Initial commit

meta-aspeed/classes/otptool.bbclass

@@ -0,0 +1,78 @@
+# ASPEED AST2600 devices can use Aspeed's utility 'otptool'
+# to create OTP image
+# The variables below carry default values to the create_otp()
+# function below.
+OTPTOOL_CONFIGS ?= ""
+OTPTOOL_KEY_DIR ?= ""
+OTPTOOL_USER_DIR ?= ""
+OTPTOOL_EXTRA_OPTS ?= ""
+OTPTOOL_EXTRA_DEPENDS ?= " socsec-native"
+DEPENDS += '${@oe.utils.conditional("SOCSEC_SIGN_ENABLE", "1", "${OTPTOOL_EXTRA_DEPENDS}", "", d)}'
+
+do_otptool() {
+    local otptool_config=$1
+    otptool_config_slug="$(basename ${otptool_config} .json)"
+    otptool_config_outdir="${B}"/"${CONFIG_B_PATH}"/"${otptool_config_slug}"
+    otptool_user_folder="$([ -n "${OTPTOOL_USER_DIR}" ] && echo --user_data_folder ${OTPTOOL_USER_DIR})"
+    mkdir -p "${otptool_config_outdir}"
+    otptool make_otp_image \
+        --key_folder ${OTPTOOL_KEY_DIR} \
+        --output_folder "${otptool_config_outdir}" \
+        ${otptool_user_folder} \
+        ${otptool_config} \
+        ${OTPTOOL_EXTRA_OPTS}
+
+    if [ $? -ne 0 ]; then
+        bbfatal "Generated OTP image failed."
+    fi
+
+    otptool print "${otptool_config_outdir}"/otp-all.image
+
+    if [ $? -ne 0 ]; then
+        bbfatal "Printed OTP image failed."
+    fi
+
+    install -m 0644 -T \
+        "${otptool_config_outdir}"/otp-all.image \
+        ${DEPLOYDIR}/"${otptool_config_slug}"-otp-all.image
+}
+
+# Creates the OTP image
+create_otp_helper() {
+    if [ "${SOC_FAMILY}" != "aspeed-g6" ] ; then
+        bbwarn "OTP creation is only supported on AST2600 boards"
+    elif [ -z "${OTPTOOL_CONFIGS}" ] ; then
+        bbfatal "OTPTOOL_CONFIGS is empty, no otptool configurations available"
+    elif [ ! -d "${OTPTOOL_KEY_DIR}" ] ; then
+        bbfatal "Invalid otptool signing key directory: ${OTPTOOL_KEY_DIR}"
+    else
+        for otptool_config in ${OTPTOOL_CONFIGS} ; do
+            if [ ! -e ${otptool_config} ] ; then
+                bbfatal "Invalid otptool config: ${otptool_config}"
+            fi
+
+            do_otptool $otptool_config
+        done
+    fi
+}
+
+create_otp() {
+    mkdir -p ${DEPLOYDIR}
+    if [ -n "${UBOOT_CONFIG}" ]; then
+        for config in ${UBOOT_MACHINE}; do
+            CONFIG_B_PATH="${config}"
+            cd ${B}/${config}
+            create_otp_helper
+        done
+    else
+        CONFIG_B_PATH=""
+        cd ${B}
+        create_otp_helper
+    fi
+}
+
+do_deploy:prepend() {
+    if [ "${SOCSEC_SIGN_ENABLE}" = "1" ] ; then
+        create_otp
+    fi
+}

meta-aspeed/classes/socsec-sign.bbclass

@@ -0,0 +1,80 @@
+# ASPEED AST2600 devices can use Aspeed's utility 'socsec'
+# to sign the SPL (pubkey written to OTP region)
+# The variables below carry default values to the spl_sign()
+# function below.
+SOCSEC_SIGN_ENABLE ?= "0"
+SOCSEC_SIGN_KEY ?= ""
+SOCSEC_SIGN_SOC ?= "2600"
+SOCSEC_SIGN_ALGO ?= "RSA4096_SHA512"
+SOCSEC_SIGN_HELPER ?= ""
+# u-boot-aspeed-sdk commit '2c3b53489c ast2600: Modify SPL SRAM layout'
+# changes the SRAM layout so that the verification region does NOT
+# intersects the stack. The parameter below can be used to instruct
+# socsec to work in either mode (ommitting it throws a warning), but
+# newer (post v00.03.03) u-boot-aspeed-sdk need this set to false
+# A1 rsa order is little endian and A3 is big endian
+# Set big endian for A3 support
+SOCSEC_SIGN_EXTRA_OPTS ?= "--stack_intersects_verification_region=false --rsa_key_order=big"
+DEPENDS += '${@oe.utils.conditional("SOCSEC_SIGN_ENABLE", "1", " socsec-native", "", d)}'
+
+
+# Signs the SPL binary with a pre-established key
+sign_spl_helper() {
+    signing_helper_args=""
+
+    if [ "${SOC_FAMILY}" != "aspeed-g6" ] ; then
+        bbwarn "SPL signing is only supported on AST2600 boards"
+    elif [ ! -e "${SOCSEC_SIGN_KEY}" ] ; then
+        bbfatal "Invalid socsec signing key: ${SOCSEC_SIGN_KEY}"
+    else
+        rm -f ${SPL_BINARY}.staged
+
+        if [ -n "${SOCSEC_SIGN_HELPER}" ] ; then
+            signing_helper_args="--signing_helper ${SOCSEC_SIGN_HELPER}"
+        fi
+        socsec make_secure_bl1_image \
+            --soc ${SOCSEC_SIGN_SOC}  \
+            --algorithm ${SOCSEC_SIGN_ALGO} \
+            --rsa_sign_key ${SOCSEC_SIGN_KEY} \
+            --bl1_image ${DEPLOYDIR}/${SPL_IMAGE} \
+            $signing_helper_args \
+            ${SOCSEC_SIGN_EXTRA_OPTS} \
+            --output ${SPL_BINARY}.staged
+        cp -f ${SPL_BINARY}.staged ${B}/$CONFIG_B_PATH/${SPL_BINARY}
+        mv -f ${SPL_BINARY}.staged ${DEPLOYDIR}/${SPL_IMAGE}
+    fi
+}
+
+sign_spl() {
+    mkdir -p ${DEPLOYDIR}
+    if [ -n "${UBOOT_CONFIG}" ]; then
+        for config in ${UBOOT_MACHINE}; do
+            CONFIG_B_PATH="$config"
+            cd ${B}/$config
+            sign_spl_helper
+        done
+    else
+        CONFIG_B_PATH=""
+        cd ${B}
+        sign_spl_helper
+    fi
+}
+
+verify_spl_otp() {
+    for otptool_config in ${OTPTOOL_CONFIGS} ; do
+        socsec verify \
+            --sec_image ${DEPLOYDIR}/${SPL_IMAGE} \
+            --otp_image ${DEPLOYDIR}/"$(basename ${otptool_config} .json)"-otp-all.image
+
+        if [ $? -ne 0 ]; then
+            bbfatal "Verified OTP image failed."
+        fi
+    done
+}
+
+do_deploy:append() {
+    if [ "${SOCSEC_SIGN_ENABLE}" = "1" -a -n "${SPL_BINARY}" ] ; then
+        sign_spl
+        verify_spl_otp
+    fi
+}