Add Trustfence support for signing imx-boot images:
- Install a different U-Boot signing script for images with U-Boot SPL.
- Store mkimage log for later use in the signing script
- make 'print_hab_log' and store its log for later use in the signing script
https://jira.digi.com/browse/DEL-7023
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Digi Embedded Yocto 2.6-r3.1
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Mike Engel <mike.engel@digi.com>
The recipe needs to create a copy of the sign.sh script to be used by
other recipes, but the file is the same whether you use it for HAB or AHAB
images. This is determined through the use of an exported variable with
the mode. There is no need to have the script duplicated.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The only script that needs to generate the SRK_efuses is the sign.sh
script in the U-Boot code. For the rest of signed non-bootable artifacts
this is not required and it was creating the SRK_efuses file on every
recipe where the script was called, like linux-dey and others, which
eventually resulted in a conflict when copying the artifacts to the shared
deploy-image-dir.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit changes the u-boot sources needed to create standalone
signing tools to 2019.04. This u-boot supports all Trustfence
platforms.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Otherwise, users that are behind corporate firewalls might not be able to
obtain the package sources.
https://jira.digi.com/browse/DEL-6663
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
During the merge of the maintainance branch and the manual revert of
some recipes, these were forgotten.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Update to newest U-Boot v2017.03
Remove the package version since it is based on a git repo and only
used natively.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
util-linux is needed as the scripts use 'hexdump'. In previous versions
of Yocto the tool from the host was used, but this has been fixed in
Yocto 2.3
Also fix the other dependencies: the -native suffix is not needed nor
correct, as the native and nativesdk classes already map packages in
the DEPENDS variable to the corresponding packages.
Signed-off-by: Jose Diaz de Grenu <Jose.DiazdeGrenu@digi.com>
- The IVT table address inside the kernel image must be aligned at 0x1000
bytes. The calculation of this offset was not working when the kernel image
size was multiple of 0x1000 bytes. In this case the IVT table was moved an
extra offset of 0x1000 bytes, causing U-Boot to fail to validate the image
as the IVT table was not in the expected location.
This fix uses the same offset calculation algorithm as U-Boot, ensuring both,
the sign script and U-Boot will look for the IVT at the same address.
https://jira.digi.com/browse/DEL-3972
Signed-off-by: David Escalona <david.escalona@digi.com>
Ensure that the signing script is not executed in parallel. This is required in
order to avoid problems during PKI generation and CST usage when building with
Yocto or the Android build system.
https://jira.digi.com/browse/DEL-2849
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
The HAB on the i.MX6/i.MX6UL expects an entrypoint which is used to pass
execution to U-Boot in the ROM code. In later executions of HAB, U-Boot calls
the HAB but ignores this value.
A fixed value of 0x1000 was being used for the entrypoint, which is too big for
really small artifacts, like bootscripts. This commit reduces the value to
0x100. This allows to sign and encrypt artifacts as small as 260 bytes.
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This patch introduces some parameters which allow to select the type of image
to be signed. Currently the supported types are:
* linux kernel (-l)
* DTB (-d)
* initramfs (-i)
This also moves the CONFIG_PLATFORM environment variable to a parameter, for
consistency.
https://jira.digi.com/browse/DUB-614https://jira.digi.com/browse/DUB-615
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
* Check number of arguments
* Add platform argument
* Read user configuration from .config file
* Remove unused variable (dek_blob_size)
* Remove noise in output messages
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
When writing the fake IVT table in raw, rely on tac (part of the core-utils
package) instead of on xxd.
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Add a recipe to include all signing and encryption tools for U-Boot and
kernel images to the SDK. Move existing trustfence kernel scripts to this
new recipe.
This allows to use these scripts not only from the Yocto build system but
also as standalone tools for image signing and encryption.
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Gonzalo Ruiz
Mike Engel
Arturo Buzarra
Hector Palacios
Gabriel Valcazar
Jose Diaz de Grenu
David Escalona
Alex Gonzalez
Javier Viguera