~aleteoryx/muditaos

90dee999c0aecd5f49a6625535afb4f562d55f89 — Bartosz Cichocki 4 years ago 55da243 
[EGD-7912] Add signing update package SHA

To fully operate on signed packages we have to sign checksum
patch browse .tar.gz 
2 files changed, 1 insertions(+), 71 deletions(-)

M cmake/modules/AddPackage.cmake
D tools/secureboot_sign_package.sh

M cmake/modules/AddPackage.cmake => cmake/modules/AddPackage.cmake +1 -1
@@ 78,7 78,7 @@ function(add_update_package SOURCE_TARGET)
    add_custom_command(
        OUTPUT ${UPDATE_PKG}.sig
        DEPENDS ${UPDATE_PKG}
        COMMAND ${CMAKE_SOURCE_DIR}/tools/secureboot_sign_package.sh ${CST_PATH} ${ELFTOSB_PATH} ${SRK_TABLE} ${CSF_KEY} ${IMG_KEY} ${UPDATE_PKG}
        COMMAND python3 ${SIGN_CLIENT_PATH}/signclient.py --sha256 ${UPDATE_PKG} --out_file ${UPDATE_PKG}.sig --keystore ${KEYSTORE} --keyslot ${KEYSLOT} --server ${SERVER} --login ${LOGIN}
        COMMENT "Generating update signature"
        WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
    )


D tools/secureboot_sign_package.sh => tools/secureboot_sign_package.sh +0 -70
@@ 1,70 0,0 @@
#!/bin/bash -e
# Copyright (c) 2017-2021, Mudita Sp. z.o.o. All rights reserved.
# For licensing, see https://github.com/mudita/MuditaOS/LICENSE.md

usage() {
cat << ==usage
Usage: $(basename "$0") [cst_path] [elf2sb_path] [srk_table] [csf_key] [img_key] [file]
        cst_path:       NXP cst tool path       
        elf2sb_path:    NXP elf2sb tool path
        srk_table:      SRK table binary file
        csf_key:        CSF key
        img_key:        Image sign key
        file:           File to sign
==usage
exit 1
}


# Generate SRK file from the template 
#param in SRK template input
#param SRK output file
gen_srk_from_template() {
    sed "s|startAddress =.*|startAddress=0x80ff0000;|g
         s|\${SRK_INDEX}|0|g
         s|\${SRK_TABLE}|${SRK_TABLE}|g
         s|\${CSF_KEY}|${CSF_KEY}|g
         s|\${IMG_KEY}|${IMG_KEY}|g
    " "$1" > $2
}


if [ $# -ne 6 ]; then
        echo "Error! Invalid argument count"
        usage
        exit 1
fi

CST_PATH="$1"
ELF2SB_PATH="$2"
SRK_TABLE="$3"
CSF_KEY="$4"
IMG_KEY="$5"
FILE_TO_SIGN="$6"


# Script root dir
SCRIPT_DIR=$(dirname "$(readlink -f "$0")")

#File search
if [ ! -f "$FILE_TO_SIGN" ]; then 
    echo "Error! Unable to find file to signature"
    exit 1
fi 
#temporary authenticated file HAB
TEMP_HAB_FILE="$(mktemp)"

# Generate SRK template
gen_srk_from_template "$SCRIPT_DIR/../config/imx_authenticated_hab.cmake_template" "$TEMP_HAB_FILE"

# Generate SHA 256 binary signature
openssl dgst -binary -sha256  "$FILE_TO_SIGN" > "$FILE_TO_SIGN.sig"
# Minimum size of binary is 4k
truncate -s 4k "${FILE_TO_SIGN}.sig"
# Convert to srec (acceptable by the tool)
arm-none-eabi-objcopy --change-addresses=0x80ff1000 --input-target=binary --output-target=srec "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
rm "$FILE_TO_SIGN.sig"
# Final signing using the tool
"$SCRIPT_DIR/../config/elftosb_wrapper.sh" "$ELF2SB_PATH" "$CST_PATH" -f imx -V -c "$TEMP_HAB_FILE" -o "$FILE_TO_SIGN.sig" "$FILE_TO_SIGN.srec"
# Remove temporary files generated by the NXP tools
rm "$TEMP_HAB_FILE" csf.bin input.csf  "${FILE_TO_SIGN}_nopadding.sig" "${FILE_TO_SIGN}.srec" temp.bin