Several recipes depend on the PKI creation.
Create a small recipe to just run this function which
is moved from the trustfence.bbclass.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This script can be called stand-alone or from DEY.
Syntax is :
trustfence-sign-artifact.sh -p <platform> [-t input-unsigned-image> <output-signed-image>]
If files are omitted, it at least generates random keys if they do not
exist.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This is in preparation of using the same script name for different SOC
vendors (NXP and STM).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (not using dek.bin), as if this
was disabled.
Set temporarily TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Dependencies of this recipe are run-time dependencies, not build-time.
While on it, move them to specific native/nativesdk recipe.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe builds the script (that depends on cst-tool) that is used to
sign the images. It's only run natively.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The commit we use to build the cryotpauthlib package is currently not part of
any branches or tags in the original MicrochipTech repo. To make sure the
package can always be built, use our mirror of the repo, which includes an
additional branch for the specific commit.
While at it, move the "nobranch=1" parameter to the GIT_URI variable, since
we're putting all other git parameters there, anyway. Also, remove the "branch"
parameter because it isn't needed in this case.
https://onedigi.atlassian.net/browse/DEL-8015
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The stand-alone signing script 'trustfence-sign-artifact.sh' checks
if a valid PKI tree exists (by checking the existance of four SRK
files) and if they don't, it calls trustfence-gen-pki.sh (which is
a wrapper over different generators (for HAB or AHAB) to create one.
Recipes such as 'dualboot' or 'recovery-initramfs' may need to call
openssl functions over the PKI tree. These recipes do not currently
generate the PKI tree; they expect it to be already in place.
This might not be the case if the trustfence-sign-artifact.sh script
has not been called yet.
Originally, a fake dependency on virtual/kernel recipe was made to
force it, but it doesn't quite work since the calling only happens
on deploy() while regular DEPENDS doesn't wait for this task.
If the PKI does not exist, a recipe that requires the PKI tree will
fail.
The solution is to create a function on the trustfence.bbclass that
allows any recipe to check for the existance of a PKI tree and
generate it if it doesn't exist. This is repeated inside the
trustfence-sign-artifact.sh, but it needs to be in both places
because this script must work stand-alone.
The generation of the PKI tree takes some seconds so this commit
adds a lock dir to prevent race conditions when called from
different recipes.
It also removes the fake dependency on virtual/kernel and adds a
dependency on trustfence-cst-native (which is the recipe that
provides the PKI generation tool).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8430
(cherry picked from commit 6a8bf7afff)
Artifact encryption is now supported for ccimx8mn and ccimx8mm.
This reverts commit 1134e4c07c.
https://onedigi.atlassian.net/browse/DEL-7915
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
(cherry picked from commit 588005bb4b2200e79b180f77671304d9c5bdf509)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
As that's an old VM with limited specs, there is no much gain on using
it over the canonical Stash repositories that justifies the code
overhead and the possible errors due to synchronization problems.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The sign mode needed for each platform is invariable, and since the platform
is already a mandatory parameter for the script, we can store this information
implicitly. Reflect this change in every recipe where the script is used, but
keep the variable at the Yocto level since it's still needed in several places.
https://onedigi.atlassian.net/browse/DEL-7862
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The common license file GPL-2.0 is now called GPL-2.0-only in poky, so we need
to reflect this name change to avoid errors
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Digi Embedded Yocto 3.2-r2.2
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The AHAB decryption process takes the encrypted file from the address defined
in U-Boot and decrypts it into the address defined in this script. If both
addresses are the same, the decryption process ends up failing. This
happens even for signed-only images.
Maintain the original addresses in this script so they do not collide.
This reverts commit c970d87d5a.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
By default, all platforms except ccimx6qpsbc work at 400 kHz on the i2c bus
connected to the ATECC508A crypto chip.
https://onedigi.atlassian.net/browse/DEL-7727
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Re-use RAMDISK address for authenticating the rootfs instead
of allocating a new address (if authenticating a rootfs, we're
not using a ramdisk).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Enabling DIGI_INTERNAL_GIT defaults to LOG server. The build from local
MTK Digi server was broken.
Fix uboot and linux recipes declaring different repo paths depending on
whether the local remote is LOG or MTK.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Includes:
- add support for getting properties from the ROM bootloader.
- flash layout extra check by asking flash size to the MCA bootloader.
- flash layout extra check by asking flash size to the MCA.
Signed-off-by: Hector Bujanda <hector.bujanda@digi.com>
Attempting to boot encrypted artifacts on these platforms will result in HAB
events caused by CAAM errors. This is due to the CAAM being configured for
non-secure contexts (in regards to Trustzone) while the HAB expects it to be
configured for secure contexts.
For now, only sign artifacts for these platforms even if the project has the
encryption feature enabled.
https://jira.digi.com/browse/DUB-993
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
In order to revoke SRKs in platforms with AHAB we need to set a mask
during the signing/encryption process.
Create new TRUSTFENCE_SRK_REVOKE_MASK variable to export the
SRK_REVOKE_MASK variable required by the imx-boot signing script.
The revoke mask is not necessary for signing/encryption of other artifacts,
so set it by default to 0x0.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Add support to sign and encrypt OS artifacts for AHAB devices.
https://jira.digi.com/browse/DEL-7371
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Perform AHAB signing process without altering the original file.
https://jira.digi.com/browse/DEL-7024
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
LINUX_ARM64 images include the padding length in the size property of
their header, so for these images read the header size property instead
of calculating it with 'stat'.
https://jira.digi.com/browse/DEL-7024
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
If CONFIG_SIGN_MODE is unset, we were assuming the sign mode to be AHAB
whereas it is preferable to abort the signing process and notify with an
error message.
https://jira.digi.com/browse/DEL-7024
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
The signing script is used for signing multiple artifacts, not just the
kernel, so rename it for a broader use.
https://jira.digi.com/browse/DEL-7047
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Includes:
- add io reset support including edge detection.
https://jira.digi.com/browse/CC6UL-1132
Signed-off-by: Pedro Perez de Heredia <pedro.perez@digi.com>
imx-mkimage is a host recipe to provide the mkimage_imx8 binaries, required
for the trustfence support with platform based on AHAB (ccimx8x). Since
these binaries are required to the sign process we need to export it in the
SDK to allow the standalone sign mode, and with that we can simplify the
mechanism to share these binaries with another recipes (u-boot, linux).
Also the do_deploy() from imx-mkimage recipe was removed to avoid overriding
the implementation from the native class and allow populating the mkimage
binaries.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Arturo Buzarra
Hector Palacios
Gabriel Valcazar
Javier Viguera
Gonzalo Ruiz
Isaac Hermida
Mike Engel
Hector Bujanda
Francisco Gil