From 6db5a89215bf9d06ed6e54148647340fd14903eb Mon Sep 17 00:00:00 2001
From: Bartosz Cichocki
Date: Thu, 4 Nov 2021 09:47:33 +0100
Subject: [PATCH] [EGD-7912] Enable sign script for CI in CMake

Enabled possibility to sign boot.bin via CI scripts
---
 CMakeLists.txt                              |  4 +-
 cmake/modules/AddBootBin.cmake              | 33 +++-----
 cmake/modules/SecureBoot.cmake              | 49 ----------
 config/elftosb_wrapper.sh                   | 42 ---------
 config/imx_authenticated_hab.cmake_template | 90 ---------------------
 5 files changed, 15 insertions(+), 203 deletions(-)
 delete mode 100644 cmake/modules/SecureBoot.cmake
 delete mode 100755 config/elftosb_wrapper.sh
 delete mode 100644 config/imx_authenticated_hab.cmake_template

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0bee17c74e91d8074a2caf623e89476f0f1677ef..8b1c19edfdc16d42d8da9b992851ee471a0e5e1e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -105,7 +105,9 @@ if (GENERATE_STACK_USAGE)
     add_compile_options (-fstack-usage)
 endif ()
 
-include(SecureBoot)
+option (ENABLE_SECURE_BOOT "Build signed binary for Secure Boot" OFF)
+set(SIGN_CLIENT_PATH "${CMAKE_SOURCE_DIR}/../sign_server/key_client" CACHE PATH "signclient.py path")
+set(SERVER "https://172.17.0.1:4430" CACHE STRING "sign server address")
 
 if (NOT ENABLE_SECURE_BOOT)
     # Only enable the build-time boot header in a non-secure configuration,
diff --git a/cmake/modules/AddBootBin.cmake b/cmake/modules/AddBootBin.cmake
index d3008f2bf64b08a398bc8c3b5a4893ec1bb22524..1760811d2fcdd7315357bd0c635c23d67e724fcf 100644
--- a/cmake/modules/AddBootBin.cmake
+++ b/cmake/modules/AddBootBin.cmake
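Review bot: The default for SERVER is a concrete address, `https://172.17.0.1:4430` (the usual Docker bridge gateway), so a developer who turns on ENABLE_SECURE_BOOT without overriding it has the signing step pointed at whatever answers on that address instead of being told the setting is missing. I would make the default empty and fail at configure time when secure boot is on without it: `set(SERVER "" CACHE STRING "sign server address, e.g. https://host:port")` followed by `if (ENABLE_SECURE_BOOT AND NOT SERVER) message(FATAL_ERROR "SERVER must be set when ENABLE_SECURE_BOOT is ON") endif ()` — the removed SecureBoot.cmake did exactly this kind of check for its key inputs. SERVER and SIGN_CLIENT_PATH are also unprefixed cache names in a cache that is global to the whole build, so something like `SECURE_BOOT_SIGN_SERVER` would avoid collisions with other modules. Whether signclient.py verifies the server's TLS certificate is not visible here; since the image is signed remotely, that is worth confirming before a default address is trusted.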
@@ -8,27 +8,18 @@ function(add_boot_bin SOURCE_TARGET)
     )
 
     if (ENABLE_SECURE_BOOT)
-        set (SREC_FILE ${CMAKE_PROJECT_NAME}.srec)
-        # .srec file required by elftosb
-        add_custom_command(
-            COMMENT "Generate ${CMAKE_PROJECT_NAME}.srec"
-            OUTPUT ${CMAKE_BINARY_DIR}/${SREC_FILE}
-            DEPENDS ${SOURCE_TARGET}
-            COMMAND ${CMAKE_OBJCOPY} -Osrec $ ${SREC_FILE}
-            WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
-        )
-
-        add_custom_command(
-            COMMENT "Generate signed boot.bin (Secure Boot)"
-            OUTPUT ${BIN_FILE}
-            DEPENDS ${CMAKE_BINARY_DIR}/${SREC_FILE}
-            COMMAND ${CMAKE_SOURCE_DIR}/config/elftosb_wrapper.sh "${ELFTOSB_PATH}" "${CST_PATH}" -f imx -V
-                    -c ${CMAKE_BINARY_DIR}/imx_authenticated_hab.bd
-                    -o ${BIN_FILE}
-                    ${CMAKE_BINARY_DIR}/${SREC_FILE}
-            VERBATIM
-            WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
-        )
+        IF(EXISTS ${SIGN_CLIENT_PATH}/signclient.py)
+            add_custom_command(
+                COMMENT "Generate signed boot.bin (Secure Boot)"
+                OUTPUT ${BIN_FILE}
+                DEPENDS ${SOURCE_TARGET}
+                COMMAND python3 ${SIGN_CLIENT_PATH}/signclient.py --in_file $ --out_file=${BIN_FILE} --keystore ${KEYSTORE} --keyslot ${KEYSLOT} --server ${SERVER} --login ${LOGIN}
+                VERBATIM
+                WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+            )
+        else()
+            message( FATAL_ERROR "signclient.py not found in ${SIGN_CLIENT_PATH}" )
+        endif()
     else ()
         add_custom_command(
             COMMENT "Generate ${SOURCE_TARGET}-boot.bin"
diff --git a/cmake/modules/SecureBoot.cmake b/cmake/modules/SecureBoot.cmake
deleted file mode 100644
index da05ee4d23461192624d67bdf9a23eaa13b0714f..0000000000000000000000000000000000000000
--- a/cmake/modules/SecureBoot.cmake
+++ /dev/null
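Review bot: The new COMMAND line passes `${KEYSTORE}`, `${KEYSLOT}` and `${LOGIN}`, but nothing in this patch declares them (CMakeLists.txt adds only SIGN_CLIENT_PATH and SERVER), so an unset one expands to nothing under VERBATIM and signclient.py is invoked as `--keystore --keyslot --server ...`, leaving the failure to the script's argument parser at build time instead of at configure time. Declare them next to the other cache entries, or check them here before the add_custom_command: `foreach (v KEYSTORE KEYSLOT LOGIN SERVER)`, `if (NOT ${v}) message(FATAL_ERROR "${v} is required when ENABLE_SECURE_BOOT is ON") endif ()`, `endforeach ()`. The rule lists only `${SOURCE_TARGET}` under DEPENDS, so a change to signclient.py will not re-sign an already built boot.bin; add `${SIGN_CLIENT_PATH}/signclient.py` to DEPENDS. Minor style: `IF(EXISTS ...)` is the only upper-case command in the hunk, and `python3` is a bare executable name where `Python3::Interpreter` from `find_package(Python3 COMPONENTS Interpreter)` would pin the interpreter CMake actually found. The `$` after `--in_file` looks like a generator expression whose angle brackets were lost in rendering (the removed objcopy line shows the same), so I assume it is `$<TARGET_FILE:${SOURCE_TARGET}>`; the rest of add_boot_bin continues outside the hunk.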
@@ -1,49 +0,0 @@
-option (ENABLE_SECURE_BOOT "Build signed binary for Secure Boot" OFF)
-
-if (ENABLE_SECURE_BOOT)
-    message(STATUS "Secure boot enabled")
-    # NXP CST utility
-    set(CST_PATH "" CACHE PATH "NXP Code Signing Tool (CST) utility exec. path. PATH lookup if not specified.")
-    if (NOT CST_PATH)
-        message(STATUS "Using NXP CST utility from PATH")
-    else ()
-        message(STATUS "Using NXP CST utility path: ${CST_PATH}")
-    endif ()
-    # NXP elftosb utility
-    set(ELFTOSB_PATH "" CACHE FILEPATH "NXP elftosb utility exec. path. PATH lookup if not specified.")
-    if (NOT ELFTOSB_PATH)
-        message(STATUS "Using NXP elftosb utility from PATH")
-    else ()
-        message(STATUS "Using NXP elftosb utility path: ${ELFTOSB_PATH}")
-    endif ()
-    # SRK table
-    set(SRK_TABLE "" CACHE FILEPATH "Super Root Key (SRK) table in a binary form (generated by NXP srktool)")
-    if (NOT SRK_TABLE)
-        message(FATAL_ERROR "SRK_TABLE not specified (required for Secure Boot)")
-    endif ()
-    # SRK index
-    set(SRK_INDEX "" CACHE STRING "SRK key index in the SRK table (0-3)")
-    if (NOT SRK_INDEX)
-        set(SRK_INDEX "0" CACHE STRING "" FORCE)
-    endif ()
-    # CSF key
-    set(CSF_KEY "" CACHE FILEPATH "CSF key in PEM format for CSF authentication")
-    if (NOT CSF_KEY)
-        message(FATAL_ERROR "CSF_KEY not specified (required for Secure Boot)")
-    endif ()
-    # IMG key
-    set(IMG_KEY "" CACHE FILEPATH "IMG key in PEM format for image authentication")
-    if (NOT IMG_KEY)
-        message(FATAL_ERROR "IMG_KEY not specified (required for Secure Boot)")
-    endif ()
-
-    message(STATUS "Using SRK table: ${SRK_TABLE}")
-    message(STATUS "Using SRK index: ${SRK_INDEX}")
-    message(STATUS "Using CSF key: ${CSF_KEY}")
-    message(STATUS "Using IMG key: ${IMG_KEY}")
-
-    configure_file(
-        ${CMAKE_SOURCE_DIR}/config/imx_authenticated_hab.cmake_template
-        ${CMAKE_BINARY_DIR}/imx_authenticated_hab.bd
-    )
-endif ()
diff --git a/config/elftosb_wrapper.sh b/config/elftosb_wrapper.sh
deleted file mode 100755
index 7680f1e5c36fb791557507aefd1e3ee7ec496d62..0000000000000000000000000000000000000000
--- a/config/elftosb_wrapper.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#! /bin/bash
-# Copyright (c) 2017-2021, Mudita Sp. z.o.o. All rights reserved.
-# For licensing, see https://github.com/mudita/MuditaOS/LICENSE.md
-
-# This wrapper script expects filepaths to elftosb and cst NXP utilities
-# as the first and second pos. arg. respectively. It passes the rest of
-# pos. args to elftosb. Its main purpose is to export the path to cst utility
-# so it is visible to elftosb.
-
-function print_help() {
-    echo -e "This script is a wrapper around the elftosb NXP utility used for"
-    echo -e "signing program images. Its purpose is to export the path to"
-    echo -e "the NXP Code Signing Utility (CST) which is looked up in PATH"
-    echo -e "by elftosb.\n"
-    echo -e "Usage: elftosb_wrapper [elftosb_args]"
-}
-
-set -euo pipefail
-
-if [[ $# -lt 2 ]]; then
-    print_help
-    exit 1
-fi
-
-elftosb_path=$1
-shift 1
-cst_path=$1
-shift 1
-
-if [[ -n "$elftosb_path" ]]; then
-    elftosb_exec="$elftosb_path/elftosb"
-else
-    elftosb_exec="elftosb"
-fi
-
-if [[ -n "$cst_path" ]]; then
-    # Export CST path for elftosb (assume already in PATH if empty)
-    export "PATH=$cst_path:$PATH"
-fi
-
-# Run elftosb passing the remaining args
-"$elftosb_exec" $@
diff --git a/config/imx_authenticated_hab.cmake_template b/config/imx_authenticated_hab.cmake_template
deleted file mode 100644
index 1662d686bae46ca3989637c9f9871fa47526bf5a..0000000000000000000000000000000000000000
--- a/config/imx_authenticated_hab.cmake_template
+++ /dev/null
@@ -1,90 +0,0 @@
-# This is a template of the command file for the NXP elftosb utility. It is
-# processed by CMake which substitutes placeholders wich CMake variable values
-# (configure file).
-
-options {
-    flags = 0x08;
-    startAddress = 0x80000000;
-    ivtOffset = 0x400;
-    initialLoadSize = 0x1000;
-}
-
-sources {
-    elfFile = extern(0);
-}
-
-constants {
-    SEC_CSF_HEADER = 20;
-    SEC_CSF_INSTALL_SRK = 21;
-    SEC_CSF_INSTALL_CSFK = 22;
-    SEC_CSF_INSTALL_NOCAK = 23;
-    SEC_CSF_AUTHENTICATE_CSF = 24;
-    SEC_CSF_INSTALL_KEY = 25;
-    SEC_CSF_AUTHENTICATE_DATA = 26;
-    SEC_CSF_INSTALL_SECRET_KEY = 27;
-    SEC_CSF_DECRYPT_DATA = 28;
-    SEC_NOP = 29;
-    SEC_SET_MID = 30;
-    SEC_SET_ENGINE = 31;
-    SEC_INIT = 32;
-    SEC_UNLOCK = 33;
-}
-
-section (SEC_CSF_HEADER;
-    Header_Version="4.2",
-    Header_HashAlgorithm="sha256",
-    Header_Engine="DCP",
-    Header_EngineConfiguration=0,
-    Header_CertificateFormat="x509",
-    Header_SignatureFormat="CMS"
-    )
-{
-}
-
-section (SEC_CSF_INSTALL_SRK;
-    InstallSRK_Table="${SRK_TABLE}",
-    InstallSRK_SourceIndex=${SRK_INDEX}
-    )
-{
-}
-
-section (SEC_CSF_INSTALL_CSFK;
-    InstallCSFK_File="${CSF_KEY}",
-    InstallCSFK_CertificateFormat="x509"
-    )
-{
-}
-
-section (SEC_CSF_AUTHENTICATE_CSF)
-{
-}
-
-section (SEC_CSF_INSTALL_KEY;
-    InstallKey_File="${IMG_KEY}",
-    InstallKey_VerificationIndex=0,
-    InstallKey_TargetIndex=2)
-{
-}
-
-section (SEC_CSF_AUTHENTICATE_DATA;
-    AuthenticateData_VerificationIndex=2,
-    AuthenticateData_Engine="DCP",
-    AuthenticateData_EngineConfiguration=0)
-{
-}
-
-
-section (SEC_SET_ENGINE;
-    SetEngine_HashAlgorithm = "sha256",
-    SetEngine_Engine = "DCP",
-    SetEngine_EngineConfiguration = "0")
-{
-}
-
-section (SEC_UNLOCK;
-    Unlock_Engine = "SNVS",
-    Unlock_features = "ZMK WRITE"
-    )
-{
-}
-