5 files changed, 15 insertions(+), 203 deletions(-)

M CMakeLists.txt
M cmake/modules/AddBootBin.cmake
D cmake/modules/SecureBoot.cmake
D config/elftosb_wrapper.sh
D config/imx_authenticated_hab.cmake_template

@@ 105,7 105,9 @@ if (GENERATE_STACK_USAGE)
     add_compile_options (-fstack-usage)
 endif ()
 
-include(SecureBoot)
+option (ENABLE_SECURE_BOOT "Build signed binary for Secure Boot" OFF)
+set(SIGN_CLIENT_PATH "${CMAKE_SOURCE_DIR}/../sign_server/key_client" CACHE PATH "signclient.py path")
+set(SERVER "https://172.17.0.1:4430" CACHE STRING "sign server address")
 
 if (NOT ENABLE_SECURE_BOOT)
     # Only enable the build-time boot header in a non-secure configuration,

@@ 8,27 8,18 @@ function(add_boot_bin SOURCE_TARGET)
     )
 
     if (ENABLE_SECURE_BOOT)
-        set (SREC_FILE ${CMAKE_PROJECT_NAME}.srec)
-        # .srec file required by elftosb
-        add_custom_command(
-            COMMENT "Generate ${CMAKE_PROJECT_NAME}.srec"
-            OUTPUT ${CMAKE_BINARY_DIR}/${SREC_FILE}
-            DEPENDS ${SOURCE_TARGET}
-            COMMAND ${CMAKE_OBJCOPY} -Osrec $<TARGET_FILE:${SOURCE_TARGET}> ${SREC_FILE}
-            WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
-            )
-
-        add_custom_command(
-            COMMENT "Generate signed boot.bin (Secure Boot)"
-            OUTPUT ${BIN_FILE}
-            DEPENDS ${CMAKE_BINARY_DIR}/${SREC_FILE}
-            COMMAND ${CMAKE_SOURCE_DIR}/config/elftosb_wrapper.sh "${ELFTOSB_PATH}" "${CST_PATH}" -f imx -V
-            -c ${CMAKE_BINARY_DIR}/imx_authenticated_hab.bd
-            -o ${BIN_FILE}
-            ${CMAKE_BINARY_DIR}/${SREC_FILE}
-            VERBATIM
-            WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
-            )
+        IF(EXISTS ${SIGN_CLIENT_PATH}/signclient.py)
+            add_custom_command(
+                COMMENT "Generate signed boot.bin (Secure Boot)"
+                OUTPUT ${BIN_FILE}
+                DEPENDS ${SOURCE_TARGET}
+                COMMAND python3 ${SIGN_CLIENT_PATH}/signclient.py --in_file $<TARGET_FILE:${SOURCE_TARGET}> --out_file=${BIN_FILE} --keystore ${KEYSTORE} --keyslot ${KEYSLOT} --server ${SERVER} --login ${LOGIN}
+                VERBATIM
+                WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+                )
+        else()
+            message( FATAL_ERROR "signclient.py not found in ${SIGN_CLIENT_PATH}" )
+        endif()
     else ()
         add_custom_command(
             COMMENT "Generate ${SOURCE_TARGET}-boot.bin"

@@ 1,49 0,0 @@
-option (ENABLE_SECURE_BOOT "Build signed binary for Secure Boot" OFF)
-
-if (ENABLE_SECURE_BOOT)
-    message(STATUS "Secure boot enabled")
-    # NXP CST utility
-    set(CST_PATH "" CACHE PATH "NXP Code Signing Tool (CST) utility exec. path. PATH lookup if not specified.")
-    if (NOT CST_PATH)
-        message(STATUS "Using NXP CST utility from PATH")
-    else ()
-        message(STATUS "Using NXP CST utility path: ${CST_PATH}")
-    endif ()
-    # NXP elftosb utility
-    set(ELFTOSB_PATH "" CACHE FILEPATH "NXP elftosb utility exec. path. PATH lookup if not specified.")
-    if (NOT ELFTOSB_PATH)
-        message(STATUS "Using NXP elftosb utility from PATH")
-    else ()
-        message(STATUS "Using NXP elftosb utility path: ${ELFTOSB_PATH}")
-    endif ()
-    # SRK table
-    set(SRK_TABLE "" CACHE FILEPATH "Super Root Key (SRK) table in a binary form (generated by NXP srktool)")
-    if (NOT SRK_TABLE)
-        message(FATAL_ERROR "SRK_TABLE not specified (required for Secure Boot)")
-    endif ()
-    # SRK index
-    set(SRK_INDEX "" CACHE STRING "SRK key index in the SRK table (0-3)")
-    if (NOT SRK_INDEX)
-        set(SRK_INDEX "0" CACHE STRING "" FORCE)
-    endif ()
-    # CSF key
-    set(CSF_KEY "" CACHE FILEPATH "CSF key in PEM format for CSF authentication")
-    if (NOT CSF_KEY)
-        message(FATAL_ERROR "CSF_KEY not specified (required for Secure Boot)")
-    endif ()
-    # IMG key
-    set(IMG_KEY "" CACHE FILEPATH "IMG key in PEM format for image authentication")
-    if (NOT IMG_KEY)
-        message(FATAL_ERROR "IMG_KEY not specified (required for Secure Boot)")
-    endif ()
-
-    message(STATUS "Using SRK table: ${SRK_TABLE}")
-    message(STATUS "Using SRK index: ${SRK_INDEX}")
-    message(STATUS "Using CSF key: ${CSF_KEY}")
-    message(STATUS "Using IMG key: ${IMG_KEY}")
-
-    configure_file(
-        ${CMAKE_SOURCE_DIR}/config/imx_authenticated_hab.cmake_template
-        ${CMAKE_BINARY_DIR}/imx_authenticated_hab.bd
-        )
-endif ()

@@ 1,42 0,0 @@
-#! /bin/bash
-# Copyright (c) 2017-2021, Mudita Sp. z.o.o. All rights reserved.
-# For licensing, see https://github.com/mudita/MuditaOS/LICENSE.md
-
-# This wrapper script expects filepaths to elftosb and cst NXP utilities
-# as the first and second pos. arg. respectively. It passes the rest of
-# pos. args to elftosb. Its main purpose is to export the path to cst utility
-# so it is visible to elftosb.
-
-function print_help() {
-    echo -e "This script is a wrapper around the elftosb NXP utility used for" 
-    echo -e "signing program images. Its purpose is to export the path to"
-    echo -e "the NXP Code Signing Utility (CST) which is looked up in PATH"
-    echo -e "by elftosb.\n"
-    echo -e "Usage: elftosb_wrapper <elftosb_path> <cst_path> [elftosb_args]"
-}
-
-set -euo pipefail
-
-if [[ $# -lt 2 ]]; then
-    print_help
-    exit 1
-fi
-
-elftosb_path=$1
-shift 1
-cst_path=$1
-shift 1
-
-if [[ -n "$elftosb_path" ]]; then
-    elftosb_exec="$elftosb_path/elftosb"
-else
-    elftosb_exec="elftosb"
-fi
-
-if [[ -n "$cst_path" ]]; then
-    # Export CST path for elftosb (assume already in PATH if empty)
-    export "PATH=$cst_path:$PATH"
-fi
-
-# Run elftosb passing the remaining args
-"$elftosb_exec" $@

@@ 1,90 0,0 @@
-# This is a template of the command file for the NXP elftosb utility. It is
-# processed by CMake which substitutes placeholders wich CMake variable values
-# (configure file).
-
-options {
-    flags = 0x08;
-    startAddress = 0x80000000;
-    ivtOffset = 0x400;
-    initialLoadSize = 0x1000;
-}
-
-sources {
-    elfFile = extern(0);
-}
-
-constants {
-    SEC_CSF_HEADER              = 20;
-    SEC_CSF_INSTALL_SRK         = 21;
-    SEC_CSF_INSTALL_CSFK        = 22;
-    SEC_CSF_INSTALL_NOCAK       = 23;
-    SEC_CSF_AUTHENTICATE_CSF    = 24;
-    SEC_CSF_INSTALL_KEY         = 25;
-    SEC_CSF_AUTHENTICATE_DATA   = 26;
-    SEC_CSF_INSTALL_SECRET_KEY  = 27;
-    SEC_CSF_DECRYPT_DATA        = 28;
-    SEC_NOP                     = 29;
-    SEC_SET_MID                 = 30;
-    SEC_SET_ENGINE              = 31;
-    SEC_INIT                    = 32;
-    SEC_UNLOCK                  = 33;
-}
-
-section (SEC_CSF_HEADER;
-    Header_Version="4.2",
-    Header_HashAlgorithm="sha256",
-    Header_Engine="DCP",
-    Header_EngineConfiguration=0,
-    Header_CertificateFormat="x509",
-    Header_SignatureFormat="CMS"
-    )
-{
-}
-
-section (SEC_CSF_INSTALL_SRK;
-    InstallSRK_Table="${SRK_TABLE}",
-    InstallSRK_SourceIndex=${SRK_INDEX}
-    )
-{
-}
-
-section (SEC_CSF_INSTALL_CSFK;
-    InstallCSFK_File="${CSF_KEY}",
-    InstallCSFK_CertificateFormat="x509"
-    )
-{
-}
-
-section (SEC_CSF_AUTHENTICATE_CSF)
-{
-}
-
-section (SEC_CSF_INSTALL_KEY;
-    InstallKey_File="${IMG_KEY}",
-    InstallKey_VerificationIndex=0,
-    InstallKey_TargetIndex=2)
-{
-}
-
-section (SEC_CSF_AUTHENTICATE_DATA;
-    AuthenticateData_VerificationIndex=2,
-    AuthenticateData_Engine="DCP",
-    AuthenticateData_EngineConfiguration=0)
-{
-}
-
-
-section (SEC_SET_ENGINE;
-    SetEngine_HashAlgorithm = "sha256",
-    SetEngine_Engine = "DCP",
-    SetEngine_EngineConfiguration = "0")
-{
-}
-
-section (SEC_UNLOCK;
-    Unlock_Engine = "SNVS",
-    Unlock_features = "ZMK WRITE"
-    )
-{
-}
-