# Pull in the shared HSM signing environment class.
# NOTE(review): presumably this is what defines HSM_ENV, which
# do_assemble_fitimage prefixes to its uboot-mkimage calls; confirm in
# hsm-sign-env.bbclass.
inherit hsm-sign-env
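python __anonymous () {
    # Parse-time hook: append the native tools needed to build the FIT image
    # to DEPENDS (u-boot-mkimage-native and lz4-native).
    #
    # getVar() returns None when DEPENDS is unset; fall back to an empty
    # string so the literal word "None" never ends up in the dependency list.
    depends = d.getVar("DEPENDS", True) or ""
    d.setVar("DEPENDS", "%s u-boot-mkimage-native lz4-native" % depends)
}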
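#
# Emit the fitImage ITS header
#
# Appends the /dts-v1/ preamble and the opening of the root node to
# ${WORKDIR}/fit-image.its. The root node is closed later by
# "fitimage_emit_section_maint fitend".
#
# The output path is quoted so that a WORKDIR containing whitespace does not
# break the redirection.
#
fitimage_emit_fit_header() {
    cat << EOF >> "${WORKDIR}/fit-image.its"
/dts-v1/;

/ {
    description = "Trustzone fitimage for ${DISTRO_NAME}/${PV}/${MACHINE} ver:${TRUSTZONE_VERSION}";
    #address-cells = <1>;
EOF
}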
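#
# Emit the fitImage section bits
#
# $1 ... Section bit type: imagestart - image section start
#                          confstart  - configuration section start
#                          sectend    - section end
#                          fitend     - fitimage end
#
# Appends the matching opening or closing lines to ${WORKDIR}/fit-image.its.
# An unknown type writes nothing, reports the problem on stderr and returns 1,
# so a typo in a caller cannot silently produce a structurally broken ITS.
#
fitimage_emit_section_maint() {
    case "$1" in
    imagestart)
        cat << EOF >> "${WORKDIR}/fit-image.its"

    images {
EOF
        ;;
    confstart)
        cat << EOF >> "${WORKDIR}/fit-image.its"

    configurations {
EOF
        ;;
    sectend)
        cat << EOF >> "${WORKDIR}/fit-image.its"
    };
EOF
        ;;
    fitend)
        cat << EOF >> "${WORKDIR}/fit-image.its"
};
EOF
        ;;
    *)
        echo "fitimage_emit_section_maint: unknown section type '$1'" >&2
        return 1
        ;;
    esac
}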
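#
# Emit the fitImage ITS trusted OS section
#
# $1 ... Path to trusted OS image
# $2 ... Compression type
#
# Appends a "trustedos@1" image node (type "tee") to
# ${WORKDIR}/fit-image.its, using TRUSTEDOS_LOADADDRESS and
# TRUSTEDOS_ENTRYPOINT for load/entry. The digest algorithm is
# IMAGE_HASH_ALGO, or sha256 when that is empty.
#
# hash@1 is an unkeyed digest: on its own it detects corruption, not
# tampering. The signature node is emitted separately by
# fitimage_emit_section_config.
#
fitimage_emit_section_trustedos() {

    if [ -n "${IMAGE_HASH_ALGO}" ] ; then
        trustedos_csum="${IMAGE_HASH_ALGO}"
    else
        trustedos_csum="sha256"
    fi

    # Quoted so a WORKDIR containing whitespace does not break the redirection.
    cat << EOF >> "${WORKDIR}/fit-image.its"
        trustedos@1 {
            description = "Trusted OS Image";
            data = /incbin/("${1}");
            type = "tee";
            arch = "arm";
            os = "linux";
            compression = "${2}";
            load = <${TRUSTEDOS_LOADADDRESS}>;
            entry = <${TRUSTEDOS_ENTRYPOINT}>;
            hash@1 {
                algo = "${trustedos_csum}";
            };
        };
EOF
}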
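#
# Emit the fitImage ITS trustzone section
#
# $1 ... Path to trustzone image
# $2 ... Compression type
#
# Appends a "tee@1" image node to ${WORKDIR}/fit-image.its. The node is
# declared with type "kernel", which is the role the configuration section
# refers to it by. Load and entry addresses come from TEE_LOADADDRESS /
# TEE_ENTRYPOINT when the TL_SRC directory exists, otherwise from
# TRUSTZONE_LOADADDRESS / TRUSTZONE_ENTRYPOINT. The digest algorithm is
# IMAGE_HASH_ALGO, or sha256 when that is empty.
#
# hash@1 is an unkeyed digest: on its own it detects corruption, not
# tampering. The signature node is emitted separately by
# fitimage_emit_section_config.
#
fitimage_emit_section_trustzone() {

    if [ -n "${IMAGE_HASH_ALGO}" ] ; then
        trustzone_csum="${IMAGE_HASH_ALGO}"
    else
        trustzone_csum="sha256"
    fi

    # TL_SRC must be quoted: with an empty value an unquoted test collapses to
    # "[ -d ]", which is always true and would select the TEE_* addresses even
    # though no such directory exists.
    if [ -d "${TL_SRC}" ]; then
        trustzone_load="${TEE_LOADADDRESS}"
        trustzone_entry="${TEE_ENTRYPOINT}"
    else
        trustzone_load="${TRUSTZONE_LOADADDRESS}"
        trustzone_entry="${TRUSTZONE_ENTRYPOINT}"
    fi

    # Both cases emit the same node; only the addresses differ.
    cat << EOF >> "${WORKDIR}/fit-image.its"
        tee@1 {
            description = "Tee Image";
            data = /incbin/("${1}");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "${2}";
            load = <${trustzone_load}>;
            entry = <${trustzone_entry}>;
            hash@1 {
                algo = "${trustzone_csum}";
            };
        };
EOF
}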
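#
# Emit the fitImage ITS configuration section
#
# Takes no arguments. Appends the default configuration "conf@1" and its
# signature node to ${WORKDIR}/fit-image.its.
#
# The signature algorithm is "${VB_HASH_ALGO},${VB_RSA_ALGO}" when both are
# set. If either one is empty the function falls back to "sha256,rsa2048"
# without any message, so a partially configured build gets the default.
#
# sign-images lists the image roles covered by the configuration signature:
# "kernel" (the tee@1 node) always, plus "tee" (the trustedos@1 node) when
# both TRUSTEDOS_ENTRYPOINT and TRUSTEDOS_LOADADDRESS are set.
#
fitimage_emit_section_config() {

    if [ -n "${VB_HASH_ALGO}" ] && [ -n "${VB_RSA_ALGO}" ] ; then
        conf_csum="${VB_HASH_ALGO},${VB_RSA_ALGO}"
    else
        conf_csum="sha256,rsa2048"
    fi
    # Must match the key file names do_assemble_fitimage places in ./mykeys
    # (dev.key / dev.crt).
    conf_key_name="dev"

    conf_desc="${MTK_PROJECT} configuration"

    trustzone_line="kernel = \"tee@1\";"
    if [ -n "${TRUSTEDOS_ENTRYPOINT}" ] && [ -n "${TRUSTEDOS_LOADADDRESS}" ] ; then
        trustedos_line="tee = \"trustedos@1\";"
        sign_images_line="sign-images = \"kernel\", \"tee\";"
    else
        trustedos_line=""
        sign_images_line="sign-images = \"kernel\";"
    fi

    # Quoted so a WORKDIR containing whitespace does not break the redirection.
    cat << EOF >> "${WORKDIR}/fit-image.its"
        default = "conf@1";
        conf@1 {
            description = "${conf_desc}";
            ${trustzone_line}
            ${trustedos_line}
            signature@1 {
                algo = "${conf_csum}";
                key-name-hint="${conf_key_name}";
                ${sign_images_line}
            };
        };
EOF
}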
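#
# Assemble the trustzone FIT image
#
# Regenerates ${WORKDIR}/fit-image.its from scratch, builds
# ${TZ_ASSEMBLE_OUT}/${TZ_BINARY} from it with uboot-mkimage and, when
# SECURE_BOOT_ENABLE is "yes" and STANDALONE_SIGN_PREPARE is not "yes",
# runs uboot-mkimage again with -k/-r to sign the result.
#
# Input binary selection:
#   TL_SRC is a directory, secure boot on, TEE encryption not force-disabled
#       -> TZ_TMP_SIGNED_BINARY (and TRUSTEDOS_SIGNED_BINARY)
#   TL_SRC is a directory, otherwise
#       -> TZ_TMP_RAW_BINARY (and TRUSTEDOS_RAW_BINARY)
#   TL_SRC is not a directory
#       -> TZ_RAW_BINARY
# The trusted OS image is only added when both TRUSTEDOS_ENTRYPOINT and
# TRUSTEDOS_LOADADDRESS are set.
#
do_assemble_fitimage() {

    rm -f "${WORKDIR}/fit-image.its"

    fitimage_emit_fit_header

    #
    # Step 1: Prepare a trustzone image section.
    #
    fitimage_emit_section_maint imagestart

    #uboot_prep_kimage
    # TL_SRC must be quoted: with an empty value an unquoted test collapses to
    # "[ -d ]", which is always true and would pick the TZ_TMP_* binaries even
    # though no such directory exists.
    if [ -d "${TL_SRC}" ]; then
        if [ "${SECURE_BOOT_ENABLE}" = "yes" ] && [ "${FORCE_DISABLE_TEE_ENCRYPTION}" != "yes" ]; then
            fitimage_emit_section_trustzone "${TZ_ASSEMBLE_OUT}/${TZ_TMP_SIGNED_BINARY}" "${TRUSTZONE_COMPRESS}"
            if [ -n "${TRUSTEDOS_ENTRYPOINT}" ] && [ -n "${TRUSTEDOS_LOADADDRESS}" ] ; then
                fitimage_emit_section_trustedos "${TZ_ASSEMBLE_OUT}/${TRUSTEDOS_SIGNED_BINARY}" "${TRUSTZONE_COMPRESS}"
            fi
        else
            fitimage_emit_section_trustzone "${TZ_ASSEMBLE_OUT}/${TZ_TMP_RAW_BINARY}" "${TRUSTZONE_COMPRESS}"
            if [ -n "${TRUSTEDOS_ENTRYPOINT}" ] && [ -n "${TRUSTEDOS_LOADADDRESS}" ] ; then
                fitimage_emit_section_trustedos "${TZ_ASSEMBLE_OUT}/${TRUSTEDOS_RAW_BINARY}" "${TRUSTZONE_COMPRESS}"
            fi
        fi
    else
        fitimage_emit_section_trustzone "${TZ_ASSEMBLE_OUT}/${TZ_RAW_BINARY}" "${TRUSTZONE_COMPRESS}"
    fi

    fitimage_emit_section_maint sectend

    #
    # Step 2: Prepare a configurations section
    #
    fitimage_emit_section_maint confstart

    fitimage_emit_section_config

    fitimage_emit_section_maint sectend

    fitimage_emit_section_maint fitend

    #
    # Step 3: Assemble the image
    #
    # ${HSM_ENV} is deliberately left unquoted: it is used as a command
    # prefix and may expand to several words (or to nothing).
    ${HSM_ENV} HSM_KEY_NAME="${VERIFIED_KEY}" uboot-mkimage -f "${WORKDIR}/fit-image.its" "${TZ_ASSEMBLE_OUT}/${TZ_BINARY}"

    if [ "${SECURE_BOOT_ENABLE}" = "yes" ] && [ "${STANDALONE_SIGN_PREPARE}" != "yes" ]; then
        # The signing key pair is staged under the name "dev", matching the
        # key-name-hint written by fitimage_emit_section_config. The staging
        # directory and the private key copy are restricted to the build user.
        mkdir -p ./mykeys
        chmod 700 ./mykeys
        cp -f "${MTK_KEY_DIR}/${VERIFIED_KEY}.crt" ./mykeys/dev.crt
        cp -f "${MTK_KEY_DIR}/${VERIFIED_KEY}.pem" ./mykeys/dev.key
        chmod 600 ./mykeys/dev.key

        # Capture the status instead of failing immediately so the private key
        # copy is removed whether or not signing succeeds. No EXIT trap is
        # used, to avoid replacing a handler installed by the task runner.
        sign_rc=0
        ${HSM_ENV} HSM_KEY_NAME="${VERIFIED_KEY}" uboot-mkimage -D "-I dts -O dtb -p 1024" -k ./mykeys -f "${WORKDIR}/fit-image.its" -r "${TZ_ASSEMBLE_OUT}/${TZ_BINARY}" || sign_rc=$?

        # Do not leave private key material behind in the build tree.
        # NOTE(review): assumes nothing later in the build reads
        # ./mykeys/dev.key from this directory; confirm against other tasks.
        rm -f ./mykeys/dev.key

        [ "${sign_rc}" -eq 0 ] || return "${sign_rc}"
    fi
}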
# Schedule do_assemble_fitimage between do_compile and do_install.
addtask assemble_fitimage after do_compile before do_install