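--- a/cmake/modules/AddPackage.cmake
+++ b/cmake/modules/AddPackage.cmake
@@ -76,8 +76,22 @@ function(add_update_package SOURCE_TARGET)
 WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 COMMENT "Generating update image"
 )
- message("Adding '${SOURCE_TARGET}-UpdatePackage' target")
- add_custom_target(${SOURCE_TARGET}-UpdatePackage
+
+ add_custom_command(
+ OUTPUT ${UPDATE_PKG}.sig
 DEPENDS ${UPDATE_PKG}
+ COMMAND ${CMAKE_SOURCE_DIR}/tools/secureboot_sign_package.sh ${CST_PATH} ${ELFTOSB_PATH} ${SRK_TABLE} ${CSF_KEY} ${IMG_KEY} ${UPDATE_PKG}
+ COMMENT "Generating update signature"
+ WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
 )
+ message("Adding '${SOURCE_TARGET}-UpdatePackage' target")
+ if(ENABLE_SECURE_BOOT)
+ add_custom_target(${SOURCE_TARGET}-UpdatePackage
+ DEPENDS ${UPDATE_PKG}.sig
+ )
+ else()
+ add_custom_target(${SOURCE_TARGET}-UpdatePackage
+ DEPENDS ${UPDATE_PKG}
+ )
+ endif()
 endfunction()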
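Review bot: The new `COMMAND` line passes `${CST_PATH}`, `${ELFTOSB_PATH}`, `${SRK_TABLE}`, `${CSF_KEY}` and `${IMG_KEY}` unquoted and nothing in the hunk checks that they are set, so an empty one drops out of the argument list and the problem only surfaces at build time as the script's "Invalid argument count". With `ENABLE_SECURE_BOOT` on I would fail at configure time for each input, e.g. `if(ENABLE_SECURE_BOOT AND NOT CSF_KEY)` / `message(FATAL_ERROR "CSF_KEY must be set when ENABLE_SECURE_BOOT is ON")` / `endif()`, and add `VERBATIM` to the `add_custom_command`. The signing script is not listed in `DEPENDS`, so editing it does not regenerate the signature; `DEPENDS ${UPDATE_PKG} ${CMAKE_SOURCE_DIR}/tools/secureboot_sign_package.sh` would cover that. The `else()` branch produces an unsigned package under the same target name, so a `message(STATUS ...)` stating which variant was configured would make that visible in build logs. add_update_package starts above the hunk, so some of these variables may already be validated there.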
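--- /dev/null
+++ b/tools/secureboot_sign_package.sh
@@ -0,0 +1,70 @@
+#!/bin/bash -e
+# Copyright (c) 2017-2021, Mudita Sp. z.o.o. All rights reserved.
+# For licensing, see https://github.com/mudita/MuditaOS/LICENSE.md
+
+usage() {
+cat << ==usage
+Usage: $(basename "$0") [cst_path] [elf2sb_path] [srk_table] [csf_key] [img_key] [file]
+ cst_path: NXP cst tool path
+ elf2sb_path: NXP elf2sb tool path
+ srk_table: SRK table binary file
+ csf_key: CSF key
+ img_key: Image sign key
+ file: File to sign
+==usage
+exit 1
+}
+
+
+# Generate SRK file from the template
+#param in SRK template input
+#param SRK output file
+gen_srk_from_template() {
+ sed "s|startAddress =.*|startAddress=0x80ff0000;|g
+ s|\${SRK_INDEX}|0|g
+ s|\${SRK_TABLE}|${SRK_TABLE}|g
+ s|\${CSF_KEY}|${CSF_KEY}|g
+ s|\${IMG_KEY}|${IMG_KEY}|g
+ " "$1" > $2
+}
+
+
+if [ $# -ne 6 ]; then
+ echo "Error! Invalid argument count"
+ usage
+ exit 1
+fi
+
+CST_PATH="$1"
+ELF2SB_PATH="$2"
+SRK_TABLE="$3"
+CSF_KEY="$4"
+IMG_KEY="$5"
+FILE_TO_SIGN="$6"
+
+
+# Script root dir
+SCRIPT_DIR=$(dirname "$(readlink -f "$0")")
+
+#File search
+if [ ! -f "$FILE_TO_SIGN" ]; then
+ echo "Error! Unable to find file to signature"
+ exit 1
+fi
+#temporary authenticated file HAB
+TEMP_HAB_FILE="$(mktemp)"
+
+# Generate SRK template
+gen_srk_from_template "$SCRIPT_DIR/../config/imx_authenticated_hab.cmake_template" "$TEMP_HAB_FILE"
+
+# Generate SHA 256 binary signature
+openssl dgst -binary -sha256 "$FILE_TO_SIGN" > "$FILE_TO_SIGN.sig"
+# Minimum size of binary is 4k
+truncate -s 4k "${FILE_TO_SIGN}.sig"
+# Convert to srec (acceptable by the tool)
+arm-none-eabi-objcopy --change-addresses=0x80ff1000 --input-target=binary --output-target=srec "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
+rm "$FILE_TO_SIGN.sig"
+# Final signing using the tool
+"$SCRIPT_DIR/../config/elftosb_wrapper.sh" "$ELF2SB_PATH" "$CST_PATH" -f imx -V -c "$TEMP_HAB_FILE" -o "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
+# Remove temporary files generated by the NXP tools
+rm "$TEMP_HAB_FILE" csf.bin input.csf "${FILE_TO_SIGN}_nopadding.sig" "${FILE_TO_SIGN}.srec" temp.bin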
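Review bot: The raw SHA-256 digest is written to `$FILE_TO_SIGN.sig`, the same path the final signed output uses and the `OUTPUT` that CMake tracks, so under `-e` a failure in `truncate` or `arm-none-eabi-objcopy` leaves an unsigned 4k digest at the signature path, and a later build may treat it as up to date. The same early exit leaves `$TEMP_HAB_FILE` (which holds the SRK table and key paths) and the `.srec` behind, because cleanup only happens on the last line. I would keep the intermediates in a `mktemp -d` directory removed by a `trap ... EXIT`, and use `rm -f` for the tool byproducts so that a missing `temp.bin` does not fail an otherwise successful signing; whether the wrapper accepts an input outside the package directory should be confirmed. Separately, `> $2` in `gen_srk_from_template` should be quoted as `> "$2"`, and the error messages would be better sent to stderr with `>&2`.

```shell
# … unchanged: usage, gen_srk_from_template, argument parsing, file check …
WORK_DIR="$(mktemp -d)"
trap 'rm -rf "$WORK_DIR"' EXIT
TEMP_HAB_FILE="$WORK_DIR/hab_config"
DIGEST_FILE="$WORK_DIR/digest.bin"
SREC_FILE="$WORK_DIR/digest.srec"

# … unchanged: gen_srk_from_template call …
openssl dgst -binary -sha256 "$FILE_TO_SIGN" > "$DIGEST_FILE"
truncate -s 4k "$DIGEST_FILE"
arm-none-eabi-objcopy --change-addresses=0x80ff1000 --input-target=binary --output-target=srec "$DIGEST_FILE" "$SREC_FILE"
"$SCRIPT_DIR/../config/elftosb_wrapper.sh" "$ELF2SB_PATH" "$CST_PATH" -f imx -V -c "$TEMP_HAB_FILE" -o "$FILE_TO_SIGN.sig" "$SREC_FILE"
# Byproducts the NXP tools drop in the working directory
rm -f csf.bin input.csf "${FILE_TO_SIGN}_nopadding.sig" temp.bin
```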