From 260c2a57c73cfab6f8dc420af0ce6abfb716c747 Mon Sep 17 00:00:00 2001
From: Bartosz Cichocki
Date: Fri, 5 Nov 2021 10:05:22 +0100
Subject: [PATCH] [EGD-7912] Add signing update package SHA

To fully operate on signed packages we have to sign checksum
---
 cmake/modules/AddPackage.cmake | 2 +-
 tools/secureboot_sign_package.sh | 70 --------------------------------
 2 files changed, 1 insertion(+), 71 deletions(-)
 delete mode 100755 tools/secureboot_sign_package.sh

diff --git a/cmake/modules/AddPackage.cmake b/cmake/modules/AddPackage.cmake
index ff6de8097e5a28b357e653203723a46619b3b193..1ac5634ab7fdbdeb3d3dabc3ccbf203aa1e0f389 100644
--- a/cmake/modules/AddPackage.cmake
+++ b/cmake/modules/AddPackage.cmake
@@ -78,7 +78,7 @@ function(add_update_package SOURCE_TARGET)
 add_custom_command(
 OUTPUT ${UPDATE_PKG}.sig
 DEPENDS ${UPDATE_PKG}
- COMMAND ${CMAKE_SOURCE_DIR}/tools/secureboot_sign_package.sh ${CST_PATH} ${ELFTOSB_PATH} ${SRK_TABLE} ${CSF_KEY} ${IMG_KEY} ${UPDATE_PKG}
+ COMMAND python3 ${SIGN_CLIENT_PATH}/signclient.py --sha256 ${UPDATE_PKG} --out_file ${UPDATE_PKG}.sig --keystore ${KEYSTORE} --keyslot ${KEYSLOT} --server ${SERVER} --login ${LOGIN}
 COMMENT "Generating update signature"
 WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
diff --git a/tools/secureboot_sign_package.sh b/tools/secureboot_sign_package.sh
deleted file mode 100755
index 6389cc98eef98a018c40feb5292d5510a7382f37..0000000000000000000000000000000000000000
--- a/tools/secureboot_sign_package.sh
+++ /dev/null
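Review bot: The new signing `COMMAND` in `cmake/modules/AddPackage.cmake` expands `${SIGN_CLIENT_PATH}`, `${KEYSTORE}`, `${KEYSLOT}`, `${SERVER}` and `${LOGIN}` unquoted, and the `add_custom_command` still has no `VERBATIM`. An unset value silently drops an argument, and a value containing spaces or shell metacharacters is escaped differently per platform. Nothing visible in the hunk checks that these are set; `add_update_package` begins outside the hunk, so a check may already exist earlier. If it does not, add a `message(FATAL_ERROR ...)` guard for the five variables before the command and a `VERBATIM` line after `WORKING_DIRECTORY ${CMAKE_BINARY_DIR}`, so a misconfigured signing step fails at configure time rather than producing an unexpected request to the signing server. The interpreter is also resolved as bare `python3` from PATH at build time; `find_package(Python3 REQUIRED COMPONENTS Interpreter)` with `COMMAND ${Python3_EXECUTABLE} ${SIGN_CLIENT_PATH}/signclient.py ...` pins which binary handles the keystore login. Since `--login ${LOGIN}` is echoed in verbose build output and CI logs, confirm that it carries only an account name and that the credential itself is supplied out of band.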
@@ -1,70 +0,0 @@
-#!/bin/bash -e
-# Copyright (c) 2017-2021, Mudita Sp. z.o.o. All rights reserved.
-# For licensing, see https://github.com/mudita/MuditaOS/LICENSE.md
-
-usage() {
-cat << ==usage
-Usage: $(basename "$0") [cst_path] [elf2sb_path] [srk_table] [csf_key] [img_key] [file]
- cst_path: NXP cst tool path
- elf2sb_path: NXP elf2sb tool path
- srk_table: SRK table binary file
- csf_key: CSF key
- img_key: Image sign key
- file: File to sign
-==usage
-exit 1
-}
-
-
-# Generate SRK file from the template
-#param in SRK template input
-#param SRK output file
-gen_srk_from_template() {
- sed "s|startAddress =.*|startAddress=0x80ff0000;|g
- s|\${SRK_INDEX}|0|g
- s|\${SRK_TABLE}|${SRK_TABLE}|g
- s|\${CSF_KEY}|${CSF_KEY}|g
- s|\${IMG_KEY}|${IMG_KEY}|g
- " "$1" > $2
-}
-
-
-if [ $# -ne 6 ]; then
- echo "Error! Invalid argument count"
- usage
- exit 1
-fi
-
-CST_PATH="$1"
-ELF2SB_PATH="$2"
-SRK_TABLE="$3"
-CSF_KEY="$4"
-IMG_KEY="$5"
-FILE_TO_SIGN="$6"
-
-
-# Script root dir
-SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
-
-#File search
-if [ ! -f "$FILE_TO_SIGN" ]; then
- echo "Error! Unable to find file to signature"
- exit 1
-fi
-#temporary authenticated file HAB
-TEMP_HAB_FILE="$(mktemp)"
-
-# Generate SRK template
-gen_srk_from_template "$SCRIPT_DIR/../config/imx_authenticated_hab.cmake_template" "$TEMP_HAB_FILE"
-
-# Generate SHA 256 binary signature
-openssl dgst -binary -sha256 "$FILE_TO_SIGN" > "$FILE_TO_SIGN.sig"
-# Minimum size of binary is 4k
-truncate -s 4k "${FILE_TO_SIGN}.sig"
-# Convert to srec (acceptable by the tool)
-arm-none-eabi-objcopy --change-addresses=0x80ff1000 --input-target=binary --output-target=srec "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
-rm "$FILE_TO_SIGN.sig"
-# Final signing using the tool
-"$SCRIPT_DIR/../config/elftosb_wrapper.sh" "$ELF2SB_PATH" "$CST_PATH" -f imx -V -c "$TEMP_HAB_FILE" -o "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
-# Remove temporary files generated by the NXP tools
-rm "$TEMP_HAB_FILE" csf.bin input.csf "${FILE_TO_SIGN}_nopadding.sig" "${FILE_TO_SIGN}.srec" temp.bin