PKI tree generation for the STM32MP15 cpu provides the undesired file
"publicKeysHashHashes.bin", which is only required by STM32MP13. This commit
generates the PKI tree according to the KeyGen tool documentation to avoid
generate this extra file and avoid confusing the end user.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Any errors in the PKI tree generation are not reported to bitbake, so the
script fails silently. This commit adds a validation of the script execution,
and if it fails, it aborts the execution and notifies to bitbake.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
The KeyGen tool to generate 8 key pairs requires 8 consecutive passwords,
however, when the shell expands the passwords variable, it interprets it as a
single string instead of 8 different strings and fails.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Create a new script for the generation of PKI tree for STM platforms
and leave the trustfence-sign-artifact script exclusively for signing.
The new gen-pki script only requires the platform as an argument and the
path to where to save the tree (if it doesn't exist) in
CONFIG_SIGN_KEYS_PATH.
This commit also reverts commit 13c136dbc5 by getting rid of the
trustfence-genpki-native.bb recipe and moving back the PKI generation
functions into trustfence.bbclass. This recipe didn't quite guarantee
that the PKI was generated on time for the recipes that required the
keys to exist, anyway.
Instead, the PKI generation function must be called right after
do_compile() of recipe tf-a-stm32mp to be ready for do_deploy() where
the key is used.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
When building imx-boot images with SPL on the ccimx8x, a different signing
procedure is required. We already have a script for this use case in our U-Boot
fork, so make use of it.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Several recipes depend on the PKI creation.
Create a small recipe to just run this function which
is moved from the trustfence.bbclass.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This script can be called stand-alone or from DEY.
Syntax is :
trustfence-sign-artifact.sh -p <platform> [-t input-unsigned-image> <output-signed-image>]
If files are omitted, it at least generates random keys if they do not
exist.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This is in preparation of using the same script name for different SOC
vendors (NXP and STM).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Set TRUSTFENCE_DEK_PATH to "0" for CCMP1 (not using dek.bin), as if this
was disabled.
Set temporarily TRUSTFENCE_ENCRYPT_ENVIRONMENT to "0" for CCMP1 until
environment encryption is fully supported.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Dependencies of this recipe are run-time dependencies, not build-time.
While on it, move them to specific native/nativesdk recipe.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
This recipe builds the script (that depends on cst-tool) that is used to
sign the images. It's only run natively.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
The stand-alone signing script 'trustfence-sign-artifact.sh' checks
if a valid PKI tree exists (by checking the existance of four SRK
files) and if they don't, it calls trustfence-gen-pki.sh (which is
a wrapper over different generators (for HAB or AHAB) to create one.
Recipes such as 'dualboot' or 'recovery-initramfs' may need to call
openssl functions over the PKI tree. These recipes do not currently
generate the PKI tree; they expect it to be already in place.
This might not be the case if the trustfence-sign-artifact.sh script
has not been called yet.
Originally, a fake dependency on virtual/kernel recipe was made to
force it, but it doesn't quite work since the calling only happens
on deploy() while regular DEPENDS doesn't wait for this task.
If the PKI does not exist, a recipe that requires the PKI tree will
fail.
The solution is to create a function on the trustfence.bbclass that
allows any recipe to check for the existance of a PKI tree and
generate it if it doesn't exist. This is repeated inside the
trustfence-sign-artifact.sh, but it needs to be in both places
because this script must work stand-alone.
The generation of the PKI tree takes some seconds so this commit
adds a lock dir to prevent race conditions when called from
different recipes.
It also removes the fake dependency on virtual/kernel and adds a
dependency on trustfence-cst-native (which is the recipe that
provides the PKI generation tool).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8430
(cherry picked from commit 6a8bf7afff)
Artifact encryption is now supported for ccimx8mn and ccimx8mm.
This reverts commit 1134e4c07c.
https://onedigi.atlassian.net/browse/DEL-7915
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
(cherry picked from commit 588005bb4b2200e79b180f77671304d9c5bdf509)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
As that's an old VM with limited specs, there is no much gain on using
it over the canonical Stash repositories that justifies the code
overhead and the possible errors due to synchronization problems.
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The sign mode needed for each platform is invariable, and since the platform
is already a mandatory parameter for the script, we can store this information
implicitly. Reflect this change in every recipe where the script is used, but
keep the variable at the Yocto level since it's still needed in several places.
https://onedigi.atlassian.net/browse/DEL-7862
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The common license file GPL-2.0 is now called GPL-2.0-only in poky, so we need
to reflect this name change to avoid errors
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
Digi Embedded Yocto 3.2-r2.2
Manually changed recipes to use the master branches instead of the fixed SHA1
from the last release.
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
The AHAB decryption process takes the encrypted file from the address defined
in U-Boot and decrypts it into the address defined in this script. If both
addresses are the same, the decryption process ends up failing. This
happens even for signed-only images.
Maintain the original addresses in this script so they do not collide.
This reverts commit c970d87d5a.
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Re-use RAMDISK address for authenticating the rootfs instead
of allocating a new address (if authenticating a rootfs, we're
not using a ramdisk).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Enabling DIGI_INTERNAL_GIT defaults to LOG server. The build from local
MTK Digi server was broken.
Fix uboot and linux recipes declaring different repo paths depending on
whether the local remote is LOG or MTK.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Arturo Buzarra
Hector Palacios
Gabriel Valcazar
Mike Engel
Javier Viguera
Gonzalo Ruiz
Isaac Hermida