meta-phosphor: npcm8xx.bbclass: support sign images feature
Add sign images feature according customer's requirement.
Set "SECURED_IMAGE" to "True" and enable sign images feature.
When sign images feature be enabled. Use default keys to sign
images if customer didn't point their own local keys path.
Note: "SECURED_IMAGE" default is "True".
Tested:
Use default keys sign:
That will use default path and keys from igps to sign.
Use local keys sign:
That will use local path and keys to sign.
When KEY_FOLDER and KEY definition both are valid.
However, when KEY_FOLDER and KEY definition are invalid either,
that will output sign images failed then stop build full images.
Tested: build pass and boot up successfully with signed
Signed-off-by: Tim Lee <timlee660101@gmail.com>
Change-Id: If2b793906ab338aec391062d9bfeae2b1e790078
diff --git a/meta-nuvoton/conf/machine/include/igps-keys.inc b/meta-nuvoton/conf/machine/include/igps-keys.inc
new file mode 100644
index 0000000..dcc5f7c
--- /dev/null
+++ b/meta-nuvoton/conf/machine/include/igps-keys.inc
@@ -0,0 +1,20 @@
+# There are two valid types: "openssl" or "HSM".
+# Currently, default support openssl only.
+SIGN_TYPE ?= "openssl"
+
+KEY_BB_INDEX ?= "1"
+SKMT_BL31_KEY_INDEX ?= "1"
+SKMT_BL32_KEY_INDEX ?= "1"
+SKMT_BL33_KEY_INDEX ?= "1"
+
+KEY_BB_ID ?= "11"
+KEY_BL31_ID ?= "11"
+KEY_OPTEE_ID ?= "11"
+KEY_UBOOT_ID ?= "11"
+
+KEY_FOLDER ?= ""
+KEY_FOLDER_DEFAULT ?= "${DEPLOY_DIR_IMAGE}/${SIGN_TYPE}"
+KEY_BB ?= "skmt_ecc_key_1.der"
+KEY_BL31 ?= "skmt_ecc_key_1.der"
+KEY_OPTEE ?= "skmt_ecc_key_1.der"
+KEY_UBOOT ?= "skmt_ecc_key_1.der"
diff --git a/meta-nuvoton/conf/machine/include/npcm8xx.inc b/meta-nuvoton/conf/machine/include/npcm8xx.inc
index 349d53b..0a753a1 100644
--- a/meta-nuvoton/conf/machine/include/npcm8xx.inc
+++ b/meta-nuvoton/conf/machine/include/npcm8xx.inc
@@ -3,6 +3,7 @@
#@DESCRIPTION: Common machine configuration for Nuvoton NPCM8XX Chip
require conf/machine/include/nuvoton.inc
+require conf/machine/include/igps-keys.inc
KERNEL_IMAGETYPE ?= "Image"
KERNEL_EXTRA_ARGS ?= "UIMAGE_LOADADDR=0x00008000"
@@ -59,4 +60,6 @@
OPTEEMACHINE ?= "nuvoton"
+SECURED_IMAGE ?= "True"
+
TIP_IMAGE ?= "True"
diff --git a/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc b/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc
index ace078e..099fa47 100644
--- a/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc
+++ b/meta-nuvoton/recipes-bsp/images/npcm8xx-igps.inc
@@ -21,14 +21,26 @@
do_install() {
install -d ${DEST}
- if [ "${TIP_IMAGE}" = "True" ] ; then
- install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}.xml ${DEST}
+ if [ "${TIP_IMAGE}" = "True" ] ; then
+ install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}.xml ${DEST}
else
- install py_scripts/ImageGeneration/references/BootBlockAndHeader_A1_${IGPS_MACHINE}_NoTip.xml ${DEST}
- fi
+ install py_scripts/ImageGeneration/references/BootBlockAndHeader_${DEVICE_GEN}_${IGPS_MACHINE}_NoTip.xml ${DEST}
+ fi
install py_scripts/ImageGeneration/references/UbootHeader_${DEVICE_GEN}.xml ${DEST}
install py_scripts/ImageGeneration/inputs/BL31_AndHeader.xml ${DEST}
install py_scripts/ImageGeneration/inputs/OpTeeAndHeader.xml ${DEST}
+ install py_scripts/ImageGeneration/asn1.py ${DEST}
+ install py_scripts/ImageGeneration/BinarySignatureGenerator.py ${DEST}
+}
+
+inherit deploy
+
+do_deploy () {
+ # copy default keys to deploy folder
+ install -d ${DEPLOYDIR}
+ cp -vur py_scripts/ImageGeneration/keys/${SIGN_TYPE} ${DEPLOYDIR}/
}
inherit native
+
+addtask deploy before do_build after do_compile