| xj | b04a402 | 2021-11-25 15:01:52 +0800 | [diff] [blame] | 1 | inherit hsm-sign-env | 
|  | 2 |  | 
python __anonymous () {
    # do_assemble_fitimage invokes uboot-mkimage, so the native mkimage
    # recipe (and lz4-native) must be staged before the task runs.
    # Note that DEPENDS is read expanded and written back as a plain string.
    current = d.getVar("DEPENDS", True)
    d.setVar("DEPENDS", "%s u-boot-mkimage-native lz4-native" % current)
}
|  | 8 |  | 
#
# Emit the fitImage ITS header
#
# Appends the DTS preamble and the opening of the root node to
# WORKDIR/fit-image.its. The root node is closed later by
# "fitimage_emit_section_maint fitend".
#
fitimage_emit_fit_header() {
    cat >> ${WORKDIR}/fit-image.its << EOF
/dts-v1/;

/ {
        description = "Trustzone fitimage for ${DISTRO_NAME}/${PV}/${MACHINE} ver:${TRUSTZONE_VERSION}";
        #address-cells = <1>;
EOF
}
|  | 21 |  | 
#
# Emit the fitImage section bits
#
# $1 ... Section bit type: imagestart - image section start
#                          confstart  - configuration section start
#                          sectend    - section end
#                          fitend     - fitimage end
#
# Any other value matches no arm and appends nothing, so a misspelled type
# leaves the ITS unbalanced without an error from this function.
#
fitimage_emit_section_maint() {
    case "$1" in
    imagestart)
        # Open the node that holds the image payload descriptions.
        cat >> ${WORKDIR}/fit-image.its << EOF

        images {
EOF
        ;;
    confstart)
        # Open the node that holds the boot configurations.
        cat >> ${WORKDIR}/fit-image.its << EOF

        configurations {
EOF
        ;;
    sectend)
        # Close the node opened by imagestart or confstart.
        cat >> ${WORKDIR}/fit-image.its << EOF
        };
EOF
        ;;
    fitend)
        # Close the root node opened by fitimage_emit_fit_header.
        cat >> ${WORKDIR}/fit-image.its << EOF
};
EOF
        ;;
    esac
}
|  | 56 |  | 
#
# Emit the fitImage ITS trusted OS section (image node "trustedos_1")
#
# $1 ... Path to trusted OS image
# $2 ... Compression type
#
# The "hash" subnode is an integrity checksum only. Authenticity relies on
# the configuration signature written by fitimage_emit_section_config, which
# lists this image as "tee" in sign-images.
#
fitimage_emit_section_trustedos() {

    # sha256 unless the build configuration names another algorithm.
    # NOTE(review): IMAGE_HASH_ALGO is passed through unvalidated; confirm
    # that no configuration sets it to a weak digest.
    trustedos_csum="sha256"
    if [ -n "${IMAGE_HASH_ALGO}" ] ; then
        trustedos_csum="${IMAGE_HASH_ALGO}"
    fi

    cat >> ${WORKDIR}/fit-image.its << EOF
                trustedos_1 {
                        description = "Trusted OS Image";
                        data = /incbin/("${1}");
                        type = "tee";
                        arch = "arm";
                        os = "linux";
                        compression = "${2}";
                        load = <${TRUSTEDOS_LOADADDRESS}>;
                        entry = <${TRUSTEDOS_ENTRYPOINT}>;
                        hash {
                                algo = "${trustedos_csum}";
                        };
                };
EOF
}
|  | 81 |  | 
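#
# Emit the fitImage ITS trustzone section (image node "tee_1")
#
# $1 ... Path to trustzone image
# $2 ... Compression type
#
# Load and entry addresses come from TEE_* when the TL_SRC directory exists
# and from TRUSTZONE_* otherwise. do_assemble_fitimage tests the same
# directory to choose the payload, so the two tests must stay identical.
#
# The "hash" subnode is an integrity checksum only. Authenticity relies on
# the configuration signature written by fitimage_emit_section_config, which
# lists this image as "kernel" in sign-images.
#
fitimage_emit_section_trustzone() {

    # sha256 unless the build configuration names another algorithm.
    # NOTE(review): IMAGE_HASH_ALGO is passed through unvalidated; confirm
    # that no configuration sets it to a weak digest.
    trustzone_csum="sha256"
    if [ -n "${IMAGE_HASH_ALGO}" ] ; then
        trustzone_csum="${IMAGE_HASH_ALGO}"
    fi

    # The path is quoted on purpose: an unquoted empty value collapses the
    # test to "[ -d ]", which is true, and would silently select the TEE_*
    # addresses even though no TL source directory exists.
    if [ -d "${TL_SRC}" ]; then
        trustzone_load="${TEE_LOADADDRESS}"
        trustzone_entry="${TEE_ENTRYPOINT}"
    else
        trustzone_load="${TRUSTZONE_LOADADDRESS}"
        trustzone_entry="${TRUSTZONE_ENTRYPOINT}"
    fi

    # Both variants describe the same node; only load/entry differ.
    cat >> ${WORKDIR}/fit-image.its << EOF
                tee_1 {
                        description = "Tee Image";
                        data = /incbin/("${1}");
                        type = "kernel";
                        arch = "arm";
                        os = "linux";
                        compression = "${2}";
                        load = <${trustzone_load}>;
                        entry = <${trustzone_entry}>;
                        hash {
                                algo = "${trustzone_csum}";
                        };
                };
EOF
}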
|  | 129 |  | 
#
# Emit the fitImage ITS configuration section
#
# Takes no arguments: the configuration is always "conf_1" and refers to the
# fixed image nodes "tee_1" and, when a trusted OS is configured,
# "trustedos_1".
#
# The signature node is what binds the images to a key: sign-images names
# the configuration properties ("kernel", "tee") whose images are covered.
#
fitimage_emit_section_config() {

    # Signature algorithm defaults to sha256,rsa2048.
    # NOTE(review): the override applies only when BOTH VB_HASH_ALGO and
    # VB_RSA_ALGO are set. Setting just one (for example a larger RSA size)
    # is ignored without a warning and the default is used instead.
    conf_csum="sha256,rsa2048"
    if [ -n "${VB_HASH_ALGO}" ] && [ -n "${VB_RSA_ALGO}" ] ; then
        conf_csum="${VB_HASH_ALGO},${VB_RSA_ALGO}"
    fi

    # Must match the dev.key / dev.crt file names that do_assemble_fitimage
    # places in the mkimage key directory.
    conf_key_name="dev"

    conf_desc="${MTK_PROJECT} configuration"

    trustzone_line="kernel = \"tee_1\";"

    # The trusted OS is referenced, and added to the signed set, only when
    # both its entry point and load address are configured.
    trustedos_line=""
    sign_images_line="sign-images = \"kernel\";"
    if [ -n "${TRUSTEDOS_ENTRYPOINT}" ] && [ -n "${TRUSTEDOS_LOADADDRESS}" ] ; then
        trustedos_line="tee = \"trustedos_1\";"
        sign_images_line="sign-images = \"kernel\", \"tee\";"
    fi

    cat >> ${WORKDIR}/fit-image.its << EOF
                default = "conf_1";
                conf_1 {
                        description = "${conf_desc}";
                        ${trustzone_line}
                        ${trustedos_line}
                        signature {
                                algo = "${conf_csum}";
                                key-name-hint="${conf_key_name}";
                                ${sign_images_line}
                        };
                };
EOF
}
|  | 168 |  | 
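#
# Build the trustzone FIT: write WORKDIR/fit-image.its, run uboot-mkimage on
# it and, when secure boot is enabled, run mkimage again with the key
# directory so the configuration signature is produced.
#
do_assemble_fitimage() {

    # Every emit helper appends, so start from an empty ITS.
    rm -f "${WORKDIR}/fit-image.its"

    fitimage_emit_fit_header

    #
    # Step 1: Prepare a trustzone image section.
    #
    fitimage_emit_section_maint imagestart

    # The path is quoted on purpose: an unquoted empty value collapses the
    # test to "[ -d ]", which is true, and would select the TL payloads even
    # though no TL source directory exists. fitimage_emit_section_trustzone
    # makes the same decision for the load address; keep both tests identical.
    if [ -d "${TL_SRC}" ]; then
        if [ "${SECURE_BOOT_ENABLE}" = "yes" ] && [ "${FORCE_DISABLE_TEE_ENCRYPTION}" != "yes" ]; then
            # Secure boot with TEE encryption left on: package the *_SIGNED_BINARY payloads.
            fitimage_emit_section_trustzone "${TZ_ASSEMBLE_OUT}/${TZ_TMP_SIGNED_BINARY}" "${TRUSTZONE_COMPRESS}"
            if [ -n "${TRUSTEDOS_ENTRYPOINT}" ] && [ -n "${TRUSTEDOS_LOADADDRESS}" ] ; then
                fitimage_emit_section_trustedos "${TZ_ASSEMBLE_OUT}/${TRUSTEDOS_SIGNED_BINARY}" "${TRUSTZONE_COMPRESS}"
            fi
        else
            # Otherwise the *_RAW_BINARY payloads are packaged.
            fitimage_emit_section_trustzone "${TZ_ASSEMBLE_OUT}/${TZ_TMP_RAW_BINARY}" "${TRUSTZONE_COMPRESS}"
            if [ -n "${TRUSTEDOS_ENTRYPOINT}" ] && [ -n "${TRUSTEDOS_LOADADDRESS}" ] ; then
                fitimage_emit_section_trustedos "${TZ_ASSEMBLE_OUT}/${TRUSTEDOS_RAW_BINARY}" "${TRUSTZONE_COMPRESS}"
            fi
        fi
    else
        fitimage_emit_section_trustzone "${TZ_ASSEMBLE_OUT}/${TZ_RAW_BINARY}" "${TRUSTZONE_COMPRESS}"
    fi

    fitimage_emit_section_maint sectend

    #
    # Step 2: Prepare a configurations section
    #
    fitimage_emit_section_maint confstart

    fitimage_emit_section_config

    fitimage_emit_section_maint sectend

    fitimage_emit_section_maint fitend

    #
    # Step 3: Assemble the image
    #
    # This first pass gets no key directory. When the signing pass below is
    # skipped, the output carries hash nodes but no signature from this task.
    ${HSM_ENV} HSM_KEY_NAME=${VERIFIED_KEY} uboot-mkimage -f "${WORKDIR}/fit-image.its" "${TZ_ASSEMBLE_OUT}/${TZ_BINARY}"

    # NOTE(review): STANDALONE_SIGN_PREPARE=yes skips signing here; presumably
    # the image is signed by a separate step - confirm that step is mandatory.
    if [ "${SECURE_BOOT_ENABLE}" = "yes" ] && [ "${STANDALONE_SIGN_PREPARE}" != "yes" ]; then
        # mkimage resolves key-name-hint "dev" to dev.key / dev.crt in the
        # directory given with -k. The .pem copied here is used as the
        # signing key, so keep the staging directory and the key file
        # readable by the build user only.
        mkdir -p "${WORKDIR}/mykeys"
        chmod 0700 "${WORKDIR}/mykeys"
        cp -f "${MTK_KEY_DIR}/${VERIFIED_KEY}.crt" "${WORKDIR}/mykeys/dev.crt"
        cp -f "${MTK_KEY_DIR}/${VERIFIED_KEY}.pem" "${WORKDIR}/mykeys/dev.key"
        chmod 0600 "${WORKDIR}/mykeys/dev.key"
        ${HSM_ENV} HSM_KEY_NAME=${VERIFIED_KEY} uboot-mkimage -D "-I dts -O dtb -p 1024" -k "${WORKDIR}/mykeys" -f "${WORKDIR}/fit-image.its" -r "${TZ_ASSEMBLE_OUT}/${TZ_BINARY}"
        # NOTE(review): dev.key stays in WORKDIR after this task. If no later
        # task reads it, remove it here so the key copy does not outlive the
        # signing step in retained or archived work directories.
    fi
}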
|  | 222 |  | 
# Schedule do_assemble_fitimage between do_compile and do_install.
addtask assemble_fitimage after do_compile before do_install