661f59967c
The stand-alone signing script 'trustfence-sign-artifact.sh' checks
if a valid PKI tree exists (by checking the existance of four SRK
files) and if they don't, it calls trustfence-gen-pki.sh (which is
a wrapper over different generators (for HAB or AHAB) to create one.
Recipes such as 'dualboot' or 'recovery-initramfs' may need to call
openssl functions over the PKI tree. These recipes do not currently
generate the PKI tree; they expect it to be already in place.
This might not be the case if the trustfence-sign-artifact.sh script
has not been called yet.
Originally, a fake dependency on virtual/kernel recipe was made to
force it, but it doesn't quite work since the calling only happens
on deploy() while regular DEPENDS doesn't wait for this task.
If the PKI does not exist, a recipe that requires the PKI tree will
fail.
The solution is to create a function on the trustfence.bbclass that
allows any recipe to check for the existance of a PKI tree and
generate it if it doesn't exist. This is repeated inside the
trustfence-sign-artifact.sh, but it needs to be in both places
because this script must work stand-alone.
The generation of the PKI tree takes some seconds so this commit
adds a lock dir to prevent race conditions when called from
different recipes.
It also removes the fake dependency on virtual/kernel and adds a
dependency on trustfence-cst-native (which is the recipe that
provides the PKI generation tool).
Signed-off-by: Hector Palacios <hector.palacios@digi.com>
https://onedigi.atlassian.net/browse/DEL-8430
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| classes | ||
| conf | ||
| dynamic-layers | ||
| recipes-aws | ||
| recipes-connectivity | ||
| recipes-core | ||
| recipes-crank | ||
| recipes-devtools | ||
| recipes-digi | ||
| recipes-extended | ||
| recipes-gnome | ||
| recipes-graphics | ||
| recipes-multimedia | ||
| recipes-sato | ||
| recipes-support | ||
| DIGI_EULA | ||
| DIGI_OPEN_EULA | ||
| README | ||
README
OpenEmbedded/Yocto Digi Embedded Linux layer ============================================ This layer provides the Digi Embedded Linux distribution images. This layer depends on: git://git.yoctoproject.org/poky.git git://git.openembedded.org/meta-openembedded.git git://git.yoctoproject.org/meta-freescale.git git://github.com/Freescale/meta-fsl-demos.git Digi's license agreements ------------------------- All software is covered by Digi's general EULA and Digi's Open Source EULA. To have the right to use the software in your images you need to read and accept both EULAs at the DIGI_EULA and DIGI_OPEN_EULA files. NXP Semiconductors' software license agreement ---------------------------------------------- Some platforms depends on libraries and packages that are covered by NXP Semiconductors' EULA. To have the right to use those binaries in your images you need to read and accept the EULA file in meta-freescale Yocto layer. Support ------- This layer is provided 'as is' with no guarantee. However, some support may be available from tech.support@digi.com