FORMAT is not set" ')
|
||||||
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
|
if (d.getVar("TRUSTFENCE_READ_ONLY_ROOTFS") == "1"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_AUTHENTICATE_SQUASHFS_ROOTFS=y ")
|
||||||
if d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"):
|
if d.getVar("TRUSTFENCE_KEYS_PATH"):
|
||||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
|
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_KEYS_PATH="%s" ' % d.getVar("TRUSTFENCE_KEYS_PATH"))
|
||||||
if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION") == "1"):
|
if (d.getVar("TRUSTFENCE_UNLOCK_KEY_REVOCATION") == "1"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_UNLOCK_SRK_REVOKE=y ")
|
||||||
if d.getVar("TRUSTFENCE_KEY_INDEX"):
|
if d.getVar("TRUSTFENCE_KEY_INDEX"):
|
||||||
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
d.appendVar("UBOOT_TF_CONF", "CONFIG_KEY_INDEX=%s " % d.getVar("TRUSTFENCE_KEY_INDEX"))
|
||||||
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
if (d.getVar("DEY_SOC_VENDOR") == "NXP"):
|
||||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
|
if (d.getVar("TRUSTFENCE_ENCRYPT") == "1"):
|
||||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s" ' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
d.appendVar("UBOOT_TF_CONF", 'CONFIG_DEK_PATH="%s/%s" ' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_DEK_ENCRYPT_KEYNAME")))
|
||||||
if d.getVar("TRUSTFENCE_SIGN_MODE"):
|
if d.getVar("TRUSTFENCE_SIGN_MODE"):
|
||||||
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
|
d.appendVar("UBOOT_TF_CONF", 'CONFIG_SIGN_MODE="%s" ' % d.getVar("TRUSTFENCE_SIGN_MODE"))
|
||||||
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
elif (d.getVar("DEY_SOC_VENDOR") == "STM"):
|
||||||
if (d.getVar("TRUSTFENCE_DEK_PATH") not in [None, "0"]):
|
if (d.getVar("TRUSTFENCE_ENCRYPT") == "1"):
|
||||||
d.setVar("ENCRYPT_ENABLE", "1")
|
d.setVar("ENCRYPT_ENABLE", "1")
|
||||||
d.setVar("ENCRYPT_FSBL_KEY", '%s/encryption_key_fsbl.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
d.setVar("ENCRYPT_FSBL_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_FSBL_ENCRYPT_KEYNAME")))
|
||||||
d.setVar("ENCRYPT_FSBL_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FSBL_KEY"))
|
d.setVar("ENCRYPT_FSBL_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FSBL_KEY"))
|
||||||
d.setVar("ENCRYPT_FIP_KEY", '%s/encryption_key_fip.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
d.setVar("ENCRYPT_FIP_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_FIP_ENCRYPT_KEYNAME")))
|
||||||
d.setVar("ENCRYPT_FIP_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FIP_KEY"))
|
d.setVar("ENCRYPT_FIP_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_FIP_KEY"))
|
||||||
if (d.getVar("ENCRYPT_COPRO_ENABLE") == "1"):
|
if (d.getVar("ENCRYPT_COPRO_ENABLE") == "1"):
|
||||||
d.setVar("ENCRYPT_COPRO_KEY", '%s/encryption_key_rproc.bin' % d.getVar("TRUSTFENCE_DEK_PATH"))
|
d.setVar("ENCRYPT_COPRO_KEY", '%s/%s' % (d.getVar("TRUSTFENCE_KEYS_PATH"), d.getVar("TRUSTFENCE_RPROC_ENCRYPT_KEYNAME")))
|
||||||
d.setVar("ENCRYPT_COPRO_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_COPRO_KEY"))
|
d.setVar("ENCRYPT_COPRO_KEY_%s" % (d.getVar("STM32MP_SOC_NAME").strip()), d.getVar("ENCRYPT_COPRO_KEY"))
|
||||||
|
|
||||||
if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"):
|
if (d.getVar("TRUSTFENCE_SIGN_FIT_STM") == "1"):
|
||||||
|
|
@ -244,7 +251,7 @@ python () {
|
||||||
# Enable FIT signing support
|
# Enable FIT signing support
|
||||||
d.setVar("UBOOT_SIGN_ENABLE", d.getVar("TRUSTFENCE_SIGN"))
|
d.setVar("UBOOT_SIGN_ENABLE", d.getVar("TRUSTFENCE_SIGN"))
|
||||||
# Set path to FIT signing keys
|
# Set path to FIT signing keys
|
||||||
d.setVar("UBOOT_SIGN_KEYDIR", "%s/fit" % d.getVar("TRUSTFENCE_SIGN_KEYS_PATH"))
|
d.setVar("UBOOT_SIGN_KEYDIR", "%s/fit" % d.getVar("TRUSTFENCE_KEYS_PATH"))
|
||||||
|
|
||||||
else:
|
else:
|
||||||
# Disable signing artifacts if TRUSTFENCE_SIGN != 1
|
# Disable signing artifacts if TRUSTFENCE_SIGN != 1
|
||||||
|
|
@ -262,7 +269,7 @@ python () {
|
||||||
d.setVar("SWUPDATE_SIGNING", "RSA")
|
d.setVar("SWUPDATE_SIGNING", "RSA")
|
||||||
|
|
||||||
# Retrieve the keys path to use.
|
# Retrieve the keys path to use.
|
||||||
keys_path = d.getVar("TRUSTFENCE_SIGN_KEYS_PATH")
|
keys_path = d.getVar("TRUSTFENCE_KEYS_PATH")
|
||||||
|
|
||||||
# Retrieve the key index to use.
|
# Retrieve the key index to use.
|
||||||
key_index = 0
|
key_index = 0
|
||||||
|
|
|
||||||