Add Trustfence support for signing imx-boot images:
- Install a different U-Boot signing script for images with U-Boot SPL.
- Store mkimage log for later use in the signing script
- make 'print_hab_log' and store its log for later use in the signing script
https://jira.digi.com/browse/DEL-7023
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Digi Embedded Yocto 2.6-r3.1
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Mike Engel <mike.engel@digi.com>
The recipe needs to create a copy of the sign.sh script to be used by
other recipes, but the file is the same whether you use it for HAB or AHAB
images. This is determined through the use of an exported variable with
the mode. There is no need to have the script duplicated.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The only script that needs to generate the SRK_efuses is the sign.sh
script in the U-Boot code. For the rest of signed non-bootable artifacts
this is not required and it was creating the SRK_efuses file on every
recipe where the script was called, like linux-dey and others, which
eventually resulted in a conflict when copying the artifacts to the shared
deploy-image-dir.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit changes the u-boot sources needed to create standalone
signing tools to 2019.04. This u-boot supports all Trustfence
platforms.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This adds the same example application that was used for the old version of the
library, but it has been separated into a proper package this time.
Recommend said package when installing the library.
https://jira.digi.com/browse/DEL-6826
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
This version is based on the 20190517 master release, with the addition of
pkcs11 provisioning support.
The source code now has cmake files, so we don't need as many code
customizations as we used to. Revamp the recipe and its patches.
https://jira.digi.com/browse/DEL-6826https://jira.digi.com/browse/DEL-6835
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Digi Embedded Yocto 2.6-r2.2
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Otherwise, users that are behind corporate firewalls might not be able to
obtain the package sources.
https://jira.digi.com/browse/DEL-6663
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Collects following changes:
- fix compatible string parsing: Only first compatible string
was being parsed from "/proc/device-tree/compatible"
while looking the device the application is running on.
https://jira.digi.com/browse/DEL-6436
Signed-off-by: Hector Bujanda <hector.bujanda@digi.com>
Digi Embedded Yocto 2.4-r2.2
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Collects following changes:
- Added tamper support for cc8x.
https://jira.digi.com/browse/DEL-6226
Signed-off-by: Hector Bujanda <hector.bujanda@digi.com>
Collects following changes:
- Added fw_update support for cc8x.
- Platform is auto recognized by the tool.
- Added boot mode configuration.
https://jira.digi.com/browse/DEL-6247
Signed-off-by: Hector Bujanda <hector.bujanda@digi.com>
During the merge of the maintainance branch and the manual revert of
some recipes, these were forgotten.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Update to newest U-Boot v2017.03
Remove the package version since it is based on a git repo and only
used natively.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
We are going to remove this repo, so the sources will always be fetched from
the official Microchip repo from now on.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Install crypto libraries in the rootfs so external applications can made use
of them.
Reworked first patch with all the needed port changes.
https://jira.digi.com/browse/DEL-5710
Signed-off-by: Isaac Hermida <isaac.hermida@digi.com>
Make SRC_URI point to Microchip's standalone repo of the cryptoauth library,
add our customization patches and modify the license variables to point to the
new Microchip license file.
https://jira.digi.com/browse/DEL-5591
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
util-linux is needed as the scripts use 'hexdump'. In previous versions
of Yocto the tool from the host was used, but this has been fixed in
Yocto 2.3
Also fix the other dependencies: the -native suffix is not needed nor
correct, as the native and nativesdk classes already map packages in
the DEPENDS variable to the corresponding packages.
Signed-off-by: Jose Diaz de Grenu <Jose.DiazdeGrenu@digi.com>
The MACHINE_EXTRA_RRECOMMENDS for the ccimx6ul in meta-digi-arm contains
cryptoauthlib. If we want to use meta-digi-arm as a standalone BSP layer
we need to move the cryptoauthlib recipe to meta-digi-arm, that or not make it
a machine dependency.
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
Tweaked to maintain some recipes' revisions to AUTOREV instead of the
fixed SHA1s from the tag.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Tweaked to maintain some recipes' revisions to AUTOREV instead of the
fixed SHA1s from the tag.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
- The IVT table address inside the kernel image must be aligned at 0x1000
bytes. The calculation of this offset was not working when the kernel image
size was multiple of 0x1000 bytes. In this case the IVT table was moved an
extra offset of 0x1000 bytes, causing U-Boot to fail to validate the image
as the IVT table was not in the expected location.
This fix uses the same offset calculation algorithm as U-Boot, ensuring both,
the sign script and U-Boot will look for the IVT at the same address.
https://jira.digi.com/browse/DEL-3972
Signed-off-by: David Escalona <david.escalona@digi.com>
Tweaked to maintain the u-boot and linux revisions to AUTOREV instead of
the fixed SHA1s from the tag.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Ensure that the signing script is not executed in parallel. This is required in
order to avoid problems during PKI generation and CST usage when building with
Yocto or the Android build system.
https://jira.digi.com/browse/DEL-2849
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
The HAB on the i.MX6/i.MX6UL expects an entrypoint which is used to pass
execution to U-Boot in the ROM code. In later executions of HAB, U-Boot calls
the HAB but ignores this value.
A fixed value of 0x1000 was being used for the entrypoint, which is too big for
really small artifacts, like bootscripts. This commit reduces the value to
0x100. This allows to sign and encrypt artifacts as small as 260 bytes.
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This patch introduces some parameters which allow to select the type of image
to be signed. Currently the supported types are:
* linux kernel (-l)
* DTB (-d)
* initramfs (-i)
This also moves the CONFIG_PLATFORM environment variable to a parameter, for
consistency.
https://jira.digi.com/browse/DUB-614https://jira.digi.com/browse/DUB-615
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
* Check number of arguments
* Add platform argument
* Read user configuration from .config file
* Remove unused variable (dek_blob_size)
* Remove noise in output messages
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
When writing the fake IVT table in raw, rely on tac (part of the core-utils
package) instead of on xxd.
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Add a recipe to include all signing and encryption tools for U-Boot and
kernel images to the SDK. Move existing trustfence kernel scripts to this
new recipe.
This allows to use these scripts not only from the Yocto build system but
also as standalone tools for image signing and encryption.
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Gonzalo Ruiz
Mike Engel
Arturo Buzarra
Hector Palacios
Hector Bujanda
Gabriel Valcazar
Isaac Hermida
Javier Viguera
Jose Diaz de Grenu
Alex Gonzalez
Sebastian Pastor
Alejandro Navarro
Tatiana Leon
David Escalona