The signing script is used for signing multiple artifacts, not just the
kernel, so rename it for a broader use.
https://jira.digi.com/browse/DEL-7047
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
Signing with AHAB mode only requires an additional prior step, so
reuse as much code as possible.
Also, for Image.gz images, sign the uncompressed Image and later
compress the result.
https://jira.digi.com/browse/DEL-7047
Signed-off-by: Gonzalo Ruiz <Gonzalo.Ruiz@digi.com>
imx-mkimage is a host recipe to provide the mkimage_imx8 binaries, required
for the trustfence support with platform based on AHAB (ccimx8x). Since
these binaries are required to the sign process we need to export it in the
SDK to allow the standalone sign mode, and with that we can simplify the
mechanism to share these binaries with another recipes (u-boot, linux).
Also the do_deploy() from imx-mkimage recipe was removed to avoid overriding
the implementation from the native class and allow populating the mkimage
binaries.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
This commit adds some dependencies to include the imx-mkimage package
that is needed to use the mkimage_imx8 tool.
Signed-off-by: Mike Engel <Mike.Engel@digi.com>
* prefix TRUSTFENCE_ to variable SIGN_MODE for DEY
* prefix CONFIG_ to variable SIGN_MODE for script
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
When using virtualization, ammend the kernel configuration so that docker
is supported.
https://jira.digi.com/browse/DEL-6681
Signed-off-by: Jose Diaz de Grenu <Jose.DiazdeGrenu@digi.com>
Remove the linux-v4.20 recipe and use the linux-fslc kernel recipe in
meta-freescale-3rdparty instead.
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
Device tree files no longer have the kernel type prefixed to their name, so the
trustfence_sign() function must be updated to reflect this change or else
errors will occur.
https://jira.digi.com/browse/DEL-6476
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
KERNEL_IMAGE_BASE_NAME was replaced by KERNEL_IMAGE_NAME for
consistency between variable names.
https://jira.digi.com/browse/DEL-6443
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
new version allows building multiple flavors of the kernel and
module packages by templatizing kernel package names via a new
KERNEL_PACKAGE_NAME variable in kernel.bbclass.
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Just add the following to the conf/local.conf file:
MACHINEOVERRIDES .= ":use-mainline-bsp"
The defconfig is the mainline imx_v6_v7_defconfig.
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
This way, other recipes (like the ones for kernel modules) can re-use the
sources if needed.
https://jira.digi.com/browse/DEL-6115
Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
With this patch a user can provide his own kernel 'defconfig' file by:
- setting the variable KERNEL_DEFCONFIG to a custom kernel configuration
file inside the kernel repository.
- setting the variable KERNEL_DEFCONFIG to a kernel configuration file
using the full path to the file.
- clearing the variable KERNEL_DEFCONFIG and providing a kernel
configuration file in the layer (in this case the file must be named
'defconfig').
Otherwise the default platform's kernel configuration file will be taken
directly from the Linux source code tree.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
As a side effect, remove U-Boot entry point variable and LOADADDR
extra parameter from the kernel recipe.
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://jira.digi.com/browse/DEL-5554
The way the kernel artifacts are generated has change as of Yocto 2.2.
Also some of the variables (e.g. KERNEL_IMAGE_SYMLINK_NAME) have changed
their default values.
Thus the trustfence_sign function needed some tweaks to continue working
properly.
https://jira.digi.com/browse/DEL-3834
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
KERNEL_IMAGE_BASE_NAME and KERNEL_IMAGE_SYMLINK_NAME default values have
changed in Yocto 2.2, so now this appended command is failing because
it's translated to:
ln -sf -4.1-r0.2-ccimx6ulstarter-20170216122147.bin ccimx6ulstarter
which fails with:
ln: invalid option -- '4'
Just remove it, because we don't need that symlink anymore. New U-Boot's
'zimage' and 'uimage' environment variables have default values ending in
'.bin' which is what Yocto provides.
https://jira.digi.com/browse/DEL-3451
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
The kernel recipe was modifying the device tree blobs in place within the
kernel build temporal directory. This can cause problems after several
compilations, only the deployed artifacts should be signed/encrypted.
The deployment of the DTBs is done by do_deploy_appends in other layers which
are appended after this recipe, so it is required to use a postfunc to do the
trustfence related process after the deployment of all the artifacts.
https://jira.digi.com/browse/DEL-3388
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
This patch introduces some parameters which allow to select the type of image
to be signed. Currently the supported types are:
* linux kernel (-l)
* DTB (-d)
* initramfs (-i)
This also moves the CONFIG_PLATFORM environment variable to a parameter, for
consistency.
https://jira.digi.com/browse/DUB-614https://jira.digi.com/browse/DUB-615
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
* Check number of arguments
* Add platform argument
* Read user configuration from .config file
* Remove unused variable (dek_blob_size)
* Remove noise in output messages
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
Add a recipe to include all signing and encryption tools for U-Boot and
kernel images to the SDK. Move existing trustfence kernel scripts to this
new recipe.
This allows to use these scripts not only from the Yocto build system but
also as standalone tools for image signing and encryption.
https://jira.digi.com/browse/DEL-2688
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
When changing any of the secure boot configurable macros the Linux kernel
should be re-deployed so that it can be signed/encrypted as needed.
https://jira.digi.com/browse/DEL-2750
Signed-off-by: Alex Gonzalez <alex.gonzalez@digi.com>
TRUSTFENCE_SIGN can be defined to "0" to explicitly disable uImage sign and
encryption.
https://jira.digi.com/browse/DEL-2803
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
NXP Code signing Tool for the High Assurance Boot library is needed for
signing and encrypting different artifacts (U-Boot image, uImage, ...).
As the CST cannot be included in DEY, the user needs to download the
tarball and add it to the recipe folder.
https://jira.digi.com/browse/DUB-618
Signed-off-by: Diaz de Grenu, Jose <Jose.DiazdeGrenu@digi.com>
As the plan is to use the same git objects (SHA1) in the internal and
github repos, also remove that internal/external SRCREV infrastructure.
https://jira.digi.com/browse/DEL-2205
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
* Move kernel configuration fragments to 2.6.35 recipe (that's the only
kernel version using them)
* Move compile-time dependences to common include linux-dey.inc
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Gonzalo Ruiz
Arturo Buzarra
Mike Engel
Hector Palacios
Jose Diaz de Grenu
Alex Gonzalez
Gabriel Valcazar
Javier Viguera