authorTim Lee <timlee660101@gmail.com>2023-05-29 05:12:08 +0300
committerPatrick Williams <patrick@stwcx.xyz>2023-06-09 20:04:19 +0300
commitd52b0f66939bb4d3d39e10ac4c74591e2c4a7c48 (patch)
treed78c5dff591085934dd8d0a7213f9e3aa48a0ec9 /meta-nuvoton
parenteabfa8b745e9258b04f0bffaa8401c8a50cbe37d (diff)
downloadopenbmc-d52b0f66939bb4d3d39e10ac4c74591e2c4a7c48.tar.xz
meta-phosphor: npcm8xx.bbclass: support sign images feature
Add the sign-images feature according to the customer's requirement. Set "SECURED_IMAGE" to "True" to enable the sign-images feature. When the feature is enabled, the default keys are used to sign images if the customer did not point to their own local keys path. Note: "SECURED_IMAGE" defaults to "True". Tested: Use default keys to sign: this uses the default path and keys from igps to sign. Use local keys to sign: this uses the local path and keys to sign, when the KEY_FOLDER and KEY definitions are both valid. However, when either the KEY_FOLDER or the KEY definition is invalid, the build reports that signing the images failed and stops building the full images. Tested: build pass and boot up successfully with signed Signed-off-by: Tim Lee <timlee660101@gmail.com> Change-Id: If2b793906ab338aec391062d9bfeae2b1e790078
Diffstat (limited to 'meta-nuvoton')
-rw-r--r--meta-nuvoton/conf/machine/include/igps-keys.inc20
-rw-r--r--meta-nuvoton/conf/machine/include/npcm8xx.inc3
-rw-r--r--meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc20
3 files changed, 39 insertions, 4 deletions
diff --git a/meta-nuvoton/conf/machine/include/igps-keys.inc b/meta-nuvoton/conf/machine/include/igps-keys.inc
new file mode 100644
index 0000000000..dcc5f7ce31
--- /dev/null
+++ b/meta-nuvoton/conf/machine/include/igps-keys.inc
@@ -0,0 +1,20 @@
+# There are two valid types: "openssl" or "HSM".
+# Currently, default support openssl only.
+SIGN_TYPE ?= "openssl"
+
+KEY_BB_INDEX ?= "1"
+SKMT_BL31_KEY_INDEX ?= "1"
+SKMT_BL32_KEY_INDEX ?= "1"
+SKMT_BL33_KEY_INDEX ?= "1"
+
+KEY_BB_ID ?= "11"
+KEY_BL31_ID ?= "11"
+KEY_OPTEE_ID ?= "11"
+KEY_UBOOT_ID ?= "11"
+
+KEY_FOLDER ?= ""
+KEY_FOLDER_DEFAULT ?= "${DEPLOY_DIR_IMAGE}/${SIGN_TYPE}"
+KEY_BB ?= "skmt_ecc_key_1.der"
+KEY_BL31 ?= "skmt_ecc_key_1.der"
+KEY_OPTEE ?= "skmt_ecc_key_1.der"
+KEY_UBOOT ?= "skmt_ecc_key_1.der"
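Review bot: With `KEY_FOLDER ?= ""` and every `KEY_*` defaulting to `skmt_ecc_key_1.der`, a build that overrides nothing signs the boot block, BL31, OP-TEE and U-Boot with the same default key taken from igps, and `SECURED_IMAGE ?= "True"` in npcm8xx.inc turns that on for every NPCM8XX machine. A signature made with a key that ships with the tooling proves nothing about who built the image, so a production image can leave the build in that state without anyone noticing. The file should state this next to the variable, for example `# Empty KEY_FOLDER falls back to the default igps keys under KEY_FOLDER_DEFAULT; these are for development only, set KEY_FOLDER and KEY_* for production.` The signing step is not part of this page; if it does not already do so, it should emit a `bbwarn` whenever the fallback path is taken. Since `SIGN_TYPE` is also used as a directory name in `KEY_FOLDER_DEFAULT`, the header comment should say the value is case-sensitive.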
diff --git a/meta-nuvoton/conf/machine/include/npcm8xx.inc b/meta-nuvoton/conf/machine/include/npcm8xx.inc
index 349d53b54e..0a753a15d3 100644
--- a/meta-nuvoton/conf/machine/include/npcm8xx.inc
+++ b/meta-nuvoton/conf/machine/include/npcm8xx.inc
@@ -3,6 +3,7 @@
#@DESCRIPTION: Common machine configuration for Nuvoton NPCM8XX Chip
require conf/machine/include/nuvoton.inc
+require conf/machine/include/igps-keys.inc
KERNEL_IMAGETYPE ?= "Image"
KERNEL_EXTRA_ARGS ?= "UIMAGE_LOADADDR=0x00008000"
@@ -59,4 +60,6 @@ TFA_BUILD_TARGET = "bl31"
OPTEEMACHINE ?= "nuvoton"
+SECURED_IMAGE ?= "True"
+
TIP_IMAGE ?= "True"
diff --git a/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc b/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc
index ace078e61a..099fa47801 100644
--- a/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc
+++ b/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc
@@ -21,14 +21,26 @@ do_patch() {
do_install() {
install -d ${DEST}
- if [ "${TIP_IMAGE}" = "True" ] ; then
- install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}.xml ${DEST}
+ if [ "${TIP_IMAGE}" = "True" ] ; then
+ install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}.xml ${DEST}
else
- install py_scripts/ImageGeneration/references/BootBlockAndHeader_A1_${IGPS_MACHINE}_NoTip.xml ${DEST}
- fi
+ install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}_NoTip.xml ${DEST}
+ fi
install py_scripts/ImageGeneration/references/UbootHeader_${DEVICE_GEN}.xml ${DEST}
install py_scripts/ImageGeneration/inputs/BL31_AndHeader.xml ${DEST}
install py_scripts/ImageGeneration/inputs/OpTeeAndHeader.xml ${DEST}
+ install py_scripts/ImageGeneration/asn1.py ${DEST}
+ install py_scripts/ImageGeneration/BinarySignatureGenerator.py ${DEST}
+}
+
+inherit deploy
+
+do_deploy () {
+ # copy default keys to deploy folder
+ install -d ${DEPLOYDIR}
+ cp -vur py_scripts/ImageGeneration/keys/${SIGN_TYPE} ${DEPLOYDIR}/
}
inherit native
+
+addtask deploy before do_build after do_compile
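Review bot: `cp -vur py_scripts/ImageGeneration/keys/${SIGN_TYPE} ${DEPLOYDIR}/` in do_deploy puts signing key material into the image deploy directory, the tree that also holds the build outputs and is often archived or shared as a whole. For the default igps keys this presumably exposes nothing secret, but it sets up a layout in which keys sit beside the firmware they sign, and any other task that writes to the deploy directory can replace the key that the signing step later reads from `KEY_FOLDER_DEFAULT`. The `-u` flag also skips files whose destination copy is newer, so the deployed keys can depend on leftover state; `cp -vr` would always deploy what the source tree contains. The existing comment could be extended to `# copy default (development-only) igps keys to deploy folder; production keys must come from KEY_FOLDER outside the deploy tree`. If a `SIGN_TYPE` of "HSM" has no matching directory under `keys/`, the copy fails with a bare `cp` error, so an explicit check with a `bbfatal` message would make that failure readable.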