author | Tim Lee <timlee660101@gmail.com> | 2023-05-29 05:12:08 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2023-06-09 20:04:19 +0300 |
commit | d52b0f66939bb4d3d39e10ac4c74591e2c4a7c48 (patch) | |
tree | d78c5dff591085934dd8d0a7213f9e3aa48a0ec9 /meta-nuvoton | |
parent | eabfa8b745e9258b04f0bffaa8401c8a50cbe37d (diff) | |
download | openbmc-d52b0f66939bb4d3d39e10ac4c74591e2c4a7c48.tar.xz |
meta-phosphor: npcm8xx.bbclass: support sign images feature
Add an image-signing feature according to the customer's requirement.
Setting "SECURED_IMAGE" to "True" enables the image-signing feature.
When image signing is enabled, the default keys are used to sign
the images if the customer has not pointed to their own local key path.
Note: "SECURED_IMAGE" defaults to "True".
Tested:
Use default keys sign:
That will use default path and keys from igps to sign.
Use local keys sign:
That will use local path and keys to sign.
When KEY_FOLDER and KEY definition both are valid.
However, when KEY_FOLDER and KEY definition are invalid either,
that will output sign images failed then stop build full images.
Tested: build pass and boot up successfully with signed
Signed-off-by: Tim Lee <timlee660101@gmail.com>
Change-Id: If2b793906ab338aec391062d9bfeae2b1e790078
Diffstat (limited to 'meta-nuvoton')
-rw-r--r-- | meta-nuvoton/conf/machine/include/igps-keys.inc | 20 | ||||
-rw-r--r-- | meta-nuvoton/conf/machine/include/npcm8xx.inc | 3 | ||||
-rw-r--r-- | meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc | 20 |
3 files changed, 39 insertions, 4 deletions
diff --git a/meta-nuvoton/conf/machine/include/igps-keys.inc b/meta-nuvoton/conf/machine/include/igps-keys.inc new file mode 100644 index 0000000000..dcc5f7ce31 --- /dev/null +++ b/meta-nuvoton/conf/machine/include/igps-keys.inc @@ -0,0 +1,20 @@ +# There are two valid types: "openssl" or "HSM". +# Currently, default support openssl only. +SIGN_TYPE ?= "openssl" + +KEY_BB_INDEX ?= "1" +SKMT_BL31_KEY_INDEX ?= "1" +SKMT_BL32_KEY_INDEX ?= "1" +SKMT_BL33_KEY_INDEX ?= "1" + +KEY_BB_ID ?= "11" +KEY_BL31_ID ?= "11" +KEY_OPTEE_ID ?= "11" +KEY_UBOOT_ID ?= "11" + +KEY_FOLDER ?= "" +KEY_FOLDER_DEFAULT ?= "${DEPLOY_DIR_IMAGE}/${SIGN_TYPE}" +KEY_BB ?= "skmt_ecc_key_1.der" +KEY_BL31 ?= "skmt_ecc_key_1.der" +KEY_OPTEE ?= "skmt_ecc_key_1.der" +KEY_UBOOT ?= "skmt_ecc_key_1.der" diff --git a/meta-nuvoton/conf/machine/include/npcm8xx.inc b/meta-nuvoton/conf/machine/include/npcm8xx.inc index 349d53b54e..0a753a15d3 100644 --- a/meta-nuvoton/conf/machine/include/npcm8xx.inc +++ b/meta-nuvoton/conf/machine/include/npcm8xx.inc @@ -3,6 +3,7 @@ #@DESCRIPTION: Common machine configuration for Nuvoton NPCM8XX Chip require conf/machine/include/nuvoton.inc +require conf/machine/include/igps-keys.inc KERNEL_IMAGETYPE ?= "Image" KERNEL_EXTRA_ARGS ?= "UIMAGE_LOADADDR=0x00008000" @@ -59,4 +60,6 @@ TFA_BUILD_TARGET = "bl31" OPTEEMACHINE ?= "nuvoton" +SECURED_IMAGE ?= "True" + TIP_IMAGE ?= "True" diff --git a/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc b/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc index ace078e61a..099fa47801 100644 --- a/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc +++ b/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc 
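Review bot: In igps-keys.inc, `KEY_FOLDER ?= ""` means a build that never sets a key path falls back to `KEY_FOLDER_DEFAULT` and to `skmt_ecc_key_1.der` for every stage (BB, BL31, OP-TEE, U-Boot), and nothing in the file says so. The commit message says these defaults come from igps, so they are presumably available to anyone with that repository, and a signature made with them shows the image is intact but not who built it. Because npcm8xx.inc in this same commit sets `SECURED_IMAGE ?= "True"`, a production image can end up signed with the sample key without anyone having chosen that. I would add above `KEY_FOLDER` a comment such as `# Empty KEY_FOLDER selects the igps sample keys under KEY_FOLDER_DEFAULT; set KEY_FOLDER and KEY_* to your own keys for production builds.`, and have the signing step (not part of these hunks) call `bbwarn` when the fallback is taken.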
@@ -21,14 +21,26 @@ do_patch() { do_install() { install -d ${DEST} - if [ "${TIP_IMAGE}" = "True" ] ; then - install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}.xml ${DEST} + if [ "${TIP_IMAGE}" = "True" ] ; then + install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}.xml ${DEST} else - install py_scripts/ImageGeneration/references/BootBlockAndHeader_A1_${IGPS_MACHINE}_NoTip.xml ${DEST} - fi + install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}_NoTip.xml ${DEST} + fi install py_scripts/ImageGeneration/references/UbootHeader_${DEVICE_GEN}.xml ${DEST} install py_scripts/ImageGeneration/inputs/BL31_AndHeader.xml ${DEST} install py_scripts/ImageGeneration/inputs/OpTeeAndHeader.xml ${DEST} + install py_scripts/ImageGeneration/asn1.py ${DEST} + install py_scripts/ImageGeneration/BinarySignatureGenerator.py ${DEST} +} + +inherit deploy + +do_deploy () { + # copy default keys to deploy folder + install -d ${DEPLOYDIR} + cp -vur py_scripts/ImageGeneration/keys/${SIGN_TYPE} ${DEPLOYDIR}/ } inherit native + +addtask deploy before do_build after do_compile |
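Review bot: `do_deploy` copies the whole `py_scripts/ImageGeneration/keys/${SIGN_TYPE}` directory into `${DEPLOYDIR}`, so signing key material lands next to the flashable images in a directory that is commonly archived or published as a build artifact. The directory content is not visible in this hunk, but if it holds private keys they should be staged somewhere that is not shipped with the images. At minimum the comment should state what is being copied and why, for example `# copy the igps sample signing keys (development use only) to the deploy folder; production keys must be supplied via KEY_FOLDER and never placed here`.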