meta-phosphor: npcm8xx.bbclass: support sign images feature
Add sign images feature according customer's requirement.
Set "SECURED_IMAGE" to "True" and enable sign images feature.
When sign images feature be enabled. Use default keys to sign
images if customer didn't point their own local keys path.
Note: "SECURED_IMAGE" default is "True".
Tested:
Use default keys sign:
That will use default path and keys from igps to sign.
Use local keys sign:
That will use local path and keys to sign.
When KEY_FOLDER and KEY definition both are valid.
However, when KEY_FOLDER and KEY definition are invalid either,
that will output sign images failed then stop build full images.
Tested: build pass and boot up successfully with signed
Signed-off-by: Tim Lee <timlee660101@gmail.com>
Change-Id: If2b793906ab338aec391062d9bfeae2b1e790078
diff --git a/meta-nuvoton/conf/machine/include/igps-keys.inc b/meta-nuvoton/conf/machine/include/igps-keys.inc
new file mode 100644
index 0000000..dcc5f7c
--- /dev/null
+++ b/meta-nuvoton/conf/machine/include/igps-keys.inc
@@ -0,0 +1,20 @@
+# There are two valid types: "openssl" or "HSM".
+# Currently, default support openssl only.
+SIGN_TYPE ?= "openssl"
+
+KEY_BB_INDEX ?= "1"
+SKMT_BL31_KEY_INDEX ?= "1"
+SKMT_BL32_KEY_INDEX ?= "1"
+SKMT_BL33_KEY_INDEX ?= "1"
+
+KEY_BB_ID ?= "11"
+KEY_BL31_ID ?= "11"
+KEY_OPTEE_ID ?= "11"
+KEY_UBOOT_ID ?= "11"
+
+KEY_FOLDER ?= ""
+KEY_FOLDER_DEFAULT ?= "${DEPLOY_DIR_IMAGE}/${SIGN_TYPE}"
+KEY_BB ?= "skmt_ecc_key_1.der"
+KEY_BL31 ?= "skmt_ecc_key_1.der"
+KEY_OPTEE ?= "skmt_ecc_key_1.der"
+KEY_UBOOT ?= "skmt_ecc_key_1.der"