Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (not using dek.bin), as if this
was disabled.
Set temporarily TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Dependencies of this recipe are run-time dependencies, not build-time.
While on it, move them to specific native/nativesdk recipe.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe builds the script (that depends on cst-tool) that is used to
sign the images. It's only run natively.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The stand-alone signing script 'trustfence-sign-artifact.sh' checks
if a valid PKI tree exists (by checking the existance of four SRK
files) and if they don't, it calls trustfence-gen-pki.sh (which is
a wrapper over different generators (for HAB or AHAB) to create one.
Recipes such as 'dualboot' or 'recovery-initramfs' may need to call
openssl functions over the PKI tree. These recipes do not currently
generate the PKI tree; they expect it to be already in place.
This might not be the case if the trustfence-sign-artifact.sh script
has not been called yet.
Originally, a fake dependency on virtual/kernel recipe was made to
force it, but it doesn't quite work since the calling only happens
on deploy() while regular DEPENDS doesn't wait for this task.
If the PKI does not exist, a recipe that requires the PKI tree will
fail.
The solution is to create a function on the trustfence.bbclass that
allows any recipe to check for the existance of a PKI tree and
generate it if it doesn't exist. This is repeated inside the
trustfence-sign-artifact.sh, but it needs to be in both places
because this script must work stand-alone.
The generation of the PKI tree takes some seconds so this commit
adds a lock dir to prevent race conditions when called from
different recipes.
It also removes the fake dependency on virtual/kernel and adds a
dependency on trustfence-cst-native (which is the recipe that
provides the PKI generation tool).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8430
(cherry picked from commit 6a8bf7afff)
Artifact encryption is now supported for ccimx8mn and ccimx8mm.
This reverts commit 1134e4c07c.
https://onedigi.atlassian.net/browse/DEL-7915
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
(cherry picked from commit 588005bb4b2200e79b180f77671304d9c5bdf509)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
As that's an old VM with limited specs, there is no much gain on using
it over the canonical Stash repositories that justifies the code
overhead and the possible errors due to synchronization problems.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The sign mode needed for each platform is invariable, and since the platform
is already a mandatory parameter for the script, we can store this information
implicitly. Reflect this change in every recipe where the script is used, but
keep the variable at the Yocto level since it's still needed in several places.
https://onedigi.atlassian.net/browse/DEL-7862
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The common license file GPL-2.0 is now called GPL-2.0-only in poky, so we need
to reflect this name change to avoid errors
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Digi Embedded Yocto 3.2-r2.2
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The AHAB decryption process takes the encrypted file from the address defined
in U-Boot and decrypts it into the address defined in this script. If both
addresses are the same, the decryption process ends up failing. This
happens even for signed-only images.
Maintain the original addresses in this script so they do not collide.
This reverts commit c970d87d5a.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Re-use RAMDISK address for authenticating the rootfs instead
of allocating a new address (if authenticating a rootfs, we're
not using a ramdisk).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Enabling DIGI_INTERNAL_GIT defaults to LOG server. The build from local
MTK Digi server was broken.
Fix uboot and linux recipes declaring different repo paths depending on
whether the local remote is LOG or MTK.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Attempting to boot encrypted artifacts on these platforms will result in HAB
events caused by CAAM errors. This is due to the CAAM being configured for
non-secure contexts (in regards to Trustzone) while the HAB expects it to be
configured for secure contexts.
For now, only sign artifacts for these platforms even if the project has the
encryption feature enabled.
https://jira.digi.com/browse/DUB-993
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
In order to revoke SRKs in platforms with AHAB we need to set a mask
during the signing/encryption process.
Create new TRUSTFENCE_SRK_REVOKE_MASK variable to export the
SRK_REVOKE_MASK variable required by the imx-boot signing script.
The revoke mask is not necessary for signing/encryption of other artifacts,
so set it by default to 0x0.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Add support to sign and encrypt OS artifacts for AHAB devices.
https://jira.digi.com/browse/DEL-7371
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Perform AHAB signing process without altering the original file.
https://jira.digi.com/browse/DEL-7024
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
LINUX_ARM64 images include the padding length in the size property of
their header, so for these images read the header size property instead
of calculating it with 'stat'.
https://jira.digi.com/browse/DEL-7024
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
If CONFIG_SIGN_MODE is unset, we were assuming the sign mode to be AHAB
whereas it is preferable to abort the signing process and notify with an
error message.
https://jira.digi.com/browse/DEL-7024
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
The signing script is used for signing multiple artifacts, not just the
kernel, so rename it for a broader use.
https://jira.digi.com/browse/DEL-7047
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
imx-mkimage is a host recipe to provide the mkimage_imx8 binaries, required
for the trustfence support with platform based on AHAB (ccimx8x). Since
these binaries are required to the sign process we need to export it in the
SDK to allow the standalone sign mode, and with that we can simplify the
mechanism to share these binaries with another recipes (u-boot, linux).
Also the do_deploy() from imx-mkimage recipe was removed to avoid overriding
the implementation from the native class and allow populating the mkimage
binaries.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Add Trustfence support for signing imx-boot images:
- Install a different U-Boot signing script for images with U-Boot SPL.
- Store mkimage log for later use in the signing script
- make 'print_hab_log' and store its log for later use in the signing script
https://jira.digi.com/browse/DEL-7023
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Digi Embedded Yocto 2.6-r3.1
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Mike Engel <mike.engel@digi.com>
The recipe needs to create a copy of the sign.sh script to be used by
other recipes, but the file is the same whether you use it for HAB or AHAB
images. This is determined through the use of an exported variable with
the mode. There is no need to have the script duplicated.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The only script that needs to generate the SRK_efuses is the sign.sh
script in the U-Boot code. For the rest of signed non-bootable artifacts
this is not required and it was creating the SRK_efuses file on every
recipe where the script was called, like linux-dey and others, which
eventually resulted in a conflict when copying the artifacts to the shared
deploy-image-dir.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This commit changes the u-boot sources needed to create standalone
signing tools to 2019.04. This u-boot supports all Trustfence
platforms.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Otherwise, users that are behind corporate firewalls might not be able to
obtain the package sources.
https://jira.digi.com/browse/DEL-6663
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Hector Palacios
Javier Viguera
Arturo Buzarra
Gonzalo Ruiz
Isaac Hermida
Gabriel Valcazar
Mike Engel
Francisco Gil
Hector Bujanda